All Products
Search
Document Center

Elastic Desktop Service:Log auditing

Last Updated:Jun 02, 2026

WUYING Workspace Enterprise Edition provides log queries, session recording audits, and monitoring and alerts for administrator operations, end user activities, and file transfers.

01 Operation logs

Operation logs let you monitor and audit what administrators and end users do. Administrator operation logs capture how cloud computers are accessed and managed — through the console, OpenAPI, and other channels. End user operation logs capture actions such as starting, stopping, restarting, resetting, connecting to, and disconnecting from cloud computers. Together, the logs give you a reliable basis for security analysis, resource change tracking, and compliance audits.

1.1 Administrator operation logs

Administrator operation logs are powered by Alibaba Cloud ActionTrail. Use them to monitor and audit activity in your Alibaba Cloud account for security analysis, resource change tracking, and compliance audits.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Customer

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View administrator operation logs

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Security & Audits > Logs.

  3. In the top navigation bar, select a region.

  4. On the Administrator Operation Logs tab, set the filter criteria and time range.

    • Filter criteria: filter by Read/Write Type, Event Name, Operator, Resource Types, Resource Name, Event Type, or Sensitive Action.

    • Time range: the console shows the last 7 days of logs by default. You can specify a custom range and query logs from up to the past 90 days.

  5. Review event information.

    • Each event record shows the event time, operator, event name, and source IP.

    • In the Actions column, click View Details to open a side panel with details such as the API request ID, event source, and error code. The Event Record section shows the full event in JSON. For field-level descriptions, see Management event structure.

1.2 User operation logs

End user operation logs capture activity such as connecting to cloud computers and powering them on or off. Query the logs to spot abnormal behavior.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Customer

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View user operation logs

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Security & Audits > Logs.

  3. In the top navigation bar, select a region.

  4. On the User Operation Logs tab, set the filter criteria and time range.

    Records that match your filters appear in the table below. Each entry includes:

    • Event information: the action performed, including event ID, type, and time.

    • User information: the end user who performed the action, including the username.

    • Cloud computer information: the cloud computer that was acted on, including its ID and name, the ID and name of its cloud computer pool, and the ID and name of the office network it belongs to.

    • Client information: the client used for the action, including its operating system, version, and IP address.

    Note

    To export the results, click the image icon in the upper-right corner. The records are exported as an Excel file and downloaded to your device.

1.3 Deliver user operation logs to an SLS Logstore

WUYING Workspace Enterprise Edition can deliver end user operation logs to a Simple Log Service (SLS) Logstore for auditing and alerting on suspicious operations to prevent information leakage.

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Security & Audits > Logs.

  3. Click the User Operation Logs tab, and then click Deliver to Logstore in the upper-right corner.

  4. If you are using this feature for the first time, click OK in the Elastic Desktop Service Service-linked Role dialog box.

  5. In the Deliver to Logstore panel, configure the Logstore. You can create a new Logstore or select an existing one. When you are finished, click OK.

1.4 File transfer logs

File transfer logs capture detailed records of files that end users move between cloud computers and their local devices — including transfers made through the clipboard and the file transfer module. Query the logs to spot abnormal behavior.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Customer

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View file transfer logs

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Security & Audits > Logs.

  3. In the top navigation bar, select a region.

  4. On the File Transfer Log tab, set the query conditions, values, and time range.

    Records that match your filters appear in the table below, with details such as username, cloud computer name and ID, and operation type.

    Note

    To export the results, click the image icon in the upper-right corner. The records are exported as an Excel file and downloaded to your device.

02 Session recording audit

2.1 Session recording audit policy

To meet your organization's security and audit requirements, you may need to audit operations on cloud computers. The screen recording audit feature, which is in public preview, allows you to use a cloud computer policy to capture user activities on cloud computers as videos for later playback.

Important

Screen recording may affect end user privacy. Before you enable this feature, ensure you have obtained the necessary authorization from them.

  • Default status: Disabled

  • Configuration responsibility: Customer

  • Feature fee:

    • Feature usage fees: This value-added feature is free of charge during the public preview. Charges will apply after the public preview ends, and billing details will be announced in advance.

    • Other related fees: Screen recordings can be saved only to Object Storage Service (OSS). The system automatically creates an OSS bucket for you. You are charged for the storage space consumed by the video files. For more information about billing, see OSS Billing Overview.

  • Dependencies: None

  • Limits:

    The screen recording audit feature applies only to cloud computers that meet all the following conditions:

    • They use the Adaptive Streaming Protocol (ASP). For more information, see Adaptive Streaming Protocol (ASP).

    • They run a Windows or Linux operating system.

    • They use a system image of version 0.1.0 or later, or a custom image created from such an image.

    By default, screen recordings are saved to an OSS bucket in the current region. If you use VPN-related software on a cloud computer, add*.aliyuncs.com to the whitelist to ensure successful file uploads.

  • Reference: Auditing rules

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose O&M Management > Policy.

  3. On the Policy page, click Create Policy.

  4. On the Create Policy page, enter a Policy Name as prompted, configure the policy settings as needed, and then click OK.

In the Screen Recording Audit section, turn on the Screen Recording Audit switch, read the Usage Notes on Screen Recording Audit, select I have read and agree to enable the feature, and configure the following parameters.

Parameter

Description

Recording type

Select a recording type:

  • Whole-process: Records the entire user session, from the moment an end user connects to the cloud computer until they disconnect.

  • Interval-based: Records only during a specified time interval. If the end user disconnects before the interval ends, the recording stops immediately. If you select this option, you must also configure the Interval.

  • Operation-triggered: If you select this option, select one or more trigger conditions in the Operation-triggered section. Multiple conditions are supported.

    • File Upload/Download-triggered: Recording is triggered when a file is uploaded to or downloaded from the cloud computer.

    • Command-triggered: Recording is triggered when a user provides input by using a device such as a keyboard, mouse, or graphics tablet.

    Note

    Recording starts immediately when a trigger condition is met. When the trigger condition is no longer met, the recording does not stop immediately but continues for another 10 minutes. If the same or another trigger condition is met again within this 10-minute period, the 10-minute delay timer is reset.

  • Listening of Session Lifecycle Screen Recording: Records the entire process from session creation to session logoff. This option is recommended for robotic process automation (RPA) scenarios.

    Note

    The difference between session lifecycle recording and whole-process recording is when the recording stops. Whole-process recording ends when the end user disconnects from the cloud computer. In contrast, session lifecycle recording ends when the session is logged off. A session is logged off when the end user shuts down the cloud computer or when the pre-configured keep-active duration is reached after the cloud computer is disconnected.

Audio

Select one of the following options: Video or Video and Audio.

Frame Rate

Supported frame rates: 2, 5, 10, and 15 frames per second (FPS).

A higher frame rate results in smoother video but requires more storage space. Select a frame rate that balances video quality and storage costs.

File Length

Supported values: 10, 20, 30, or 60 minutes. The recording is automatically split into segments of the specified length. If a segment file reaches 300 MB before the specified duration, a new segment is created.

Save To

By default, screen recordings are saved to an OSS bucket in the current region, which incurs OSS fees. For more information about billing, see OSS Billing Overview.

Important

If you use VPN-related software on a cloud computer, add*.aliyuncs.com to the whitelist to ensure successful file uploads.

After a recording is complete, you can view or download the video file in the console. For more information, see View or download screen recordings.

Retention Period

Default: 15 days. You can set the retention period to a value from 1 to 180 days.

Warning

Screen recordings are stored in the OSS bucket for the specified retention period. After this period expires, the recordings are permanently deleted from both the OSS bucket and the Screen Recordings tab in the console.

03 Monitoring and alerts

Monitoring and alerting covers workspace distribution, resource usage, session connections, and network status to help you discover and resolve issues proactively.

3.1 Configure alert rules

Monitoring shows workspace resource usage and session connection status. Alerting uses these metrics to report problems before they affect business.

An alert rule defines the conditions for triggering an alert, including the metric, threshold, severity, and effective time period.

  • Default status: Disabled

  • Configuration responsibility: Customer

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: Configure alert rules

Configuration and usage

  1. In the left-side navigation pane, choose Monitoring and Alerts > Notification and Alert Service.

  2. Click the Alert Rules & Records tab, and then click the Modify Alert Rule tab.

  3. Click Create Alert Rule. In the Create Alert Rule panel, configure the following parameters and click Confirm.

    Parameter

    Description

    Example

    Rule name

    The name of the alert rule.

    CPU utilization alert

    Alert source

    • Cloud Computer

    • Premium Bandwidth

    Cloud Computer

    Monitoring scope

    • All Resources: The rule applies to all cloud computers or Premium Bandwidth plans.

    • Cloud computer instance: The rule applies to selected cloud computers.

    • Premium Bandwidth: The rule applies to selected Premium Bandwidth plans.

    All Resources

    Metric type

    • Single Metric: Monitors only one metric. You can create multiple alert rules at different severity levels for the metric.

    • Multiple Metrics: Monitors multiple metrics. You can create a single alert rule with one severity level for all metrics by configuring composite trigger conditions.

    Single Metric

    Effective period

    The period during which the alert rule is active.

    08:00-09:59

    Mute period

    Prevents frequent notifications for a continuously triggered alert. After the mute period, a new notification is sent if the trigger condition is still met.

    30 minutes

    Alert contact group

    The contact group that receives alert notifications.

    O&M Group 1

    Parameters for a single-metric rule

    Metric

    The metric to be monitored.

    CPU utilization percentage.

    Severity & Metric Threshold

    The trigger conditions for different severity levels of the metric. You must configure a trigger condition for at least one severity level.

    Info

    Average > 80% for 3 consecutive periods

    Parameters for a multi-metric rule

    Severity

    The notification methods vary based on the severity level:

    • Critical: phone call, SMS message, email, and DingTalk

    • Warning: SMS message, email, and DingTalk

    • Info: email and DingTalk

    Info

    Multi-metric alert condition

    The trigger conditions for each metric. You can configure up to 10 conditions.

    • Average disk usage > 80%

    • Average memory usage > 60%

    Metric relationship

    • Trigger alert when all conditions are met: Triggers an alert only if all conditions are met (logical AND).

    • Trigger alert when any condition is met: Triggers an alert if any condition is met (logical OR).

    Trigger alert when any condition is met

    Times threshold must be reached

    The number of consecutive periods during which the composite trigger conditions must be met before an alert is triggered.

    3 consecutive periods

3.2 Monitoring dashboard

The monitoring dashboard displays aggregated metrics for your cloud computers, providing a high-level view of their usage, distribution, and overall resource health.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Alibaba Cloud

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View the monitoring dashboard

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Monitoring & Alerts > Dashboard.

  3. On the Monitoring page, you can view an overview of various cloud computer metrics, including the number of cloud computers, their status, sign-in duration, and network latency.

    Note

    In the upper-right corner of the Alert dialog box, click View More Alerts to view alert details.

3.3 Session monitoring

Session monitoring lets administrators view and manage end user sessions and provide remote assistance.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Alibaba Cloud

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View connection monitoring

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Monitoring and Alerts > Connection Monitoring.

  3. In the top navigation bar, select a region.

  4. The Connection Monitoring page shows connection details for Cloud Computer and Shared Cloud Computer. The details include the current connection status, the most recent connection time, and the connection duration within the specified time range. You can also use the following features.

    • Connection Monitoring

      Feature

      Description

      Actions

      Export

      Export detailed connection records to a file.

      Click the image icon in the upper-right corner of the page.

      Disconnect

      Disconnect a user's active session. The user can reconnect to the same session later.

      Select one or more sessions and click disconnect at the bottom of the session list.

      Session logoff

      Log off a user session. Unsaved data will be lost. When the user reconnects, a new session is created.

      Select one or more sessions and click session logoff at the bottom of the session list.

      Send message

      Send a message to a user who is in a session.

      Select one or more sessions, click Send Message at the bottom of the session list, and enter a Topic and Message.

      App Management

      View and manage applications and processes running on the user's cloud computer.

      In the Actions column for the target session, click App Management to view all applications running on the cloud computer, including their names and status.

      To close an application or process, on the Apps panel, click End Application in the Actions column for the application.

      Remote Assistance

      Remotely control a user's cloud computer to help troubleshoot issues. Both administrators and end users can initiate remote assistance. For more information about this feature, see Collaboration rules.

      • Administrator-initiated

        In the Actions column for the target session, click Remote Assistance and wait for the user to grant permission.

      • User-initiated

        If a user requests assistance, a message appears in the User Request History column for the corresponding session. Click Remote Assistance in the Actions column and follow the on-screen prompts to accept the request and complete the assistance tasks.

      Note

      For security and compliance purposes, all actions performed by both the administrator and the user during a remote assistance session are logged for auditing. To view the audit logs, see View operation log.

    • Connection failure records

      On the Connection Failure Records tab, you can view failed connection attempts for both Cloud Computer and Shared Cloud Computer. To diagnose a failure, click Diagnosis and Query in the Actions column for the target record.

      Note

      The system retains connection failure records for the last three months. You can query a maximum of three days of records at a time.

The Sessions page includes the following metrics:

  • Username: The name of the user connected to the cloud computer.

  • Cloud computer ID/name: The ID and name of the cloud computer associated with the session.

  • Session status: The current status of the session. Valid values: Connected and Disconnected.

  • Last connected at: The time the user last connected to the cloud computer.

  • User request history: A record of remote assistance requests initiated by the user from the client.

  • Last connection duration: The duration of the user's last session, from the time they connected until they disconnected.

  • Resource group: The name of the resource group to which the cloud computer belongs.

  • Billing method: The billing method of the cloud computer. Examples: pay-as-you-go, or monthly subscription with unlimited, 250, or 120 hours of usage.

  • Total idle duration: The cumulative idle time during sessions within the selected time range. Idle time is a period with no keyboard or mouse input.

  • Total connection duration: The cumulative connection duration within the selected time range.

  • Office network ID/name: The ID and name of the office network to which the cloud computer belongs.

  • Operating system: The operating system of the cloud computer.

  • Terminal type: The type of WUYING terminal used by the user.

  • Terminal SN: The unique serial number (SN) of the WUYING terminal device.

  • Terminal UUID: A unique identifier for each terminal device in Elastic Desktop Service.

  • Terminal IP: The local IP address of the WUYING terminal used by the user.

  • Version: The client version of the WUYING terminal used by the user.

3.4 Real-time monitoring

Note

Real-time monitoring shows end user logon data: online user count, top ten users by online duration, average logon time, and workspace network latency distribution. It also surfaces fault warnings for resource, network, or external operation issues.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Alibaba Cloud

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View real-time monitoring

Procedure

  1. In the left-side navigation pane, choose Monitoring & Alerts > Real-time Monitoring.

  2. On the Real-time Monitoring page, you can view data about end-user sign-ins, cloud computer network latency, and fault alerts.

3.5 Workspace monitoring

Metric graphs show how cloud computer metrics change over a specified period.

Note

Monitoring charts track workspace metric changes over time.

  • Default status: Enabled (cannot be disabled)

  • Configuration responsibility: Alibaba Cloud

  • Feature fee: Free

  • Dependencies: None

  • Limits: None

  • Reference: View workspace monitoring information

Procedure

  1. Log on to the EDS enterprise console.

  2. In the left-side navigation pane, choose Monitoring & Alerts > Performance Monitoring & Diagnosis.

  3. In the top navigation bar, select a region.

  4. On the Performance Monitoring & Diagnosis page, use one of the following methods to view metrics:

    Cloud computer

    1. On the Performance Monitoring & Diagnosis page, click the Cloud Computer tab.

    2. Find the cloud computer and click Performance Monitoring in the Actions column.

    3. On the Performance Monitoring page, select a preset or custom time range to view metric graphs for the cloud computer. The graphs include Load Score, CPU usage, memory usage, and disk-related parameters.

    Shared cloud computers

    1. On the Performance Monitoring & Diagnosis page, click the Shares tab.

    2. Find the shared cloud computer and click Monitoring Chart in the Actions column.

    3. On the Monitoring Details page that opens, you can select a preset or custom time range to view metric graphs for the shared cloud computer. The graphs include Load Score, CPU usage, memory usage, and disk-related parameters.

    Top 50 resources

    1. On the Performance Monitoring & Diagnosis page, click the Top 50 Resources tab.

    2. Find the cloud computer and click Monitoring Chart in the Actions column.

    3. On the Monitoring Details page, select a preset or custom time range to view metric graphs for the cloud computer. The graphs include Load Score, CPU usage, memory usage, and disk-related parameters.