ActionTrail event logs

limits

• In the ActionTrail console, you can query only the events that are delivered by single-account trails. You can perform queries at most twice per second. You cannot query the events that are delivered by multi-account trails in the ActionTrail console. To query such events, go to the required Object Storage Service (OSS) bucket or Simple Log Service Logstore. For more information, see Create a multi-account trail.

• You can use the event query feature to query only the events that are generated in the current region in the last 90 days.

  • To query the events that were generated in the current region 90 days ago, you must create a single-account trail to deliver the events to OSS or Simple Log Service. Otherwise, you cannot query the events that were generated 90 days ago. For more information, see Create a single-account trail.

  • To query the events that were generated in multiple regions 90 days ago or filter and query events based on multiple conditions, you can use the advanced event query feature. For more information, see Perform custom event queries.

• After an event is generated within your Alibaba Cloud account, you must wait 10 minutes before you can query the event in the ActionTrail console.

Billing

For information about ActionTrail billing, see Billing.

View ActionTrail event logs

1. Log on to the ActionTrail console.

2. In the left-side navigation pane, choose Events > Event Query.

3. In the top navigation bar, select the region of the event that you want to query from the drop-down list.

4. On the Event Detail Query page, enter search criteria, specify a time range, and then click the icon.

   Note

   You can filter events by a single search condition, such as Read/Write Type, username, service name, event name, resource type, resource name, AccessKeyId, Sensitive Operation, or EventId.

5. Find the desired event and click View Details in the Actions column to view the details and record code.

   The following sample code shows the event details for ApsaraDB for ClickHouse:

   {
     "ApiVersion": "2019-11-11",
     "RequestId": "76BEA6CF-****-****-****-12393F559EFF",
     "EventType": "ApiCall",
     "UserIdentity": {
       "Type": "ram-user",
       "InvokedBy": "",
       "AccountId": "",
       "UserName": "",
       "PrincipalId": "20**************95",
       "AccessKeyId": "TMP.**********4K99m",
       "Arn": ""
     },
     "AcsRegion": "cn-shenzhen",
     "EventName": "CreateAccountAndAuthority",
     "IsBlack": false,
     "RequestParameters": {
       "AcsHost": "clickhouse-share.aliyuncs.com",
       "RequestId": "76BEA6CF-****-****-****-12393F559EFF",
       "DBClusterId": "cc-2z*********7q",
       "HostId": "clickhouse-share.aliyuncs.com",
       "AllowDatabases": "sh*****g",
       "AccountPassword": "***************",
       "DdlAuthority": true,
       "DmlAuthority": "all",
       "AcsProduct": "clickhouse",
       "TotalDatabases": "de***lt,sh***g",
       "TotalDictionaries": "",
       "AllowDictionaries": "",
       "AcceptLanguage": "zh-CN",
       " charset": "UTF-8",
       "AccountName": "root"
     },
     "EventSource": "clickhouse-share.aliyuncs.com",
     "ServiceName": "ClickHouse",
     "EventTime": "2021-06-08T08:28:57.497+0000",
     "ReferencedResources": {},
     "UserAgent": "clickhouse.console.aliyun.com",
     "EventId": "76BEA6CF-****-****-****-12393F559EFF",
     "ResponseElements": {
       "RequestId": "76BEA6CF-****-****-****-12393F559EFF"
     },
     "ErrorCode": "",
     "ErrorMessage": "",
     "EventVersion": "",
     "SourceIpAddress": "11*.*.*.*7"
   }

   Note

   For more information about the fields in an event, see Management event structure.

Related operations

To deliver ActionTrail event logs to Log Service or OSS, see Query events in the Log Service or OSS console.