如何在SLS设置SQL语句查询操作审计的事件

操作审计(ActionTrail)帮助您监控阿里云账号的活动并记录最近90天的事件。当您需要分析更长时间的事件时,可以通过操作审计创建跟踪,将事件投递到日志服务SLS,使用SQL语句对事件进行查询和分析。本文为您介绍在如何在SLS设置SQL语句。

SQL语句语法

SQL(Structured Query Language)语句格式为:<查询语句> | <分析语句>

操作审计支持通过多种方式查询事件。不同查询方式对应的查询语句和分析语句如下表所示:

查询方式

查询语句

分析语句

事件查询

  • 读写类型:* AND "event.eventCategory": Management AND "event.eventRW": Write

  • 用户名:* AND "event.eventCategory": Management AND "event.userIdentity.userName": "xxx"

  • 事件名称:* AND "event.eventCategory": Management AND "event.eventName": "DescribeScalingGroups"

  • 资源类型:* AND "event.eventCategory": Management AND "event.resourceType": "ACS::ECS::Instance"

  • 资源名称:* AND "event.eventCategory": Management AND "event.resourceName": "i-xxx"

  • 服务名称:* AND "event.eventCategory": Management AND "event.serviceName": "Ecs"

  • AccessKey ID:* AND "event.eventCategory": Management "event.userIdentity.accessKeyId": "STS.xxxx"

select "event.acsRegion" as acsRegion, "event.apiVersion" as apiVersion, "event.eventId" as eventId, "event.eventName" as eventName, "event.eventRW" as eventRW, "event.eventSource" as eventSource, from_unixtime(__time__) as eventTime, "event.eventType" as eventType, "event.eventVersion" as eventVersion, "event.errorCode" as errorCode, "event.errorMessage" as errorMessage, "event.requestId" as requestId, "event.requestParameterJson" as requestParameterJson, "event.resourceName" as resourceName, "event.resourceType" as resourceType, "event.serviceName" as serviceName, "event.sourceIpAddress" as sourceIpAddress, "event.userAgent" as userAgent, "event.userIdentity.accessKeyId" as accessKeyId, "event.userIdentity.accountId" as accontId, "event.userIdentity.principalId" as principalId, "event.userIdentity.type" as type, "event.userIdentity.userName" as userName

事件聚合查询

  • 读写类型:* AND "event.eventCategory": Management AND "event.eventRW": Write

  • 事件名称:* AND "event.eventCategory": Management AND "event.eventName": "DescribeScalingGroups"

  • 服务名称:* AND "event.eventCategory": Management AND "event.serviceName": "Ecs"

  • AccessKey ID:* AND "event.eventCategory": Management "event.userIdentity.accessKeyId": "STS.xxxx"

SELECT"event.serviceName"AS servieName,"event.eventName"AS eventName,"event.eventRw"AS eventRw,"event.sourceIpAddress"AS sourceIpAddress,"event.resourceName"AS resourceName,"event.resourceType"AS resourceType,"event.userIdentity.userName"AS userName,"event.userIdentity.type"AS userType,"event.userIdentity.accessKeyId"AS accessKeyId,"event.acsRegion"AS eventRegion,COUNT("event.eventId")AS n, date_trunc('hour', __time__) AS time GROUP BY time, servieName, eventName, eventRw, sourceIpAddress, resourceType, resourceName, accessKeyId, userType, userName, eventRegion ORDER BY time DESC LIMIT 20

Insight事件查询

  • IP地址:* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight AND "event.insightDetails.sourceIpAddress": "10.12.XX.XX"

  • Insight事件类型:* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight

  • 事件ID:* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight AND "event.eventId": 6CE5DBDE-5D18-4BF9-BD6A-E0D2E1BA****

select from_unixtime(__time__) as eventTime, "event.acsRegion" as eventRegion, "event.insightDetails.sourceIpAddress" as sourceIpAddress, "event.insightDetails.insightContext.statistics.insightCount" as count

SQL语句示例

  • 示例一:查询管控事件中的所有写事件

    * AND "event.eventCategory": Management AND "event.eventRW": Write | select "event.acsRegion" as acsRegion, "event.apiVersion" as apiVersion, "event.eventId" as eventId, "event.eventName" as eventName, "event.eventRW" as eventRW, "event.eventSource" as eventSource, from_unixtime(__time__) as eventTime, "event.eventType" as eventType, "event.eventVersion" as eventVersion, "event.errorCode" as errorCode, "event.errorMessage" as errorMessage, "event.requestId" as requestId, "event.requestParameterJson" as requestParameterJson, "event.resourceName" as resourceName, "event.resourceType" as resourceType, "event.serviceName" as serviceName, "event.sourceIpAddress" as sourceIpAddress, "event.userAgent" as userAgent, "event.userIdentity.accessKeyId" as accessKeyId, "event.userIdentity.accountId" as accontId, "event.userIdentity.principalId" as principalId, "event.userIdentity.type" as type, "event.userIdentity.userName" as userName

  • 示例二:查询管控事件中所有写事件的聚合情况

    说明

    如果设置的查询时间段较长,建议设置LIMIT N,返回N条事件。例如:设置LIMIT 20,返回20条事件。

    * AND "event.eventCategory": Management AND "event.eventRW": Write | SELECT"event.serviceName"AS servieName,"event.eventName"AS eventName,"event.eventRw"AS eventRw,"event.sourceIpAddress"AS sourceIpAddress,"event.resourceName"AS resourceName,"event.resourceType"AS resourceType,"event.userIdentity.userName"AS userName,"event.userIdentity.type"AS userType,"event.userIdentity.accessKeyId"AS accessKeyId,"event.acsRegion"AS eventRegion,COUNT("event.eventId")AS n, date_trunc('hour', __time__) AS time GROUP BY time, servieName, eventName, eventRw, sourceIpAddress, resourceType, resourceName, accessKeyId, userType, userName, eventRegion ORDER BY time DESC LIMIT 20

  • 示例三:查询Insight事件中所有IP异常事件

    * AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight | select from_unixtime(__time__) as eventTime, "event.acsRegion" as eventRegion, "event.insightDetails.sourceIpAddress" as sourceIpAddress, "event.insightDetails.insightContext.statistics.insightCount" as count