If you log on to the Alibaba Cloud Management Console as a RAM user, a logon event (ConsoleSignin) occurs. This topic describes the fields in sample event logs for logons as a RAM user.
Example 1: Logon event in which MFA is disabled
The following sample event log shows that the RAM user named Alice logged on to the Alibaba Cloud Management Console without multi-factor authentication (MFA) enabled at 08:00:00 on January 1, 2021, UTC+8.
{
    "requestId": "1.167_1627549154939_339a",
    "eventType": "ConsoleSignin",
    "userIdentity": {
        "accountId": "159498693826****",
        "principalId": "23890260100229****",
        "type": "ram-user",
        "userName": "Alice"
    },
    "acsRegion": "cn-hangzhou",
    "eventName": "ConsoleSignin",
    "eventSource": "signin.aliyun.com",
    "serviceName": "AasSub",
    "eventTime": "2021-01-01T00:00:00Z",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "eventId": "1.167_1627549154939_****",
    "additionalEventData": {
        "callbackUrl": "https://actiontrail.console.alibabacloud.com/cn-hangzhou/event-list?accounttraceid=******",
        "mfaChecked": "false"
    },
    "errorCode": "",
    "errorMessage": "",
    "eventVersion": "1",
    "sourceIpAddress": "192.168.XX.XX"
}
The sample event log contains the following key fields:
eventType: the type of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
userIdentity.userName: the username of the RAM user.
eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 on January 1, 2021, UTC+8.
additionalEventData.isMFAChecked: indicates whether MFA is enabled for the logon of the RAM user. The value in the sample event is false, which indicates that MFA is disabled.
Example 2: Logon event in which MFA is enabled
The following sample event log shows that the RAM user named Alice logged on to the Alibaba Cloud Management Console with MFA enabled at 08:00:00 on January 1, 2021, UTC+8.
{
    "requestId": "1.167_1627549154939_339a",
    "eventType": "ConsoleSignin",
    "userIdentity": {
        "accountId": "159498693826****",
        "principalId": "23890260100229****",
        "type": "ram-user",
        "userName": "Alice"
    },
    "acsRegion": "cn-hangzhou",
    "eventName": "ConsoleSignin",
    "eventSource": "signin.aliyun.com",
    "serviceName": "AasSub",
    "eventTime": "2021-01-01T00:00:00Z",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.164 Safari/537.36",
    "eventId": "1.167_1627549154939_****",
    "additionalEventData": {
        "callbackUrl": "https://actiontrail.console.alibabacloud.com/cn-hangzhou/event-list?accounttraceid=******",
        "mfaChecked": "true"
    },
    "errorCode": "",
    "errorMessage": "",
    "eventVersion": "1",
    "sourceIpAddress": "192.168.XX.XX"
}
The sample event log contains the following key fields:
eventType: the type of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
userIdentity.userName: the username of the RAM user.
eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 on January 1, 2021, UTC+8.
additionalEventData.isMFAChecked: indicates whether MFA is enabled for the logon of the RAM user. The value in the sample event is true, which indicates that MFA is enabled.
Example 3: Failed logon event
The following sample event log shows that the RAM user named Alice failed to log on to the Alibaba Cloud Management Console at 08:00:00 on January 1, 2021, UTC+8.
{
    "eventId": "1.167_1627549154939_****",
    "eventVersion": 1,
    "errorMessage": "Password is error",
    "eventSource": "signin.aliyun.com",
    "errorCode": "Authentication.Failed",
    "sourceIpAddress": "192.168.XX.XX",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36",
    "eventType": "ConsoleSignin",
    "userIdentity": {
        "accountId": "159498693826****",
        "principalId": "23890260100229****",
        "type": "ram-user",
        "userName": "Alice"
    },
    "serviceName": "AasSub",
    "additionalEventData": {
        "callbackUrl": "https://actiontrail.console.alibabacloud.com/cn-hangzhou/event-list?accounttraceid=****",
        "mfaChecked": "false"
    },
    "requestId": "1.167_1627549154939_339a",
    "eventTime": "2021-01-01T00:00:00Z",
    "isGlobal": true,
    "acsRegion": "cn-hangzhou",
    "eventName": "ConsoleSignin"
}
The sample event log contains the following key fields:
errorCode: the error code. The value is Authentication.Failed, which indicates that the logon failed.
errorMessage: the error message. The value in the sample event is Password is error, which indicates that the logon failure is caused by an invalid password.
eventType: the type of the event. The value in the sample event is ConsoleSignin, which indicates a console logon event.
userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
userIdentity.userName: the username of the RAM user.
eventTime: the time when the event is generated, in UTC. The value in the sample event is 2021-01-01T00:00:00Z, which corresponds to 08:00:00 on January 1, 2021, UTC+8.
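The following Python code is an added example, not Alibaba Cloud's own: it applies the field descriptions above to classify RAM-user ConsoleSignin events as an MFA logon, a logon without MFA, or a failed logon, and converts eventTime from UTC to UTC+8. The function names and the trimmed sample lines are constructed for illustration, and accepting both mfaChecked (as in the samples) and isMFAChecked (as in the field list) is an assumption.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC8 = timezone(timedelta(hours=8))

# Constructed sample lines, trimmed from the three sample events above.
SAMPLE_LINES = [
    '{"eventType":"ConsoleSignin","userIdentity":{"type":"ram-user","userName":"Alice"},'
    '"eventTime":"2021-01-01T00:00:00Z","errorCode":"","additionalEventData":{"mfaChecked":"false"}}',
    '{"eventType":"ConsoleSignin","userIdentity":{"type":"ram-user","userName":"Alice"},'
    '"eventTime":"2021-01-01T00:00:00Z","errorCode":"","additionalEventData":{"mfaChecked":"true"}}',
    '{"eventType":"ConsoleSignin","userIdentity":{"type":"ram-user","userName":"Alice"},'
    '"eventTime":"2021-01-01T00:00:00Z","errorCode":"Authentication.Failed",'
    '"errorMessage":"Password is error","additionalEventData":{"mfaChecked":"false"}}',
]

def classify_signin(event):
    """Summarise a RAM-user ConsoleSignin event; return None for any other event."""
    if event.get("eventType") != "ConsoleSignin":
        return None
    identity = event.get("userIdentity") or {}
    if identity.get("type") != "ram-user":
        return None
    extra = event.get("additionalEventData") or {}
    # Assumption: accept both key names, because the samples carry "mfaChecked"
    # while the field list names "isMFAChecked". The value is a string, not a bool.
    mfa = str(extra.get("mfaChecked", extra.get("isMFAChecked", ""))).lower() == "true"
    # eventTime is UTC; convert to UTC+8 for display as the page does.
    utc = datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if event.get("errorCode"):  # a non-empty errorCode marks a failed logon
        outcome = "failed"
    else:
        outcome = "success-mfa" if mfa else "success-no-mfa"
    return {"user": identity.get("userName"),
            "local_time": utc.astimezone(UTC8).isoformat(),
            "outcome": outcome,
            "error": event.get("errorCode") or None}

def review(lines):
    """Classify each JSON line and count outcomes per (user, outcome) pair."""
    parsed = (classify_signin(json.loads(line)) for line in lines)
    results = [r for r in parsed if r is not None]
    return results, Counter((r["user"], r["outcome"]) for r in results)

if __name__ == "__main__":
    for row in review(SAMPLE_LINES)[0]:
        print(row)
```
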