ActionTrail will add new fields, including eventRW, resourceName, and resourceType, to event logs that are recorded after 00:00:00 on December 16, 2020. The eventRW field indicates whether an event is a read or write event. The resourceName field indicates the name of an event-associated resource. The resourceType field indicates the type of an event-associated resource. This change aims to improve the analysis performance and does not affect the event logs that are recorded before this change.
Description
The following table describes the three fields to be added to event logs.
Field | Type | Description | Example |
---|---|---|---|
eventRW | String | The read/write type of the event. Valid values: | Read |
resourceName | String | The name of the event-associated resource. Compared with the existing referenceResources field, the resourceName field separately indicates the unique identifier of an event-associated resource. The resourceName field can be used as an index in Log Service to query event logs by resource name. | Note: The names of the resources of the same type are separated with commas (,). The names of the resources of different types are separated with semicolons (;). |
resourceType | List | The type of the event-associated resource. Compared with the existing referenceResources field, the resourceType field separately indicates the type of an event-associated resource. The resourceType field can be used as an index in Log Service to query event logs by resource type. | Note: Multiple resource types are separated with semicolons (;). |
The following sample code shows specific fields of an event log before and after this change:
- Before the change

  ```json
  {
    "referenceResources": {
      "ACS::ECS::Instance": [
        "i-bp1fadfuy****",
        "i-bp1fadfad****"
      ]
    }
  }
  ```
- After the change

  ```json
  {
    "eventRW": "Read",
    "referenceResources": {
      "ACS::ECS::Instance": [
        "i-bp1fadfuy****",
        "i-bp1fadfad****"
      ]
    },
    "resourceName": "i-bp1fadfuy****,i-bp1fadfad****",
    "resourceType": "ACS::ECS::Instance"
  }
  ```
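
The following Python sketch is an added example, not code from ActionTrail. It shows how a log consumer can read the new flat fields and still handle event logs recorded before the change by falling back to referenceResources. The positional pairing of resourceName groups with resourceType entries, the "Write" value, the "ACS::Example::Disk" type, and all sample resource names are assumptions made for the illustration.

```python
def resources_by_type(event):
    """Map resource type -> list of resource names for one ActionTrail event."""
    names, types = event.get("resourceName"), event.get("resourceType")
    if names and types:
        # ';' separates resource types, ',' separates names of the same type.
        # Assumption: the i-th name group belongs to the i-th resource type.
        type_list = [t.strip() for t in types.split(";")]
        groups = [[n.strip() for n in g.split(",") if n.strip()]
                  for g in names.split(";")]
        if len(type_list) == len(groups):
            return dict(zip(type_list, groups))
    # Logs recorded before the change, or flat fields that do not line up:
    # fall back to the existing referenceResources field.
    return {t: list(v) for t, v in (event.get("referenceResources") or {}).items()}


def events_touching(events, resource_name, rw=None):
    """Return (index, eventRW or "unknown", resources) for events that reference
    resource_name. With rw set, events lacking eventRW are still returned as
    "unknown" so that pre-change activity is not silently dropped."""
    hits = []
    for i, ev in enumerate(events):
        res = resources_by_type(ev)
        if not any(resource_name in group for group in res.values()):
            continue
        ev_rw = ev.get("eventRW")
        if rw is None or ev_rw is None or ev_rw == rw:
            hits.append((i, ev_rw or "unknown", res))
    return hits


# Constructed sample events (not real logs). "ACS::Example::Disk" and the value
# "Write" are assumptions; the page only shows "Read" and ACS::ECS::Instance.
SAMPLE = [
    {"referenceResources": {"ACS::ECS::Instance": ["i-example-a"]}},  # before change
    {"eventRW": "Read", "resourceName": "i-example-a,i-example-b",
     "resourceType": "ACS::ECS::Instance",
     "referenceResources": {"ACS::ECS::Instance": ["i-example-a", "i-example-b"]}},
    {"eventRW": "Write", "resourceName": "i-example-a;d-example-1,d-example-2",
     "resourceType": "ACS::ECS::Instance;ACS::Example::Disk"},
]

if __name__ == "__main__":
    for hit in events_touching(SAMPLE, "i-example-a", rw="Write"):
        print(hit)
```

Audit queries that filter on eventRW alone will miss logs recorded before the change, which is why the sketch reports them as "unknown" instead of excluding them.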
Impacts
The change does not affect the analysis of event logs that have been delivered to Log Service or Object Storage Service (OSS).
After the change takes effect, take note of the following impacts:
- For event logs that are delivered to Log Service Logstores or OSS buckets by using the existing trails or newly created trails, all event logs contain the newly added fields.
- For event logs that are delivered to Log Service Logstores by using the newly created trails, all event logs contain indexes of the newly added fields.
- For event logs that are delivered to Log Service Logstores by using the existing trails, the event logs do not contain indexes of the newly added fields. If you need to analyze the newly added fields, we recommend that you perform the following operations to manually add indexes of these fields:
  - Add indexes of the newly added fields in the Log Service console
    1. Log on to the Log Service console.
    2. In the Projects section, click the name of the project that you specify when you create the trail.
    3. Click the name of the Logstore that you want to manage. In the upper-right corner, choose .
    4. Click the plus sign (+) below the existing fields and add the eventRW, resourceName, and resourceType fields.
    5. Click OK.
  - Add indexes of the newly added fields in Cloud Shell

    Run the following command in Cloud Shell:

    ```
    actiontrail-update-index [project] [logstore] [regionId]
    ```

    Replace the parameters with the values of the Project, Logstore, and RegionId parameters that are specified when you create a trail. The following code provides an example:

    ```
    actiontrail-update-index actiontrail-ev**** actiontrail-test**** cn-hangzhou
    ```