MaxCompute records all user actions and pushes operational logs to Alibaba Cloud ActionTrail in real time. You can create a single-account trail of ActionTrail to deliver the logs to your Simple Log Service project or a specific Object Storage Service (OSS) bucket. This way, you can perform real-time log auditing and problem backtracking. This topic describes the scenarios and scope of audit logs.
Flowchart
The following figure shows how to deliver the logs to Simple Log Service and OSS.
Scenarios
MaxCompute delivers operational logs to ActionTrail in real time. You can perform the following operations in the ActionTrail console:
Query historical events and their detailed information
On the Event Query page in the ActionTrail console, query historical events of various services, such as MaxCompute. For more information, see Query events in the ActionTrail console.
Analyze events in real time
On the Trails page in the ActionTrail console, deliver events to an OSS bucket for archiving and analysis. You can also use a trail to deliver events to your Simple Log Service project for real-time log analysis, such as log analysis triggered by alerts that are generated in the case of unauthorized access to sensitive data. For more information, see Create a single-account trail.
Scope
ActionTrail audits events that are related to instances, tables, users, roles, and permissions. For more information about events, see Audit events of MaxCompute. The following table describes the events that are audited by ActionTrail.
Event type | Event name | Event description
JobEvent | InsertJob | A MaxCompute job is submitted.
JobEvent | JobChange | The status of a MaxCompute job is changed. For example, a job succeeds or is terminated.
TunnelEvent | DownloadTable | Data is downloaded from a table by using Tunnel commands.
TunnelEvent | UploadTable | Data is uploaded to a table by using Tunnel commands.
TunnelEvent | InstanceTunnel | The execution result of an instance is downloaded. For example, this event is triggered when you execute a SELECT statement.
RoleEvent | CreateRole | A role is created.
RoleEvent | DropRole | A role is dropped.
UserEvent | AddUser | A user is added.
UserEvent | RemoveUser | A user is removed.
TableEvent | CreateTable | A table is created.
TableEvent | ChangeTable | The schema of a table is modified. For example, this event is triggered when you execute the ALTER TABLE statement to modify the schema of a table.
TableEvent | DropTable | A table is dropped.
TableEvent | DescribeTable | The schema of a table is queried by using the DESC TABLE statement.
TableEvent | ReadTableData | Table data is read.
TableEvent | ChangeTableData | Table data is modified. For example, this event is triggered when you execute a statement such as INSERT INTO, INSERT OVERWRITE, or TRUNCATE, or when you import table data by using Tunnel commands.
PrivilegeEvent | GrantRole | Role-based permissions are granted.
PrivilegeEvent | RevokeRole | Role-based permissions are revoked.
PrivilegeEvent | GrantACL | ACL-based permissions are granted.
PrivilegeEvent | RevokeACL | ACL-based permissions are revoked.
PrivilegeEvent | GrantLabel | Label-based permissions are granted.
PrivilegeEvent | RevokeLabel | Label-based permissions are revoked.
PrivilegeEvent | PutRolePolicy | A policy that is attached to a MaxCompute role is added.
PrivilegeEvent | SetProjectPolicy | A policy is configured for a project.
PrivilegeEvent | SetTableLabel | A label is configured for a column in a table.
PrivilegeEvent | SetUserLabel | A label is configured for a user.
AdminEvent | CreateProject | A MaxCompute project is created.
AdminEvent | UpdateProject | A MaxCompute project is updated.
AdminEvent | DeleteProject | A MaxCompute project is deleted.
Event fields
Fields are provided to record specific actions for different types of events. You can view and analyze the fields for event auditing. The following table describes the common fields that are included in events.
Field | Description | Example
eventId | The globally unique identifier (GUID) that ActionTrail generates for each event. | 918510a4-7b63-47d2-b053-8f9db82c431a
acsRegion | The ID of the region where the event log was recorded. | cn-hangzhou
eventName | The name of the event. | InsertJob
eventTime | The time when the event occurred, in UTC. | 2020-01-09T12:12:14Z
eventType | The type of the event. | JobEvent
errorCode | The error code reported when an error occurs. | ODPS-10000
errorMessage | The error description. | ODPS-0130161:[1,18] Parse exception - invalid token 'bigstring'
requestId | The ID of the API request. | 6df41e8c-cfd0-4beb-8dd0-13b8490fdf5b
serviceName | The name of the Alibaba Cloud service to which the event belongs. | MaxCompute
sourceIpAddress | The source IP address of the API request. | 47.100.XX.XX
userAgent | The user agent that sends the API request. |
userIdentity | The identity information about the requester. The information includes the accountId, principalId, type, and userName parameters. |
referencedResources | The resources that are involved in an event, such as InstanceId in JobEvent and TableName in TableEvent. This field is unique for each event. |
additionalEventData | The additional information that is specific to the event, such as the job status and query statements. This field is unique for each event. |
JobEvent
InsertJob
referencedResources: the ID of the job that is involved in an InsertJob event.
Example: "referencedResources": { "Instance": ["2020102713575683gc2j****"] }
additionalEventData: the additional information about an InsertJob event. The additional information includes the following parameters:
  ProjectName: the name of the project to which the job belongs.
  TaskName: the name of the task to which the job belongs.
  InstanceId: the ID of the job.
  TaskType: the type of the job. Valid values: SQL, LOT, and CUPID.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2j****", "TaskType": "SQL", "OperationText": "create table a(a string);" }
JobChange
referencedResources: the ID of the job that is involved in a JobChange event.
Example: "referencedResources": { "Instance": ["2020102713575683gc2j****"] }
additionalEventData: the additional information about a JobChange event. The additional information includes the following parameters:
  Status: the status of the job.
  ProjectName: the name of the project to which the job belongs.
  TaskName: the name of the task to which the job belongs.
  InstanceId: the ID of the job.
  TaskType: the type of the job. Valid values: SQL, LOT, and CUPID.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "Status": "Failed", "ProjectName": "meta", "TaskName": "console_query_task_1603807075919", "InstanceId": "2020102713575683gc2j****", "TaskType": "SQL", "OperationText": "create table a(a string);" }
TunnelEvent
DownloadTable
referencedResources: the name of the table that is involved in a DownloadTable event.
Example: "referencedResources": { "Table": [ "source_xml_instid_flt_2" ] }
additionalEventData: the additional information about a DownloadTable event. The additional information includes the following parameters:
  TableName: the name of the table.
  Partition: the partition information.
  CurrentProject: the name of the project in which the download operation is initiated.
  ProjectName: the name of the project to which the downloaded table belongs.
  SesssionId: the ID of the tunnel session.
Example: "additionalEventData": { "TableName": "source_xml_instid_flt_2", "Partition": "projectname=inst_200233,ds=20201027", "CurrentProject": "project1", "ProjectName": "project2", "SesssionId": "20201027200931a3baca0b037518a7" }
UploadTable
referencedResources: the name of the table that is involved in an UploadTable event.
Example: "referencedResources": { "Table": [ "source_xml_instid_flt_2" ] }
additionalEventData: the additional information about an UploadTable event. The additional information includes the following parameters:
  TableName: the name of the table.
  Partition: the partition information.
  ProjectName: the name of the project to which the uploaded table belongs.
  SesssionId: the ID of the tunnel session.
Example: "additionalEventData": { "TableName": "m_rt_privilege_event", "Partition": "ds=20201027,hh=22,mm=00", "ProjectName": "meta2", "SesssionId": "202010272209332231f60b08182dfb" }
InstanceTunnel
referencedResources: the ID of the job that is involved in an InstanceTunnel event.
Example: "referencedResources": { "Instance": [ "20201027080131990gf23****" ] }
additionalEventData: the additional information about an InstanceTunnel event. The additional information includes the following parameters:
  CurrentProject: the name of the project in which the instance download operation is initiated.
  ProjectName: the name of the project to which the downloaded instance belongs.
  InstanceId: the ID of the instance.
  SesssionId: the ID of the tunnel session.
Example: "additionalEventData": { "CurrentProject": "meta", "ProjectName": "meta", "InstanceId": "20201027080131990gf23****", "SesssionId": "2020102716014017c4ca0b036850f6" }
RoleEvent
CreateRole
referencedResources: the name of the role that is involved in a CreateRole event.
Example: "referencedResources": { "Role": [ "test1" ] }
additionalEventData: the additional information about a CreateRole event. The additional information includes the following parameters:
  RoleName: the name of the role that you created.
  CurrentProject: the name of the project in which the role creation operation is initiated.
  ProjectName: the name of the project to which the role belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "create role test1;" }
DropRole
referencedResources: the name of the role that is involved in a DropRole event.
Example: "referencedResources": { "Role": [ "test1" ] }
additionalEventData: the additional information about a DropRole event. The additional information includes the following parameters:
  RoleName: the name of the role that you dropped.
  CurrentProject: the name of the project in which the role drop operation is initiated.
  ProjectName: the name of the project to which the role belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "RoleName": "test1", "CurrentProject": "meta_dev", "ProjectName": "dev1", "OperationText": "drop role test1;" }
UserEvent
AddUser
referencedResources: the name of the user that is involved in an AddUser event.
Example: "referencedResources": { "User": [ "ram$xxxx@aliyun.com:sub" ] }
additionalEventData: the additional information about an AddUser event. The additional information includes the following parameters:
  UserName: the name of the user that you added.
  ProjectName: the name of the project to which the user belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "add user RAM$xxxx@aliyun.com:sub;" }
RemoveUser
referencedResources: the name of the user that is involved in a RemoveUser event.
Example: "referencedResources": { "User": [ "ram$xxxx@aliyun.com:sub" ] }
additionalEventData: the additional information about a RemoveUser event. The additional information includes the following parameters:
  UserName: the name of the user that you removed.
  ProjectName: the name of the project to which the user belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "UserName": "ram$xxxx@aliyun.com:sub", "ProjectName": "project1", "OperationText": "remove user RAM$xxxx@aliyun.com:sub;" }
TableEvent
CreateTable
referencedResources: the name of the table that is involved in a CreateTable event.
Example: "referencedResources": { "Table": [ "ttt" ] }
additionalEventData: the additional information about a CreateTable event. The additional information includes the following parameters:
  TableName: the name of the table that you created.
  ProjectName: the name of the project to which the table belongs.
  CorrelationId: used with Source. If the value of Source is INSTANCE, the job ID is used for this parameter. If the value of Source is TUNNEL, the tunnel ID is used for this parameter.
  Source: the source. Valid values: INSTANCE and TUNNEL.
  OperationText: the value of this parameter is CREATE_TABLE.
Example: "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "CREATE_TABLE" }
DropTable
referencedResources: the name of the table that is involved in a DropTable event.
Example: "referencedResources": { "Table": [ "ttt" ] }
additionalEventData: the additional information about a DropTable event. The additional information includes the following parameters:
  TableName: the name of the table that you dropped.
  ProjectName: the name of the project to which the table belongs.
  CorrelationId: used with Source. If the value of Source is INSTANCE, the job ID is used for this parameter. If the value of Source is TUNNEL, the tunnel ID is used for this parameter.
  Source: the source. Valid values: INSTANCE and TUNNEL.
  OperationText: the value of this parameter can be DROP_TABLE or RECYCLE_TABLE. DROP_TABLE means that the table was dropped by a user. RECYCLE_TABLE means that the table was reclaimed by the system when the lifecycle of the table ended.
Example: "additionalEventData": { "TableName": "hot_user_hs_top30", "ProjectName": "prj1", "CorrelationId": "20201023024002372giqvmv21", "Source": "INSTANCE", "OperationText": "DROP_TABLE" }
ChangeTable
referencedResources: the name of the table that is involved in a ChangeTable event.
Example: "referencedResources": { "Table": [ "ttt" ] }
additionalEventData: the additional information about a ChangeTable event. The additional information includes the following parameters:
  TableName: the name of the table whose schema you changed.
  ProjectName: the name of the project to which the table belongs.
  CorrelationId: used with Source. If the value of Source is INSTANCE, the job ID is used for this parameter. If the value of Source is TUNNEL, the tunnel ID is used for this parameter.
  Source: the source. Valid values: INSTANCE and TUNNEL.
  OperationText: the value of this parameter can be ALTER_TABLE_RENAME, ADD_PARTITION, ALTER_TABLE_ADD_COLUMNS, ALTER_TABLE_CHANGE_LIFECYCLE, ALTER_TABLE_DROP_PARTITION, or ALTER_PARTITION.
Example: "additionalEventData": { "TableName": "ttt", "ProjectName": "proj1", "CorrelationId": "20201028161651750g05e0tsa", "Source": "INSTANCE", "OperationText": "ADD_PARTITION" }
DescribeTable
referencedResources: the name of the table that is involved in a DescribeTable event.
Example: "referencedResources": { "Table": [ "ttt" ] }
additionalEventData: the additional information about a DescribeTable event. The additional information includes the following parameters:
  TableName: the name of the table that you viewed.
  ProjectName: the name of the project to which the table belongs.
Example: "additionalEventData": { "TableName": "ttt", "ProjectName": "prj1" }
ChangeTableData
referencedResources: the name of the table that is involved in a ChangeTableData event.
Example: "referencedResources": { "Table": [ "ttt" ] }
additionalEventData: the additional information about a ChangeTableData event. The additional information includes the following parameters:
  TableName: the name of the table whose data you changed.
  ProjectName: the name of the project to which the table belongs.
  CorrelationId: used with Source. If the value of Source is INSTANCE, the job ID is used for this parameter. If the value of Source is TUNNEL, the tunnel ID is used for this parameter.
  Source: the source. Valid values: INSTANCE and TUNNEL.
  OperationText: the value of this parameter can be TRUNCATE_TABLE, INSERT_OVERWRITE_TABLE, INSERT_OVERWRITE_PARTITION, INSERT_PARTITION, or INSERT_TABLE.
Example: "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "DATA_INGESTION" }
ReadTableData
referencedResources: None.
additionalEventData: the additional information about a ReadTableData event. The additional information includes the following parameters:
  TableName: the name of the table from which data is read.
  ProjectName: the name of the project to which the table belongs.
  CorrelationId: used with Source. If the value of Source is INSTANCE, the job ID is used for this parameter. If the value of Source is TUNNEL, the tunnel ID is used for this parameter.
  Source: the source. Valid values: INSTANCE and TUNNEL.
  OperationText: the value of this parameter is READ_TABLE.
Example: "additionalEventData": { "TableName": "ttt", "ProjectName": "meta_dev", "CorrelationId": "20201027083345196gsjgpv21", "Source": "INSTANCE", "OperationText": "READ_TABLE" }
PrivilegeEvent
GrantRole
referencedResources: the name of the Alibaba Cloud account that is involved in a GrantRole event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a GrantRole event. The additional information includes the following parameters:
  UserName: the name of the Alibaba Cloud account to which role-based permissions are granted.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant test_role to ALIYUN$xxx@aliyun.com" }
RevokeRole
referencedResources: the name of the Alibaba Cloud account that is involved in a RevokeRole event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a RevokeRole event. The additional information includes the following parameters:
  UserName: the name of the Alibaba Cloud account from which role-based permissions are revoked.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
Example: "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "revoke test_role from ALIYUN$xxx@aliyun.com" }
GrantACL
referencedResources: the name of the Alibaba Cloud account that is involved in a GrantACL event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a GrantACL event. The additional information includes the following parameters:
  ObjectType: the type of the object on which ACL-based permissions are granted. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION.
  CurrentProject: the name of the project in which the ACL-based authorization is initiated.
  UserName: the name of the Alibaba Cloud account to which ACL-based permissions are granted.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
  ObjectName: the name of the object on which ACL-based permissions are granted.
Example: "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "grant createtable on project meta to ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" }
RevokeACL
referencedResources: the name of the Alibaba Cloud account that is involved in a RevokeACL event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a RevokeACL event. The additional information includes the following parameters:
  ObjectType: the type of the object on which ACL-based permissions are revoked. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION.
  CurrentProject: the name of the project in which the revocation of ACL-based permissions is initiated.
  UserName: the name of the Alibaba Cloud account from which ACL-based permissions are revoked.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
  ObjectName: the name of the object on which ACL-based permissions are revoked.
Example: "additionalEventData": { "ObjectType": "PROJECT", "CurrentProject": "meta", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "project1", "OperationText": "revoke createtable on project project1 from ALIYUN$xxx@aliyun.com;", "ObjectName": "project1" }
GrantLabel
referencedResources: the name of the Alibaba Cloud account that is involved in a GrantLabel event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a GrantLabel event. The additional information includes the following parameters:
  ObjectType: the type of the object on which label-based permissions are granted. The value of this parameter is TABLE.
  UserName: the name of the Alibaba Cloud account to which label-based permissions are granted.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
  ObjectName: the name of the object on which label-based permissions are granted.
Example: "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "GRANT LABEL 4 ON TABLE t1 TO USER ALIYUN$xxx@aliyun.com;", "ObjectName": "meta" }
RevokeLabel
referencedResources: the name of the Alibaba Cloud account that is involved in a RevokeLabel event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a RevokeLabel event. The additional information includes the following parameters:
  ObjectType: the type of the object on which label-based permissions are revoked. Valid values: PROJECT, RESOURCE, TABLE, and FUNCTION.
  UserName: the name of the Alibaba Cloud account from which label-based permissions are revoked.
  ProjectName: the name of the project to which the Alibaba Cloud account belongs.
  OperationText: the statement that is executed.
  ObjectName: the name of the object on which label-based permissions are revoked.
Example: "additionalEventData": { "ObjectType": "TABLE", "UserName": "aliyun$xxx@aliyun.com", "ProjectName": "meta", "OperationText": "Revoke LABEL 4 ON TABLE t1 from USER ALIYUN$xxx@aliyun.com;", "ObjectName": "t1" }
PutRolePolicy
referencedResources: the name of the role that is involved in a PutRolePolicy event.
Example: "referencedResources": { "Role": [ "test1_role" ] }
additionalEventData: the additional information about a PutRolePolicy event. The additional information includes the following parameters:
  RoleName: the name of the role.
  CurrentProject: the name of the project in which the role-level policy-based authorization is initiated.
  ProjectName: the name of the project to which the role belongs.
  OperationText: the document of the policy, carried as a JSON string.
Example: "additionalEventData": { "RoleName": "test1_role", "CurrentProject": "meta_dev", "ProjectName": "meta_dev", "OperationText": "{\n \"Statement\": [{\n \"Action\": [\"odps:Read\",\n \"odps:List\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1\"]},\n {\n \"Action\": [\"odps:Describe\",\n \"odps:Select\"],\n \"Effect\": \"Allow\",\n \"Resource\": [\"acs:odps:*:projects/p1/tables/m_*\"]}],\n \"Version\": \"1\"}" }
SetProjectPolicy
referencedResources: None.
additionalEventData: the additional information about a SetProjectPolicy event. The additional information includes the following parameter:
  CurrentProject: the name of the project in which the project-level policy-based authorization is initiated.
Example: "additionalEventData": { "CurrentProject": "test_prj" }
SetTableLabel
referencedResources: None.
additionalEventData: the additional information about a SetTableLabel event. The additional information includes the following parameters:
  ObjectType: the type of the object. The value of this parameter is TABLE.
  OperationText: the statement that is executed.
  ObjectName: the name of the object.
Example: "additionalEventData": { "ObjectType": "TABLE", "OperationText": "SET LABEL 3 TO TABLE t1test(col1);", "ObjectName": "t1test" }
SetUserLabel
referencedResources: the name of the Alibaba Cloud account that is involved in a SetUserLabel event.
Example: "referencedResources": { "User": [ "aliyun$xxxx@aliyun.com" ] }
additionalEventData: the additional information about a SetUserLabel event. The additional information includes the following parameter:
  UserName: the name of the Alibaba Cloud account that configures label-based permissions for the user.
Example: "additionalEventData": { "UserName": "aliyun$xxxx@aliyun.com" }
AdminEvent
CreateProject
referencedResources: None.
additionalEventData: the additional information about a CreateProject event. The additional information includes the following parameter:
  ProjectName: the name of the MaxCompute project that you created.
Example: "additionalEventData": { "ProjectName": "xxxx" }
UpdateProject
referencedResources: None.
additionalEventData: the additional information about an UpdateProject event. The additional information includes the following parameters:
  ProjectName: the name of the MaxCompute project that you updated.
  Properties: the flags that you updated, carried as a JSON string.
  State: optional. The project status. Valid values: FROZEN and AVAILABLE.
Example: "additionalEventData": { "ProjectName": "xxx", "Properties": "{\"odps.sql.decimal.odps2\":\"true\",\"odps.sql.hive.compatible\":\"false\",\"odps.sql.type.system.odps2\":\"true\"}" }
DeleteProject
referencedResources: None.
additionalEventData: the additional information about a DeleteProject event. The additional information includes the following parameter:
  ProjectName: the name of the MaxCompute project that you deleted.
Example: "additionalEventData": { "ProjectName": "xxxx" }
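The Scenarios section mentions alert-driven analysis of delivered events. The following Python script is an added example, not part of the Alibaba Cloud documentation or of any Alibaba Cloud SDK: it runs a small rule set over audit events shaped as the field tables above describe (cross-project Tunnel downloads, privilege grants, wildcard PutRolePolicy documents, user-initiated table drops). The sample events and rule names are constructed, and each event is assumed to be a plain JSON object as delivered to Simple Log Service.

```python
import json

# Constructed sample events (not real ActionTrail records). Top-level keys
# follow the "Event fields" table; additionalEventData keys follow the
# per-event tables; values are placeholders.
SAMPLE_EVENTS = [
    {"eventId": "ev-1", "eventType": "TunnelEvent", "eventName": "DownloadTable",
     "additionalEventData": {"TableName": "source_xml_instid_flt_2", "Partition": "ds=20201027",
                             "CurrentProject": "project1", "ProjectName": "project2"}},
    {"eventId": "ev-2", "eventType": "PrivilegeEvent", "eventName": "GrantACL",
     "additionalEventData": {"ObjectType": "PROJECT", "ObjectName": "meta", "ProjectName": "meta",
                             "UserName": "aliyun$xxx@aliyun.com",
                             "OperationText": "grant createtable on project meta to ALIYUN$xxx@aliyun.com;"}},
    {"eventId": "ev-3", "eventType": "PrivilegeEvent", "eventName": "PutRolePolicy",
     "additionalEventData": {"RoleName": "test1_role", "ProjectName": "meta_dev",
                             # The policy document travels as a JSON string inside OperationText.
                             "OperationText": json.dumps({"Version": "1", "Statement": [
                                 {"Effect": "Allow", "Action": ["odps:*"],
                                  "Resource": ["acs:odps:*:projects/*"]}]})}},
    {"eventId": "ev-4", "eventType": "TableEvent", "eventName": "DropTable",
     "additionalEventData": {"TableName": "hot_user_hs_top30", "ProjectName": "prj1",
                             "Source": "INSTANCE", "OperationText": "RECYCLE_TABLE"}},
    {"eventId": "ev-5", "eventType": "TableEvent", "eventName": "DropTable",
     "additionalEventData": {"TableName": "ttt", "ProjectName": "prj1",
                             "Source": "INSTANCE", "OperationText": "DROP_TABLE"}},
]

# Event names that widen someone's access; every one of them gets a review record.
GRANT_EVENTS = {"GrantRole", "GrantACL", "GrantLabel", "PutRolePolicy", "SetProjectPolicy"}


def event_data(ev):
    """Return additionalEventData as a dict, decoding it if it arrives string-encoded
    (defensive assumption; the tables above document it as a nested object)."""
    data = ev.get("additionalEventData", {})
    return json.loads(data) if isinstance(data, str) else data


def broad_policy_statements(policy_text):
    """Return the Allow statements of a PutRolePolicy document that use a wildcard
    action (odps:*) or a whole-scope wildcard resource (.../projects/*)."""
    try:
        policy = json.loads(policy_text)
    except (TypeError, ValueError):
        return []
    broad = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.endswith("*") for a in stmt.get("Action", [])) or \
                any(r.endswith("/*") for r in stmt.get("Resource", [])):
            broad.append(stmt)
    return broad


def triage(events):
    """Run the rules over a list of events; return (eventId, rule, detail) tuples."""
    findings = []
    for ev in events:
        eid, name, data = ev.get("eventId"), ev.get("eventName"), event_data(ev)
        # A Tunnel download initiated from a project other than the one that owns
        # the data: CurrentProject differs from ProjectName.
        if name in ("DownloadTable", "InstanceTunnel") and \
                data.get("CurrentProject") != data.get("ProjectName"):
            findings.append((eid, "cross_project_download",
                             f"{data.get('CurrentProject')} -> {data.get('ProjectName')}"))
        if name in GRANT_EVENTS:
            findings.append((eid, "privilege_grant", data.get("OperationText", "")))
        if name == "PutRolePolicy":
            for stmt in broad_policy_statements(data.get("OperationText")):
                findings.append((eid, "broad_role_policy", json.dumps(stmt, sort_keys=True)))
        # DROP_TABLE is a user action; RECYCLE_TABLE is lifecycle expiry by the system.
        if name == "DropTable" and data.get("OperationText") == "DROP_TABLE":
            findings.append((eid, "user_drop_table",
                             f"{data.get('ProjectName')}.{data.get('TableName')}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The same rules apply unchanged to a batch read from the Simple Log Service project or the OSS bucket the trail delivers to, one JSON object per event.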