如何在SLS設定SQL語句查詢Action Trail的事件 - ActionTrail

Action Trail（ActionTrail）協助您監控阿里雲帳號的活動並記錄最近90天的事件。當您需要分析更長時間的事件時，可以通過Action Trail建立跟蹤，將事件投遞到Log ServiceSLS，使用SQL語句對事件進行查詢和分析。本文為您介紹在如何在SLS設定SQL語句。

SQL語句文法

SQL（Structured Query Language）語句格式為：<查詢語句> | <分析語句>。

Action Trail支援通過多種方式查詢事件。不同查詢方式對應的查詢語句和分析語句如下表所示：

查詢方式	查詢語句	分析語句
事件查詢	讀寫類型：`* AND "event.eventCategory": Management AND "event.eventRW": Write` 使用者名稱：`* AND "event.eventCategory": Management AND "event.userIdentity.userName": "xxx"` 事件名稱：`* AND "event.eventCategory": Management AND "event.eventName": "DescribeScalingGroups"` 資源類型：`* AND "event.eventCategory": Management AND "event.resourceType": "ACS::ECS::Instance"` 資源名稱：`* AND "event.eventCategory": Management AND "event.resourceName": "i-xxx"` 服務名稱：`* AND "event.eventCategory": Management AND "event.serviceName": "Ecs"` AccessKey ID：`* AND "event.eventCategory": Management "event.userIdentity.accessKeyId": "STS.xxxx"`	select "event.acsRegion" as acsRegion, "event.apiVersion" as apiVersion, "event.eventId" as eventId, "event.eventName" as eventName, "event.eventRW" as eventRW, "event.eventSource" as eventSource, from_unixtime(__time__) as eventTime, "event.eventType" as eventType, "event.eventVersion" as eventVersion, "event.errorCode" as errorCode, "event.errorMessage" as errorMessage, "event.requestId" as requestId, "event.requestParameterJson" as requestParameterJson, "event.resourceName" as resourceName, "event.resourceType" as resourceType, "event.serviceName" as serviceName, "event.sourceIpAddress" as sourceIpAddress, "event.userAgent" as userAgent, "event.userIdentity.accessKeyId" as accessKeyId, "event.userIdentity.accountId" as accontId, "event.userIdentity.principalId" as principalId, "event.userIdentity.type" as type, "event.userIdentity.userName" as userName
事件彙總查詢	讀寫類型：`* AND "event.eventCategory": Management AND "event.eventRW": Write` 事件名稱：`* AND "event.eventCategory": Management AND "event.eventName": "DescribeScalingGroups"` 服務名稱：`* AND "event.eventCategory": Management AND "event.serviceName": "Ecs"` AccessKey ID：`* AND "event.eventCategory": Management "event.userIdentity.accessKeyId": "STS.xxxx"`	SELECT"event.serviceName"AS servieName,"event.eventName"AS eventName,"event.eventRw"AS eventRw,"event.sourceIpAddress"AS sourceIpAddress,"event.resourceName"AS resourceName,"event.resourceType"AS resourceType,"event.userIdentity.userName"AS userName,"event.userIdentity.type"AS userType,"event.userIdentity.accessKeyId"AS accessKeyId,"event.acsRegion"AS eventRegion,COUNT("event.eventId")AS n, date_trunc('hour', __time__) AS time GROUP BY time, servieName, eventName, eventRw, sourceIpAddress, resourceType, resourceName, accessKeyId, userType, userName, eventRegion ORDER BY time DESC LIMIT 20
Insight事件查詢	IP地址：`* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight AND "event.insightDetails.sourceIpAddress": "10.12.XX.XX"` Insight事件類型：`* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight` 事件ID：`* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight AND "event.eventId": 6CE5DBDE-5D18-4BF9-BD6A-E0D2E1BA****`	`select from_unixtime(__time__) as eventTime, "event.acsRegion" as eventRegion, "event.insightDetails.sourceIpAddress" as sourceIpAddress, "event.insightDetails.insightContext.statistics.insightCount" as count`

SQL語句樣本

樣本一：查詢管控事件中的所有寫事件
* AND "event.eventCategory": Management AND "event.eventRW": Write | select "event.acsRegion" as acsRegion, "event.apiVersion" as apiVersion, "event.eventId" as eventId, "event.eventName" as eventName, "event.eventRW" as eventRW, "event.eventSource" as eventSource, from_unixtime(__time__) as eventTime, "event.eventType" as eventType, "event.eventVersion" as eventVersion, "event.errorCode" as errorCode, "event.errorMessage" as errorMessage, "event.requestId" as requestId, "event.requestParameterJson" as requestParameterJson, "event.resourceName" as resourceName, "event.resourceType" as resourceType, "event.serviceName" as serviceName, "event.sourceIpAddress" as sourceIpAddress, "event.userAgent" as userAgent, "event.userIdentity.accessKeyId" as accessKeyId, "event.userIdentity.accountId" as accontId, "event.userIdentity.principalId" as principalId, "event.userIdentity.type" as type, "event.userIdentity.userName" as userName
樣本二：查詢管控事件中所有寫事件的彙總情況
說明
如果設定的查詢時間段較長，建議設定LIMIT N，返回N條事件。例如：設定LIMIT 20，返回20條事件。
* AND "event.eventCategory": Management AND "event.eventRW": Write | SELECT"event.serviceName"AS servieName,"event.eventName"AS eventName,"event.eventRw"AS eventRw,"event.sourceIpAddress"AS sourceIpAddress,"event.resourceName"AS resourceName,"event.resourceType"AS resourceType,"event.userIdentity.userName"AS userName,"event.userIdentity.type"AS userType,"event.userIdentity.accessKeyId"AS accessKeyId,"event.acsRegion"AS eventRegion,COUNT("event.eventId")AS n, date_trunc('hour', __time__) AS time GROUP BY time, servieName, eventName, eventRw, sourceIpAddress, resourceType, resourceName, accessKeyId, userType, userName, eventRegion ORDER BY time DESC LIMIT 20
樣本三：查詢Insight事件中所有IP例外狀況事件
* AND "event.eventCategory": Insight AND event.insightDetails.insightType: IpInsight | select from_unixtime(__time__) as eventTime, "event.acsRegion" as eventRegion, "event.insightDetails.sourceIpAddress" as sourceIpAddress, "event.insightDetails.insightContext.statistics.insightCount" as count