CloudTrail log file examples - Amazon CloudTrail

CloudTrail log file examples

CloudTrail monitors events for your account. If you create a trail, it delivers those events as log files to your Amazon S3 bucket. See the following topics to learn more about log files.

CloudTrail log file name format

CloudTrail uses the following file name format for the log file objects that it delivers to your Amazon S3 bucket:

AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
  • YYYYMMDDHHmm are the year, month, day, hour, and minute digits of the log file delivery time. Hours are in 24-hour format. The Z indicates that the time is in UTC.

    Note

    A log file delivered at a specific time can contain records written at any point before that time.

  • The 16-character UniqueString component of the log file name is there to prevent overwriting of files. It has no meaning, and log processing software should ignore it.

  • FileNameFormat is the encoding of the file. Currently, this is json.gz, which is a JSON text file in compressed gzip format.

Example CloudTrail log file name

111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
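To make the naming rule concrete, here is an added Python example (not code from the CloudTrail documentation) that parses a delivered object name into its parts and checks it against the account and region a bucket is expected to receive logs from; the region pattern and the is_expected_source helper are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Pattern for the documented object name (assumption of this example, not an AWS API):
#   AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
_NAME_RE = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_"
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)_"      # e.g. us-east-2, cn-north-1
    r"(?P<stamp>\d{8}T\d{4}Z)_"                  # YYYYMMDDTHHmmZ, UTC
    r"(?P<unique>[A-Za-z0-9]{16})\.(?P<fmt>json\.gz)$"
)


def parse_log_file_name(name):
    """Split a CloudTrail log object name into its parts.

    Returns a dict, or None if the name does not match the documented format.
    The delivery time is returned as an aware UTC datetime. The 16-character
    unique string is returned but, as the documentation says, carries no meaning.
    """
    m = _NAME_RE.match(name)
    if not m:
        return None
    delivered = datetime.strptime(m["stamp"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    return {
        "account_id": m["account"],
        "region": m["region"],
        "delivered_at": delivered,
        "unique_string": m["unique"],
        "format": m["fmt"],
    }


def is_expected_source(name, account_id, region):
    """True only if the name parses and names the expected account and region.

    Useful when one bucket receives logs from several accounts: an object whose
    name claims an unexpected account ID or region is flagged instead of being
    ingested silently.
    """
    parts = parse_log_file_name(name)
    return bool(parts) and parts["account_id"] == account_id and parts["region"] == region
```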

Log file examples

A log file contains one or more records. The following examples are snippets of logs that show the records for an action that started the creation of a log file.

Amazon EC2 log examples

Amazon Elastic Compute Cloud (Amazon EC2) provides resizable compute capacity in the Amazon Web Services Cloud. You can launch virtual servers, configure security and networking, and manage storage. Amazon EC2 can also scale up or down quickly to handle changes in requirements or spikes in popularity, which reduces your need to forecast server traffic. For more information, see the Amazon EC2 User Guide for Linux Instances.

The following example shows that an IAM user named Alice used the Amazon CLI to call the Amazon EC2 StartInstances action by using the ec2-start-instances command for instance i-ebeaf9e2.

{"Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accessKeyId": "EXAMPLE_KEY_ID", "accountId": "123456789012", "userName": "Alice" }, "eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-east-2", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}}, "responseElements": {"instancesSet": {"items": [{ "instanceId": "i-ebeaf9e2", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }]}} }]}

The following example shows that an IAM user named Alice used the Amazon CLI to call the Amazon EC2 StopInstances action by using the ec2-stop-instances command.

{"Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-03-06T21:01:59Z", "eventSource": "ec2.amazonaws.com", "eventName": "StopInstances", "awsRegion": "us-east-2", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": {"items": [{"instanceId": "i-ebeaf9e2"}]}, "force": false }, "responseElements": {"instancesSet": {"items": [{ "instanceId": "i-ebeaf9e2", "currentState": { "code": 64, "name": "stopping" }, "previousState": { "code": 16, "name": "running" } }]}} }]}

The following example shows that the Amazon EC2 console backend called the CreateKeyPair action in response to a request initiated by IAM user Alice. Note that the responseElements contain a hash of the key pair and that Amazon removed the key material.

{"Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": {"attributes": { "mfaAuthenticated": "false", "creationDate": "2014-03-06T15:15:06Z" }} }, "eventTime": "2014-03-06T17:10:34Z", "eventSource": "ec2.amazonaws.com", "eventName": "CreateKeyPair", "awsRegion": "us-east-2", "sourceIPAddress": "72.21.198.64", "userAgent": "EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx", "requestParameters": {"keyName": "mykeypair"}, "responseElements": { "keyName": "mykeypair", "keyFingerprint": "30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21", "keyMaterial": "\u003csensitiveDataRemoved\u003e" } }]}

IAM log examples

Amazon Identity and Access Management (IAM) is a web service that enables Amazon customers to manage users and user permissions. With IAM, you can manage users, security credentials such as access keys, and control which Amazon resources users can access. For more information, see the IAM User Guide.

The following example shows that IAM user Alice used the Amazon CLI to call the CreateUser action to create a new user named Bob.

{"Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-03-24T21:11:59Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "awsRegion": "us-east-2", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7", "requestParameters": {"userName": "Bob"}, "responseElements": {"user": { "createDate": "Mar 24, 2014 9:11:59 PM", "userName": "Bob", "arn": "arn:aws:iam::123456789012:user/Bob", "path": "/", "userId": "EXAMPLEUSERID" }} }]}

The following example shows that IAM user Alice used the Amazon Web Services Management Console to call the AddUserToGroup action to add Bob to the admin group.

{"Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice", "sessionContext": {"attributes": { "mfaAuthenticated": "false", "creationDate": "2014-03-25T18:45:11Z" }} }, "eventTime": "2014-03-25T21:08:14Z", "eventSource": "iam.amazonaws.com", "eventName": "AddUserToGroup", "awsRegion": "us-east-2", "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole", "requestParameters": { "userName": "Bob", "groupName": "admin" }, "responseElements": null }]}

The following example shows that IAM user Alice used the Amazon CLI to call the CreateRole action to create a new IAM role.

{ "Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2014-03-25T20:17:37Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-2", "sourceIPAddress": "127.0.0.1", "userAgent": "aws-cli/1.3.2 Python/2.7.5 Windows/7", "requestParameters": { "assumeRolePolicyDocument": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\", \n\"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::210987654321:root\"\n },\n \"Action\": \"sts:AssumeRole\"\n }\n ]\n}", "roleName": "TestRole" }, "responseElements": { "role": { "assumeRolePolicyDocument": "%7B%0A%20%20%22Version%22%3A%20%222012-10-17%22%2C%0A%20%20%22Statement%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22Sid%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22Effect%22%3A%20%22Allow%22%2C%0A%20%20%20%20%20%20%22Principal%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22AWS%22%3A%20%22arn%3Aaws%3Aiam%3A%3A803981987763%3Aroot%22%0A%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%22Action%22%3A%20%22sts%3AAssumeRole%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D", "roleName": "TestRole", "roleId": "AROAIUU2EOWSWPGX2UJUO", "arn": "arn:aws:iam::123456789012:role/TestRole", "createDate": "Mar 25, 2014 8:17:37 PM", "path": "/" } } }] }

Error code and message log example

The following example shows that IAM user Alice used the Amazon CLI to call the UpdateTrail action to update a trail named myTrail2, but the trail name was not found. The log shows this error in errorCode and errorMessage.

{"Records": [{ "eventVersion": "1.04", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accountId": "123456789012", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2016-07-14T19:15:45Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail", "awsRegion": "us-east-2", "sourceIPAddress": "205.251.233.182", "userAgent": "aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22", "errorCode": "TrailNotFoundException", "errorMessage": "Unknown trail: myTrail2 for the user: 123456789012", "requestParameters": {"name": "myTrail2"}, "responseElements": null, "requestID": "5d40662a-49f7-11e6-97e4-d9cb6ff7d6a3", "eventID": "b7d4398e-b2f0-4faa-9c76-e2d316a8d67f", "eventType": "AwsApiCall", "recipientAccountId": "123456789012" }]}
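The IAM and error records above carry the fields an analyst keys on: errorCode for failed calls, sessionContext.attributes.mfaAuthenticated for console sessions, and requestParameters for group membership changes. The following added Python example (not code from the CloudTrail documentation) runs a simple triage over a constructed Records array that is trimmed from the record shapes shown on this page; the PRIVILEGED_GROUPS set is an assumption of this example.

```python
import json

# Constructed sample, trimmed from the record shapes shown on this page (not a
# real log file): a console action without MFA that adds a user to the "admin"
# group, and a failed CloudTrail call that carries errorCode/errorMessage.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.0",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice",
                      "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
     "eventTime": "2014-03-25T21:08:14Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AddUserToGroup", "awsRegion": "us-east-2",
     "sourceIPAddress": "127.0.0.1", "userAgent": "AWSConsole",
     "requestParameters": {"userName": "Bob", "groupName": "admin"},
     "responseElements": None},
    {"eventVersion": "1.04",
     "userIdentity": {"type": "IAMUser", "userName": "Alice",
                      "arn": "arn:aws:iam::123456789012:user/Alice"},
     "eventTime": "2016-07-14T19:15:45Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "UpdateTrail", "awsRegion": "us-east-2",
     "sourceIPAddress": "205.251.233.182", "userAgent": "aws-cli/1.10.32",
     "errorCode": "TrailNotFoundException",
     "errorMessage": "Unknown trail: myTrail2 for the user: 123456789012",
     "requestParameters": {"name": "myTrail2"}, "responseElements": None},
]})

# Group names treated as privileged; an assumption of this example.
PRIVILEGED_GROUPS = {"admin", "Administrators"}


def triage_records(log_text):
    """Return a list of (eventName, reason) findings worth an analyst's look."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        session = rec.get("userIdentity", {}).get("sessionContext") or {}
        attrs = session.get("attributes", {})
        # A failed call carries errorCode/errorMessage and no responseElements.
        if "errorCode" in rec:
            findings.append((name, f"failed: {rec['errorCode']}"))
        # Console sessions record whether MFA was used when the session was created.
        if attrs.get("mfaAuthenticated") == "false":
            findings.append((name, "session without MFA"))
        # Membership changes to a privileged group are always worth a look.
        if name == "AddUserToGroup" and params.get("groupName") in PRIVILEGED_GROUPS:
            findings.append((name, f"{params.get('userName')} added to {params['groupName']}"))
    return findings
```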

CloudTrail Insights event log example

The following example shows a CloudTrail Insights event log. An Insights event is actually a pair of events that mark the start and end of a period of unusual write management API activity. The state field shows whether the event was logged at the start or the end of the period of unusual activity. The event name UpdateInstanceInformation is the name of the Amazon Systems Manager API for which CloudTrail analyzed management events to determine that unusual activity occurred. Although the start and end events have unique eventID values, they also share a sharedEventID value that is used by the pair. Insights events show the baseline, or normal pattern of activity, the insight, or average unusual activity that triggered the start Insights event, and, in the end event, the insight value for the average unusual activity over the duration of the Insights event. For more information about CloudTrail Insights, see Logging Insights events for trails.

{ "Records": [ { "eventVersion": "1.07", "eventTime": "2019-11-14T00:51:00Z", "awsRegion": "us-east-1", "eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE", "insightDetails": { "state": "Start", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 85.4202380952 }, "insight": { "average": 664 } } } }, "eventCategory": "Insight" }, { "eventVersion": "1.07", "eventTime": "2019-11-14T00:52:00Z", "awsRegion": "us-east-1", "eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE", "eventType": "AwsCloudTrailInsight", "recipientAccountId": "123456789012", "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE", "insightDetails": { "state": "End", "eventSource": "ssm.amazonaws.com", "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight", "insightContext": { "statistics": { "baseline": { "average": 85.4202380952 }, "insight": { "average": 664 }, "insightDuration": 1 } } }, "eventCategory": "Insight" } ] }
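Because a start and an end record arrive as separate events, a consumer has to join them on sharedEventID before it can report one Insights incident. The following added Python example (not code from the CloudTrail documentation) does that join over a constructed Records array built from the two records shown above and computes how far the insight average sits above the baseline; the summary field names are assumptions of this example.

```python
import json

# Constructed from the two Insights records shown on this page (not a real
# delivery); fields not needed for the join are omitted.
INSIGHT_LOG = json.dumps({"Records": [
    {"eventID": "EXAMPLE8-9621-4d00-b913-beca2EXAMPLE", "eventType": "AwsCloudTrailInsight",
     "eventTime": "2019-11-14T00:51:00Z", "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE",
     "insightDetails": {"state": "Start", "eventSource": "ssm.amazonaws.com",
                        "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight",
                        "insightContext": {"statistics": {"baseline": {"average": 85.4202380952},
                                                          "insight": {"average": 664}}}}},
    {"eventID": "EXAMPLEc-28be-486c-8928-49ce6EXAMPLE", "eventType": "AwsCloudTrailInsight",
     "eventTime": "2019-11-14T00:52:00Z", "sharedEventID": "EXAMPLE2-1729-42f1-b735-5d8c0EXAMPLE",
     "insightDetails": {"state": "End", "eventSource": "ssm.amazonaws.com",
                        "eventName": "UpdateInstanceInformation", "insightType": "ApiCallRateInsight",
                        "insightContext": {"statistics": {"baseline": {"average": 85.4202380952},
                                                          "insight": {"average": 664},
                                                          "insightDuration": 1}}}},
]})


def pair_insight_events(log_text):
    """Join Start/End Insights events on sharedEventID.

    Returns {sharedEventID: summary}. Each summary names the API, carries the
    baseline and insight averages and their ratio, and records the start and
    end times plus the insightDuration from the End event (None until the End
    event has been seen, so an open incident is still reported).
    """
    pairs = {}
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventType") != "AwsCloudTrailInsight":
            continue  # ordinary management/data events are not part of a pair
        d = rec["insightDetails"]
        stats = d["insightContext"]["statistics"]
        s = pairs.setdefault(rec["sharedEventID"], {
            "api": f"{d['eventSource']}:{d['eventName']}",
            "insight_type": d["insightType"],
            "baseline": stats["baseline"]["average"],
            "insight": stats["insight"]["average"],
            "ratio": stats["insight"]["average"] / stats["baseline"]["average"],
            "start": None, "end": None, "duration": None,
        })
        s[d["state"].lower()] = rec["eventTime"]   # "Start" -> start, "End" -> end
        if d["state"] == "End":
            s["duration"] = stats.get("insightDuration")
    return pairs
```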