


# CloudTrail log file examples
<a name="cloudtrail-log-file-examples"></a>

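CloudTrail monitors events for your account. If you create a trail, it delivers those events as log files to your Amazon S3 bucket. If you create an event data store in CloudTrail Lake, events are logged to your event data store. Event data stores do not use S3 buckets.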

**Topics**
+ [CloudTrail log file name format](#cloudtrail-log-filename-format)
+ [Log file examples](#cloudtrail-log-file-examples-section)

## CloudTrail log file name format
<a name="cloudtrail-log-filename-format"></a>

CloudTrail uses the following file name format for the log file objects that it delivers to your Amazon S3 bucket:

```
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat 
```
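+ `YYYY`, `MM`, `DD`, `HH`, and `mm` are the digits of the year, month, day, hour, and minute when the log file was delivered. Hours are in 24-hour format. The `Z` indicates that the time is in UTC.
**Note**  
A log file delivered at a specific time can contain records written at any point before that time.
+ The 16-character `UniqueString` component of the log file name is there to prevent files from being overwritten. It has no meaning, and log processing software should ignore it.
+ `FileNameFormat` is the encoding of the file. Currently, this is `json.gz`, which is a JSON text file in compressed gzip format.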

**Example CloudTrail log file name**

```
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz 
```
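
The following Python example is added here and is not part of the original documentation or AWS code. It parses the file name format described above, discards `UniqueString`, and reports how long before the delivery time each record was written. The function names, the alphanumeric pattern assumed for `UniqueString`, and the two sample records are constructed for illustration.

```python
import gzip
import json
import re
from datetime import datetime, timezone

# AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
NAME_RE = re.compile(
    r"^(?P<account>\d{12})_CloudTrail_(?P<region>[a-z0-9-]+)_"
    r"(?P<stamp>\d{8}T\d{4}Z)_[A-Za-z0-9]{16}\.(?P<encoding>json\.gz)$"
)

def parse_log_name(key):
    """Split a log object name into account, region and delivery time (UTC)."""
    name = key.rsplit("/", 1)[-1]          # tolerate a key prefix before the name
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a CloudTrail log file name: {name!r}")
    delivered = datetime.strptime(m["stamp"], "%Y%m%dT%H%MZ").replace(tzinfo=timezone.utc)
    # UniqueString is checked for length only and then dropped: it carries no meaning.
    return {"account_id": m["account"], "region": m["region"],
            "delivered": delivered, "encoding": m["encoding"]}

def read_records(blob):
    """Decompress a json.gz log body and return its list of records."""
    return json.loads(gzip.decompress(blob))["Records"]

def delivery_lag(key, blob):
    """Seconds between each record's eventTime and the file's delivery time."""
    delivered = parse_log_name(key)["delivered"]
    lags = []
    for rec in read_records(blob):
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        lags.append((rec["eventID"], int((delivered - when).total_seconds())))
    return lags

# Constructed sample: the file name is the one shown above; the two records are made up.
SAMPLE_KEY = "111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz"
SAMPLE_BLOB = gzip.compress(json.dumps({"Records": [
    {"eventID": "constructed-1", "eventTime": "2015-08-01T02:03:41Z"},
    {"eventID": "constructed-2", "eventTime": "2015-08-01T01:58:10Z"},
]}).encode())

if __name__ == "__main__":
    print(parse_log_name(SAMPLE_KEY))
    for event_id, lag in delivery_lag(SAMPLE_KEY, SAMPLE_BLOB):
        print(event_id, f"written {lag}s before delivery")
```

Because the delivery time is only an upper bound on record times, time-window searches should filter on each record's `eventTime`, not on the file name.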

## Log file examples
<a name="cloudtrail-log-file-examples-section"></a>

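A log file contains one or more records. The following examples are snippets of logs that show the records for an action that started the creation of a log file.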

For information about CloudTrail event record fields, see [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).

**Contents**
+ [Amazon EC2 log examples](#cloudtrail-log-file-examples-ec2)
+ [IAM log examples](#cloudtrail-log-file-examples-iam)
+ [Example error code and message log](#error-code-and-error-message)
+ [CloudTrail Insights event log example](#insights-event-example)

### Amazon EC2 log examples
<a name="cloudtrail-log-file-examples-ec2"></a>

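Amazon Elastic Compute Cloud (Amazon EC2) provides resizable computing capacity in the Amazon Web Services Cloud. You can launch virtual servers, configure security and networking, and manage storage. Amazon EC2 can also scale up or down quickly to handle changes in demand or usage spikes, which reduces your need to forecast server traffic. For more information, see the [Amazon EC2 User Guide](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/).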

The following example shows that an IAM user named `Mateo` ran the **aws ec2 start-instances** command for instances `i-EXAMPLE56126103cb` and `i-EXAMPLEaff4840c22`, which called the Amazon EC2 [`StartInstances`](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_StartInstances.html) action.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::123456789012:user/Mateo",
        "accountId": "123456789012",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mateo",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:17:28Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StartInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.start-instances",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-EXAMPLE56126103cb"
                },
                {
                    "instanceId": "i-EXAMPLEaff4840c22"
                }
            ]
        }
    },
    "responseElements": {
        "requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-EXAMPLEaff4840c22",
                    "currentState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "previousState": {
                        "code": 80,
                        "name": "stopped"
                    }
                },
                {
                    "instanceId": "i-EXAMPLE56126103cb",
                    "currentState": {
                        "code": 0,
                        "name": "pending"
                    },
                    "previousState": {
                        "code": 80,
                        "name": "stopped"
                    }
                }
            ]
        }
    },
    "requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
    "eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "123456789012",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

The following example shows that an IAM user named `Nikki` ran the **aws ec2 stop-instances** command, which called the Amazon EC2 [`StopInstances`](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_StopInstances.html) action to stop two instances.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EXAMPLE6E4XEGITWATV6R",
        "arn": "arn:aws:iam::777788889999:user/Nikki",
        "accountId": "777788889999",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "userName": "Nikki",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:14:20Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "StopInstances",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.stop-instances",
    "requestParameters": {
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-EXAMPLE56126103cb"
                },
                {
                    "instanceId": "i-EXAMPLEaff4840c22"
                }
            ]
        },
        "force": false
    },
    "responseElements": {
        "requestId": "c308a950-e43e-444e-afc1-EXAMPLE73e49",
        "instancesSet": {
            "items": [
                {
                    "instanceId": "i-EXAMPLE56126103cb",
                    "currentState": {
                        "code": 64,
                        "name": "stopping"
                    },
                    "previousState": {
                        "code": 16,
                        "name": "running"
                    }
                },
                {
                    "instanceId": "i-EXAMPLEaff4840c22",
                    "currentState": {
                        "code": 64,
                        "name": "stopping"
                    },
                    "previousState": {
                        "code": 16,
                        "name": "running"
                    }
                }
            ]
        }
    },
    "requestID": "c308a950-e43e-444e-afc1-EXAMPLE73e49",
    "eventID": "9357a8cc-a0eb-46a1-b67e-EXAMPLE19b14",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "777788889999",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

The following example shows that an IAM user named `Arnav` ran the **aws ec2 create-key-pair** command, which called the [`CreateKeyPair`](https://docs.amazonaws.cn/AWSEC2/latest/APIReference/API_CreateKeyPair.html) action. Note that `responseElements` contains a hash of the key pair and that Amazon removed the key material.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGIEXAMPLE",
        "arn": "arn:aws:iam::444455556666:user/Arnav",
        "accountId": "444455556666",
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE",
        "userName": "Arnav",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:19:22Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "CreateKeyPair",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.create-key-pair",
    "requestParameters": {
        "keyName": "my-key",
        "keyType": "rsa",
        "keyFormat": "pem"
    },
    "responseElements": {
        "requestId": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196",
        "keyName": "my-key",
        "keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f",
        "keyPairId": "key-abcd12345eEXAMPLE",
        "keyMaterial": "<sensitiveDataRemoved>"
    },
    "requestID": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196",
    "eventID": "2ae450ff-e72b-4de1-87b0-EXAMPLE5227cb",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "444455556666",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

### IAM log examples
<a name="cloudtrail-log-file-examples-iam"></a>

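Amazon Identity and Access Management (IAM) is a web service that helps you securely control access to Amazon resources. With IAM, you can centrally manage the permissions that control which Amazon resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. For more information, see the [IAM User Guide](https://docs.amazonaws.cn/IAM/latest/UserGuide/).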

The following example shows that an IAM user named `Mary` ran the **aws iam create-user** command, which called the [`CreateUser`](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateUser.html) action to create a new user named `Richard`.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGITEXAMPLE",
        "arn": "arn:aws:iam::888888888888:user/Mary",
        "accountId": "888888888888",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Mary",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:25:09Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
    "requestParameters": {
        "userName": "Richard"
    },
    "responseElements": {
        "user": {
            "path": "/",
            "arn": "arn:aws:iam::888888888888:user/Richard",
            "userId": "AIDA6ON6E4XEP7EXAMPLE",
            "createDate": "Jul 19, 2023 9:25:09 PM",
            "userName": "Richard"
        }
    },
    "requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
    "eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "888888888888",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "iam.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

The following example shows that an IAM user named `Paulo` ran the **aws iam add-user-to-group** command, which called the [`AddUserToGroup`](https://docs.amazonaws.cn/IAM/latest/APIReference/API_AddUserToGroup.html) action to add a user named `Jane` to the `Admin` group.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGIEXAMPLE",
        "arn": "arn:aws:iam::555555555555:user/Paulo",
        "accountId": "555555555555",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Paulo",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:25:09Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "AddUserToGroup",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group",
    "requestParameters": {
        "groupName": "Admin",
        "userName": "Jane"
    },
    "responseElements": null,
    "requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463",
    "eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "555555555555",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "iam.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

The following example shows that an IAM user named `Saanvi` ran the **aws iam create-role** command, which called the [`CreateRole`](https://docs.amazonaws.cn/IAM/latest/APIReference/API_CreateRole.html) action to create a role.

```
{"Records": [{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGITEXAMPLE",
        "arn": "arn:aws:iam::777777777777:user/Saanvi",
        "accountId": "777777777777",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Saanvi",
        "sessionContext": {
            "sessionIssuer": {},
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:29:12Z",
    "eventSource": "iam.amazonaws.com",
    "eventName": "CreateRole",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-role",
    "requestParameters": {
        "roleName": "TestRole",
        "description": "Allows EC2 instances to call AWS services on your behalf.",
        "assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"sts:AssumeRole\"],\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}"
    },
    "responseElements": {
        "role": {
            "assumeRolePolicyDocument": "{{policy-statement}}",
            "arn": "arn:aws:iam::777777777777:role/TestRole",
            "roleId": "AROA6ON6E4XEFFEXAMPLE",
            "createDate": "Jul 19, 2023 9:29:12 PM",
            "roleName": "TestRole",
            "path": "/"
        }
    },
    "requestID": "ff38f36e-ebd3-425b-9939-EXAMPLE1bbe",
    "eventID": "9da77cd0-493f-4c89-8852-EXAMPLEa887c",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "777777777777",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "iam.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```

### Example error code and message log
<a name="error-code-and-error-message"></a>

The following example shows that an IAM user named `Terry` ran the **aws cloudtrail update-trail** command, which called the [`UpdateTrail`](https://docs.amazonaws.cn/awscloudtrail/latest/APIReference/API_UpdateTrail.html) action to update a trail named `myTrail2`, but the trail name was not found. The log shows this error in `errorCode` and `errorMessage`.

```
{"Records": [{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA6ON6E4XEGIEXAMPLE",
        "arn": "arn:aws:iam::111122223333:user/Terry",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "userName": "Terry",
        "sessionContext": {
            "attributes": {
                "creationDate": "2023-07-19T21:11:57Z",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "2023-07-19T21:35:03Z",
    "eventSource": "cloudtrail.amazonaws.com",
    "eventName": "UpdateTrail",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.update-trail",
    "errorCode": "TrailNotFoundException",
    "errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:111122223333:trail/myTrail2 for the user: 111122223333",
    "requestParameters": {
        "name": "myTrail2",
        "isMultiRegionTrail": true
    },
    "responseElements": null,
    "requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818",
    "eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
    },
    "sessionCredentialFromConsole": "true"
}]}
```
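
The following Python example is added here and is not part of the original documentation or AWS code. It reads the fields shown in the IAM and error examples above: `errorCode` as the failure signal, the string-valued `mfaAuthenticated`, and the JSON string inside `assumeRolePolicyDocument`. The watch list, the finding labels, the function names, and the abridged sample records are assumptions constructed for illustration.

```python
import json

# Event names come from the examples on this page; using them as a watch list is an assumption.
IDENTITY_WRITES = {"CreateUser", "AddUserToGroup", "CreateRole", "CreateKeyPair"}

def trusted_principals(policy_json):
    """Principals an assume-role policy allows, decoded from its JSON string form."""
    out = []
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # the "*" form
            out.append(principal)
            continue
        for kind, value in principal.items():
            values = [value] if isinstance(value, str) else value
            out.extend(f"{kind}:{v}" for v in values)
    return out

def triage(record):
    """Return actor, action and a list of findings for one management event record."""
    ident = record.get("userIdentity") or {}
    attrs = (ident.get("sessionContext") or {}).get("attributes") or {}
    params = record.get("requestParameters") or {}
    name = record.get("eventName")
    findings = []
    # Failure is signalled by errorCode; responseElements is null on some successes too.
    if "errorCode" in record:
        findings.append(f"failed:{record['errorCode']}")
    # mfaAuthenticated is the string "true" or "false", not a JSON boolean.
    if name in IDENTITY_WRITES and attrs.get("mfaAuthenticated") != "true":
        findings.append("identity-write-without-mfa")
    if name == "CreateRole" and "assumeRolePolicyDocument" in params:
        findings += [f"trusts:{p}" for p in trusted_principals(params["assumeRolePolicyDocument"])]
    return {"actor": ident.get("userName") or ident.get("arn"),
            "action": f"{record.get('eventSource')}:{name}", "findings": findings}

def _rec(user, source, name, params, **extra):
    # Constructed helper: builds a record holding only the fields triage() reads.
    identity = {"userName": user,
                "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}
    return {"userIdentity": identity, "eventSource": source, "eventName": name,
            "requestParameters": params, **extra}

# Constructed sample: abridged from the Paulo, Terry and Saanvi examples on this page.
SAMPLE = [
    _rec("Paulo", "iam.amazonaws.com", "AddUserToGroup", {"groupName": "Admin", "userName": "Jane"}),
    _rec("Terry", "cloudtrail.amazonaws.com", "UpdateTrail", {"name": "myTrail2"},
         errorCode="TrailNotFoundException"),
    _rec("Saanvi", "iam.amazonaws.com", "CreateRole", {"roleName": "TestRole",
         "assumeRolePolicyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
         '"Action":["sts:AssumeRole"],"Principal":{"Service":["ec2.amazonaws.com"]}}]}'}),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(triage(rec))
```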

### CloudTrail Insights event log example
<a name="insights-event-example"></a>

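The following example shows a CloudTrail Insights event log. An Insights event is actually a pair of events that mark the start and end of a period of unusual write management API activity or error response activity. The `state` field shows whether the event was logged at the start or the end of the period of unusual activity. The event name, `UpdateInstanceInformation`, is the same as the name of the Amazon Systems Manager API for which CloudTrail analyzed management events to determine that unusual activity occurred. Although the start and end events have unique `eventID` values, they also have a `sharedEventID` value that is used by the pair. The Insights event shows the `baseline`, or the normal pattern of activity, and the `insight`, or the average unusual activity that triggered the start Insights event; in the end event, it also shows the `insight` value for the average unusual activity over the duration of the Insights event. For more information about CloudTrail Insights, see [Working with CloudTrail Insights](logging-insights-events-with-cloudtrail.md).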

```
{
    "Records": [{
        "eventVersion": "1.08",
        "eventTime": "2023-01-02T02:51:00Z",
        "awsRegion": "us-east-1",
        "eventID": "654a30ff-b0f3-4527-81b6-EXAMPLEf2393",
        "eventType": "AwsCloudTrailInsight",
        "recipientAccountId": "123456789012",
        "sharedEventID": "bcbfc274-8559-4a56-beb0-EXAMPLEa6c34",
        "insightDetails": {
            "state": "Start",
            "eventSource": "ssm.amazonaws.com",
            "eventName": "UpdateInstanceInformation",
            "insightType": "ApiCallRateInsight",
            "insightContext": {
                "statistics": {
                    "baseline": {
                        "average": 84.410596421
                    },
                    "insight": {
                        "average": 669
                    }
                }
            }
        },
        "eventCategory": "Insight"
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2023-01-02T00:22:00Z",
        "awsRegion": "us-east-1",
        "eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4",
        "eventType": "AwsCloudTrailInsight",
        "recipientAccountId": "123456789012",
        "sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51",
        "insightDetails": {
            "state": "End",
            "eventSource": "ssm.amazonaws.com",
            "eventName": "UpdateInstanceInformation",
            "insightType": "ApiCallRateInsight",
            "insightContext": {
                "statistics": {
                    "baseline": {
                        "average": 74.156423842
                    },
                    "insight": {
                        "average": 657
                    },
                    "insightDuration": 1
                }
            }
        },
        "eventCategory": "Insight"
    }]
}
```
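
The following Python example is added here and is not part of the original documentation or AWS code. It groups Insights events by `sharedEventID`, reports each complete start/end pair with the ratio of `insight` to `baseline`, and lists events whose counterpart is not in the batch. The function names and the `constructed-shared-*` identifiers are assumptions; the statistics reuse the values shown above.

```python
from collections import defaultdict

def _ratio(rec):
    stats = rec["insightDetails"]["insightContext"]["statistics"]
    base = stats["baseline"]["average"]
    # A zero baseline means any activity is unusual; avoid dividing by it.
    return float("inf") if base == 0 else stats["insight"]["average"] / base

def pair_insights(records):
    """Return (pairs, orphans) for the Insights events found in records."""
    by_shared = defaultdict(dict)
    for rec in records:
        if rec.get("eventType") == "AwsCloudTrailInsight":
            by_shared[rec["sharedEventID"]][rec["insightDetails"]["state"]] = rec
    pairs, orphans = [], []
    for shared_id, states in by_shared.items():
        start, end = states.get("Start"), states.get("End")
        if start and end:
            details = start["insightDetails"]
            end_stats = end["insightDetails"]["insightContext"]["statistics"]
            pairs.append({
                "sharedEventID": shared_id,
                "api": f"{details['eventSource']}:{details['eventName']}",
                "start_ratio": round(_ratio(start), 1),
                "end_ratio": round(_ratio(end), 1),
                "insightDuration": end_stats.get("insightDuration"),
            })
        else:
            # The other half may sit in a different log file or not exist yet.
            orphans += [{"sharedEventID": shared_id, "state": s} for s in states]
    return pairs, orphans

def _event(shared_id, state, baseline, insight, duration=None):
    # Constructed helper: builds an Insights record with the fields used above.
    stats = {"baseline": {"average": baseline}, "insight": {"average": insight}}
    if duration is not None:
        stats["insightDuration"] = duration
    return {"eventType": "AwsCloudTrailInsight", "sharedEventID": shared_id,
            "insightDetails": {"state": state, "eventSource": "ssm.amazonaws.com",
                               "eventName": "UpdateInstanceInformation",
                               "insightType": "ApiCallRateInsight",
                               "insightContext": {"statistics": stats}}}

# Constructed sample: identifiers are made up, statistics are taken from the log above.
SAMPLE = [
    _event("constructed-shared-A", "Start", 84.410596421, 669),
    _event("constructed-shared-A", "End", 84.410596421, 657, duration=1),
    _event("constructed-shared-B", "End", 74.156423842, 657, duration=1),
]

if __name__ == "__main__":
    pairs, orphans = pair_insights(SAMPLE)
    print("pairs:", pairs)
    print("orphans:", orphans)
```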