

# Working with CloudTrail event history


CloudTrail is enabled by default for your AWS account and you automatically have access to the CloudTrail event history. The event history provides a viewable, searchable, downloadable, and immutable record of the past 90 days of management events in an AWS Region. These events capture activity made through the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. The event history records events in the AWS Region where the event happened. There are no CloudTrail charges for viewing the event history.

You can look up events related to the creation, modification, or deletion of resources (such as IAM users or Amazon EC2 instances) in your AWS account, one Region at a time, on the **Event history** page of the CloudTrail console. You can also look up these events by running the [lookup-events](https://docs.aws.amazon.com/cli/latest/reference/cloudtrail/lookup-events.html) command or by using the [LookupEvents](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) API.

 You can use the **Event history** page on the CloudTrail console to view, search, download, archive, analyze, and respond to account activity across your AWS infrastructure. You can [customize the view](view-cloudtrail-events-console.md#displaying-cloudtrail-events) of the **Event history** page on the console by selecting how many events to display on each page and which columns to display or hide. You can also compare the details of events in event history side-by-side. You can programmatically [look up events](view-cloudtrail-events-cli.md) by using the AWS SDKs or AWS Command Line Interface.

 

**Note**  
Over time, AWS services might add additional events. CloudTrail records these events in event history, but a full 90-day record of activity that includes added events won't be available until 90 days after it adds the events.  
The event history is separate from any trails or event data stores that you create for your account. Changes you make to your event data stores or trails do not affect the event history.

The sections which follow describe how to look up recent management events by using the CloudTrail console and the AWS CLI, and describe how to download a file of events. For information about using the `LookupEvents` API to retrieve information from CloudTrail events, see [LookupEvents](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) in the *AWS CloudTrail API Reference*.

**Topics**
+ [Limitations of Event history](#event-history-limitations)
+ [Viewing recent management events with the console](view-cloudtrail-events-console.md)
+ [Viewing recent management events with the AWS CLI](view-cloudtrail-events-cli.md)

## Limitations of Event history


The following limitations apply to the event history.
+ The **Event history** page on the CloudTrail console only shows management events. It does not show data events, Insights events, or network activity events.
+ The event history is limited to the past 90 days of events. For an ongoing record of events in your AWS account, create an [event data store](query-event-data-store-cloudtrail.md) or a [trail](cloudtrail-create-a-trail-using-the-console-first-time.md).
+ When you download events from the **Event history** page on the CloudTrail console, you can download up to 200,000 events in a single file. If you reach the 200,000 event limit, the CloudTrail console will provide the option to download additional files.
+ The event history doesn't provide organization level event aggregation. To record events across your organization, create an organization event data store or trail.
+ An event history search is limited to a single AWS account, only returns events from a single AWS Region, and cannot query multiple attributes. You can only apply one attribute filter and a time range filter.

  You can create a CloudTrail Lake event data store to query across multiple attributes and AWS Regions. You can also query across multiple AWS accounts in an AWS Organizations organization. In CloudTrail Lake, you can query multiple event types, including management events, data events, Insights events, AWS Config configuration items, Audit Manager evidence, and non-AWS events. CloudTrail Lake queries offer a deeper and more customizable view of events than simple key and value lookups on the **Event history** page, or by running `LookupEvents`. For more information, see [Working with AWS CloudTrail Lake](cloudtrail-lake.md) and [Create an event data store for CloudTrail events with the console](query-event-data-store-cloudtrail.md).
+ You cannot exclude AWS KMS or Amazon RDS Data API events from event history; settings that you apply to a trail or event data store do not apply to event history.

# Viewing recent management events with the console


You can use the **Event history** page in the CloudTrail console to view the last 90 days of management events in an AWS Region. You can also download a file with that information, or a subset of information based on the filter and time range you choose. You can customize your view of **Event history** by selecting how many events to display on each page and choosing which columns to display on the console. You can also look up and filter events by the resource types available for a particular service. You can select up to five events in **Event history** and compare their details side-by-side.

Event history does not show data events. To view data events, create an [event data store](query-event-data-store-cloudtrail.md) or a [trail](cloudtrail-create-and-update-a-trail.md).

After 90 days, events are no longer shown in event history. You cannot manually delete events from event history.

You can learn more about the specifics of how CloudTrail logs events for a specific service by consulting the documentation for that service. For more information, see [AWS service topics for CloudTrail](cloudtrail-aws-service-specific-topics.md#cloudtrail-aws-service-specific-topics-list).

**Note**  
For an ongoing record of activity and events past 90 days, create an [event data store](query-event-data-store-cloudtrail.md) or a [trail](cloudtrail-create-a-trail-using-the-console-first-time.md).

**To view Event history**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Event history**. You see a filtered list of events, with the most recent events showing first. The default filter for events is **Read only**, set to **false**. You can clear that filter by choosing **X** at the right of the filter.

1. You can filter events on a single attribute, which you can choose from the drop-down list. To filter on an attribute, choose the attribute from the drop-down list and enter the full value for the attribute. For example, to view all console login events, choose the **Event name** filter, and specify **ConsoleLogin**. Or, to view recent S3 management events, choose the **Event source** filter, and specify `s3.amazonaws.com`.

1. To view a specific management event, choose the event name. On the event details page, you can view details about the event, see any referenced resources, and view the event record.

1. To compare events, select up to five events by filling their check boxes in the left margin of the **Event history** table. You can view details for the selected events side-by-side in the **Compare event details** table.

1. You can save event history by downloading it as a file in CSV or JSON format. Downloading your event history can take a few minutes.

**Contents**
+ [Navigating between pages](#navigate-event-history)
+ [Customizing the display](#displaying-cloudtrail-events)
+ [Filtering CloudTrail events](#filtering-cloudtrail-events)
+ [Viewing details for an event](#viewing-details-for-an-event)
+ [Downloading events](#downloading-events)
+ [Viewing resources referenced with AWS Config](#viewing-resources-config)

## Navigating between pages


You can navigate between pages in the **Event history** by choosing the page you want to view. You can also view the next and previous page in **Event history**.

Choose **<** to view the previous page of **Event history**.

Choose **>** to view the next page of **Event history**.

## Customizing the display


You can customize the view of **Event history** on the CloudTrail console by selecting from the following preferences.
+ **Page size** - Choose whether you want to display 10, 25, or 50 events on each page.
+ **Wrap lines** - Wrap text so you can see all text for each event.
+ **Striped rows** - Shade every other row in the table.
+ **Event time display** - Choose whether to display the event time in UTC or the local time zone.
+ **Select visible columns** - Select which columns to display. By default, the following columns are displayed:
  + **Event name**
  + **Event time**
  + **User name**
  + **Event source**
  + **Resource type**
  + **Resource name**

**Note**  
You cannot change the order of the columns, or manually delete events from **Event history**.

**To customize the display**

1. Sign in to the AWS Management Console and open the CloudTrail console at [https://console.aws.amazon.com/cloudtrail/](https://console.aws.amazon.com/cloudtrail/).

1. In the navigation pane, choose **Event history**. 

1. Choose the gear icon.

1. For **Page size**, choose the number of events to display on a page.

1. Choose **Wrap lines** to see all text for each event.

1. Choose **Striped rows** to shade every other row in the table.

1. For **Event time display**, choose whether to display the event time in UTC or the local time zone. By default, UTC is selected.

1. In **Select visible columns**, select the columns you want to display. Turn off columns you do not want to display. 

1. When you have finished making your changes, choose **Confirm**.

## Filtering CloudTrail events


The default display of events in **Event history** uses an attribute filter to exclude read-only events from the list of displayed events. This attribute filter is named **Read only**, and it is set to **false**. You can remove this filter to display both read and write events. To view only read events, change the filter value to **true**. You can also filter events by other attributes and by time range.

**Note**  
You can only apply one attribute filter and a time range filter. You cannot apply multiple attribute filters.

**AWS access key**  
The AWS access key ID that was used to sign the request. If the request was made with temporary security credentials, this is the access key ID of the temporary credentials.

**Event ID**  
The CloudTrail ID of the event. Each event has a unique ID.

**Event name**  
The name of the event. For example, you can filter on IAM events, such as `CreatePolicy`, or Amazon EC2 events, such as `RunInstances`.

**Event source**  
The AWS service to which the request was made, such as `iam.amazonaws.com` or `s3.amazonaws.com`. You can scroll through a list of event sources after you choose the **Event source** filter. 

**Read only**  
The read type of the event. Events are categorized as read events or write events. If set to **false**, read events are not included in the list of displayed events. By default, this attribute filter is applied and the value is set to **false**.

**Resource name**  
The name or ID of the resource referenced by the event. For example, the resource name might be "auto-scaling-test-group" for an Auto Scaling group or "i-12345678910" for an EC2 instance.

**Resource type**  
The type of resource referenced by the event. For example, a resource type can be `Instance` for EC2 or `DBInstance` for RDS. Resource types vary for each AWS service. 

**Time range**  
The time range in which you want to filter events. You can choose either a **Relative range** or an **Absolute range**. You can filter events for the last 90 days.

**User name**  
The identity referenced by the event. For example, this can be a user, a role name, or a service role.

If there are no events logged for the attribute or time that you choose, the results list is empty. You can apply only one attribute filter in addition to the time range. If you choose a different attribute filter, your specified time range is preserved.

The following steps describe how to filter by attribute. 

**To filter by attribute**

1. To filter the results by an attribute, choose an attribute from the **Lookup attributes** drop-down list, and then type or choose a value for the attribute in the text box.

1. To remove an attribute filter, choose the **X** at the right of the attribute filter box.

The following steps describe how to filter by a start and end date and time.

**To filter by a start and end date and time**

1. To narrow the time range for the events that you want to see, choose a time range in the time range bar. You can choose either a **Relative range** or an **Absolute range**.

   Choose **Relative range** to select from a preset value or choose a custom range. Preset values are 30 minutes, 1 hour, 12 hours, or 1 day. To specify a custom time range, choose **Custom**.

   Choose **Absolute range** to specify a specific start and end time. You can also choose between the local time zone or UTC.

1. To remove a time range filter, choose **Clear and dismiss** in the time range bar.

## Viewing details for an event


1. Choose an event in the results list to show its details.

1. Resources referenced in the event are shown in the **Resources referenced** table on the event details page.

1. Some referenced resources have links. Choose the link to open the console for that resource.

1. Scroll to **Event record** on the details page to see the JSON event record, also called the event *payload*.

1. Choose **Event history** in the page breadcrumb to close the event details page and return to **Event history**.

## Downloading events


You can download recorded event history as a file in CSV or JSON format. You can download up to 200,000 events in a single file. If you reach the 200,000 event limit, the CloudTrail console will provide the option to download additional files. Use filters and time ranges to reduce the size of the file you download. 

**Note**  
CloudTrail event history files are data files that contain information (such as resource names) that can be configured by individual users. Some data can potentially be interpreted as commands in programs used to read and analyze this data (CSV injection). For example, when CloudTrail events are exported to CSV and imported to a spreadsheet program, that program might warn you about security concerns. You should choose to disable this content to keep your system secure. Always disable links or macros from downloaded event history files.

1. Add a filter and time range for events in **Event history** that you want to download. For example, you can specify the event name, `StartInstances`, and specify a time range for the last three days of activity.

1. Choose **Download events**, and then choose **Download as CSV** or **Download as JSON**. The download starts immediately.

   **Note**  
   Your download might take some time to complete. For faster results, before you start the download process, use a more specific filter or a shorter time range to narrow the results. You can cancel a download. If you cancel a download, a partial download including only some event data might be on your local computer. To download the full event history, restart the download.

1. After your download is complete, open the file to view the events that you specified.

1. To cancel your download, choose **Cancel**, and then confirm by choosing **Cancel download**. If you need to restart a download, wait until the earlier download is finished canceling.
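One way to neutralize formula-like cells in a downloaded CSV before opening it in a spreadsheet program, as an added example that is not part of the CloudTrail documentation. The column names and rows in `SAMPLE_CSV` are constructed for illustration; the columns in a real export may differ.

```python
import csv
import io

# Leading characters that spreadsheet programs treat as the start of a
# formula or command. Tab and carriage return are included because some
# programs strip them and then evaluate what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample: two resource names begin with a formula trigger.
SAMPLE_CSV = (
    "Event name,Event time,User name,Resource name\n"
    "CreateBucket,2024-01-01T00:00:00Z,alice,example-bucket\n"
    "CreateUser,2024-01-01T00:05:00Z,alice,=1+1\n"
    "TagResource,2024-01-01T00:07:00Z,bob,+test\n"
    "RunInstances,2024-01-01T00:10:00Z,bob,i-12345678910\n"
)


def neutralize_cell(value: str) -> str:
    """Prefix a risky cell with a single quote so it is displayed as text."""
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def sanitize_event_history_csv(src, dst) -> int:
    """Copy CSV rows from src to dst, neutralizing formula-like cells.

    Returns the number of cells that were changed. A non-zero count means a
    user-configurable field (for example a resource name) began with a
    formula trigger, which is worth recording during triage.
    """
    reader = csv.reader(src)
    # Quote every field so embedded commas and quotes cannot shift columns.
    writer = csv.writer(dst, quoting=csv.QUOTE_ALL, lineterminator="\n")
    changed = 0
    for row in reader:
        clean = []
        for cell in row:
            safe = neutralize_cell(cell)
            if safe != cell:
                changed += 1
            clean.append(safe)
        writer.writerow(clean)
    return changed


def sanitize_text(text: str):
    """Convenience wrapper: sanitize CSV text, return (changed, new_text)."""
    out = io.StringIO()
    changed = sanitize_event_history_csv(io.StringIO(text, newline=""), out)
    return changed, out.getvalue()


if __name__ == "__main__":
    count, cleaned = sanitize_text(SAMPLE_CSV)
    print(f"{count} cell(s) neutralized")
    print(cleaned)
```

To process a real download, open the source and destination files with `newline=""` and pass them to `sanitize_event_history_csv`; keep the untouched original for evidence.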

## Viewing resources referenced with AWS Config


AWS Config records configuration details, relationships, and changes to your AWS resources. 

On the **Resources referenced** pane, choose the ![\[AWS Config timeline icon\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/config-timeline.png) in the **AWS Config resource timeline** column to view the resource in the AWS Config console.

If the ![\[Shows AWS Config timeline\]](http://docs.aws.amazon.com/awscloudtrail/latest/userguide/images/config-timeline-gray.png) icon is gray, AWS Config isn't turned on, or it's not recording the resource type. Choose the icon to go to the AWS Config console to turn on the service or start recording that resource type. For more information, see [Set Up AWS Config Using the Console](https://docs.aws.amazon.com/config/latest/developerguide/gs-console.html) in the *AWS Config Developer Guide*.

If **Link not available** appears in the column, the resource can't be viewed for one of the following reasons:
+ AWS Config doesn't support the resource type. For more information, see [Supported Resources, Configuration Items, and Relationships](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html) in the *AWS Config Developer Guide*.
+ AWS Config recently added support for the resource type, but it's not yet available from the CloudTrail console. You can look up the resource in the AWS Config console to see the timeline for the resource.
+ The resource is owned by another AWS account.
+ The resource is owned by another AWS service, such as a managed IAM policy.
+ The resource was created and then deleted immediately.
+ The resource was recently created or updated.

To grant users read-only permission to view resources in the AWS Config console, see [Granting permission to view AWS Config information on the CloudTrail console](security_iam_id-based-policy-examples.md#grant-aws-config-permissions-for-cloudtrail-users).

For more information about AWS Config, see the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/).

# Viewing recent management events with the AWS CLI

You can look up CloudTrail management events for the last 90 days for the current AWS Region using the **aws cloudtrail lookup-events** command. The **aws cloudtrail lookup-events** command shows events in the AWS Region where they occurred.

Lookup supports the following attributes for management events:
+ AWS access key
+ Event ID
+ Event name
+ Event source
+ Read only
+ Resource name
+ Resource type
+ User name

All attributes are optional.

The [lookup-events](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/lookup-events.html) command includes the following options:
+ `--max-items` *<integer>* – The total number of items to return in the command's output. If the total number of items available is more than the value specified, a `NextToken` is provided in the command's output. To resume pagination, provide the `NextToken` value in the starting-token argument of a subsequent command. Do not use the `NextToken` response element directly outside of the AWS CLI.
+ `--start-time` *<timestamp>* – Specifies that only events that occur after or at the specified time are returned. If the specified start time is after the specified end time, an error is returned.
+ `--lookup-attributes` *<integer>* – Contains a list of lookup attributes. Currently the list can contain only one item.
+ `--generate-cli-skeleton` *<string>* – Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for `--cli-input-json`. Similarly, if provided yaml-input it will print a sample input YAML that can be used with `--cli-input-yaml`. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
+ `--cli-input-json` *<string>* – Reads arguments from the JSON string provided. The JSON string follows the format provided by the `--generate-cli-skeleton` parameter. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with the `--cli-input-yaml` parameter.

For general information about using the AWS Command Line Interface, see the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/). 

**Contents**
+ [Prerequisites](#aws-cli-prerequisites-for-aws-cloudtrail)
+ [Getting command line help](#getting-command-line-help)
+ [Looking up events](#looking-up-events-with-the-aws-cli)
+ [Specifying the number of events to return](#specify-the-number-of-events-to-return)
+ [Looking up events by time range](#look-up-events-by-time-range)
+ [Looking up events by attribute](#look-up-events-by-attributes)
  + [Attribute lookup examples](#attribute-lookup-example)
+ [Specifying the next page of results](#specify-next-page-of-lookup-results)
+ [Getting JSON input from a file](#json-input-from-file)
+ [Lookup output fields](#view-cloudtrail-events-cli-output-fields)

## Prerequisites

+ To run AWS CLI commands, you must install the AWS CLI. For information, see [Get started with the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html).
+ Make sure your AWS CLI version is greater than 1.6.6. To verify the CLI version, run **aws --version** on the command line.
+ To set the account, AWS Region, and default output format for an AWS CLI session, use the **aws configure** command. For more information, see [Configuring the AWS Command Line Interface](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html).

**Note**  
The CloudTrail AWS CLI commands are case-sensitive.

## Getting command line help


To see the command line help for `lookup-events`, type the following command:

```
aws cloudtrail lookup-events help
```

## Looking up events


**Important**  
The rate of lookup requests is limited to two per second, per account, per Region. If this limit is exceeded, a throttling error occurs.

To see the ten latest events, type the following command:

```
aws cloudtrail lookup-events --max-items 10
```

A returned event looks similar to the following fictitious example, which has been formatted for readability:

```
{
    "NextToken": "kbOt5LlZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juy3CIZW8=",
    "Events": [
        {
            "EventId": "0ebbaee4-6e67-431d-8225-ba0d81df5972",
            "Username": "root",
            "EventTime": 1424476529.0,
            "CloudTrailEvent": "{
                  \"eventVersion\":\"1.02\",
                  \"userIdentity\":{
                        \"type\":\"Root\",
                        \"principalId\":\"111122223333\",
                        \"arn\":\"arn:aws:iam::111122223333:root\",
                        \"accountId\":\"111122223333\"},
                  \"eventTime\":\"2015-02-20T23:55:29Z\",
                  \"eventSource\":\"signin.amazonaws.com\",
                  \"eventName\":\"ConsoleLogin\",
                  \"awsRegion\":\"us-east-2\",
                  \"sourceIPAddress\":\"203.0.113.4\",
                  \"userAgent\":\"Mozilla/5.0\",
                  \"requestParameters\":null,
                  \"responseElements\":{\"ConsoleLogin\":\"Success\"},
                  \"additionalEventData\":{
                         \"MobileVersion\":\"No\",
                         \"LoginTo\":\"https://console.aws.amazon.com/console/home\",
                         \"MFAUsed\":\"No\"},
                  \"eventID\":\"0ebbaee4-6e67-431d-8225-ba0d81df5972\",
                  \"eventType\":\"AwsApiCall\",
                  \"recipientAccountId\":\"111122223333\"}",
            "EventName": "ConsoleLogin",
            "Resources": []
        }
    ]
}
```

For an explanation of the lookup-related fields in the output, see the section [Lookup output fields](#view-cloudtrail-events-cli-output-fields) later in this document. For an explanation of the fields in the CloudTrail event, see [CloudTrail record contents for management, data, and network activity events](cloudtrail-event-reference-record-contents.md).
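Because `CloudTrailEvent` is a JSON document stored as a string, it needs a second decode before fields such as `userIdentity` or `additionalEventData` can be inspected. The following added example (not part of the CloudTrail documentation) decodes saved `lookup-events` output and flags console sign-ins for review. The sample events are constructed on the model of the fictitious event above, and the three triage rules are illustrative assumptions.

```python
import json


def decode_records(lookup_output: str):
    """Yield (lookup_entry, record) pairs from lookup-events JSON output.

    Each entry's CloudTrailEvent is a JSON string, so it is decoded a
    second time. Entries that fail to decode are skipped so that one bad
    entry does not hide the rest.
    """
    for entry in json.loads(lookup_output).get("Events", []):
        try:
            record = json.loads(entry.get("CloudTrailEvent") or "")
        except json.JSONDecodeError:
            record = None
        if isinstance(record, dict):
            yield entry, record


def review_console_logins(lookup_output: str) -> list:
    """Return ConsoleLogin events that match one of the triage rules."""
    findings = []
    for entry, record in decode_records(lookup_output):
        if record.get("eventName") != "ConsoleLogin":
            continue
        identity = record.get("userIdentity") or {}
        outcome = (record.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (record.get("additionalEventData") or {}).get("MFAUsed")
        reasons = []
        if identity.get("type") == "Root":
            reasons.append("root sign-in")
        if outcome == "Success" and mfa != "Yes":
            reasons.append("success without MFA")
        if outcome == "Failure":
            reasons.append("failed sign-in")
        if reasons:
            findings.append({
                "event_id": entry.get("EventId"),
                "time": record.get("eventTime"),
                "source_ip": record.get("sourceIPAddress"),
                "identity": identity.get("arn") or identity.get("type"),
                "reasons": reasons,
            })
    return findings


def _login(event_id, id_type, arn, ip, outcome, mfa):
    """Build one constructed lookup entry for a ConsoleLogin event."""
    record = {
        "eventName": "ConsoleLogin",
        "eventTime": "2015-02-20T23:55:29Z",
        "userIdentity": {"type": id_type, "arn": arn},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
        "additionalEventData": {"MFAUsed": mfa},
    }
    return {"EventId": event_id, "EventName": "ConsoleLogin",
            "CloudTrailEvent": json.dumps(record)}


# Constructed sample output: three sign-ins, one unrelated event, one
# entry whose CloudTrailEvent string is not valid JSON.
SAMPLE_OUTPUT = json.dumps({"Events": [
    _login("sample-0001", "Root", "arn:aws:iam::111122223333:root",
           "203.0.113.4", "Success", "No"),
    _login("sample-0002", "IAMUser", "arn:aws:iam::111122223333:user/alice",
           "198.51.100.7", "Success", "Yes"),
    _login("sample-0003", "IAMUser", "arn:aws:iam::111122223333:user/bob",
           "198.51.100.9", "Failure", "No"),
    {"EventId": "sample-0004", "EventName": "RunInstances",
     "CloudTrailEvent": json.dumps({"eventName": "RunInstances"})},
    {"EventId": "sample-0005", "EventName": "ConsoleLogin",
     "CloudTrailEvent": "{not json"},
]})


if __name__ == "__main__":
    for finding in review_console_logins(SAMPLE_OUTPUT):
        print(finding)
```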

## Specifying the number of events to return


To specify the number of events to return, type the following command:

```
aws cloudtrail lookup-events --max-items <integer>
```

Possible values are 1 through 50. The following example returns one event.

```
aws cloudtrail lookup-events --max-items 1
```

## Looking up events by time range


Events from the past 90 days are available for lookup. To specify a time range, type the following command:

```
aws cloudtrail lookup-events --start-time <timestamp> --end-time <timestamp>
```

`--start-time <timestamp>` specifies, in UTC, that only events that occur after or at the specified time are returned. If the specified start time is after the specified end time, an error is returned.

`--end-time <timestamp>` specifies, in UTC, that only events that occur before or at the specified time are returned. If the specified end time is before the specified start time, an error is returned.

The default start time is the earliest date that data is available within the last 90 days. The default end time is the time of the event that occurred closest to the current time.

All timestamps are shown in UTC.

## Looking up events by attribute


To filter by an attribute, type the following command:

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=<attribute>,AttributeValue=<string>
```

You can specify only one attribute key/value pair for each **lookup-events** command. The following are valid values for `AttributeKey`. Value names are case sensitive.
+ `AccessKeyId`
+ `EventId`
+ `EventName`
+ `EventSource`
+ `ReadOnly`
+ `ResourceName`
+ `ResourceType`
+ `Username`

The maximum length for the `AttributeValue` is 2000 characters. The following characters ('`_`', '` `', '`,`', '`\\n`') count as two characters towards the 2000 character limit.

### Attribute lookup examples


The following example command returns events in which the value of `AccessKeyId` is `AKIAIOSFODNN7EXAMPLE`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=AKIAIOSFODNN7EXAMPLE
```

The following example command returns the event for the specified CloudTrail `EventId`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventId,AttributeValue=b5cc8c40-12ba-4d08-a8d9-2bceb9a3e002
```

The following example command returns events in which the value of `EventName` is `RunInstances`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RunInstances
```

The following example command returns events in which the value of `EventSource` is `iam.amazonaws.com`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=iam.amazonaws.com
```

The following example command returns write events. It excludes read events such as `GetBucketLocation` and `DescribeStream`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false
```

The following example command returns events in which the value of `ResourceName` is `CloudTrail_CloudWatchLogs_Role`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=CloudTrail_CloudWatchLogs_Role
```

The following example command returns events in which the value of `ResourceType` is `AWS::S3::Bucket`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceType,AttributeValue=AWS::S3::Bucket
```

The following example command returns events in which the value of `Username` is `root`.

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root
```

## Specifying the next page of results


To get the next page of results from a `lookup-events` command, type the following command:

```
aws cloudtrail lookup-events <same parameters as previous command> --next-token=<token>
```

where the value for *<token>* is taken from the first field of the output of the previous command. 

When you use `--next-token` in a command, you must use the same parameters as in the previous command. For example, suppose you run the following command:

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root
```

To get the next page of results, your next command would look like this:

```
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=root --next-token=kbOt5LlZe++mErCebpy2TgaMgmDvF1kYGFcH64JSjIbZFjsuvrSqg66b5YGssKutDYIyII4lrP4IDbeQdiObkp9YAlju3oXd12juy3CIZW8=
```
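The paging rule above, the limit of two lookup requests per second, and the one-attribute restriction can be handled together in a script. This added example (not code from the CloudTrail documentation) pages through results with the same parameters on every call, spaces the calls half a second apart, and applies a second filter on the client side. It assumes `lookup` is a callable shaped like the boto3 CloudTrail client's `lookup_events`; `FakeCloudTrail` and its pages are constructed so the block runs offline.

```python
import time

MIN_INTERVAL = 0.5   # seconds between calls: two lookup requests per second
PAGE_SIZE = 50       # upper end of the 1 through 50 range for results


def lookup_all(lookup, key, value, keep=None, start_time=None, end_time=None,
               sleep=time.sleep, clock=time.monotonic):
    """Collect every event for one lookup attribute, following NextToken.

    lookup : callable taking LookupEvents keyword arguments (assumption:
             for example boto3.client("cloudtrail").lookup_events).
    keep   : optional predicate applied to each returned event. Lookup
             accepts only one attribute, so a second condition has to be
             checked here, after the events are returned.
    """
    params = {
        "LookupAttributes": [{"AttributeKey": key, "AttributeValue": value}],
        "MaxResults": PAGE_SIZE,
    }
    if start_time is not None:
        params["StartTime"] = start_time
    if end_time is not None:
        params["EndTime"] = end_time

    matched, token, last_call = [], None, None
    while True:
        # Stay under the request rate to avoid throttling errors.
        if last_call is not None:
            wait = MIN_INTERVAL - (clock() - last_call)
            if wait > 0:
                sleep(wait)
        last_call = clock()
        # Every page request repeats the original parameters unchanged.
        request = dict(params, NextToken=token) if token else dict(params)
        page = lookup(**request)
        matched.extend(e for e in page.get("Events", [])
                       if keep is None or keep(e))
        token = page.get("NextToken")
        if not token:
            return matched


class FakeCloudTrail:
    """Constructed stand-in for a CloudTrail client; serves three pages."""

    PAGES = {
        None: {"Events": [{"EventName": "CreateUser", "Username": "root"},
                          {"EventName": "CreateUser", "Username": "alice"}],
               "NextToken": "page-2"},
        "page-2": {"Events": [{"EventName": "CreateUser", "Username": "alice"},
                              {"EventName": "CreateUser", "Username": "root"}],
                   "NextToken": "page-3"},
        "page-3": {"Events": [{"EventName": "CreateUser", "Username": "root"}]},
    }

    def __init__(self):
        self.calls = []

    def lookup_events(self, **kwargs):
        self.calls.append(kwargs)
        return self.PAGES[kwargs.get("NextToken")]


def demo():
    """Run against the fake client with a frozen clock and recorded sleeps."""
    client, sleeps = FakeCloudTrail(), []
    events = lookup_all(client.lookup_events, "EventName", "CreateUser",
                        keep=lambda e: e.get("Username") == "root",
                        sleep=sleeps.append, clock=lambda: 0.0)
    return events, client.calls, sleeps


if __name__ == "__main__":
    found, calls, pauses = demo()
    print(len(found), "matching events in", len(calls), "requests")
```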

## Getting JSON input from a file


The AWS CLI for some AWS services has two parameters, `--generate-cli-skeleton` and `--cli-input-json`, that you can use to generate a JSON template which you can modify and use as input to the `--cli-input-json` parameter. This section describes how to use these parameters with `aws cloudtrail lookup-events`. For more general information, see [AWS CLI skeletons and input files](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-skeleton.html).

**To look up CloudTrail events by getting JSON input from a file**

1. Create an input template for use with `lookup-events` by redirecting the `--generate-cli-skeleton` output to a file, as in the following example.

   ```
   aws cloudtrail lookup-events --generate-cli-skeleton > LookupEvents.txt
   ```

   The template file generated (in this case, LookupEvents.txt) looks like this:

   ```
   {
       "LookupAttributes": [
           {
               "AttributeKey": "",
               "AttributeValue": ""
           }
       ],
       "StartTime": null,
       "EndTime": null,
       "MaxResults": 0,
       "NextToken": ""
   }
   ```

1. Use a text editor to modify the JSON as needed. The JSON input must contain only values that are specified.

   **Important**  
   All empty or null values must be removed from the template before you can use it.

   The following example specifies a time range and maximum number of results to return.

   ```
   {
       "StartTime": "2023-11-01",
       "EndTime": "2023-12-12",
       "MaxResults": 10
   }
   ```

1. To use the edited file as input, use the syntax `--cli-input-json file://`*<filename>*, as in the following example:

   ```
   aws cloudtrail lookup-events --cli-input-json file://LookupEvents.txt
   ```

**Note**  
You can use other arguments on the same command line as `--cli-input-json`.

## Lookup output fields


**Events**  
A list of lookup events based on the lookup attribute and time range that were specified. The events list is sorted by time, with the latest event listed first. Each entry contains information about the lookup request and includes a string representation of the CloudTrail event that was retrieved.   
The following entries describe the fields in each lookup event. 

**CloudTrailEvent**  
A JSON string that contains an object representation of the event returned. For information about each of the elements returned, see [Record Body Contents](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-record-contents.html).

**EventId**  
A string that contains the GUID of the event returned.

**EventName**  
A string that contains the name of the event returned. 

**EventSource**  
The AWS service that the request was made to. 

**EventTime**  
The date and time, in UNIX time format, of the event. 

**Resources**  
A list of resources referenced by the event that was returned. Each resource entry specifies a resource type and a resource name. 

**ResourceName**  
A string that contains the name of the resource referenced by the event. 

**ResourceType**  
A string that contains the type of a resource referenced by the event. When the resource type cannot be determined, null is returned. 

**Username**  
A string that contains the user name of the account for the event returned. 

**NextToken**  
A string to get the next page of results from a previous `lookup-events` command. To use the token, the parameters must be the same as those in the original command. If no `NextToken` entry appears in the output, there are no more results to return. 