本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# CloudTrail 日誌檔案範例
CloudTrail 會監控您帳戶的事件。如果您建立追蹤,其會將這些事件做為日誌檔案交付至您的 Amazon S3 儲存貯體。如果您在 CloudTrail Lake 中建立事件資料存放區,事件會記錄到事件資料存放區中。事件資料存放區不會使用 S3 儲存貯體。
**Topics**
+ [CloudTrail 記錄檔名稱格式](#cloudtrail-log-filename-format)
+ [日誌檔案範例](#cloudtrail-log-file-examples-section)
## CloudTrail 記錄檔名稱格式
CloudTrail 會將下列檔案名稱格式用於它交付至您 Amazon S3 儲存貯體的日誌檔案物件:
```
AccountID_CloudTrail_RegionName_YYYYMMDDTHHmmZ_UniqueString.FileNameFormat
```
+ `YYYY`、`MM`、`DD`、`HH` 和 `mm` 是交付日誌檔案之年、月、日、時和分的數字。小時為 24 小時格式。`Z` 指出時間為 UTC 時間。
**注意**
在特定時間交付的日誌檔案,會包含該時間之前的任何時間點所寫入之記錄。
+ 日誌檔案名稱的 16 字元 `UniqueString` 元件是為了避免覆寫檔案。它沒有任何意義,所以日誌處理軟體應會忽略它。
+ `FileNameFormat` 是檔案的編碼。目前,這是 `json.gz`,即壓縮 gzip 格式的 JSON 文字檔。
**CloudTrail 日誌檔案名稱**
```
111122223333_CloudTrail_us-east-2_20150801T0210Z_Mu0KsOhtH1ar15ZZ.json.gz
```
## 日誌檔案範例
日誌檔案包含一或多筆記錄。下列範例是日誌的程式碼片段,可顯示開始建立日誌檔案之動作的記錄。
如需有關 CloudTrail 事件記錄欄位的資訊,請參閱 [CloudTrail 記錄管理、資料和網路活動事件的內容](cloudtrail-event-reference-record-contents.md)。
**Contents**
+ [Amazon EC2 日誌範例](#cloudtrail-log-file-examples-ec2)
+ [IAM 日誌範例](#cloudtrail-log-file-examples-iam)
+ [錯誤代碼和訊息日誌範例](#error-code-and-error-message)
+ [CloudTrail Insights 事件記錄範例](#insights-event-example)
### Amazon EC2 日誌範例
Amazon Elastic Compute Cloud (Amazon EC2) 在 AWS 雲端中提供可調整大小的運算容量。您可以啟動虛擬伺服器、設定安全和聯網功能,以及管理儲存。Amazon EC2 也可以迅速擴展與縮減規模,以處理需求或熱門高峰的變更,從而降低您預測伺服器流量的需求。如需詳細資訊,請參閱《[Amazon EC2 使用者指南](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/)》。
下列範例顯示名為 `Mateo` 的 IAM 使用者執行 **aws ec2 start-instances** 命令,為執行個體 `i-EXAMPLE56126103cb` 和 `i-EXAMPLEaff4840c22` 呼叫 Amazon EC2 [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StartInstances.html) 動作。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE6E4XEGITWATV6R",
"arn": "arn:aws:iam::123456789012:user/Mateo",
"accountId": "123456789012",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mateo",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:17:28Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StartInstances",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.start-instances",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLE56126103cb"
},
{
"instanceId": "i-EXAMPLEaff4840c22"
}
]
}
},
"responseElements": {
"requestId": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLEaff4840c22",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
},
{
"instanceId": "i-EXAMPLE56126103cb",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}
]
}
},
"requestID": "e4336db0-149f-4a6b-844d-EXAMPLEb9d16",
"eventID": "e755e09c-42f9-4c5c-9064-EXAMPLE228c7",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "123456789012",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
下列範例顯示名為 `Nikki` 的 IAM 使用者執行 **aws ec2 stop-instances** 命令,呼叫 Amazon EC2 [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_StopInstances.html) 動作以停止兩個執行個體。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "EXAMPLE6E4XEGITWATV6R",
"arn": "arn:aws:iam::777788889999:user/Nikki",
"accountId": "777788889999",
"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
"userName": "Nikki",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:14:20Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "StopInstances",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.stop-instances",
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLE56126103cb"
},
{
"instanceId": "i-EXAMPLEaff4840c22"
}
]
},
"force": false
},
"responseElements": {
"requestId": "c308a950-e43e-444e-afc1-EXAMPLE73e49",
"instancesSet": {
"items": [
{
"instanceId": "i-EXAMPLE56126103cb",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
},
{
"instanceId": "i-EXAMPLEaff4840c22",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}
]
}
},
"requestID": "c308a950-e43e-444e-afc1-EXAMPLE73e49",
"eventID": "9357a8cc-a0eb-46a1-b67e-EXAMPLE19b14",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "777788889999",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
下列範例顯示名為 `Arnav` 的 IAM 使用者執行 **aws ec2 create-key-pair** 命令,以呼叫 [https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateKeyPair.html) 動作。請注意, `responseElements`包含金鑰對的雜湊,並 AWS 移除金鑰材料。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA6ON6E4XEGIEXAMPLE",
"arn": "arn:aws:iam::444455556666:user/Arnav",
"accountId": "444455556666",
"accessKeyId": "AKIAI44QH8DHBEXAMPLE",
"userName": "Arnav",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:19:22Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateKeyPair",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/ec2.create-key-pair",
"requestParameters": {
"keyName": "my-key",
"keyType": "rsa",
"keyFormat": "pem"
},
"responseElements": {
"requestId": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196",
"keyName": "my-key",
"keyFingerprint": "1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f",
"keyPairId": "key-abcd12345eEXAMPLE",
"keyMaterial": ""
},
"requestID": "9aa4938f-720f-4f4b-9637-EXAMPLE9a196",
"eventID": "2ae450ff-e72b-4de1-87b0-EXAMPLE5227cb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "444455556666",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "ec2.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
### IAM 日誌範例
AWS Identity and Access Management (IAM) 是一種 Web 服務,可協助您安全地控制對 資源的 AWS 存取。使用 IAM,您可以集中管理控制使用者可以存取哪些 AWS 資源的許可。您可以使用 IAM 來控制能通過身分驗證 (登入) 和授權使用資源的 (具有許可) 的人員。如需詳細資訊,請參閱《IAM 使用者指南》[https://docs.aws.amazon.com/IAM/latest/UserGuide/](https://docs.aws.amazon.com/IAM/latest/UserGuide/)。
下列範例顯示名為 `Mary` 的 IAM 使用者執行 **aws iam create-user** 命令,呼叫 [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html) 動作以建立名為 `Richard` 的新使用者。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA6ON6E4XEGITEXAMPLE",
"arn": "arn:aws:iam::888888888888:user/Mary",
"accountId": "888888888888",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Mary",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:25:09Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateUser",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-user",
"requestParameters": {
"userName": "Richard"
},
"responseElements": {
"user": {
"path": "/",
"arn": "arn:aws:iam::888888888888:user/Richard",
"userId": "AIDA6ON6E4XEP7EXAMPLE",
"createDate": "Jul 19, 2023 9:25:09 PM",
"userName": "Richard"
}
},
"requestID": "2d528c76-329e-410b-9516-EXAMPLE565dc",
"eventID": "ba0801a1-87ec-4d26-be87-EXAMPLE75bbb",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "888888888888",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
下列範例顯示名為 `Paulo` 的 IAM 使用者執行 **aws iam add-user-to-group** 命令,呼叫 [https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html) 動作以新增名為 `Jane` 的使用者至 `Admin` 群組。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA6ON6E4XEGIEXAMPLE",
"arn": "arn:aws:iam::555555555555:user/Paulo",
"accountId": "555555555555",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Paulo",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:25:09Z",
"eventSource": "iam.amazonaws.com",
"eventName": "AddUserToGroup",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.add-user-to-group",
"requestParameters": {
"groupName": "Admin",
"userName": "Jane"
},
"responseElements": null,
"requestID": "ecd94349-b36f-44bf-b6f5-EXAMPLE9c463",
"eventID": "2939ba50-1d26-4a5a-83bd-EXAMPLE85850",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555555555555",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
下列範例顯示名為 `Saanvi` 的 IAM 使用者執行 **aws iam create-role** 命令,呼叫 [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateRole.html) 動作以建立一個角色。
```
{"Records": [{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA6ON6E4XEGITEXAMPLE",
"arn": "arn:aws:iam::777777777777:user/Saanvi",
"accountId": "777777777777",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Saanvi",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:29:12Z",
"eventSource": "iam.amazonaws.com",
"eventName": "CreateRole",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.5 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/iam.create-role",
"requestParameters": {
"roleName": "TestRole",
"description": "Allows EC2 instances to call AWS services on your behalf.",
"assumeRolePolicyDocument": "{\"Version\":\"2012-10-17\", \"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"sts:AssumeRole\"],\"Principal\":{\"Service\":[\"ec2.amazonaws.com\"]}}]}"
},
"responseElements": {
"role": {
"assumeRolePolicyDocument": "{{policy-statement}}",
"arn": "arn:aws:iam::777777777777:role/TestRole",
"roleId": "AROA6ON6E4XEFFEXAMPLE",
"createDate": "Jul 19, 2023 9:29:12 PM",
"roleName": "TestRole",
"path": "/"
}
},
"requestID": "ff38f36e-ebd3-425b-9939-EXAMPLE1bbe",
"eventID": "9da77cd0-493f-4c89-8852-EXAMPLEa887c",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "777777777777",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "iam.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
### 錯誤代碼和訊息日誌範例
下列範例顯示名為 `Terry` 的 IAM 使用者執行 **aws cloudtrail update-trail** 命令來呼叫 [https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html) 動作以更新名為 `myTrail2` 的追蹤,但找不到該追蹤名稱。日誌會顯示 `errorCode` 和 `errorMessage` 元素中的這個錯誤。
```
{"Records": [{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDA6ON6E4XEGIEXAMPLE",
"arn": "arn:aws:iam::111122223333:user/Terry",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"userName": "Terry",
"sessionContext": {
"attributes": {
"creationDate": "2023-07-19T21:11:57Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-07-19T21:35:03Z",
"eventSource": "cloudtrail.amazonaws.com",
"eventName": "UpdateTrail",
"awsRegion": "us-east-1",
"sourceIPAddress": "192.0.2.0",
"userAgent": "aws-cli/2.13.0 Python/3.11.4 Linux/4.14.255-314-253.539.amzn2.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off command/cloudtrail.update-trail",
"errorCode": "TrailNotFoundException",
"errorMessage": "Unknown trail: arn:aws:cloudtrail:us-east-1:111122223333:trail/myTrail2 for the user: 111122223333",
"requestParameters": {
"name": "myTrail2",
"isMultiRegionTrail": true
},
"responseElements": null,
"requestID": "28d2faaf-3319-4649-998d-EXAMPLE72818",
"eventID": "694d604a-d190-4470-8dd1-EXAMPLEe20c1",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "111122223333",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "cloudtrail.us-east-1.amazonaws.com"
},
"sessionCredentialFromConsole": "true"
}]}
```
### CloudTrail Insights 事件記錄範例
下列範例顯示 CloudTrail Insights 事件日誌。Insights 事件實際上是一組事件,標記異常寫入管理 API 活動或錯誤回應活動的一段時間的開始和結束。`state` 欄位會顯示事件是在異常活動期間的開始還是結束時記錄的。事件名稱 `UpdateInstanceInformation` 與 CloudTrail 分析管理事件以判斷發生異常活動的 AWS Systems Manager API 名稱相同。雖然開始和結束事件具有唯一的 `eventID` 值,但它們也具有由該組使用的 `sharedEventID` 值。Insights 事件會顯示 `baseline` (活動的正常模式)、`insight` (觸發開始 Insights 事件的或平均異常活動),以及在結束事件中,顯示 Insights 事件期間平均異常活動的 `insight` 值。如需使用 CloudTrail Insights 的詳細資訊,請參閱 [使用 CloudTrail Insights](logging-insights-events-with-cloudtrail.md)。
```
{
"Records": [{
"eventVersion": "1.08",
"eventTime": "2023-01-02T02:51:00Z",
"awsRegion": "us-east-1",
"eventID": "654a30ff-b0f3-4527-81b6-EXAMPLEf2393",
"eventType": "AwsCloudTrailInsight",
"recipientAccountId": "123456789012",
"sharedEventID": "bcbfc274-8559-4a56-beb0-EXAMPLEa6c34",
"insightDetails": {
"state": "Start",
"eventSource": "ssm.amazonaws.com",
"eventName": "UpdateInstanceInformation",
"insightType": "ApiCallRateInsight",
"insightContext": {
"statistics": {
"baseline": {
"average": 84.410596421
},
"insight": {
"average": 669
}
}
}
},
"eventCategory": "Insight"
},
{
"eventVersion": "1.08",
"eventTime": "2023-01-02T00:22:00Z",
"awsRegion": "us-east-1",
"eventID": "258de2fb-e2a9-4fb5-aeb2-EXAMPLE449a4",
"eventType": "AwsCloudTrailInsight",
"recipientAccountId": "123456789012",
"sharedEventID": "8b74a7bc-d5d3-4d19-9d60-EXAMPLE08b51",
"insightDetails": {
"state": "End",
"eventSource": "ssm.amazonaws.com",
"eventName": "UpdateInstanceInformation",
"insightType": "ApiCallRateInsight",
"insightContext": {
"statistics": {
"baseline": {
"average": 74.156423842
},
"insight": {
"average": 657
},
"insightDuration": 1
}
}
},
"eventCategory": "Insight"
}]
}
```