


# Validating CloudTrail log file integrity with the AWS CLI
<a name="cloudtrail-log-file-validation-cli"></a>

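To validate logs with the AWS Command Line Interface, use the CloudTrail `validate-logs` command. The command uses the digest files delivered to your Amazon S3 bucket to perform the validation. For information about digest files, see [CloudTrail digest file structure](cloudtrail-log-file-validation-digest-file-structure.md).

The AWS CLI allows you to detect the following types of changes:
+ Modification or deletion of CloudTrail log files
+ Modification or deletion of CloudTrail digest files
+ Modification or deletion of both of the above

**Note**  
The AWS CLI validates only log files that are referenced by digest files. For more information, see [Checking whether a particular file was delivered by CloudTrail](#cloudtrail-log-file-validation-cli-validate-logs-check-file).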

## Prerequisites
<a name="cloudtrail-log-file-validation-cli-prerequisites"></a>

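To validate log file integrity with the AWS CLI, the following conditions must be met:
+ You must have online connectivity to AWS.
+ You must have read access to the Amazon S3 bucket that contains the digest and log files.
+ The digest and log files must not have been moved from the original Amazon S3 location where CloudTrail delivered them.
+ The role running the command must have permissions to call `ListObjects`, `GetObject`, and `GetBucketLocation` for each S3 bucket referenced by the trail.

**Note**  
Log files that have been downloaded to local disk cannot be validated with the AWS CLI. For guidance on creating your own tools for validation, see [Custom implementations of CloudTrail log file integrity validation](cloudtrail-log-file-custom-validation.md).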

## validate-logs
<a name="cloudtrail-log-file-validation-cli-validate-logs"></a>

### Syntax
<a name="cloudtrail-log-file-validation-cli-validate-logs-syntax"></a>

The following is the syntax for `validate-logs`. Optional parameters are shown in brackets.

`aws cloudtrail validate-logs --trail-arn <trailARN> --start-time <start-time> [--end-time <end-time>] [--s3-bucket <amzn-s3-demo-bucket>] [--s3-prefix <prefix>] [--account-id <account-id>] [--verbose]` 

**Note**  
The `validate-logs` command is Region specific. You must specify the `--region` global option to validate logs for a specific AWS Region.

### Options
<a name="cloudtrail-log-file-validation-cli-validate-logs-options"></a>

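The following are the command line options for `validate-logs`. The `--trail-arn` and `--start-time` options are required. The `--account-id` option is additionally required for organization trails.

`--start-time`  
Specifies that log files delivered on or after the specified UTC timestamp value will be validated. Example: `2015-01-08T05:21:42Z`.

`--end-time`  
Optionally specifies that log files delivered on or before the specified UTC timestamp value will be validated. The default value is the current UTC time (`Date.now()`). Example: `2015-01-08T12:31:41Z`.  
For the time range specified, the `validate-logs` command checks only the log files that are referenced in their corresponding digest files. No other log files in the Amazon S3 bucket are checked. For more information, see [Checking whether a particular file was delivered by CloudTrail](#cloudtrail-log-file-validation-cli-validate-logs-check-file).

`--s3-bucket`  
Optionally specifies the Amazon S3 bucket where the digest files are stored. If a bucket name is not specified, the AWS CLI retrieves it by calling `DescribeTrails()`.

`--s3-prefix`  
Optionally specifies the Amazon S3 prefix where the digest files are stored. If not specified, the AWS CLI retrieves it by calling `DescribeTrails()`.  
Use this option only if your current prefix is different from the prefix that was in use during the time range that you specify.

`--account-id`  
Optionally specifies the account for validating logs. This parameter is required for organization trails to validate logs for a specific account within the organization.

`--trail-arn`  
Specifies the Amazon Resource Name (ARN) of the trail to be validated. The format of a trail ARN follows.  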

```
arn:aws:cloudtrail:us-east-2:111111111111:trail/MyTrailName
```
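To obtain the trail ARN for a trail, you can use the `describe-trails` command before running `validate-logs`.  
If log files were delivered to more than one bucket in the time range that you specified, and you want to restrict validation to the log files in only one of those buckets, we recommend that you specify the bucket name and prefix in addition to the trail ARN.

`--verbose`  
Optionally outputs validation information for every log or digest file in the specified time range. The output indicates whether the file remains unchanged or has been modified or deleted. In non-verbose mode (the default), information is returned only when a validation fails.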

### Example
<a name="cloudtrail-log-file-validation-cli-validate-logs-example"></a>

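The following example validates log files delivered between the specified start and end times, using the Amazon S3 bucket configured for the current trail and specifying verbose output.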

```
aws cloudtrail validate-logs --start-time 2015-08-27T00:00:00Z --end-time 2015-08-28T00:00:00Z --trail-arn arn:aws:cloudtrail:us-east-2:111111111111:trail/my-trail-name --verbose
```

### How `validate-logs` works
<a name="cloudtrail-log-file-validation-cli-validate-logs-how-it-works"></a>

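The `validate-logs` command starts by validating the most recent digest file in the specified time range. First, it verifies that the digest file was downloaded from the location to which it claims to belong. In other words, if the CLI downloads digest file `df1` from the S3 location `p1`, `validate-logs` verifies that `p1 == df1.digestS3Bucket + '/' + df1.digestS3Object`.

If the signature of the digest file is valid, the command checks the hash value of each log referenced in the digest file. It then goes back in time, validating the previous digest files and their referenced log files in succession. It continues until the specified `start-time` value is reached, or until the digest chain ends. If a digest file is missing or not valid, the time range that cannot be validated is indicated in the output. The `validate-logs` command operates on the standard digest chain first. After standard digest validation completes, it validates backfill digest files, if any exist. Backfill digests form a separate validation chain and are processed independently of standard digests.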

## Validation results
<a name="cloudtrail-log-file-validation-cli-results"></a>

Validation results begin with a summary header in the following format:

```
Validating log files for trail trail_ARN  between time_stamp and time_stamp
```

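Each line of the main output contains the validation result for a single digest or log file, in the following format. Lines prefixed with `(backfill)` indicate backfill digest files, which form a validation chain separate from the standard digest files.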

```
<optional (backfill)> <Digest file | Log file> <S3 path> <Validation Message>
```

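The following table describes the possible validation messages for log and digest files.

| File type | Validation message | Description | 
| --- | --- | --- | 
| Digest file | valid | The digest file signature is valid. The log files it references can be checked. This message is included only in verbose mode. | 
| Digest file | INVALID: has been moved from its original location | The S3 bucket or S3 object from which the digest file was retrieved does not match the S3 bucket or S3 object location recorded in the digest file itself. | 
| Digest file | INVALID: invalid format | The format of the digest file is not valid. The log files corresponding to the time range that the digest file represents cannot be validated. | 
| Digest file | INVALID: not found | The digest file was not found. The log files corresponding to the time range that the digest file represents cannot be validated. | 
| Digest file | INVALID: public key not found for fingerprint fingerprint | The public key corresponding to the fingerprint recorded in the digest file was not found. The digest file cannot be validated. | 
| Digest file | INVALID: signature verification failed | The digest file signature is not valid. Because the digest file is not valid, the log files it references cannot be validated, and no assertions can be made about the API activity in them. | 
| Digest file | INVALID: Unable to load PKCS #1 key with fingerprint fingerprint | The digest file cannot be validated because the DER-encoded public key in PKCS #1 format with the specified fingerprint could not be loaded. | 
| Log file | valid | The log file has been validated and has not been modified since the time of delivery. This message is included only in verbose mode. | 
| Log file | INVALID: hash value doesn't match | The hash for the log file does not match. The log file has been modified after delivery by CloudTrail. | 
| Log file | INVALID: invalid format | The format of the log file is not valid. The log file cannot be validated. | 
| Log file | INVALID: not found | The log file was not found and cannot be validated. | 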

The output includes summary information about the results returned.

## Example outputs
<a name="cloudtrail-log-file-validation-cli-results-examples"></a>

### Verbose
<a name="cloudtrail-log-file-validation-cli-results-verbose"></a>

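The following example `validate-logs` command uses the `--verbose` flag and produces the sample output that follows. `[...]` indicates that the sample output has been abbreviated.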

```
aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name --start-time 2015-08-31T22:00:00Z --end-time 2015-09-01T19:17:29Z --verbose
```

```
Validating log files for trail arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name between 2015-08-31T22:00:00Z and 2015-09-01T19:17:29Z
                                       
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2015/09/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T201728Z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1925Z_WZZw1RymnjCRjxXc.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1915Z_POuvV87nu6pfAV2W.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1930Z_l2QgXhAKVm1QXiIA.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1920Z_eQJteBBrfpBCqOqw.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1950Z_9g5A6qlR2B5KaRdq.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1920Z_i4DNCC12BuXd6Ru7.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1915Z_Sg5caf2RH6Jdx0EJ.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2015/09/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T191728Z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/09/01/111111111111_CloudTrail_us-east-2_20150901T1910Z_YYSFiuFQk4nrtnEW.json.gz	valid
[...]
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2015/09/01/144218288521_CloudTrail_us-east-2_20150901T1055Z_0Sfy6m9f6iBzmoPF.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2015/09/01/144218288521_CloudTrail_us-east-2_20150901T1040Z_lLa3QzVLpOed7igR.json.gz	valid

Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2015/09/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T101728Z.json.gz	INVALID: signature verification failed

Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2015/09/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T091728Z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2015/09/01/144218288521_CloudTrail_us-east-2_20150901T0830Z_eaFvO3dwHo4NCqqc.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2015/09/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T081728Z.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2015/09/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T071728Z.json.gz	valid
[...]
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/08/31/111111111111_CloudTrail_us-east-2_20150831T2245Z_mbJkEO5kNcDnVhGh.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/08/31/111111111111_CloudTrail_us-east-2_20150831T2225Z_IQ6kXy8sKU03RSPr.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/08/31/111111111111_CloudTrail_us-east-2_20150831T2230Z_eRPVRTxHQ5498ROA.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2015/08/31/111111111111_CloudTrail_us-east-2_20150831T2255Z_IlWawYZGvTWB5vYN.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2015/08/31/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150831T221728Z.json.gz	valid

Results requested for 2015-08-31T22:00:00Z to 2015-09-01T19:17:29Z
Results found for 2015-08-31T22:17:28Z to 2015-09-01T20:17:28Z:

22/23 digest files valid, 1/23 digest files INVALID
63/63 log files valid
```

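The following example `validate-logs` command uses the `--verbose` flag for a period in which backfill digest files exist, and produces the sample output that follows. Backfill digests are shown with the `(backfill)` prefix and are validated separately from the standard digest chain. `[...]` indicates that the sample output has been abbreviated.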

```
aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name --start-time 2024-07-31T22:00:00Z --end-time 2024-08-01T19:17:29Z --verbose
```

```
Validating log files for trail arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name between 2024-07-31T22:00:00Z and 2024-08-01T19:17:29Z

Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/08/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T201728Z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1925Z_Xm3pK9vN2wQ5rT8h.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1915Z_Bj7cL4nM6pR9sU2v.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1930Z_Fy1dG8kN3qT6wX0z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1920Z_Hn5jM2pQ7sV9yB4e.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1950Z_Kp8rN1tW4xZ7aC3f.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1920Z_Mq6sP9uX2yB5dE8g.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1915Z_Rt4vQ7wZ0aC3fG6h.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/08/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T191728Z.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/111111111111_CloudTrail_us-east-2_20240801T1910Z_Uw9xR2yB5dH8jK1m.json.gz	valid
[...]
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2024/08/01/144218288521_CloudTrail_us-east-2_20240801T1055Z_Vz3aS6cE9fL2nP5q.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2024/08/01/144218288521_CloudTrail_us-east-2_20240801T1040Z_Xy7bT0dG3hM6pR9s.json.gz	valid

Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T101728Z.json.gz	INVALID: signature verification failed

Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T091728Z.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T081728Z.json.gz	valid
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T071728Z.json.gz	valid
[...]
Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/07/31/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240731T221728Z.json.gz	valid
(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/08/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T201728Z_backfill.json.gz	valid
(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/08/01/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T191728Z_backfill.json.gz	valid
[...]

(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T101728Z_backfill.json.gz	INVALID: signature verification failed

(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T091728Z_backfill.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail/us-east-2/2024/08/01/144218288521_CloudTrail_us-east-2_20240801T0830Z_Rn6uk0wY5aD9fJ3n.json.gz	valid
(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T081728Z_backfill.json.gz	valid
(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T071728Z_backfill.json.gz	valid
[...]
(backfill) Digest file    s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail-Digest/us-east-2/2024/07/31/111111111111_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240731T221728Z_backfill.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/07/31/111111111111_CloudTrail_us-east-2_20240731T2145Z_Sp3vm7xZ2bE6gK0p.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/07/31/111111111111_CloudTrail_us-east-2_20240731T2125Z_Tq0wn4ya9cF3hL7q.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/07/31/111111111111_CloudTrail_us-east-2_20240731T2130Z_Ur7xp1zb6dG0jM4r.json.gz	valid
Log file       s3://amzn-s3-demo-bucket/AWSLogs/111111111111/CloudTrail/us-east-2/2024/07/31/111111111111_CloudTrail_us-east-2_20240731T2155Z_Vs4yq8ac3eH7kN1s.json.gz	valid

Results requested for 2024-07-31T22:00:00Z to 2024-08-01T19:17:29Z
Results found for 2024-07-31T22:17:28Z to 2024-08-01T20:17:28Z:

22/23 digest files valid, 1/23 digest files INVALID
22/23 backfill digest files valid, 1/23 backfill digest files INVALID
63/63 log files valid
```

### Non-verbose
<a name="cloudtrail-log-file-validation-cli-results-non-verbose"></a>

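The following example `validate-logs` command does not use the `--verbose` flag. In the sample output that follows, one error was found. Only the header, error, and summary information are returned.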

```
aws cloudtrail validate-logs --trail-arn arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name --start-time 2015-08-31T22:00:00Z --end-time 2015-09-01T19:17:29Z
```

```
Validating log files for trail arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name between 2015-08-31T22:00:00Z and 2015-09-01T19:17:29Z

Digest file	s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2015/09/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20150901T101728Z.json.gz	INVALID: signature verification failed

(backfill) Digest file	s3://amzn-s3-demo-bucket/AWSLogs/144218288521/CloudTrail-Digest/us-east-2/2024/08/01/144218288521_CloudTrail-Digest_us-east-2_example-trail-name_us-east-2_20240801T101728Z_backfill.json.gz	INVALID: signature verification failed

Results requested for 2015-08-31T22:00:00Z to 2015-09-01T19:17:29Z
Results found for 2015-08-31T22:17:28Z to 2015-09-01T20:17:28Z:

22/23 digest files valid, 1/23 digest files INVALID
22/23 backfill digest files valid, 1/23 backfill digest files INVALID
63/63 log files valid
```

## Checking whether a particular file was delivered by CloudTrail
<a name="cloudtrail-log-file-validation-cli-validate-logs-check-file"></a>

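To check whether a particular file in your bucket was delivered by CloudTrail, run `validate-logs` in verbose mode for the time period that includes the file. If the file appears in the output of `validate-logs`, then the file was delivered by CloudTrail.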
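
The following added example (not part of the AWS documentation or the AWS CLI) parses verbose `validate-logs` output in the result-line format described under validation results, collects every entry that is not `valid`, and applies the delivery check from this section to a bucket listing to find objects that no digest references. The sample output, the object names, the bucket listing and the helper names `parse_results`, `failures` and `unreferenced` are constructed for illustration.

```python
import re
from typing import NamedTuple

class Result(NamedTuple):
    backfill: bool   # line carried the "(backfill)" prefix
    kind: str        # "Digest file" or "Log file"
    path: str        # s3://bucket/key
    message: str     # "valid" or "INVALID: ..."

# <optional (backfill)> <Digest file | Log file> <S3 path> <Validation Message>
LINE = re.compile(r"^(\(backfill\)\s+)?(Digest file|Log file)\s+(s3://\S+)\s+(.+?)\s*$")

def parse_results(output):
    """Return one Result per result line; header, [...] and summary lines are skipped."""
    results = []
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            results.append(Result(bool(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return results

def failures(results):
    """Every file whose validation message is anything other than 'valid'."""
    return [r for r in results if r.message != "valid"]

def unreferenced(bucket, listed_keys, results):
    """Listed keys that no 'Log file' line mentions: no digest in the validated
    time range references them, so delivery by CloudTrail is unconfirmed."""
    referenced = {r.path for r in results if r.kind == "Log file"}
    return sorted(k for k in listed_keys if f"s3://{bucket}/{k}" not in referenced)

# Constructed sample: verbose output in the page's format (object names are made up).
P = "s3://amzn-s3-demo-bucket/AWSLogs/111111111111"
SAMPLE = f"""Validating log files for trail arn:aws:cloudtrail:us-east-2:111111111111:trail/example-trail-name between 2024-08-01T09:00:00Z and 2024-08-01T11:00:00Z

Digest file    {P}/CloudTrail-Digest/us-east-2/2024/08/01/d_20240801T111728Z.json.gz\tvalid
Log file       {P}/CloudTrail/us-east-2/2024/08/01/log_20240801T1040Z_AAAA.json.gz\tvalid
Log file       {P}/CloudTrail/us-east-2/2024/08/01/log_20240801T1055Z_BBBB.json.gz\tINVALID: hash value doesn't match
Digest file    {P}/CloudTrail-Digest/us-east-2/2024/08/01/d_20240801T101728Z.json.gz\tINVALID: signature verification failed
(backfill) Digest file    {P}/CloudTrail-Digest/us-east-2/2024/08/01/d_20240801T101728Z_backfill.json.gz\tvalid
"""
# Constructed bucket listing (in practice, the object keys returned by an S3 list call).
LISTED = [f"AWSLogs/111111111111/CloudTrail/us-east-2/2024/08/01/log_20240801T10{m}Z_{s}.json.gz"
          for m, s in (("40", "AAAA"), ("45", "ZZZZ"), ("55", "BBBB"))]

if __name__ == "__main__":
    results = parse_results(SAMPLE)
    for r in failures(results):
        print("FAIL", "(backfill)" if r.backfill else "", r.kind, r.path, r.message)
    for key in unreferenced("amzn-s3-demo-bucket", LISTED, results):
        print("NOT REFERENCED BY ANY DIGEST", key)
```

An object reported by `unreferenced` lies outside what `validate-logs` checked; a log file that appears with `INVALID: hash value doesn't match` is referenced by a digest but was changed after delivery.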