This topic lists the fields of logs collected from Alibaba Cloud services.

ActionTrail

  • Field details
    Log field Description
    __topic__ The topic of the log entry. Valid values: actiontrail_event.
    owner_id The ID of the Alibaba Cloud account.
    event The log event in the JSON format. The content of this field varies depending on the log event.
    event.eventId The unique ID of the event.
    event.eventName The name of the event.
    event.eventSource The source of the event.
    event.eventType The type of the event.
    event.eventVersion The data format version of the event. Valid values: 1.
    event.acsRegion The region where the event occurs.
    event.requestId The ID of the API request.
    event.apiVersion The version of the API.
    event.errorMessage The error message of the event.
    event.serviceName The name of the Alibaba Cloud service associated with the event.
    event.sourceIpAddress The source IP address that is associated with the event.
    event.userAgent The user agent of the client that initiates the event.
    event.requestParameters.HostId The ID of the host from which the request originates.
    event.requestParameters.Name The name of the request parameter.
    event.requestParameters.Region The region from which the request originates.
    event.userIdentity.accessKeyId The AccessKey ID of the logon account.
    event.userIdentity.accountId The ID of the Alibaba Cloud account.
    event.userIdentity.principalId The ID of the logon account.
    event.userIdentity.type The identity type of the logon account.
    event.userIdentity.userName The username of the logon account.
    event.errorCode The error code of the event.
    additionalEventData.isMFAChecked Indicates whether MFA is enabled for the logon account that is used to log on to Log Service.
    additionalEventData.loginAccount The account used to log on to Log Service.
  • Sample log entry
    {
      "acsRegion": "cn-hangzhou",
      "additionalEventData": {
        "isMFAChecked": "false",
        "loginAccount": "test1234@aliyun.com"
      },
      "eventId": "7be1e173-1234-44a1-b135-1234",
      "eventName": "ConsoleSignin",
      "eventSource": "http://account.aliyun.com:443/login/login_aliyun.htm",
      "eventTime": "2018-07-12T06:14:50Z",
      "eventType": "ConsoleSignin",
      "eventVersion": "1",
      "requestId": "7be1e173-1234-44a1-b135-1234",
      "serviceName": "AasCustomer",
      "sourceIpAddress": "42.120.75.137",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
      "userIdentity": {
        "accessKeyId": "25****************",
        "accountId": "1234",
        "principalId": "1234",
        "type": "root-account",
        "userName": "root"
      }
    }
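The following Python sketch is an added example, not part of the original documentation. It decodes the `event` JSON of `actiontrail_event` entries and reports `ConsoleSignin` events by a `root-account` identity where `isMFAChecked` is not `"true"`. The entry wrapper, the `ram-user` identity and the `constructed-*` event IDs are constructed sample data; the first entry carries the sample event shown above.

```python
import json


def mfa_checked(value):
    """isMFAChecked is logged as the string "true"/"false"; bool("false") is True,
    so compare the text. A missing value is treated as not checked."""
    return str(value).strip().lower() == "true"


def decode_event(entry):
    """Return the ActionTrail event as a dict, or None if the entry is not usable."""
    if entry.get("__topic__") != "actiontrail_event":
        return None
    raw = entry.get("event")
    if isinstance(raw, dict):
        return raw
    try:
        event = json.loads(raw)
    except (TypeError, ValueError):
        return None  # missing or truncated JSON: skip rather than crash the pipeline
    return event if isinstance(event, dict) else None


def root_signins_without_mfa(entries):
    """Collect console sign-ins by the root account that were not MFA-checked."""
    findings = []
    for entry in entries:
        event = decode_event(entry)
        if event is None or event.get("eventName") != "ConsoleSignin":
            continue
        identity = event.get("userIdentity") or {}
        extra = event.get("additionalEventData") or {}
        if identity.get("type") != "root-account":
            continue
        if mfa_checked(extra.get("isMFAChecked")):
            continue
        findings.append({
            "eventId": event.get("eventId"),
            "eventTime": event.get("eventTime"),
            "sourceIpAddress": event.get("sourceIpAddress"),
            "loginAccount": extra.get("loginAccount"),
            "owner_id": entry.get("owner_id"),
        })
    return findings


def _entry(event, topic="actiontrail_event"):
    # Constructed wrapper: the event travels as a JSON string in the "event" field.
    return {"__topic__": topic, "owner_id": "1234", "event": json.dumps(event)}


# Abridged copy of the sample event from this page.
PAGE_SAMPLE = {
    "acsRegion": "cn-hangzhou",
    "additionalEventData": {"isMFAChecked": "false",
                            "loginAccount": "test1234@aliyun.com"},
    "eventId": "7be1e173-1234-44a1-b135-1234",
    "eventName": "ConsoleSignin",
    "eventTime": "2018-07-12T06:14:50Z",
    "eventType": "ConsoleSignin",
    "sourceIpAddress": "42.120.75.137",
    "userIdentity": {"accountId": "1234", "principalId": "1234",
                     "type": "root-account", "userName": "root"},
}

# Constructed variants: MFA checked, a non-root identity, broken JSON, another topic.
SAMPLE_ENTRIES = [
    _entry(PAGE_SAMPLE),
    _entry({**PAGE_SAMPLE, "eventId": "constructed-0002",
            "additionalEventData": {"isMFAChecked": "true",
                                    "loginAccount": "test1234@aliyun.com"}}),
    _entry({**PAGE_SAMPLE, "eventId": "constructed-0003",
            "userIdentity": {"type": "ram-user", "userName": "alice"}}),
    {"__topic__": "actiontrail_event", "owner_id": "1234", "event": "{truncated"},
    _entry(PAGE_SAMPLE, topic="waf_access_log"),
]

if __name__ == "__main__":
    for finding in root_signins_without_mfa(SAMPLE_ENTRIES):
        print(finding)
```
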
    
                        

Server Load Balancer (SLB)

Log field Description
owner_id The ID of the Alibaba Cloud account.
region The region where the instance resides.
instance_id The ID of the instance.
instance_name The name of the instance.
network_type The type of network. Valid values: VPC and Classic.
vpc_id The ID of the VPC.
body_bytes_sent The size of the HTTP response message body sent to the client. Unit: bytes.
client_ip The IP address of the client.
client_port The port of the client.
host The IP address of the server. The value is obtained from the request parameters first. If no value is obtained, the value is obtained from the host header field. If the value still cannot be obtained, the IP address of the backend server that processes the request is obtained as the field value.
http_host The host HTTP header in the request message.
http_referer The Referer HTTP header in the request message received by the proxy.
http_user_agent The User-Agent HTTP header in the request message received by the proxy.
http_x_forwarded_for The x-forwarded-for HTTP header in the request message received by the proxy.
http_x_real_ip The real IP address of the client.
read_request_time The time when the proxy reads the request message. Unit: milliseconds.
request_length The length of the request message, which includes the start-line, HTTP headers, and HTTP body.
request_method The request method.
request_time The duration between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri The request URI received by the proxy.
scheme The protocol of the request, for example, HTTP and HTTPS.
server_protocol The HTTP version, for example, HTTP/1.0 and HTTP/1.1.
slb_vport The listening port of the SLB instance.
slbid The ID of the SLB instance.
ssl_cipher The cipher suite used, for example, ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol The protocol used to establish an SSL connection, for example, TLSv1.2.
status The HTTP status code sent from the proxy.
tcpinfo_rtt The RTT of TCP packets. Unit: milliseconds.
time The time when the log entry was recorded.
upstream_addr The IP address and port number of the backend server.
upstream_response_time The duration of the connection between the proxy and backend server. Unit: seconds.
upstream_status The HTTP status code received by the proxy from the backend server.
vip_addr The virtual IP address.
write_response_time The response duration of the proxy. Unit: milliseconds.

API Gateway

Log field Description
owner_id The ID of the account to which the API belongs.
apiGroupUid The ID of the group to which the API belongs.
apiGroupName The name of the group to which the API belongs.
apiUid The ID of the API.
apiName The name of the API.
apiStageUid The stage ID of the API.
apiStageName The stage name of the API.
httpMethod The HTTP method of the request.
path The request URL path.
domain The domain name of the requested resources.
statusCode The HTTP status code.
errorMessage The returned error message.
appId The ID of the client that sends the request.
appName The name of the client that sends the request.
clientIp The IP address of the client that sends the request.
exception The specific error message returned by the backend server.
region The ID of the region, for example, cn-hangzhou.
requestHandleTime The time when the request is sent. The time is in GMT.
requestId The request ID. The ID is globally unique.
requestSize The size of the request message. Unit: bytes.
responseSize The size of the response message. Unit: bytes.
serviceLatency The response latency of the backend server. Unit: milliseconds.

Web Application Firewall (WAF)

Field Description
__topic__ The topic of the log entry. Valid values: waf_access_log.
owner_id The ID of the Alibaba Cloud account.
acl_action The action taken by WAF to respond to the request based on the HTTP ACL policies, for example, pass, drop, and captcha.
Note: Null values or hyphens (-) also indicate the pass action.
acl_blocks Indicates whether the request is blocked based on the HTTP ACL policies. A value of 1 indicates that the request is blocked. Other values indicate that the request is allowed.
antibot The type of the Anti-Bot Service protection strategy that applies. Valid values:
  • ratelimit: Frequency control-based protection
  • sdk: APP protection
  • algorithm: Algorithm-based protection
  • intelligence: Bot intelligence-based protection
  • acl: HTTP ACL policy-based protection
  • blacklist: Blacklist-based protection
antibot_action The action taken by WAF based on the Anti-Bot Service protection strategy. Valid values:
  • challenge: Verify by using an embedded JavaScript script
  • drop: Block
  • report: Log the access event
  • captcha: Verify by using a slider captcha
block_action The type of the WAF protection feature that implements blocks. Valid values:
  • tmd: Protection against HTTP flood attacks
  • waf: Protection against Web application attacks
  • acl: HTTP ACL policy
  • geo: Block regions
  • antifraud: Data risk control
  • antibot: Anti-bot
body_bytes_sent The size of the HTTP response message body sent to the client. Unit: bytes.
cc_action The action taken to protect against HTTP flood attacks. Valid values: none, challenge, pass, close, captcha, wait, and login.
cc_blocks Indicates whether the request is blocked by the HTTP flood attack protection feature. A value of 1 indicates that the request is blocked by the HTTP flood attack protection feature. Other values indicate that the request is not blocked.
cc_phase The HTTP flood attack protection strategy that is activated. Valid values: seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax.
content_type The media type of the requested resource.
host The origin server.
http_cookie The Cookie HTTP header. The field includes information about the client.
http_referer The Referer HTTP header. The field includes the source URL information. If no source URL information is logged, the value of the log field is a hyphen (-).
http_user_agent The User-Agent request header. The field contains information such as the client and the operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) HTTP header. The field identifies the original IP address of the client that connects to the web server by using an HTTP proxy or load balancing.
https Indicates whether the request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The matched domain names that are protected by WAF. If no domain name can be matched, the value of the log field is a hyphen (-).
querystring The query string in the request URL.
real_client_ip The real IP address of the client. If the real IP address cannot be obtained, the value of the log field is a hyphen (-).
region The region where the WAF instance resides.
remote_addr The IP address of the client.
remote_port The port of the client.
request_length The size of the request message. Unit: bytes.
request_method The HTTP request method.
request_path The relative path of the request.
request_time_msec The request time. Unit: milliseconds.
request_traceid The unique ID of the request that is recorded by WAF.
server_protocol The response protocol and the version number of the origin server.
status The HTTP status code returned by WAF.
time The time when the request occurs.
ua_browser The information about the browser that sends the request.
ua_browser_family The family of the browser.
ua_browser_type The type of the browser.
ua_browser_version The version of the browser.
ua_device_type The type of the client device.
ua_os The client operating system.
ua_os_family The family of the client operating system.
upstream_addr A list of origin server IP addresses. Each IP address is in the IP:Port format, separated by commas (,).
upstream_ip The IP address of the origin server where the requested resource resides. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance.
upstream_response_time The time that the origin server takes to respond to the request from WAF. Unit: seconds. If the value of the field is a hyphen (-), it indicates that the response times out.
upstream_status The HTTP status code that WAF receives from the origin server. If the value of the field is a hyphen (-), it indicates that the request is blocked by WAF.
user_id The ID of the Alibaba Cloud account.
waf_action The action that is taken to protect against web attacks. The value block indicates that the request is blocked. Other values indicate that the request is allowed.
web_attack_type The type of the web attack. The values include xss, code_exec, webshell, sqli, lfilei, rfilei, and other.
waf_rule_id The ID of the matched WAF rule.
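The hyphen and null conventions in the WAF fields above are easy to misread in a detection pipeline. The following Python sketch is an added example, not part of the original documentation, that normalizes one `waf_access_log` entry into a verdict. It assumes `block` is the blocking value of `waf_action`, and it reports an origin timeout only when `upstream_status` shows that the origin was contacted; all sample entries are constructed.

```python
def is_blank(value):
    """Null, empty and hyphen are the 'no value' markers used by the WAF fields."""
    return value is None or str(value).strip() in ("", "-")


def flag_set(value):
    """acl_blocks / cc_blocks: only the value 1 means blocked."""
    return str(value).strip() == "1"


def waf_verdict(entry):
    """Normalize one waf_access_log entry (a dict of strings) into a verdict."""
    blocked_by = []
    if flag_set(entry.get("acl_blocks")):
        blocked_by.append("acl")
    if flag_set(entry.get("cc_blocks")):
        blocked_by.append("cc")
    if entry.get("waf_action") == "block":      # assumed blocking value
        blocked_by.append("waf")
    if entry.get("antibot_action") == "drop":   # drop: Block
        blocked_by.append("antibot")

    upstream_status = entry.get("upstream_status")
    # A hyphen in upstream_status means WAF blocked the request before the origin.
    stopped_at_waf = str(upstream_status).strip() == "-"
    reached_origin = not is_blank(upstream_status)

    raw_rt = entry.get("upstream_response_time")
    try:
        response_time = None if is_blank(raw_rt) else float(raw_rt)
    except (TypeError, ValueError):
        response_time = None

    acl_action = entry.get("acl_action")
    real_ip = entry.get("real_client_ip")
    return {
        "blocked": bool(blocked_by) or stopped_at_waf,
        "blocked_by": blocked_by,
        # Null values or hyphens in acl_action also indicate the pass action.
        "acl_action": "pass" if is_blank(acl_action) else acl_action,
        # real_client_ip is a hyphen when it cannot be obtained: fall back.
        "client_ip": entry.get("remote_addr") if is_blank(real_ip) else real_ip,
        "reached_origin": reached_origin,
        # Example's choice: a hyphen response time counts as a timeout only
        # when the origin was actually contacted.
        "origin_timeout": reached_origin and is_blank(raw_rt),
        "upstream_response_time": response_time,
    }


# Constructed sample entries (documentation address ranges).
ALLOWED = {"acl_action": "-", "acl_blocks": "0", "cc_blocks": "0",
           "waf_action": "-", "real_client_ip": "-",
           "remote_addr": "198.51.100.7", "upstream_status": "200",
           "upstream_response_time": "0.044"}
SQLI_BLOCKED = {"acl_action": "pass", "acl_blocks": "0", "cc_blocks": "0",
                "waf_action": "block", "web_attack_type": "sqli",
                "real_client_ip": "203.0.113.9", "remote_addr": "198.51.100.20",
                "upstream_status": "-", "upstream_response_time": "-"}
ORIGIN_TIMEOUT = {"acl_action": "pass", "acl_blocks": "0", "cc_blocks": "0",
                  "waf_action": "-", "real_client_ip": "203.0.113.40",
                  "remote_addr": "203.0.113.40", "upstream_status": "504",
                  "upstream_response_time": "-"}
ACL_BLOCKED = {"acl_action": "drop", "acl_blocks": "1", "cc_blocks": "0",
               "waf_action": "-", "real_client_ip": "-",
               "remote_addr": "198.51.100.99", "upstream_status": "-",
               "upstream_response_time": "-"}

if __name__ == "__main__":
    for sample in (ALLOWED, SQLI_BLOCKED, ORIGIN_TIMEOUT, ACL_BLOCKED):
        print(waf_verdict(sample))
```
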

Security Center

  • Network logs
    • DNS logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-log-dns.
      owner_id The ID of the Alibaba Cloud account.
      additional The fields in the additional section. Each field is separated by a vertical bar (|).
      additional_num The number of fields in the additional section.
      answer The DNS answers. Each DNS answer is separated by a vertical bar (|).
      answer_num The number of DNS answers.
      authority The fields in the authority section.
      authority_num The number of fields in the authority section.
      client_subnet The subnet where the client resides.
      dst_ip The destination IP address.
      dst_port The destination port.
      in_out The direction of data flows. Valid values:
      • in: inbound data flows
      • out: outbound data flows
      qid The ID of the query.
      qname The domain name to be queried.
      qtype The type of the resource to be queried.
      query_datetime The timestamp of the query. Unit: milliseconds.
      rcode The code of the response.
      region The ID of the source region. Valid values:
      • 1: Beijing
      • 2: Qingdao
      • 3: Hangzhou
      • 4: Shanghai
      • 5: Shenzhen
      • 6: Others
      response_datetime The timestamp of the response. The timestamp is in the datetime format.
      src_ip The source IP address.
      src_port The source port.
    • Local DNS logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: local-dns.
      owner_id The ID of the Alibaba Cloud account.
      answer_rda The DNS answers. Each DNS answer is separated by a vertical bar (|).
      answer_ttl The TTL of resource records in the DNS answers. Each value is separated by a vertical bar (|).
      answer_type The types of resource records in the DNS answers. Each value is separated by a vertical bar (|).
      anwser_name The domain names in the DNS answers. Each value is separated by a vertical bar (|).
      dest_ip The destination IP address.
      dest_port The destination port.
      group_id The ID of the group to which the host belongs.
      hostname The hostname.
      id The IP address of the host.
      instance_id The ID of the ECS instance.
      internet_ip The public IP address of the host.
      ip_ttl The TTL of the data packets sent by the host.
      query_name The domain name to be queried.
      query_type The type of the resource to be queried.
      src_ip The source IP address.
      src_port The source port.
      time The time of the query. The time is in the UNIX timestamp format.
      time_usecond The response duration. Unit: microseconds.
      tunnel_id The ID of the DNS tunnel.
    • Network session logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-log-session.
      owner_id The ID of the Alibaba Cloud account.
      asset_type The type of the associated Alibaba Cloud service, for example, ECS, SLB, and ApsaraDB for RDS.
      dst_ip The destination IP address.
      dst_port The destination port.
      proto The type of the transport layer protocol, for example, TCP and UDP.
      session_time The time of the TCP session.
      src_ip The source IP address.
      src_port The source port.
    • Web logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-log-http.
      owner_id The ID of the Alibaba Cloud account.
      content_length The content length of the HTTP request message.
      dst_ip The destination IP address.
      dst_port The destination port.
      host The hostname of the web server.
      jump_location The HTTP redirect.
      method The HTTP request method.
      referer The Referer HTTP header. The field contains the address of the web page which is linked to the resource being requested.
      request_datetime The time of the request. The time is in the datetime format.
      ret_code The HTTP status code.
      rqs_content_type The content type of the HTTP request message.
      rsp_content_type The content type of the HTTP response message.
      src_ip The source IP address.
      src_port The source port.
      uri The request URI.
      user_agent The client that initiates the request.
      x_forward_for The x-forwarded-for HTTP header.
  • Security logs
    • Vulnerability logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-vul-log.
      owner_id The ID of the Alibaba Cloud account.
      name The name of the vulnerability.
      alias_name The alias of the vulnerability.
      op The operation performed on the vulnerability.
      • new: A new vulnerability is detected.
      • verify: The vulnerability is verified.
      • fix: The vulnerability is fixed.
      status The status of the vulnerability. For more information, see Table 2.
      tag The vulnerability tag, for example, oval, system, and cms. The field can be used to distinguish emergency (EMG) vulnerabilities.
      type The type of the vulnerability.
      • sys: Windows vulnerability
      • cve: Linux vulnerability
      • cms: Web CMS vulnerability
      • EMG: Emergency vulnerability
      uuid The UUID of the client.
    • Baseline logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-hc-log.
      owner_id The ID of the Alibaba Cloud account.
      level The level of the baseline check. Valid values: low, medium, and high.
      op The operation performed on the vulnerability.
      • new: A new vulnerability is detected.
      • verify: The baseline check is verified.
      risk_name The name of the check item.
      status The status of the check item. For more information, see Table 2.
      sub_type_alias The subtype alias of the check item.
      sub_type_name The subtype of the check item.
      type_name The type of the check item.
      type_alias The type alias of the check item.
      uuid The UUID of the client.
      Table 1. Types and subtypes of check items
      type_name sub_type_name
      system baseline
      weak_password postsql_weak_password
      database redis_check
      account system_account_security
      account system_account_security
      weak_password mysq_weak_password
      weak_password ftp_anonymous
      weak_password rdp_weak_password
      system group_policy
      system register
      account system_account_security
      weak_password sqlserver_weak_password
      system register
      weak_password ssh_weak_password
      weak_password ftp_weak_password
      cis centos7
      cis tomcat7
      cis memcached-check
      cis mongodb-check
      cis ubuntu14
      cis win2008_r2
      system file_integrity_mon
      cis linux-httpd-2.2-cis
      cis linux-docker-1.6-cis
      cis SUSE11
      cis redhat6
      cis bind9.9
      cis centos6
      cis debain8
      cis redhat7
      cis SUSE12
      cis ubuntu16
      Table 2. Status codes of security logs
      Status code Description
      1 Unfixed.
      2 Fix failed.
      3 Rollback failed.
      4 Fixing.
      5 Rolling back.
      6 Verifying.
      7 Fixed.
      8 Fixed. To be restarted.
      9 Rollback succeeded.
      10 Ignored.
      11 Rollback succeeded. To be restarted.
      12 Does not exist.
      20 Expired.
    • Security alert logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: sas-security-log.
      owner_id The ID of the Alibaba Cloud account.
      data_source The source of the data. For more information, see Table 3.
      level The severity of the alert.
      name The name of the alert, for example, Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
      op The operation performed on the vulnerability.
      • new: An alert is triggered.
      • dealing: The alert is being processed.
      status The status of the alert. For more information, see Table 2.
      uuid The UUID of the client.
      Table 3. Values of the data_source field in security alert logs
      Value Description
      aegis_suspicious_event Server exceptions
      aegis_suspicious_file_v2 Webshell
      aegis_login_log Suspicious logon
      security_event Security Center exceptions
  • Host logs
    • Process initiation logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-log-process.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      cmdline The full command line to start the process.
      username The username.
      uid The ID of the user.
      pid The ID of the process.
      filename The name of the process file.
      filepath The full path of the process file.
      groupname The name of the user group.
      ppid The ID of the parent process.
      pfilename The name of the parent process file.
      pfilepath The full path of the parent process file.
    • Process snapshot logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-snapshot-process.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      cmdline The full command line to start the process.
      pid The ID of the process.
      name The name of the process file.
      path The full path of the process file.
      md5 The MD5 hash of the process file. The MD5 hash is not calculated if the process file exceeds 1 MB.
      pname The file name of the parent process.
      start_time The time when the process starts. This field is a built-in field.
      user The username.
      uid The ID of the user.
    • Logon logs
      Logon attempts within one minute are recorded in one log entry.
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-log-login.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      warn_ip The source IP address.
      warn_port The logon port.
      warn_type The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user The logon username.
      warn_count The number of logon attempts. A value of 3 indicates that two logon attempts were made within one minute before the current logon.
    • Brute-force cracking logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-log-crack.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      warn_ip The source IP address.
      warn_port The logon port.
      warn_type The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user The logon username.
      warn_count The number of failed logon attempts.
    • Network connection logs
      Changes in network connections are collected on the host every 10 seconds to 1 minute.
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-log-network.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      src_ip The source IP address.
      src_port The source port.
      dst_ip The destination IP address.
      dst_port The destination port.
      proc_name The name of the process.
      proc_path The path of the process file.
      proto The protocol used to establish a network connection, for example, TCP, UDP, and raw (raw socket).
      status The connection status. For more information, see Table 4.
      Table 4. Status codes of network connections
      Status code Description
      1 closed
      2 listen
      3 syn send
      4 syn recv
      5 established
      6 close wait
      7 closing
      8 fin_wait1
      9 fin_wait2
      10 time_wait
      11 delete_tcb
    • Port listening snapshot logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-snapshot-port.
      owner_id The ID of the Alibaba Cloud account.
      uuid The UUID of the client.
      ip The IP address of the client.
      proto The protocol that is used to establish a network connection, for example, TCP, UDP, and raw (raw socket).
      src_ip The IP address of the listener port.
      src_port The listener port.
      pid The ID of the process.
      proc_name The name of the process.
    • Account snapshot logs
      Log field Description
      __topic__ The topic of the log entry. Valid values: aegis-snapshot-host.
      owner_id The ID of the Alibaba Cloud account.
      name The name of the vulnerability.
      alias_name The alias of the vulnerability.
      op The operation performed on the vulnerability.
      • new: A new vulnerability is detected.
      • verify: The vulnerability is verified.
      • fix: The vulnerability is fixed.
      status The status of the account. For more information, see Table 4.
      tag The vulnerability tag, for example, oval, system, and cms. The field can be used to distinguish emergency (EMG) vulnerabilities.
      type The type of the vulnerability.
      • sys: Windows vulnerability
      • cve: Linux vulnerability
      • cms: Web CMS vulnerability
      • EMG: Emergency vulnerability
      uuid The UUID of the client.

Distributed Relational Database Service

Field Description
__topic__ The topic of the log entry. Valid values: drds_audit_log.
instance_id The ID of the PolarDB-X instance.
instance_name The name of the PolarDB-X instance.
owner_id The ID of the Alibaba Cloud account.
region The region where the PolarDB-X instance resides.
db_name The name of the PolarDB-X database.
user The name of the user who executes the SQL statement.
client_ip The client IP address used to access the PolarDB-X instance.
client_port The client port used to access the PolarDB-X instance.
sql The SQL statement.
trace_id The trace ID of the SQL statement when it is executed. If a transaction is executed, it is tracked by an ID that consists of the trace ID, a hyphen, and a number, for example, drdsabcdxyz-1 and drdsabcdxyz-2.
sql_code The hash value of the template SQL statement.
hint The hint that is used to optimize the SQL query.
table_name The name of the table involved in the query. Separate multiple tables with commas (,).
sql_type The type of the SQL statement. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail The name of the SQL parser.
response_time The response duration. Unit: milliseconds.
affect_rows The number of affected or returned rows when the SQL statement is executed.
fail Indicates whether the SQL statement failed to be executed. Valid values:
  • 0: succeeded
  • 1: failed
sql_time The time when the SQL statement starts to be executed.

Cloud Firewall

Log field Description
__topic__ The topic of the log entry. Valid values: cloudfirewall_access_log.
owner_id The ID of the Alibaba Cloud account.
log_type The type of the log entry.
app_name The layer 7 protocol over which data traffic is sent. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.
direction The direction of the traffic.
  • in: inbound traffic
  • out: outbound traffic
domain The domain name of the target server.
dst_ip The destination IP address.
dst_port The destination port.
end_time The time when the network session ended. The time is in the UNIX timestamp format.
in_bps The inbound traffic rate. Unit: bits/s.
in_packet_bytes The total size of the inbound traffic. Unit: bytes.
in_packet_count The total number of inbound data packets.
in_pps The transmission rate of inbound data packets. Unit: packets/s.
ip_protocol The layer 4 protocol over which data is sent. Valid values: TCP and UDP.
out_bps The outbound traffic rate. Unit: bits/s.
out_packet_bytes The total size of the outbound traffic. Unit: bytes.
out_packet_count The total number of outbound data packets.
out_pps The transmission rate of outbound data packets. Unit: packets/s.
region_id The region where the data traffic is sent.
rule_result The action that the access control policy uses to process data packets.
  • pass: Data packets are allowed to pass Cloud Firewall.
  • alert: An alert is triggered when data packets attempt to pass Cloud Firewall.
  • drop: Data packets are dropped.
src_ip The source IP address.
src_port The source port.
start_time The start time of the network session. The time is in the UNIX timestamp format.
start_time_min The start time of the network session. The time is in the UNIX timestamp format, in minutes.
tcp_seq The sequence number of the TCP segment.
total_bps The total inbound and outbound traffic rate. Unit: bits/s.
total_packet_bytes The total size of the inbound and outbound traffic. Unit: bytes.
total_packet_count The total number of data packets.
total_pps The total transmission rate of inbound and outbound packets. Unit: packets/s.
src_private_ip The source private IP address.
vul_level The severity of the vulnerability. Valid values:
  • 1: low
  • 2: moderate
  • 3: high
url The URL of the requested resource.
acl_rule_id The ID of the matched access control list (ACL) policy.
ips_rule_id The ID of the matched intrusion prevention system (IPS) policy.
ips_ai_rule_id The ID of the matched intelligent policy.

Bastionhost

Log field Description
__topic__ The topic of the log entry.
owner_id The ID of the Alibaba Cloud account.
content The content of the log entry.
event_type The type of the event. For more information, see Table 5.
instance_id The ID of the Bastionhost instance.
log_level The severity of the log entry.
resource_address The address of the server where the resource resides.
resource_name The name of the resource on which the operation is performed.
result The result of the operation.
session_id The ID of the session.
user_client_ip The source IP address.
user_id The ID of the user.
user_name The username.
Table 5. Event types
Event type Description
cmd.Command The CMD commands.
file.Upload Uploads the file.
file.Download Downloads the file.
file.Rename Renames the file.
file.Delete Deletes the file.
file.DeleteDir Deletes the directory.
file.CreateDir Creates the directory.
graph.Text Text event.
graph.Keyboard Keyboard event.

OSS

Log type Description
Access logs Records access to OSS buckets. The logs are collected in real time.
Batch deletion logs Records information about deleted objects. The logs are collected in real time.
Note: When you call the DeleteObjects API operation, a request record is generated in the access log. The information about the deleted objects is stored in the HTTP body of the request, so the access log shows a hyphen (-) in place of the deleted objects. To retrieve the deleted objects, use the request-id parameter to query the batch deletion log.
Hourly metering logs Records the hourly metering statistics of a specific bucket. A latency of several hours exists in log collection.
Table 6. Bucket storage classes
Storage Type Description
standard Standard
archive Archive
infrequent_access IA
For more information about relevant API operations, see API overview.
Table 7. Access types
Operation Description
AbortMultiPartUpload Terminates the multipart upload.
AppendObject Appends the object.
CommitTransition Commits the transition.
CompleteUploadPart Completes the multipart upload.
CopyObject Copies the object.
DeleteBucket Deletes the bucket.
DeleteLiveChannel Deletes the LiveChannel.
DeleteObject Deletes the object.
DeleteObjects Deletes multiple objects.
ExpireObject Makes the object expire.
GetBucket Queries the objects of the bucket.
GetBucketAcl Obtains permissions on the bucket.
GetBucketCors Queries the cross-origin resource sharing (CORS) rules of the bucket.
GetBucketEventNotification Queries the notification configurations of the bucket.
GetBucketInfo Queries the information about the bucket.
GetBucketLifecycle Queries the lifecycle configurations of the bucket.
GetBucketLocation Queries the region where the bucket resides.
GetBucketLog Queries the access log configurations of the bucket.
GetBucketReferer Queries the hotlink protection configurations of the bucket.
GetBucketReplication Queries the cross-region replication configurations.
GetBucketReplicationProgress Queries the progress of the cross-region replication.
GetBucketStat Queries the information about the bucket.
GetBucketWebSite Queries the static website hosting status of the bucket.
GetLiveChannelStat Queries the status of the LiveChannel.
GetObject Reads the object.
GetObjectAcl Obtains the ACL of the object.
GetObjectInfo Queries the information about the object.
GetObjectMeta Queries the metadata of the object.
GetObjectSymlink Queries the details of the object to which the symbolic link points.
GetPartData Queries the data in all parts of the object.
GetPartInfo Queries the information about all parts of the object.
GetProcessConfiguration Queries the image processing configurations of the bucket.
GetService Queries buckets.
HeadBucket Queries the information about the bucket.
HeadObject Queries the information about the object.
InitiateMultipartUpload Initializes the object for multipart upload.
ListMultiPartUploads Queries multipart upload events.
ListParts Queries the status of all parts of the object.
Options Queries the options.
PostObject Uploads the object by using the form.
PostProcessTask Commits data processing operations, such as taking snapshots.
PostVodPlaylist Creates a video-on-demand (VOD) playlist of the LiveChannel.
ProcessImage Processes the image.
PutBucket Creates the bucket.
PutBucketCors Specifies the CORS rule for the bucket.
PutBucketLifecycle Configures the lifecycle of the bucket.
PutBucketLog Specifies the access log for the bucket.
PutBucketWebSite Specifies the static website hosting mode for the bucket.
PutLiveChannel Creates the LiveChannel.
PutLiveChannelStatus Specifies the status of the LiveChannel.
PutObject Uploads the object.
PutObjectAcl Modifies the ACL of the object.
PutObjectSymlink Creates the object by using a symbolic link.
RedirectBucket Redirects the request to the bucket endpoint.
RestoreObject Restores the object.
UploadPart Resumes uploading the object from a checkpoint.
UploadPartCopy Duplicates the part.
get_image_exif Queries the exchangeable image file format (Exif) data of the image.
get_image_info Queries the length and width of the image.
get_image_infoexif Queries the length, width, and Exif data of the image.
get_style Queries the picture processing rule of the bucket.
list_style Queries all picture processing rules of the bucket.
put_style Creates a picture processing rule for the bucket.
Table 8. Synchronization request types
Synchronization request type Description
- General requests
cdn CDN back-to-origin requests
For more information about signatures, see Verify user signatures.
Table 9. Signature types
Signature type Description
NotSign Indicates that a request was unsigned.
NormalSign Indicates that a request was signed with a regular signature.
UriSign Indicates that a request was signed with a URL signature.
AdminSign Indicates that the request was signed with an administrator account.
  • Access logs
    Log field Description
    __topic__ The topic of the log entry. Valid values: oss_access_log.
    owner_id The ID of the Alibaba Cloud account.
    region The region where the bucket resides.
    access_id The AccessKey ID of the Alibaba Cloud account.
    time The time when OSS receives a request. Use the value of __time__ if a timestamp is required.
    owner_id The Alibaba Cloud account ID of the bucket owner.
    User-Agent The HTTP User-Agent header.
    logging_flag Indicates whether logging has been enabled to periodically export logs to OSS buckets.
    bucket The name of the bucket.
    content_length_in The value of the request Content-Length header. Unit: bytes.
    content_length_out The value of the response Content-Length header. Unit: bytes.
    object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
    object_size The size of a requested object. Unit: bytes.
    operation The API operation. For more information, see Table 7.
    request_uri The URL-encoded URI of a request, including the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
    error_code The error code returned by OSS. For more information, see OSS error response.
    request_length The size of the HTTP request message. Unit: bytes.
    client_ip The IP address from which a request originates. The IP address can be the IP address of the client, firewall, or proxy.
    response_body_length The size of the HTTP response body.
    http_method The HTTP request method.
    referer The Referer HTTP header.
    requester_id The ID of the Alibaba Cloud account. The value of this field is a hyphen (-) if you use anonymous logon.
    request_id The ID of the request.
    response_time The response duration. Unit: milliseconds.
    server_cost_time The time that the OSS server consumes to process a request. Unit: milliseconds.
    http_type The protocol of an HTTP request. Valid values: HTTP and HTTPS.
    sign_type The type of the signature. For more information, see Table 9.
    http_status The HTTP status code returned by the OSS server.
    sync_request The type of the synchronization request. For more information, see Table 8.
    bucket_storage_type The OSS storage class. For more information, see Table 6.
    host The domain name of the OSS server from which resources are requested.
    vpc_addr The VPC IP address of the OSS server. The IP address is resolved from the domain name of the server.
    vpc_id The ID of the VPC.
    delta_data_size The size change of the object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) if the request is not an upload request.
    acc_access_region For a transfer acceleration request, this field is the ID of the region where the requested access point resides. Otherwise, the value of this field is a hyphen (-).
  • Batch deletion logs
    Log field Description
    __topic__ The topic of the log entry. Valid values: oss_batch_delete_log.
    owner_id The ID of the Alibaba Cloud account.
    region The region where the bucket resides.
    client_ip The IP address from which a request originates. The IP address can be the IP address of the client, firewall, or proxy.
    user_agent The HTTP User-Agent header.
    bucket The name of the bucket.
    error_code The error code returned by OSS. For more information, see OSS error response.
    request_length The size of the HTTP request message. Unit: bytes.
    response_body_length The size of the HTTP response body.
    object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
    object_size The size of the requested object. Unit: bytes.
    operation The API operation. For more information, see Table 7.
    bucket_location The cluster to which the bucket belongs.
    http_method The HTTP request method.
    referer The Referer HTTP header.
    request_id The ID of the request.
    http_status The HTTP status code that OSS returns.
    sync_request The type of the synchronization request. For more information, see Table 8.
    request_uri The URL-encoded URI of a request, including the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
    host The domain name of the OSS server from which resources are requested.
    logging_flag Indicates whether logging has been enabled to periodically export logs to OSS buckets.
    server_cost_time The time that the OSS server consumes to process a request. Unit: milliseconds.
    owner_id The Alibaba Cloud account ID of the bucket owner.
    requester_id The Alibaba Cloud ID of the requester. The value of this field is a hyphen (-) for anonymous requests.
    delta_data_size The size change of the object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) if the request is not an upload request.
  • Hourly metering logs
    Log field Description
    __topic__ The topic of the log entry. Valid values: oss_metering_log.
    owner_id The Alibaba Cloud account ID of the bucket owner.
    bucket The name of the bucket.
    cdn_in The inbound traffic from CDN. Unit: bytes.
    cdn_out The outbound traffic to CDN. Unit: bytes.
    get_request The number of GET requests.
    intranet_in The inbound traffic from the internal network. Unit: bytes.
    intranet_out The outbound traffic to the internal network. Unit: bytes.
    network_in The inbound traffic from the public network. Unit: bytes.
    network_out The outbound traffic to the public network. Unit: bytes.
    put_request The number of PUT requests.
    storage_type The OSS storage class. For more information, see Table 6.
    storage The storage usage of the bucket. Unit: bytes.
    metering_datasize The size of metering data in non-standard storage.
    process_img_size The size of the processed image. Unit: bytes.
    process_img The processed image.
    sync_in The inbound synchronization traffic. Unit: bytes.
    sync_out The outbound synchronization traffic. Unit: bytes.
    start_time The time when a metering operation starts. The time is in the UNIX timestamp format.
    end_time The time when a metering operation ends. The time is in the UNIX timestamp format.
    region The region where the bucket resides.
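The note on DeleteObjects earlier in this section says the access log carries a hyphen (-) instead of the deleted objects and that the request ID links the entry to the batch deletion log. The following Python code is an added example, not part of the original documentation, that performs that join on exported records. It assumes the records are available as dictionaries keyed by the field names listed above; all sample values and the function name `correlate_batch_deletes` are constructed for illustration, and `urllib.parse.unquote` stands in for `url_decode(object)`.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample records, shaped like the fields listed above.
ACCESS_LOGS = [
    {"__topic__": "oss_access_log", "operation": "DeleteObjects", "request_id": "REQ-0001",
     "bucket": "example-bucket", "object": "-", "client_ip": "203.0.113.10",
     "requester_id": "1234567890", "sign_type": "NormalSign", "http_status": "200"},
    {"__topic__": "oss_access_log", "operation": "DeleteObjects", "request_id": "REQ-0002",
     "bucket": "example-bucket", "object": "-", "client_ip": "198.51.100.7",
     "requester_id": "-", "sign_type": "NotSign", "http_status": "200"},
    {"__topic__": "oss_access_log", "operation": "GetObject", "request_id": "REQ-0003",
     "bucket": "example-bucket", "object": "docs%2Freadme.txt", "client_ip": "203.0.113.10",
     "requester_id": "1234567890", "sign_type": "NormalSign", "http_status": "200"},
]
BATCH_DELETE_LOGS = [
    {"__topic__": "oss_batch_delete_log", "request_id": "REQ-0001", "object": "backups%2Fdb%202024.sql"},
    {"__topic__": "oss_batch_delete_log", "request_id": "REQ-0001", "object": "backups%2Fkeys.tar"},
]


def correlate_batch_deletes(access_logs, batch_delete_logs):
    """Attach deleted object names to each DeleteObjects access-log entry."""
    deleted = defaultdict(list)
    for rec in batch_delete_logs:
        if rec.get("__topic__") == "oss_batch_delete_log":
            # Python equivalent of url_decode(object) in a query statement.
            deleted[rec["request_id"]].append(unquote(rec["object"]))
    findings = []
    for rec in access_logs:
        if rec.get("__topic__") != "oss_access_log" or rec.get("operation") != "DeleteObjects":
            continue
        objects = deleted.get(rec["request_id"], [])
        findings.append({
            "request_id": rec["request_id"],
            "bucket": rec["bucket"],
            "client_ip": rec["client_ip"],
            "http_status": rec["http_status"],
            "objects": objects,
            # requester_id is "-" for anonymous access; NotSign means unsigned.
            "anonymous": rec["requester_id"] == "-" or rec["sign_type"] == "NotSign",
            # No matching batch deletion entries in the input for this request.
            "unresolved": not objects,
        })
    return findings


if __name__ == "__main__":
    for finding in correlate_batch_deletes(ACCESS_LOGS, BATCH_DELETE_LOGS):
        print(finding)
```

Entries marked `unresolved` are DeleteObjects requests whose object names cannot be recovered from the supplied batch deletion records, and are worth re-querying over a wider time range.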

ApsaraDB for RDS

Log field Description
__topic__ The topic of the log entry. Valid values: rds_audit_log.
owner_id The ID of the Alibaba Cloud account.
region The region where the ApsaraDB for RDS instance resides.
instance_name The name of the ApsaraDB for RDS instance.
instance_id The ID of the ApsaraDB for RDS instance.
db_type The type of the ApsaraDB for RDS instance, for example, mysql, mssql, and pgsql.
db_version The version of the ApsaraDB for RDS instance.
check_rows The number of scanned rows.
db The name of the database in the instance.
fail Indicates whether the SQL statement failed to be executed. Valid values:
  • 0: succeeded
  • 1: failed
client_ip The IP address of the client that accesses the ApsaraDB for RDS instance.
latency The network latency. Unit: microseconds.
origin_time The time when the SQL statement is executed. The time is in the UNIX timestamp format, in microseconds.
return_rows The number of returned rows.
sql The SQL statement.
thread_id The ID of the thread.
user The name of the user who executes the SQL statement.
update_rows The number of updated rows.

Apsara File Storage NAS

Log field Description
owner_id The ID of the Alibaba Cloud account.
ArgIno The inode number of the file system.
AuthRc The authorization return code.
NFSProtocolRc The NFS return code.
OpList The NFSv4 procedure number.
Proc The NFSv3 procedure number.
RWSize The size of the read/write data. Unit: bytes.
RequestId The ID of the request.
ResIno The inode number of lookup resources.
SourceIp The IP address of the client.
Vers The version number of the NFS protocol.
Vip The IP address of the server.
Volume The ID of the file system.
microtime The time when the request is sent. The time is in the UNIX timestamp format, in microseconds.

Alibaba Cloud Mobile Push

Log field Description
__topic__ The topic of the log entry. Valid values: cps_callback_event.
owner_id The ID of the Alibaba Cloud account.
app_key AppKey
message_id The message ID.
event_time The time when the callback event occurs.
event_type The type of the callback event.
device_id The ID of the device.
device_type The type of the device.
last_active_time The last time when the device is active.
app_version The version of the application.
client_ip The IP address of the client.
brand The brand of the device.
network_type The network type of the device.
os The operating system of the device.
os_version The version of the operating system.
isp The ISP of the device.
job_key The key of the job.