Log field details - Application| Alibaba Cloud Documentation Center

ActionTrail

Field details


Log fields	Description
__topic__	Log topic. Fixed value: actiontrail_event.
owner_id	Tenant Account ID.
event	The event body, in the JSON format. The content of the event body varies with the event.
event.eventId	The unique ID of the event.
event.eventName	Event Name.
event.eventSource	Event Source.
event.eventType	Event type.
event.eventVersion	The data format version of ActionTrail, which is fixed at 1.
event.acsRegion	The region of the event.
event.requestId	The request ID that is used to operate a cloud service.
event.apiVersion	The version of the API.
event.errorMessage	The error message of the event failure.
event.serviceName	Event-related service name.
event.sourceIpAddress	The source IP address of the event.
event.userAgent	Event-related client Agent.
event.requestParameters.HostId	The host ID in the request-related parameter.
event.requestParameters.Name	Name in request-related parameters.
event.requestParameters.Region	The domain in the request-related parameter.
event.userIdentity.accessKeyId	The AccessKey ID used by the request.
event.userIdentity.accountId	The ID of the account requested.
event.userIdentity.principalId	The voucher ID of the account requested.
event.userIdentity.type	Type of account requested.
event.userIdentity.userName	Type of account requested.
event.errorCode	The error code of the event failure.
addionalEventData.isMFAChecked	Indicates whether MFA is enabled for the logon account.
addionalEventData.loginAccount	Logon credentials.

Sample log entry

{
  "acsRegion": "cn-hangzhou",
  "additionalEventData": {
    "isMFAChecked": "false",
    "loginAccount": "test1234@aliyun.com"
  },
  "eventId": "7be1e173-1234-44a1-b135-1234",
  "eventName": "ConsoleSignin",
  "eventSource": "http://account.aliyun.com:443/login/login_aliyun.htm",
  "eventTime": "2018-07-12T06:14:50Z",
  "eventType": "ConsoleSignin",
  "eventVersion": "1",
  "requestId": "7be1e173-1234-44a1-b135-1234",
  "serviceName": "AasCustomer",
  "sourceIpAddress": "42.120.75.137",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
  "userIdentity": {
    "accessKeyId": "25****************",
    "accountId": "1234",
    "principalId": "1234",
    "type": "root-account",
    "userName": "root"
  }
}

Server Load Balancer (SLB)


Log field	Description
owner_id	Tenant Account ID
region	The region where the instance is located.
instance_id	Instance ID.
instance_name	The ID of the instance.
network_type	The type of network.
vpc_id	VPC ID
body_bytes_sent	The number of bytes of the HTTP message body sent to the client.
client_ip	Request client IP address.
client_port	Request client port.
host	The hostname. Obtain the value from the request parameters first. If no value is obtained, obtain it from the host header. If the value still cannot be obtained, use the IP address of the backend server that processes the request as the hostname.
http_host	The host header in the request message.
http_referer	The HTTP referer header in the request message received by the proxy.
http_user_agent	The HTTP user-agent header in the request message received by the proxy.
http_x_forwarded_for	The x-forwarded-for content in the request message received by the proxy.
http_x_real_ip	The actual IP address of the client.
read_request_time	The time when the proxy reads the request message. Unit: ms.
request_length	The length of the request message, including the start-line, HTTP headers, and HTTP body.
request_method	The request method.
request_time	The interval between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri	The URI of the request message received by the proxy.
scheme	The schema of the request, for example, http or https.
server_protocol	The HTTP version received by the proxy, such as "HTTP/1.0" or "HTTP/1.1".
slb_vport	The listening port of the SLB instance.
slbid	The ID of the SLB instance.
ssl_cipher	The cipher suite used, such as ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol	The protocol used to establish an SSL connection, such as TLSv1.2.
status	The status of the proxy response message.
tcpinfo_rtt	The tcp rtt of the client. Unit: microseconds.
time	The time when the log entry was created.
upstream_addr	The IP address and port number of the backend server.
upstream_response_time	The total time taken by the SLB instance to establish a connection to the backend server, receive data, and then close the connection. Unit: seconds.
upstream_status	The status code response received by the proxy from the backend server.
vip_addr	vip address.
write_response_time	The response time written by the proxy. Unit: milliseconds.

API Gateway


Log fields	Description
owner_id	The account ID of the API provider.
apiGroupUid	The ID of the API group.
apiGroupName	The name of the API group.
apiUid	API ID
apiName	The name of the API operation.
apiStageUid	The ID of the API stage.
apiStageName	The name of the API stage.
httpMethod	The HTTP method of the request.
path	The request path.
domain	The domain name that sends the request.
statusCode	The HTTP status code.
errorMessage	Error message
appId	The ID of the application that sends the request.
appName	The name of the application that sends the request.
clientIp	The IP address of the client that sends the request.
exception	The specific error message returned by the backend server.
region	The ID of the region, such as cn-hangzhou.
requestHandleTime	The time when the request is sent. It must be in GMT.
requestId	The request ID. It must be globally unique.
requestSize	The size of the request message. Unit: bytes.
responseSize	The size of the response message. Unit: bytes.
serviceLatency	The backend latency. Unit: ms.

Web Application Firewall (WAF)


Field	Description
__topic__	The subject of the log. Set this parameter to waf_access_log.
owner_id	The ID of the Alibaba Cloud account.
acl_action	The action generated by the WAF HTTP ACL policy to the request, such as pass, drop, and captcha. Note Null values or hyphens (-) also indicate pass.
acl_blocks	Indicates whether the HTTP ACL policy is enabled. A value of 1 indicates that the HTTP ACL policy is enabled. A value of 1 indicates that the HTTP ACL policy is enabled.
antibot	The type of the Anti-Bot Service protection strategy that applies, which includes: ratelimit: Frequency control sdk: APP protection algorithm: algorithm model. intelligence: bot intelligence. acl: HTTP ACL policy. blacklist: Blacklist.
antibot_action	The action performed by the Anti-Bot Service protection strategy, which includes: challenge: Verifying using an embedded JavaScript script. drop: Blocking. report: Logging the access event. captcha: Verifying using a slider captcha.
block_action	The type of the WAF protection that is activated, which includes: tmd: Protection against CC attacks. waf: Protection against Web application attacks. acl: HTTP ACL policy. geo: Blocking regions. antifraud: Risk control for data. antibot: Blocking Web crawlers.
body_bytes_sent	The number of bytes of the HTTP message body sent to the client.
cc_action	The anti-HTTP flood protection action. Valid values include none, challenge, pass, close, captcha, wait, and login.
cc_blocks	Indicates whether the HTTP flood protection function is enabled. A value of 1 indicates that the HTTP flood protection function is enabled.
cc_phase	The CC protection strategy that is activated, which can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
content_type	The content type of the access request.
host	The source website.
http_cookie	The client-side cookie, which is included in the request header.
http_referer	The URL information of the request source, which is included in the request header. If no source URL information is displayed, a hyphen (-) is used.
http_user_agent	The User Agent field in the request header, which contains information such as the client browser and the operating system.
http_x_forwarded_for	The X-Forwarded-For (XFF) information in the request header, which identifies the original IP address of the client that connects to the Web server using a HTTP proxy or load balancing.
https	Indicates whether the request is an HTTPS request. true: the request is an HTTPS request. false: the request is an HTTP request.
matched_host	The matched domain name (extensive domain name) that is protected by WAF. If the related domain name configuration cannot be matched, a hyphen (-) is displayed.
querystring	The query string in the request.
real_client_ip	The real IP address of the client. If it cannot be obtained, it is displayed as a dash (-).
region	The information of the region where the WAF instance is located.
remote_addr	The IP address of the client that sends the access request.
remote_port	The port of the client that sends the access request.
request_length	The size of the request, measured in bytes.
request_method	The HTTP request method used in the access request.
request_path	The relative path of the request. The query string is not included.
request_time_msec	The request time, which is measured in microseconds.
request_traceid	The unique ID of the access request that is recorded by WAF.
server_protocol	The response protocol and the version number of the origin server.
status	The status of the HTTP response to the client returned by WAF.
time	The time when the access request occurs.
ua_browser	The information of the browser that sends the request.
ua_browser_family	The family of the browser that the sent the request.
ua_browser_type	The type of the browser that the sent the request.
ua_browser_version	The version of the browser that sends the request.
ua_device_type	The type of the client device that sends the request.
ua_os	The operating system used by the client that sends the request.
ua_os_family	The family of the operating system used by the client.
upstream_addr	A list of origin addresses, separated by commas. The format of an address is IP:Port.
upstream_ip	The origin IP address that corresponds to the access request. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance.
upstream_response_time	The time that the origin site takes to respond to the WAF request, which is measured in seconds. If a hyphen (-) is returned, the response times out.
upstream_status	The response status that WAF receives from the origin server. A hyphen (-) is returned, indicating that there is no response. For example, the request was intercepted by WAF.
user_id	The ID of the Alibaba Cloud account.
waf_action	The Web attack protection policies. Block indicates interception. If you set this parameter to bypass, the attack is blocked.
web_attack_type	The Web attack type such as xss, code_exec, webshell, sqli, lfilei, rfilei, and other.
waf_rule_id	The ID of the WAF rule.

Security Center

Network logs

DNS logs


Log fields	Description
__topic__	Theme, fixed to sas-log-dns.
owner_id	The ID of the Alibaba Cloud account.
additional	The additional field. Separated with vertical bars (\|).
additional_num	The number of additional fields.
answer	DNS response. Separated with vertical bars (\|).
answer_num	The number of DNS responses.
authority	The authority field.
authority_num	The number of authority fields.
client_subnet	Client subnet.
dst_ip	The destination IP address.
dst_port	The destination port.
in_out	Data transmission direction. in: inbound mode. out: outbound.
qid	Query ID.
qname	The domain name to be queried.
qtype	Query type.
query_datetime	The end timestamp of the query. Unit: milliseconds.
rcode	Response code.
region	Source region ID. 1: Beijing 2: Qingdao 3: Hangzhou 4: Shanghai 5: Shenzhen 6: Others
response_datetime	Response date.
src_ip	Source IP address.
src_port	Source port.

Local DNS logs.


Log field	Description
__topic__	Theme, fixed to local-dns.
owner_id	The ID of the Alibaba Cloud account.
answer_rda	DNS response. Separated with vertical bars (\|).
answer_ttl	The interval of DNS responses. Separated with vertical bars (\|).
answer_type	The types of DNS responses. Separated with vertical bars (\|).
anwser_name	The names of DNS responses. Separated with vertical bars (\|).
dest_ip	The destination IP address.
dest_port	The destination port.
group_id	Group ID.
hostname	Hostname.
id	Host IP address.
instance_id	Instance ID.
internet_ip	Internet IP address.
ip_ttl	Time-to-live.
query_name	The domain name to be queried.
query_type	Query Type.
src_ip	Source IP address.
src_port	Source port.
time	The timestamp of the query. Unit: seconds.
time_usecond	The response time. Unit: microseconds.
tunnel_id	Tunnel ID.

Network session log


Log fields	Description
__topic__	Log topic. Fixed value: sas-log-session.
owner_id	The ID of the Alibaba Cloud account.
asset_type	The associated asset type, such as ECS, SLB, and RDS.
dst_ip	Destination IP address.
dst_port	Destination port.
proto	Protocol type, such as tcp and udp.
session_time	Session date.
src_ip	Source IP address.
src_port	Source port.

Web log


Log fields	Description
__topic__	Log topic. Fixed value: sas-log-http.
owner_id	The ID of the Alibaba Cloud account.
content_length	Content length.
dst_ip	Destination IP address.
dst_port	Destination port.
host	Destination host name.
jump_location	Redirected address.
method	HTTP access.
referer	The HTTP referer when the client sends a request to the server, which informs the server of the HTTP link from which the request is initiated.
request_datetime	Request date.
ret_code	Response value.
rqs_content_type	Request content type.
rsp_content_type	Response type.
src_ip	Source IP address.
src_port	Source port.
uri	Request URI.
user_agent	Sends a request to the user client.
x_forward_for	Redirecting information.

Security logs

Vulnerability logs


Log fields	Description
__topic__	Log topic. Fixed value: sas-vul-log.
owner_id	The ID of the Alibaba Cloud account.
name	Vulnerability name.
alias_name	Vulnerability alias.
op	Operation information. new: New. verify: Verify. fix: Repair.
status	For more information, see Table 2.
tag	The vulnerability tag, such as oval, system, and cms. It is used to distinguish emergency (EMG) vulnerabilities.
type	The type of the vulnerability. sys: Windows vulnerabilities cve: Linux vulnerabilities cms: Web CMS vulnerabilities EMG: Emergency vulnerability
uuid	Client UUID.

Baseline logs


Log fields	Description
__topic__	Log topic. Fixed value: sas-hc-log.
owner_id	The ID of the Alibaba Cloud account.
level	Level, for example, low, medium, or high.
op	Operation information. new: New. verify: Verify.
risk_name	Risk name.
status	For more information, see Table 2.
sub_type_alias	Sub-type alias, Chinese.
sub_type_name	Sub-type name.
type_name	Type.
type_alias	Type alias
uuid	Client UUID.

Table 1. Baseline type-sub-type list.
type_name	sub_type_name
system	baseline
weak_password	postsql_weak_password
database	redis_check
account	system_account_security
account	system_account_security
weak_password	mysq_weak_password
weak_password	ftp_anonymous
weak_password	rdp_weak_password
system	group_policy
system	register
account	system_account_security
weak_password	sqlserver_weak_password
system	register
weak_password	ssh_weak_password
weak_password	ftp_weak_password
cis	centos7
cis	tomcat7
cis	memcached-check
cis	mongodb-check
cis	ubuntu14
cis	win2008_r2
system	file_integrity_mon
cis	linux-httpd-2.2-cis
cis	linux-docker-1.6-cis
cis	SUSE11
cis	redhat6
cis	bind9.9
cis	centos6
cis	debain8
cis	redhat7
cis	SUSE12
cis	ubuntu16

Table 2. Security log status codes
Status value	Description
1	Unrepaired.
2	Repair failed.
3	Rollback failed.
4	Fix vulnerabilities.
5	Rolling back.
6	Verifying.
7	Repair succeeded.
8	Repair succeeded. Preparing to restart.
9	Rollback succeeded.
10	Ignore.
11	Rollback succeeded. Preparing to restart.
12	Does not exist.
20	Expired.

Security alert logs


Log fields	Description
__topic__	Log topic. Fixed value: sas-security-log.
owner_id	The ID of the Alibaba Cloud account.
data_source	Data Source. For more information, see Table 3.
level	Alert level.
name	Name. Example: Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
op	Operation information. new: New. dealing: Process.
status	The status information. For more information, see Table 2.
uuid	Client UUID.

Table 3. Data_source list of security alerts
Value	The description of the response.
aegis_suspicious_event	Host suspicion.
aegis_suspicious_file_v2	Webshell
aegis_login_log	Suspicious logon.
security_event	Security Center exception events

Host logs

Process initiation logs


Log fields	Description
__topic__	Log topic. Fixed value: aegis-log-process.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	The IP address of the client.
cmdline	The netstat command.
username	User name.
uid	User ID.
pid	Process ID.
filename	Process filename.
filepath	Full path of the process file.
groupname	The name of the user group.
ppid	Parent process ID.
pfilename	Parent process filename.
pfilepath	Full path of the parent process file.

Process snapshot logs


Log fields	Description
__topic__	Log topic. Fixed value: aegis-snapshot-process.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	The IP address of the client.
cmdline	The netstat command.
pid	Process ID.
name	Process filename.
path	Full path of the process file.
md5	Process files are calculated based on the MD5 algorithm. Process files exceeding 1MB are not calculated.
pname	The file name of the parent process.
start_time	Process start time and built-in field
user	User Name
uid	User ID.

Logon logs

Repeated logons in one minute are saved into one log.


Log fields	Description
__topic__	Log topic. Fixed value: aegis-log-login.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	The IP address of the client.
warn_ip	Source IP address.
warn_port	Logon port.
warn_type	The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	Logon username.
warn_count	Number of logons. For example, three times indicates that two logon requests are sent within one minute before the current logon.

Brute-force cracking log


Log field	Description
__topic__	Log topic. Fixed value: aegis-log-crack.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	The IP address of the client.
warn_ip	Source IP address.
warn_port	Logon port.
warn_type	The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	Logon username.
warn_count	Number of failed logon attempts.

Network connection logs

Changes in network connections are collected on the host every 10 seconds to 1 minute.


Log fields	Description
__topic__	Log topic. Fixed value: aegis-log-network.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	The IP address of the client.
src_ip	Source IP address.
src_port	Source port.
dst_ip	The destination IP address.
dst_port	The destination port.
proc_name	Process name.
proc_path	Process path.
proto	Possible protocols are TCP, UDP, and raw (raw socket).
status	The connection status. For more information, see Table 4.

Table 4. Network connection status and description
Status	The description of the response.
1	closed
2	listen
3	syn send
4	syn recv
5	establisted
6	close wait
7	closing
8	fin_wait1
9	fin_wait2
10	time_wait
11	delete_tcb

Port listening snapshot


Log fields	Description
__topic__	Topic. Fixed to aegis-snapshot-port.
owner_id	The ID of the Alibaba Cloud account.
uuid	Client UUID.
ip	Client machine IP address.
proto	Possible protocols are TCP, UDP, and raw (raw socket).
src_ip	Listening IP address.
src_port	Listening port.
pid	Process ID.
proc_name	Process name.

Account snapshots


Log fields	Description
__topic__	Log topic. Fixed value: aegis-snapshot-host.
owner_id	The ID of the Alibaba Cloud account.
name	Vulnerability name.
alias_name	Vulnerability alias.
op	Operation information. new: New. verify: Verify. fix: Repair.
status	The connection status. For more information, see Table 4.
tag	Vulnerability labels. The labels include oval, system, cms. These labels are used to distinguish emergency (EMG) vulnerabilities.
type	The type of the vulnerability. sys: Windows vulnerabilities cve: Linux vulnerabilities cms: Web CMS vulnerabilities EMG: Emergency vulnerability
uuid	Client UUID.

Distributed Relational Database Service


Field	Description
__topic__	The topic of the log. The value is rds_audit_log.
instance_id	The ID of the DRDS instance.
instance_name	DRDS instance name.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the ApsaraDB for RDS instance resides.
db_name	The name of the DRDS database.
user	The username used to run the SQL statement.
client_ip	The client IP address used to access the DRDS instance.
client_port	The client port used to access the DRDS instance.
sql	The SQL statement that was run.
trace_id	The ID of the TRACE TRACE that is run. A transaction is processed with the tracking ID, hyphen (-), and number, such as drdsabcdxyz-1 or drdsabcdxyz-2.
sql_code	The HASH value of SQL statements in the template.
hint	Specifies the HINT used to run SQL statements.
table_name	The name of the table involved in the query. Separate multiple tables with commas (,).
sql_type	SQL type. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail	The name of the SQL parser.
response_time	The response latency. Unit: ms.
affect_rows	The number of rows returned when the SQL statement is executed. The number of rows affected when the operation is added, deleted, or modified is configured as a query statement.
fail	Indicates whether the SQL statement failed to be run. Valid values: 0: successful 1: failed
sql_time	The start time of SQL execution.

Cloud Firewall


Log fields	Description
__topic__	The value is always cloudfirewall_access_log.
owner_id	The ID of the Alibaba Cloud account.
log_type	The type of the log entry.
app_name	Possible values include HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.
direction	The direction of the traffic. in: inbound out: outbound
domain	The domain name of the consortium member.
dst_ip	The destination IP address.
dst_port	The destination port.
end_time	Session end time, in seconds (Unix timestamp)
in_bps	The size of the inbound traffic. Unit: bps.
in_packet_bytes	The total number of bytes of inbound traffic.
in_packet_count	The total number of packets of inbound traffic.
in_pps	The size of the inbound traffic. Unit: bps.
ip_protocol	The protocol can be TCP or UDP.
out_bps	The size of outbound traffic. Unit: bps.
out_packet_bytes	The total number of bytes of outbound traffic.
out_packet_count	The total number of packets of outbound traffic.
out_pps	The size of outbound traffic. Unit: pps.
region_id	The region of the traffic.
rule_result	The action that the access control policy uses to process packets. pass: The check task returned positive results. alert: Alert. drop: Discard.
src_ip	Source IP address.
src_port	The source port.
start_time	The start time of a session. Unit: Unix timestamp.
start_time_min	Session start time, integer in minutes, unit: Seconds (Unix timestamp).
tcp_seq	The TCP serial number.
total_bps	The total inbound and outbound traffic. Unit: bps.
total_packet_bytes	The total inbound and outbound traffic. Unit: bytes.
total_packet_count	The total number of packets.
total_pps	The total inbound and outbound traffic. Unit: bps.
src_private_ip	The private IP address.
vul_level	The risk level of the vulnerability. 1: low 2: moderate 3: high-risk
url	URL.
acl_rule_id	The ID of the rule that hits the ACL.
ips_rule_id	The ID of the rule that hits the IPS.
ips_ai_rule_id	The ID of the rule that hits the AI job.

Bastionhost


Log fields	Description
__topic__	Log topics
owner_id	The ID of the Alibaba Cloud account.
content	The log content.
event_type	Event type. For more information, see Table 5.
instance_id	The ID of the Bastionhost instance.
log_level	Log Level
resource_address	Resource address.
resource_name	Resource name.
result	Result.
session_id	The ID of the session.
user_client_ip	User source IP address.
user_id	The ID of the user.
user_name	User name.

Table 5. Event type
Example	Description
cmd.Command	Character command
file.Upload	Upload objects
file.Download	Download objects
file.Rename	Rename
file.Delete	Delete
file.DeleteDir	Delete a category
file.CreateDir	Create a directory
graph.Text	Graphic text
graph.Keyboard	Keyboard events

OSS


Log types	Description
Access logs	Record all access to the corresponding OSS buckets.
Batch deletion logs	Record the deletion information in batch deletion logs and collect the information in real time. Note When you call the DeleteObjects API operation, a request record is generated in an access log. The information about the objects that you requested to delete is stored in the HTTP body of a request. Therefore, a hyphen (-) is used to indicate the corresponding object in the access log. To retrieve a list of the deleted objects, check the corresponding batch deletion log. You can use the request_id parameter to associate the batch deletion request with the objects that you want to delete.
Hourly metering log	Record hourly metering statistics in a specific bucket to support analysis. A delay of several hours exists between log generation and log collection.

Table 6. Bucket storage classes
Storage Type	The description of the response.
standard	Standard
archive	Archive
infrequent_access	IA

For more information about each operation, see API overview.

Table 7. Access type
Operation	The description of the response.
AbortMultiPartUpload	Aborts a resumable Upload.
AppendObject	Appends an object.
CommitTransition	Commits a transition.
CompleteUploadPart	Completes a multipart upload.
CopyObject	Copies an object.
DeleteBucket	Deletes a bucket.
DeleteLiveChannel	Deletes a LiveChannel.
DeleteObject	Deletes an object.
DeleteObjects	Deletes multiple objects.
ExpireObject	Makes an object expire.
GetBucket	Queries objects.
GetBucketAcl	Obtains permissions of a bucket.
GetBucketCors	Queries the cross-origin resource sharing (CORS) rules of a bucket.
GetBucketEventNotification	Queries the notification configurations of a bucket.
GetBucketInfo	Queries the information about a bucket.
GetBucketLifecycle	Queries the lifecycle configurations of a bucket.
GetBucketLocation	Queries the region where a bucket is located.
GetBucketLog	Queries the access log configurations of a bucket.
GetBucketReferer	Queries the hotlink protection configurations of a bucket.
GetBucketReplication	Queries the cross-region replication configurations.
GetBucketReplicationProgress	Queries the progress of a cross-region replication.
GetBucketStat	Queries the information about a bucket.
GetBucketWebSite	Queries the static website hosting status of a bucket.
GetLiveChannelStat	Queries the status of a LiveChannel.
GetObject	Reads an object.
GetObjectAcl	Obtains the access control list (ACL) of an object.
GetObjectInfo	Queries the information about an object.
GetObjectMeta	Queries the metadata of an object.
GetObjectSymlink	Queries the details of the object that a symbolic link refers to.
GetPartData	Queries the data in all parts of an object.
GetPartInfo	Queries the information about all parts of an object.
GetProcessConfiguration	Queries the image processing configurations of a bucket.
GetService	Queries buckets.
HeadBucket	Queries the information about a bucket.
HeadObject	Queries the information about an object.
InitiateMultipartUpload	Initializes the object for multipart upload.
ListMultiPartUploads	Queries multipart upload events.
ListParts	Queries status of all parts of an object.
Options	Queries the options.
PostObject	Uploads an object by using a form.
PostProcessTask	Commits data processing operations, such as taking snapshots.
PostVodPlaylist	Creates a video-on-demand (VOD) playlist of a LiveChannel.
ProcessImage	Processes an image.
PutBucket	Creates a bucket.
PutBucketCors	Specifies the CORS rule for a bucket.
PutBucketLifecycle	Specifies the lifecycle configurations of a bucket.
PutBucketLog	Specifies the access log for a bucket.
PutBucketWebSite	Specifies the static website hosting mode for a bucket.
PutLiveChannel	Creates a LiveChannel.
PutLiveChannelStatus	Specifies the status of a LiveChannel.
PutObject	Uploads an object.
PutObjectAcl	Modifies the ACL of an object.
PutObjectSymlink	Creates the object by using the symbolic link.
RedirectBucket	Redirects the request to a bucket endpoint.
RestoreObject	Restores an object.
UploadPart	Resumes uploading an object from a checkpoint.
UploadPartCopy	Copies a part.
get_image_exif	Queries the exchangeable image file format (Exif) data of an image.
get_image_info	Queries the length and width of an image.
get_image_infoexif	Queries the length, width, and Exif data of an image.
get_style	Queries the picture processing rule of a bucket.
list_style	Queries all picture processing rules of a bucket.
put_style	Creates a picture processing rule for a bucket.

Table 8. Synchronization request type
Synchronization request type	The description of the response.
-	General request
cdn	CDN back-to-origin

For more information about signatures, seeVerify user signatures

Table 9. Signature type
Signature type	The description of the response.
NotSign	Not signed.
NormalSign	Indicates that a request was signed with a normal signature.
UriSign	Indicates that a request was signed with a URL signature.
AdminSign	Administrator account

Access logs


Log fields	Description
__topic__	The name of the topic in a log. The value of this field is fixed to oss_access_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where a bucket is located.
access_id	The AccessKey ID of the user's Alibaba Cloud account.
time	The time when OSS receives a request. Use the value of __time__ if a timestamp is required.
owner_id	The user ID of the bucket owner.
User-Agent	The HTTP User-Agent header.
logging_flag	Indicates whether the feature for periodically exporting logs to OSS buckets is enabled.
bucket	Bucket Name
content_length_in	The value of Content-Length in a request header, in bytes.
content_length_out	The value of Content-Length in a response header, in bytes.
object	The URL encoded object of the request. You can use select url_decode(object) to decode the object when querying logs.
object_size	The size of a requested object, in bytes.
operation	The access type. For more information, see Table 7.
request_uri	The URL encoded URI of a request, including the query-string parameter. You can use select url_decode(request_uri) to decode the URI when querying logs.
error_code	The error code returned by OSS. For more information, see OSS error response.
request_length	The size of an HTTP request, including the size of the header. Unit: bytes.
client_ip	The IP address from which a request originates.
response_body_length	The size of the body in an HTTP response, excluding the header.
http_method	HTTP request methods
referer	Requested TTP Referer
requester_id	The ID of the Alibaba Cloud account of the requester. A hyphen (-) is used in an anonymous access.
request_id	The ID of the request.
response_time	The response time of a request, in milliseconds.
server_cost_time	The time consumed by the OSS server to process a request, in milliseconds.
http_type	The type of an HTTP request. The value of this field is HTTP or HTTPS.
sign_type	The signature type. For more information, see Table 9.
http_status	The status code of an HTTP connection returned by the OSS server.
sync_request	The synchronization request type. For more information, see Table 8.
bucket_storage_type	Bucket storage type. For more information, see Table 6.
host	The domain name to access.
vpc_addr	The VPC IP address corresponding to the OSS endpoint.
vpc_id	VPC ID
delta_data_size	The variation of the size of an object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) for requests other than uploads.
acc_access_region	For a request in CDN, this field is the domain name corresponding to the region where the requested access point is located. Otherwise, The value of this field is a hyphen (-).

Batch deletion logs


Log fields	Description
__topic__	The name of the topic in a log. The value of this field is oss_batch_delete_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where a bucket is located.
client_ip	The IP address from which a request originates.
user_agent	The HTTP User-Agent header.
bucket	Bucket Name.
error_code	The error code returned by OSS. For more information, see OSS error response.
request_length	The size of an HTTP request, including the header. Unit: bytes.
response_body_length	The size of the body in an HTTP response, excluding the header.
object	The URL encoded object of the request. You can use select url_decode(object) to decode the object when querying logs.
object_size	The size of the request object. Unit: bytes.
operation	The access type. For more information, see Table 7.
bucket_location	The cluster of the Bucket.
http_method	HTTP request methods
referer	Requested TTP Referer
request_id	The ID of the request.
http_status	The HTTP status code that OSS returns.
sync_request	The synchronization request type. For more information, see Table 8.
request_uri	The URL encoded URI of a request, including the query-string parameter. You can use select url_decode(request_uri) to decode the URI when querying logs.
host	The domain name to access.
logging_flag	Indicates whether logging has been enabled to periodically export logs to OSS buckets.
server_cost_time	The time consumed by the OSS server to process a request, in milliseconds.
owner_id	The ID of the Alibaba Cloud account of the Bucket owner.
requester_id	The Alibaba Cloud ID of the requester. The value of this field is a hyphen (-) for anonymous access.
delta_data_size	The variation of the size of an object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) for requests other than uploads.

Hourly metering log


Log fields	Description
__topic__	The name of the topic in a log. The value of this field is oss_metering_log.
owner_id	The ID of the Alibaba Cloud account of the Bucket owner.
bucket	Bucket Name.
cdn_in	The CDN traffic volume. Unit: bytes.
cdn_out	The CDN of the outbound traffic. Unit: bytes.
get_request	The number of GET requests.
intranet_in	The inbound traffic of the internal network. Unit: bytes.
intranet_out	The internal network outbound traffic. Unit: Byte.
network_in	The inbound traffic from the public network. Unit: bytes.
network_out	The outbound traffic of the public network. Unit: bytes.
put_request	The number of PUT requests.
storage_type	Bucket storage type. For more information, see Table 6.
storage	The storage usage of the Bucket. Unit: bytes.
metering_datasize	The size of metering data in non-standard storage.
process_img_size	The size of a processed image file. Unit: bytes.
process_img	Processed image
sync_in	The amount of synchronized data. Unit: bytes.
sync_out	The synchronization outbound traffic. Unit: bytes.
start_time	The timestamp when a metering operation starts.
end_time	Metering end timestamp
region	The region where a bucket is located.

ApsaraDB for RDS


Log fields	Description
__topic__	The topic of the log. The value is rds_audit_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the instance is located.
instance_name	RDS Instance Name.
instance_id	RDS Instance ID
db_type	The type of the RDS instance, such as mysql, mssql, and pgsql.
db_version	The version of the instance.
check_rows	The number of scanned rows.
db	The name of the database.
fail	Indicates whether the SQL statement failed to be run. Valid values: 0: successful 1: failed
client_ip	The IP address of the client that accessed the RDS instance.
latency	Delay, in microseconds.
origin_time	The duration for which the SQL statement was run, in microseconds.
return_rows	Returns the number of rows.
sql	The SQL statement that was run.
thread_id	The ID of the thread.
user	The username used to run the SQL statement.
update_rows	Updated rows.

Apsara File Storage NAS


Log fields	Description
owner_id	The ID of the Alibaba Cloud account.
ArgIno	The inode number of the file system.
AuthRc	The authorization return code.
NFSProtocolRc	The NFS return code.
OpList	The NFSv4 procedure number.
Proc	The NFSv3 procedure number.
RWSize	The size of the specified plugin package. Unit: bytes.
RequestId	Request ID.
ResIno	The inode number of lookup resources.
SourceIp	Client IP Address
Vers	The version number of the NFS protocol.
Vip	Server IP address.
Volume	File System ID
microtime	The time when the request was sent, in microseconds.

Alibaba Cloud Mobile Push


Log fields	Description
__topic__	Log topic. Fixed value: cps_callback_event.
owner_id	The ID of the Alibaba Cloud account.
app_key	AppKey
message_id	The message ID
event_time	Receipt event time.
event_type	Receipt event type.
device_id	The ID of the device.
device_type	Device Type
last_active_time	The last time when the device was activated.
app_version	The version of the application that is running on EDAS Container.
client_ip	Client IP Address.
brand	Device Brand.
network_type	Device Network type.
os	Operating system of your local machine.
os_version	Version
isp	Operator.
job_key	Task Key