This topic describes the fields of log entries that are collected from Alibaba Cloud services.

ActionTrail

Log field Description
__topic__ The topic of a log entry. Valid value: actiontrail_event.
owner_id The ID of an Alibaba Cloud account.
event The log event in the JSON format. The content of this field varies based on the log event.
event.eventId The ID of an event.
event.eventName The name of an event.
event.eventSource The source of an event.
event.eventType The type of an event.
event.eventVersion The data format version of an event. Valid value: 1.
event.acsRegion The region where an event occurs.
event.requestId The ID of an API request.
event.apiVersion The version of an API operation.
event.errorMessage The error message of an event.
event.serviceName The name of the Alibaba Cloud service that is associated with an event.
event.sourceIpAddress The source IP address that is associated with an event.
event.userAgent The User-Agent HTTP header that is associated with an event.
event.requestParameters.HostId The ID of the host from which a request is sent.
event.requestParameters.Name The name of a request parameter.
event.requestParameters.Region The region from which a request is sent.
event.userIdentity.accessKeyId The AccessKey ID of an account that sends a request.
event.userIdentity.accountId The ID of an account that sends a request.
event.userIdentity.principalId The principal ID of an account that sends a request.
event.userIdentity.type The type of an account that sends a request.
event.userIdentity.userName The username of an account that sends a request.
event.errorCode The error code of an event.
addionalEventData.isMFAChecked Indicates whether multi-factor authentication (MFA) is enabled for the account that is used to log on to Log Service.
addionalEventData.loginAccount The logon account.

Server Load Balancer (SLB)

Log field Description
owner_id The ID of an Alibaba Cloud account.
region The region where an instance resides.
instance_id The ID of an instance.
instance_name The name of an instance.
network_type The type of network. Valid values: VPC and Classic.
vpc_id The ID of a VPC.
body_bytes_sent The size of the HTTP response message body that is sent to a client.
client_ip The IP address of a client that sends a request.
client_port The port number of a client that sends a request.
host The IP address of a server. The value is first obtained from the request parameters. If no value is obtained, the value is obtained from the host header field. If the value still cannot be obtained, the IP address of the backend server that processes the request is obtained as the field value.
http_host The HTTP Host header in a request message.
http_referer The HTTP Referer header in a request message that is received by the proxy.
http_user_agent The User-Agent HTTP header in a request message that is received by the proxy.
http_x_forwarded_for The X-Forwarded-For (XFF) HTTP header in a request message that is received by the proxy.
http_x_real_ip The real IP address of a client.
read_request_time The duration in which the proxy reads a request message. Unit: milliseconds.
request_length The length of a request message. This field includes the start-line, HTTP headers, and HTTP body.
request_method The request method.
request_time The duration between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri The URI of a request that is received by the proxy.
scheme The protocol of a request, for example, HTTP or HTTPS.
server_protocol The HTTP version that is received by the proxy, for example, HTTP/1.0 or HTTP/1.1.
slb_vport The listening port of an SLB instance.
slbid The ID of an SLB instance.
ssl_cipher The used cipher suite, for example, ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol The protocol that is used to establish an SSL connection, for example, TLSv1.2.
status The HTTP status code that is sent from the proxy.
tcpinfo_rtt The RTT of TCP packets. Unit: microseconds.
time The time when a log entry is recorded.
upstream_addr The IP address and port number of the backend server.
upstream_response_time The duration of the connection between the proxy and backend server. Unit: seconds.
upstream_status The HTTP status code that is received by the proxy from the backend server.
vip_addr The virtual IP address.
write_response_time The duration in which the proxy writes a response message. Unit: milliseconds.

API Gateway

Log field Description
owner_id The ID of the account to which an API belongs.
apiGroupUid The ID of the group to which an API belongs.
apiGroupName The name of the group to which an API belongs.
apiUid The ID of an API.
apiName The name of an API.
apiStageUid The stage ID of an API.
apiStageName The stage name of an API.
httpMethod The HTTP method that is used by an API request.
path The path of an API request.
domain The domain name of the resource for which an API request is sent.
statusCode The HTTP status code.
errorMessage The error message that is returned.
appId The ID of the application from which an API request is sent.
appName The name of the application from which an API request is sent.
clientIp The IP address of a client that sends an API request.
exception The specific error message that is returned by the backend server.
region The ID of a region, for example, cn-hangzhou.
requestHandleTime The time when an API request is sent. The time is in Greenwich Mean Time (GMT).
requestId The ID of an API request. The ID is globally unique.
requestSize The size of an API request. Unit: bytes.
responseSize The size of a response message. Unit: bytes.
serviceLatency The response latency of the backend server. Unit: milliseconds.

Web Application Firewall (WAF)

Log field Description
__topic__ The topic of a log entry. Valid value: waf_access_log.
owner_id The ID of an Alibaba Cloud account.
acl_action The action that is performed by WAF. This is the action that is triggered in response to a request based on an HTTP ACL policy, for example, pass, drop, or captcha.
Note: If the value is null or a hyphen (-), this field also indicates the pass action.
acl_blocks Indicates whether a request is blocked by an HTTP ACL policy.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
antibot The type of an Anti-Bot Service protection policy that is triggered. Valid values:
  • ratelimit: frequency control
  • sdk: app protection
  • algorithm: intelligent algorithm
  • intelligence: bot threat intelligence
  • acl: HTTP ACL policy
  • blacklist: blacklist
antibot_action The action that is performed based on an Anti-Bot Service protection policy. Valid values:
  • challenge: verifies a request by using an embedded JavaScript.
  • drop: blocks bot threats.
  • report: logs access events.
  • captcha: verifies a request by using a slider captcha.
block_action The type of a WAF protection feature that is triggered. Valid values:
  • tmd: protection against HTTP flood attacks
  • waf: protection against Web application attacks
  • acl: HTTP ACL policy
  • geo: region blocking
  • antifraud: data risk control
  • antibot: anti-bot
body_bytes_sent The size of an HTTP message body that is sent to a client. Unit: bytes.
cc_action The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, login, or n.
cc_blocks Indicates whether the request is blocked by the HTTP flood protection feature.
  • If the value is 1, the request is blocked.
  • If the value is not 1, the request is passed.
cc_phase The HTTP flood protection policy that is triggered. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
content_type The content type of an access request.
host The origin server.
http_cookie The HTTP Cookie header. This field includes the information of a client.
http_referer The HTTP Referer header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed.
http_user_agent The User-Agent HTTP header. This field includes information such as a client browser and an operating system.
http_x_forwarded_for The XFF HTTP header. This field identifies the original IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.
https Indicates whether a request is an HTTPS request. Valid values:
  • true: The request is an HTTPS request.
  • false: The request is an HTTP request.
matched_host The matched origin server. This can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
querystring The query string in a request URL.
real_client_ip The real IP address of a client. If no real IP address is obtained, a hyphen (-) is displayed.
region The region where a WAF instance resides.
remote_addr The IP address of a client that sends a request.
remote_port The port number of a client.
request_length The size of a request message. Unit: bytes.
request_method The method of an HTTP access request.
request_path The relative path of a request. The query string is not included.
request_time_msec The duration in which a request is processed. Unit: milliseconds.
request_traceid The unique ID of a request that is traced by WAF.
server_protocol The type and version number of a response protocol that is used by an origin server.
status The HTTP status code that is returned by WAF to a client.
time The time when a request is sent.
ua_browser The information of a browser that sends a request.
ua_browser_family The family of a browser that sends a request.
ua_browser_type The type of a browser that sends a request.
ua_browser_version The version of a browser that sends a request.
ua_device_type The type of a client.
ua_os The operating system of a client.
ua_os_family The family of the operating system that runs on a client.
upstream_addr The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.
upstream_response_time The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response times out.
upstream_status The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out.
user_id The ID of an Alibaba Cloud account.
waf_action The action that is performed based on a web attack protection policy. If the value is block, the request is blocked. If the value is not block, the request is passed.
web_attack_type The type of a web attack, for example, xss, code_exec, webshell, sqli, lfilei, rfilei, or other.
waf_rule_id The ID of a WAF rule that is matched.
ssl_cipher The SSL cipher suite.
ssl_protocol The version of the SSL protocol.
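The WAF fields above record the outcome of a request in several places (acl_blocks, cc_blocks, waf_action, antibot_action), and a hyphen in upstream_status can mean either a WAF block or an origin timeout. The following is an added example, not code from the original documentation, that turns one entry into a single verdict and counts blocks per client. The sample entries are constructed, and treating the literal string "null" the same as a missing value is an assumption.

```python
from collections import Counter


def _val(entry, key):
    """Return a field as a stripped string, or None when it is absent,
    empty, a hyphen (-) or the literal "null" (assumption: the page only
    says "null or a hyphen")."""
    raw = entry.get(key)
    if raw is None:
        return None
    text = str(raw).strip()
    return None if text in ("", "-", "null") else text


def blocking_modules(entry):
    """List the protection modules whose own fields say the request was blocked."""
    modules = []
    if _val(entry, "acl_blocks") == "1":          # 1 = blocked by an HTTP ACL policy
        modules.append("acl")
    if _val(entry, "cc_blocks") == "1":           # 1 = blocked by HTTP flood protection
        modules.append("cc")
    if _val(entry, "waf_action") == "block":      # block = web attack protection
        modules.append("waf")
    if _val(entry, "antibot_action") == "drop":   # drop = Anti-Bot Service blocked it
        modules.append("antibot")
    return modules


def client_ip(entry):
    """Prefer real_client_ip; fall back to remote_addr when it is a hyphen."""
    return _val(entry, "real_client_ip") or _val(entry, "remote_addr")


def classify(entry):
    """Reduce one waf_access_log entry to a verdict plus the context to triage it."""
    modules = blocking_modules(entry)
    if modules:
        verdict = "blocked"
    elif _val(entry, "upstream_status") is None:
        # A hyphen (or a missing field) here means "blocked by WAF or the
        # origin timed out"; no per-module field confirms a block, so the
        # ambiguity is kept instead of guessing.
        verdict = "blocked_or_timeout"
    else:
        verdict = "passed"
    return {
        "verdict": verdict,
        "modules": modules,
        "client_ip": client_ip(entry),
        # null or "-" in acl_action also indicates the pass action
        "acl_action": _val(entry, "acl_action") or "pass",
        "triggered_feature": _val(entry, "block_action"),
        "attack_type": _val(entry, "web_attack_type"),
    }


def summarize(entries):
    """Count confirmed blocks per (client IP, module) pair."""
    counts = Counter()
    for entry in entries:
        result = classify(entry)
        for module in result["modules"]:
            counts[(result["client_ip"], module)] += 1
    return counts


# Constructed sample entries (documentation IP ranges, not real traffic).
SAMPLE = [
    {"__topic__": "waf_access_log", "real_client_ip": "203.0.113.7",
     "remote_addr": "198.51.100.20", "acl_action": "-", "acl_blocks": "0",
     "cc_blocks": "0", "waf_action": "block", "web_attack_type": "sqli",
     "block_action": "waf", "upstream_status": "-"},
    {"__topic__": "waf_access_log", "real_client_ip": "-",
     "remote_addr": "198.51.100.21", "acl_action": "pass", "acl_blocks": "0",
     "cc_blocks": "0", "waf_action": "-", "upstream_status": "200"},
    {"__topic__": "waf_access_log", "real_client_ip": "203.0.113.7",
     "remote_addr": "198.51.100.20", "acl_action": "drop", "acl_blocks": 1,
     "cc_blocks": "0", "waf_action": "-", "block_action": "acl",
     "upstream_status": "-"},
    {"__topic__": "waf_access_log", "real_client_ip": "203.0.113.9",
     "remote_addr": "198.51.100.22", "acl_blocks": "0", "cc_blocks": "0",
     "waf_action": "-", "upstream_status": "-", "upstream_response_time": "-"},
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(classify(item))
    print(summarize(SAMPLE))
```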

Security Center

  • Network logs
    • DNS logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: sas-log-dns.
      owner_id The ID of an Alibaba Cloud account.
      additional The fields in the additional section. The fields are separated by vertical bars (|).
      additional_num The number of fields in the additional section.
      answer The DNS responses. These responses are separated by vertical bars (|).
      answer_num The number of DNS responses.
      authority The fields in the authority section.
      authority_num The number of fields in the authority section.
      client_subnet The subnet where a client resides.
      dst_ip The IP address of a destination server.
      dst_port The destination port.
      in_out The direction of data flows. Valid values:
      • in: inbound data flows
      • out: outbound data flows
      qid The ID of a query.
      qname The domain name to be queried.
      qtype The type of a resource to be queried.
      query_datetime The timestamp of a query. Unit: milliseconds.
      rcode The code of a response.
      region The ID of a source region. Valid values:
      • 1: China (Beijing)
      • 2: China (Qingdao)
      • 3: China (Hangzhou)
      • 4: China (Shanghai)
      • 5: China (Shenzhen)
      • 6: Others
      response_datetime The time when a response is returned.
      src_ip The IP address of a source server.
      src_port The source port.
    • Local DNS logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: local-dns.
      owner_id The ID of an Alibaba Cloud account.
      answer_rda The DNS responses. These responses are separated by vertical bars (|).
      answer_ttl The time-to-live (TTL) of resource records in DNS responses. The values are separated by vertical bars (|).
      answer_type The types of resource records in DNS responses. The values are separated by vertical bars (|).
      anwser_name The domain names in DNS responses. The values are separated by vertical bars (|).
      dest_ip The IP address of a destination server.
      dest_port The destination port.
      group_id The ID of the group to which a host belongs.
      hostname The hostname.
      id The IP address of a host.
      instance_id The ID of an instance.
      internet_ip The public IP address of a host.
      ip_ttl The TTL of the data packets that are sent by a host.
      query_name The domain name to be queried.
      query_type The type of a resource to be queried.
      src_ip The IP address of a source server.
      src_port The source port.
      time The timestamp of a query. Unit: seconds.
      time_usecond The response duration. Unit: microseconds.
      tunnel_id The ID of a DNS tunnel.
    • Network session logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: sas-log-session.
      owner_id The ID of an Alibaba Cloud account.
      asset_type The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS.
      dst_ip The IP address of a destination server.
      dst_port The destination port.
      proto The type of a transport layer protocol, for example, TCP or UDP.
      session_time The duration of a session.
      src_ip The IP address of a source server.
      src_port The source port.
    • Web logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: sas-log-http.
      owner_id The ID of an Alibaba Cloud account.
      content_length The content length of an HTTP request message.
      dst_ip The IP address of a destination server.
      dst_port The destination port.
      host The hostname of a web server.
      jump_location The IP address of an HTTP redirect.
      method The HTTP request method.
      referer The HTTP Referer header. This field includes the address of the web page that sends a request.
      request_datetime The time when a request is sent.
      ret_code The HTTP status code.
      rqs_content_type The content type of an HTTP request message.
      rsp_content_type The content type of an HTTP response message.
      src_ip The IP address of a source server.
      src_port The source port.
      uri The URI of a request.
      user_agent The user agent of a client that sends a request.
      x_forward_for The XFF HTTP header.
  • Security logs
    • Vulnerability logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: sas-vul-log.
      owner_id The ID of an Alibaba Cloud account.
      name The name of a vulnerability.
      alias_name The alias of a vulnerability.
      op The action that is performed on a vulnerability. Valid values:
      • new: detects a baseline.
      • verify: verifies the vulnerability.
      • fix: fixes the vulnerability.
      status The status of a vulnerability. For more information, see Table 2.
      tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities.
      type The type of a vulnerability. Valid values:
      • sys: Windows vulnerability
      • cve: Linux vulnerability
      • cms: Web CMS vulnerability
      • EMG: Emergency vulnerability
      uuid The universally unique identifier (UUID) of a client.
    • Baseline logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: sas-hc-log.
      owner_id The ID of an Alibaba Cloud account.
      level The level of a baseline. Valid values: low, medium, and high.
      op The action that is performed on a baseline. Valid values:
      • new: detects a baseline.
      • verify: verifies the baseline.
      risk_name The name of a baseline risk.
      status The status of a baseline. For more information, see Table 2.
      sub_type_alias The subtype alias of a baseline.
      sub_type_name The subtype of a baseline.
      type_name The type of a baseline.
      type_alias The type alias of a baseline.
      uuid The UUID of a client.
      check_item The name of a check item.
      check_level The level of a check item.
      check_type The type of a check item.
      Table 1. Types and subtypes of baselines
      type_name sub_type_name
      system baseline
      weak_password postsql_weak_password
      database redis_check
      account system_account_security
      account system_account_security
      weak_password mysq_weak_password
      weak_password ftp_anonymous
      weak_password rdp_weak_password
      system group_policy
      system register
      account system_account_security
      weak_password sqlserver_weak_password
      system register
      weak_password ssh_weak_password
      weak_password ftp_weak_password
      cis centos7
      cis tomcat7
      cis memcached-check
      cis mongodb-check
      cis ubuntu14
      cis win2008_r2
      system file_integrity_mon
      cis linux-httpd-2.2-cis
      cis linux-docker-1.6-cis
      cis SUSE11
      cis redhat6
      cis bind9.9
      cis centos6
      cis debain8
      cis redhat7
      cis SUSE12
      cis ubuntu16
      Table 2. Status codes of security logs
      Status code Description
      1 Unfixed.
      2 Fix failed.
      3 Rollback failed.
      4 Fixing.
      5 Rolling back.
      6 Verifying.
      7 Fixed.
      8 Fixed. Waiting for a restart.
      9 Rollback succeeded.
      10 Ignored.
      11 Rollback succeeded. Waiting for a restart.
      12 No longer exists.
      20 Expired.
    • Security alert logs
      Log field Description
      __time__ The time when a connection is established, for example, 2018-02-27 11:58:15.
      __topic__ The topic of a log entry. Valid value: sas-security-log.
      data_source The source of the data. For more information, see Table 3.
      level The severity of an alert.
      name The name of an alert, for example, Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
      op The action that is performed on an alert. Valid values:
      • new: An alert is triggered.
      • dealing: The alert is being processed.
      status The status of an alert. For more information, see Table 2.
      uuid The UUID of a client.
      detail The detail of an alert, for example, {"loginSourceIp":"120.27.28.118","loginTimes":1,"type":"login_common_location","loginDestinationPort":22,"loginUser":"aike","protocol":2,"protocolName":"SSH","location":"Qingdao"}.
      unique_info The unique identifier of an alert for a single server, for example, 2536dd765f804916a1fa3b9516b5d512.
      Table 3. Values of the data_source field in security alert logs
      Value Description
      aegis_suspicious_event Server exceptions
      aegis_suspicious_file_v2 Webshell
      aegis_login_log Suspicious logon
      security_event Security Center exceptions
  • Host logs
    • Process startup logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-log-process.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      cmdline The full command line to start a process.
      username The username.
      uid The ID of a user.
      pid The ID of a process.
      filename The name of a process file.
      filepath The full path of a process file.
      groupname The name of a user group.
      ppid The ID of a parent process.
      pfilename The name of a parent process file.
      pfilepath The full path of a parent process file.
    • Process snapshot logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-snapshot-process.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      cmdline The full command line to start a process.
      pid The ID of a process.
      name The name of a process file.
      path The full path of a process file.
      md5 The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated.
      pname The name of a parent process file.
      start_time The time when a process starts. This field is a built-in field.
      user The username.
      uid The ID of a user.
    • Logon logs
      The logon attempts within 1 minute are recorded in one log entry.
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-log-login.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      warn_ip The IP address of a source server.
      warn_port The logon port.
      warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user The logon username.
      warn_count The number of logon attempts. For example, the value 3 indicates that two logon requests are sent in the 1 minute before the current logon.
    • Brute-force cracking logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-log-crack.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      warn_ip The IP address of a source server.
      warn_port The logon port.
      warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user The logon username.
      warn_count The number of failed logon attempts.
    • Network connection logs
      Changes in network connections are collected on the host every 10 seconds to 1 minute.
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-log-network.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      src_ip The IP address of a source server.
      src_port The source port.
      dst_ip The IP address of a destination server.
      dst_port The destination port.
      proc_name The name of a process.
      proc_path The path of a process file.
      proto The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket).
      status The connection status. For more information, see Table 4.
      Table 4. Status codes of network connections
      Status Description
      1 closed
      2 listen
      3 syn send
      4 syn recv
      5 established
      6 close wait
      7 closing
      8 fin_wait1
      9 fin_wait2
      10 time_wait
      11 delete_tcb
    • Port listening snapshot logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-snapshot-port.
      owner_id The ID of an Alibaba Cloud account.
      uuid The UUID of a client.
      ip The IP address of a client.
      proto The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket).
      src_ip The IP address of a listener port.
      src_port The listener port.
      pid The ID of a process.
      proc_name The name of a process.
    • Account snapshot logs
      Log field Description
      __topic__ The topic of a log entry. Valid value: aegis-snapshot-host.
      owner_id The ID of an Alibaba Cloud account.
      name The name of a vulnerability.
      alias_name The alias of a vulnerability.
      op The action that is performed on a vulnerability. Valid values:
      • new: detects a new vulnerability.
      • verify: verifies the vulnerability.
      • fix: fixes the vulnerability.
      status The connection status. For more information, see Table 4.
      tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities.
      type The type of a vulnerability. Valid values:
      • sys: Windows vulnerability
      • cve: Linux vulnerability
      • cms: Web CMS vulnerability
      • EMG: Emergency vulnerability
      uuid The UUID of a client.

PolarDB-X

Log field Description
__topic__ The topic of a log entry. Valid value: drds_audit_log.
instance_id The ID of a PolarDB-X instance.
instance_name The name of a PolarDB-X instance.
owner_id The ID of an Alibaba Cloud account.
region The region where a PolarDB-X instance resides.
db_name The name of a PolarDB-X database.
user The name of the user who executes an SQL statement.
client_ip The IP address of a client that accesses a PolarDB-X instance.
client_port The port number of a client that accesses a PolarDB-X instance.
sql The SQL statement.
trace_id The trace ID of an SQL statement when it is executed. If a transaction is executed, it is tracked by using an ID. The ID consists of the trace ID, a hyphen (-), and a number, for example, drdsabcdxyz-1 and drdsabcdxyz-2.
sql_code The hash value of a template SQL statement.
hint The hint that is used to execute an SQL statement.
table_name The names of the tables that are involved in a query. Multiple tables are separated by commas (,).
sql_type The type of an SQL statement. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail The name of an SQL parser.
response_time The response duration. Unit: milliseconds.
affect_rows The number of affected or returned rows when an SQL statement is executed.
fail Indicates the result after an SQL statement is executed. Valid values:
  • 0: successful
  • 1: failed
sql_time The time when an SQL statement is executed.

Cloud Firewall

Log field Description
__topic__ The topic of a log entry. Valid value: cloudfirewall_access_log.
owner_id The ID of an Alibaba Cloud account.
log_type The type of a log entry.
app_name The name of the protocol over which an application is accessed. The value can be HTTPS, NTP, SIP, SMB, NFS, or DNS. If the protocol is unknown, the value is displayed as Unknown.
direction The direction of Internet traffic. Valid values:
  • in: inbound traffic
  • out: outbound traffic
domain The domain name of a destination server.
dst_ip The IP address of a destination server.
dst_port The destination port.
end_time The time when a session ends. Unit: seconds (UNIX timestamp).
in_bps The rate of inbound traffic. Unit: bit/s.
in_packet_bytes The total size of inbound packets. Unit: bytes.
in_packet_count The total number of inbound packets.
in_pps The rate of inbound packets. Unit: packet/s.
ip_protocol The type of an IP protocol. Valid values: TCP and UDP.
out_bps The rate of outbound traffic. Unit: bit/s.
out_packet_bytes The total size of the outbound traffic. Unit: bytes.
out_packet_count The total number of outbound packets.
out_pps The rate of outbound packets. Unit: packet/s.
region_id The region from which access traffic originates.
rule_result The result of how an access policy processes Internet traffic. Valid values:
  • pass: Data packets are allowed to pass Cloud Firewall.
  • alert: An alert is triggered when data packets attempt to pass Cloud Firewall.
  • drop: Data packets are dropped.
src_ip The IP address of a source server.
src_port The source port of a host that sends traffic data.
start_time The time when a session starts. Unit: seconds (UNIX timestamp).
start_time_min The time when a session starts. The value of this field is rounded up to the next minute. Unit: seconds (UNIX timestamp).
tcp_seq The sequence number of a TCP segment.
total_bps The total rate of inbound and outbound packets. Unit: bit/s.
total_packet_bytes The total size of inbound and outbound packets. Unit: bytes.
total_packet_count The total number of packets.
total_pps The total rate of inbound and outbound packets. Unit: bit/s.
src_private_ip The private IP address of a source server.
vul_level The risk level of a vulnerability. Valid values:
  • 1: low
  • 2: medium
  • 3: high
url The URL of a resource that is accessed.
acl_rule_id The ID of an access control list (ACL) policy that is matched.
ips_rule_id The ID of an intrusion prevention system (IPS) policy that is matched.
ips_ai_rule_id The ID of an intelligent policy that is matched.

Bastionhost

Log field Description
__topic__ The topic of a log entry.
owner_id The ID of an Alibaba Cloud account.
content The content of a log entry.
event_type The type of an event. For more information, see Table 5.
instance_id The ID of a bastion host.
log_level The severity of a log entry.
resource_address The address of the server where a resource resides.
resource_name The name of the resource on which an operation is performed.
result The result of an operation.
session_id The ID of a session.
user_client_ip The source IP address.
user_id The ID of a user.
user_name The username.
Table 5. Event types
Event type Description
cmd.Command The CMD commands.
file.Upload Uploads a file.
file.Download Downloads a file.
file.Rename Renames a file.
file.Delete Deletes a file.
file.DeleteDir Deletes a directory.
file.CreateDir Creates a directory.
graph.Text Text event.
graph.Keyboard Keyboard event.

Object Storage Service (OSS)

Log type Description
Access logs Records access to OSS buckets. The logs are collected in real time.
Batch deletion logs Records information of deleted objects. The logs are collected in real time.
Note: When you call the DeleteObjects API operation, a request record is generated in an access log. The information of the deleted objects is stored in the HTTP body of a request. A hyphen (-) is used to indicate the deleted objects in the access log. To retrieve the deleted objects, you can use the request_id parameter to query the deleted objects in the batch deletion log.
Hourly metering logs Records the hourly metering statistics of a specific bucket. A latency of several hours exists in log collection.
Table 6. Bucket storage classes
Storage type Description
standard Standard
archive Archive
infrequent_access IA
For information about related API operations, see API overview.
Table 7. Access types
Operation Description
AbortMultiPartUpload Cancels a multipart upload task.
AppendObject Appends an object to an existing object.
CompleteUploadPart Completes the multipart upload task of an object.
CopyObject Copies an object.
DeleteBucket Deletes a bucket.
DeleteLiveChannel Deletes a LiveChannel.
DeleteObject Deletes an object.
DeleteObjects Deletes multiple objects.
GetBucket Lists all objects in a bucket.
GetBucketAcl Queries the access control list (ACL) of a bucket.
GetBucketCors Queries the cross-origin resource sharing (CORS) rules of a bucket.
GetBucketEventNotification Queries the notification configurations of a bucket.
GetBucketInfo Queries the information of a bucket.
GetBucketLifecycle Queries the lifecycle rules configured for the objects in a bucket.
GetBucketLocation Queries the region where a bucket resides.
GetBucketLog Queries the access log configurations of a bucket.
GetBucketReferer Queries the hotlink protection rules configured for a bucket.
GetBucketReplication Queries the cross-region replication (CRR) rules configured for a bucket.
GetBucketReplicationProgress Queries the progress of a CRR task that is performed on a bucket.
GetBucketStat Queries the information of a bucket.
GetBucketWebSite Queries the status of the static website hosting for a bucket.
GetLiveChannelStat Queries the status of a LiveChannel.
GetObject Reads an object.
GetObjectAcl Queries the ACL of an object.
GetObjectInfo Queries the information of an object.
GetObjectMeta Queries the metadata of an object.
GetObjectSymlink Queries the symbolic link of an object.
GetPartData Queries the data in all parts of an object.
GetPartInfo Queries the information of all parts of an object.
GetProcessConfiguration Queries the image processing configurations of a bucket.
GetService Lists all buckets.
HeadBucket Queries the information of a bucket.
HeadObject Queries the information of an object.
InitiateMultipartUpload Initializes the multipart upload for an object.
ListMultiPartUploads Lists multipart upload events.
ListParts Queries the status of all parts of an object.
PostObject Uploads an object by using a form.
PostProcessTask Commits data processing operations, such as screenshots.
PostVodPlaylist Creates a video-on-demand (VOD) playlist of a LiveChannel.
ProcessImage Processes an image.
PutBucket Creates a bucket.
PutBucketCors Specifies the CORS rule for a bucket.
PutBucketLifecycle Specifies the lifecycle of a bucket.
PutBucketLog Specifies the access log for a bucket.
PutBucketWebSite Specifies the static website hosting mode for a bucket.
PutLiveChannel Creates a LiveChannel.
PutLiveChannelStatus Specifies the status of a LiveChannel.
PutObject Uploads an object.
PutObjectAcl Modifies the ACL of an object.
PutObjectSymlink Creates a symbolic link for an object.
RedirectBucket Redirects the request to a bucket endpoint.
RestoreObject Restores an object.
UploadPart Resumes the upload of an object from a specified checkpoint.
UploadPartCopy Copies a part of an object.
get_image_exif Queries the exchangeable image file format (Exif) data of an image.
get_image_info Queries the length and width of an image.
get_image_infoexif Queries the length, width, and Exif data of an image.
get_style Queries the style of a bucket.
list_style Queries all styles of a bucket.
put_style Creates a picture processing rule for a bucket.
Table 8. Synchronization request types
Synchronization request type Description
- General requests
cdn CDN back-to-origin requests
For information about signatures, see Verify user signatures.
Table 9. Signature types
Signature type Description
NotSign A request is unsigned.
NormalSign A request is signed with a regular signature.
UriSign A request is signed with a URL signature.
AdminSign A request is signed with an administrator account.
  • Access logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: oss_access_log.
    owner_id The ID of an Alibaba Cloud account.
    region The region where a bucket resides.
    access_id The AccessKey ID that is used to access OSS.
    time The time when OSS receives a request. If a timestamp is required, use the value of the __time__ field.
    owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner.
    User-Agent The User-Agent HTTP header.
    logging_flag Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals.
    bucket The name of a bucket.
    content_length_in The value of the Content-Length field in an HTTP request. Unit: bytes.
    content_length_out The value of the Content-Length field in an HTTP response. Unit: bytes.
    object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
    object_size The size of a requested object. Unit: bytes.
    operation The API operation. For more information, see Table 7.
    request_uri The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
    error_code The error code that is returned by OSS. For more information, see Error responses.
    request_length The size of an HTTP request message that includes the header information. Unit: bytes.
    client_ip The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy.
    response_body_length The size of an HTTP response body that excludes the header information.
    http_method The HTTP request method.
    referer The HTTP Referer header.
    requester_id The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-).
    request_id The ID of a request.
    response_time The response duration. Unit: milliseconds.
    server_cost_time The time that the OSS instance takes to process a request. Unit: milliseconds.
    http_type The protocol of an HTTP request. Valid values: HTTP and HTTPS.
    sign_type The type of a signature. For more information, see Table 9.
    http_status The HTTP status code that OSS returns for a request.
    sync_request The type of a synchronization request. For more information, see Table 8.
    bucket_storage_type The bucket storage class. For more information, see Table 6.
    host The domain name of an OSS server from which resources are requested.
    vpc_addr The VPC IP address of an OSS server. The IP address is based on the domain name of the server.
    vpc_id VPC ID
    delta_data_size The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-).
    acc_access_region If a request is a transfer acceleration request, this field indicates the ID of the region where the requested access point resides. Otherwise, the value of this field is a hyphen (-).
  • Batch deletion logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: oss_batch_delete_log.
    owner_id The ID of an Alibaba Cloud account.
    region The region where a bucket resides.
    client_ip The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy.
    user_agent The User-Agent HTTP header.
    bucket The name of a bucket.
    error_code The error code that is returned by OSS. For more information, see Error responses.
    request_length The size of an HTTP request message that includes the header information. Unit: bytes.
    response_body_length The size of an HTTP response body that excludes the header information.
    object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
    object_size The size of a requested object. Unit: bytes.
    operation The API operation. For more information, see Table 7.
    bucket_location The cluster to which a bucket belongs.
    http_method The HTTP request method.
    referer The HTTP Referer header.
    request_id The ID of a request.
    http_status The HTTP status code that is returned by an OSS request.
    sync_request The type of a synchronization request. For more information, see Table 8.
    request_uri The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
    host The domain name of an OSS server from which resources are requested.
    logging_flag Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals.
    server_cost_time The duration in which an OSS server processes a request. Unit: milliseconds.
    owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner.
    requester_id The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-).
    delta_data_size The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-).
  • Hourly metering logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: oss_metering_log.
    owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner.
    bucket The name of a bucket.
    cdn_in The inbound traffic from CDN. Unit: bytes.
    cdn_out The outbound traffic to CDN. Unit: bytes.
    get_request The number of GET requests.
    intranet_in The inbound traffic from the internal network. Unit: bytes.
    intranet_out The outbound traffic of the internal network. Unit: bytes.
    network_in The inbound traffic from the public network. Unit: bytes.
    network_out The outbound traffic to the public network. Unit: bytes.
    put_request The number of PUT requests.
    storage_type The bucket storage class. For more information, see Table 6.
    storage The storage usage of a bucket. Unit: bytes.
    metering_datasize The size of metering data of non-Standard OSS buckets.
    process_img_size The size of a processed image. Unit: bytes.
    process_img The processed image.
    sync_in The inbound synchronization traffic. Unit: bytes.
    sync_out The outbound synchronization traffic. Unit: bytes.
    start_time The time when a metering operation starts.
    end_time The time when a metering operation ends.
    region The region where a bucket resides.
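
The Note in the log type table says that a DeleteObjects request shows a hyphen (-) as the object in the access log and that the deleted objects are found through request_id in the batch deletion log. The following added example (not part of the original documentation) performs that correlation in Python over constructed sample entries. It assumes that the batch deletion log holds one entry per deleted object and that the entries have already been exported as dictionaries.

```python
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample entries (not real logs); field names follow the tables above.
ACCESS_LOGS = [
    {"__topic__": "oss_access_log", "request_id": "REQ-0001", "operation": "DeleteObjects",
     "object": "-", "bucket": "example-bucket", "client_ip": "203.0.113.10",
     "requester_id": "1000000000000001", "sign_type": "NormalSign"},
    {"__topic__": "oss_access_log", "request_id": "REQ-0002", "operation": "GetObject",
     "object": "reports%2Fq1.pdf", "bucket": "example-bucket", "client_ip": "203.0.113.10",
     "requester_id": "1000000000000001", "sign_type": "NormalSign"},
    {"__topic__": "oss_access_log", "request_id": "REQ-0003", "operation": "DeleteObjects",
     "object": "-", "bucket": "example-bucket", "client_ip": "198.51.100.7",
     "requester_id": "-", "sign_type": "NotSign"},
]
BATCH_DELETE_LOGS = [
    {"__topic__": "oss_batch_delete_log", "request_id": "REQ-0001", "object": "backups%2Fdb-01.tar.gz"},
    {"__topic__": "oss_batch_delete_log", "request_id": "REQ-0001", "object": "backups%2Fdb%2002.tar.gz"},
]


def resolve_batch_deletes(access_logs, batch_logs):
    """Join DeleteObjects access entries to batch deletion entries on request_id."""
    deleted = defaultdict(list)
    for entry in batch_logs:
        # object is URL-encoded in the log; unquote mirrors url_decode(object) in a query
        deleted[entry["request_id"]].append(unquote(entry["object"]))
    findings = []
    for entry in access_logs:
        if entry["operation"] != "DeleteObjects":
            continue  # only batch deletes record "-" as the object
        objects = deleted.get(entry["request_id"], [])
        findings.append({
            "request_id": entry["request_id"],
            "bucket": entry["bucket"],
            "client_ip": entry["client_ip"],
            "requester_id": entry["requester_id"],
            # requester_id "-" is an anonymous logon; NotSign is an unsigned request
            "anonymous": entry["requester_id"] == "-" or entry["sign_type"] == "NotSign",
            "objects": objects,
            "unresolved": not objects,  # no batch deletion entry found for this request
        })
    return findings


if __name__ == "__main__":
    for finding in resolve_batch_deletes(ACCESS_LOGS, BATCH_DELETE_LOGS):
        print(finding)
```

An entry flagged as unresolved means the access log recorded the batch delete but the object names could not be recovered from the batch deletion entries supplied.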

ApsaraDB RDS

Log field Description
__topic__ The topic of a log entry. Valid value: rds_audit_log.
owner_id The ID of an Alibaba Cloud account.
region The region where an RDS instance resides.
instance_name The name of an RDS instance.
instance_id The ID of an RDS instance.
db_type The type of an RDS instance, for example, mysql, mssql, or pgsql.
db_version The version of an RDS instance.
check_rows The number of scanned rows.
db The name of a database.
fail Indicates the result after an SQL statement is executed. Valid values:
  • 0: successful
  • 1: failed
client_ip The IP address of a client that accesses an RDS instance.
latency The network latency. Unit: microseconds.
origin_time The time when an SQL statement is executed. Unit: microseconds.
return_rows The number of returned rows.
sql The SQL statement.
thread_id The ID of a thread.
user The name of a user who executes an SQL statement.
update_rows The number of updated rows.

Apsara File Storage NAS

Log field Description
owner_id The ID of an Alibaba Cloud account.
ArgIno The inode number of a file system.
AuthRc The authorization code that is returned.
NFSProtocolRc The return code of the Network File System (NFS) protocol.
OpList The procedure number of the NFSv4 protocol.
Proc The procedure number of the NFSv3 protocol.
RWSize The size of read and write data. Unit: bytes.
RequestId The ID of a request.
ResIno The inode number of a resource that is looked up.
SourceIp The IP address of a client.
Vers The version number of the NFS protocol.
Vip The IP address of a server.
Volume The ID of a file system.
microtime The time when a request is sent. Unit: microseconds.

Alibaba Cloud Mobile Push

Log field Description
__topic__ The topic of a log entry. Valid value: cps_callback_event.
owner_id The ID of an Alibaba Cloud account.
app_key AppKey
message_id The ID of a message.
event_time The time when a callback event occurs.
event_type The type of a callback event.
device_id The ID of a device.
device_type The type of a device.
last_active_time The time when a device was last active.
app_version The version of an application.
client_ip The IP address of a client.
brand The brand of a device.
network_type The network type of a device.
os The operating system of a device.
os_version The version of the operating system that runs on a device.
isp The ISP of a device.
job_key The key of a job.
event_channel The push channel.
vendor_message_id The message ID of a vendor channel.
reason The cause of a failed push.

PolarDB for MySQL

Log field Description
__topic__ The topic of a log entry. Valid value: polardb_audit_log.
owner_id The ID of an Alibaba Cloud account.
region The region where a PolarDB for MySQL cluster resides.
cluster_id The ID of a PolarDB for MySQL cluster.
node_id The node IDs of PolarDB for MySQL.
check_rows The number of scanned rows.
db The name of a database.
fail Indicates the result after an SQL statement is executed. Valid values:
  • 0: successful
  • 1: failed
client_ip The IP address of a client that accesses a PolarDB for MySQL cluster.
latency The network latency. Unit: microseconds.
origin_time The time when an SQL statement is executed. Unit: microseconds.
return_rows The number of returned rows.
sql The SQL statement.
thread_id The ID of a thread.
user The name of a user who executes an SQL statement.
update_rows The number of updated rows.