This topic lists the fields of cloud service logs.

ActionTrail

  • Field details
    Log fields Description
    __topic__ Log topic. Fixed value: actiontrail_event.
    owner_id Tenant Account ID.
    event The event body, in the JSON format. The content of the event body varies with the event.
    event.eventId The unique ID of the event.
    event.eventName Event Name.
    event.eventSource Event Source.
    event.eventType Event type.
    event.eventVersion The data format version of ActionTrail, which is fixed at 1.
    event.acsRegion The region of the event.
    event.requestId The request ID that is used to operate a cloud service.
    event.apiVersion The version of the API.
    event.errorMessage The error message of the event failure.
    event.serviceName Event-related service name.
    event.sourceIpAddress The source IP address of the event.
    event.userAgent Event-related client Agent.
    event.requestParameters.HostId The host ID in the request-related parameter.
    event.requestParameters.Name Name in request-related parameters.
    event.requestParameters.Region The domain in the request-related parameter.
    event.userIdentity.accessKeyId The AccessKey ID used by the request.
    event.userIdentity.accountId The ID of the account requested.
    event.userIdentity.principalId The voucher ID of the account requested.
    event.userIdentity.type Type of account requested.
    event.userIdentity.userName Type of account requested.
    event.errorCode The error code of the event failure.
    additionalEventData.isMFAChecked Indicates whether MFA is enabled for the logon account.
    additionalEventData.loginAccount Logon credentials.
  • Sample log entry
    {
      "acsRegion": "cn-hangzhou",
      "additionalEventData": {
        "isMFAChecked": "false",
        "loginAccount": "test1234@aliyun.com"
      },
      "eventId": "7be1e173-1234-44a1-b135-1234",
      "eventName": "ConsoleSignin",
      "eventSource": "http://account.aliyun.com:443/login/login_aliyun.htm",
      "eventTime": "2018-07-12T06:14:50Z",
      "eventType": "ConsoleSignin",
      "eventVersion": "1",
      "requestId": "7be1e173-1234-44a1-b135-1234",
      "serviceName": "AasCustomer",
      "sourceIpAddress": "42.120.75.137",
      "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
      "userIdentity": {
        "accessKeyId": "25****************",
        "accountId": "1234",
        "principalId": "1234",
        "type": "root-account",
        "userName": "root"
      }
    }
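An added example (not part of the original documentation): a Python check that reads records in the shape described above and flags ConsoleSignin events where isMFAChecked is not "true", rating root-account sign-ins highest. The records are constructed, and the severity labels, the "ram-user" sample value, and the handling of `event` as either a JSON string or an object are assumptions.

```python
import json

TOPIC = "actiontrail_event"

# Constructed records (not real logs). `event` appears both as a JSON string
# and as an already-parsed object, since either may reach a consumer.
SAMPLE_RECORDS = [
    {"__topic__": TOPIC, "owner_id": "1234", "event": json.dumps({
        "eventName": "ConsoleSignin", "eventTime": "2018-07-12T06:14:50Z",
        "sourceIpAddress": "192.0.2.10",
        "additionalEventData": {"isMFAChecked": "false",
                                "loginAccount": "root@example.com"},
        "userIdentity": {"type": "root-account", "userName": "root"}})},
    {"__topic__": TOPIC, "owner_id": "1234", "event": {
        "eventName": "ConsoleSignin", "eventTime": "2018-07-12T07:00:00Z",
        "sourceIpAddress": "192.0.2.11",
        "additionalEventData": {"isMFAChecked": "true",
                                "loginAccount": "ops@example.com"},
        # "ram-user" is a constructed sample value for a non-root identity
        "userIdentity": {"type": "ram-user", "userName": "ops"}}},
    {"__topic__": TOPIC, "owner_id": "1234", "event": {
        "eventName": "ConsoleSignin", "eventTime": "2018-07-12T08:00:00Z",
        "sourceIpAddress": "192.0.2.12",
        "additionalEventData": {"loginAccount": "dev@example.com"},
        "userIdentity": {"type": "ram-user", "userName": "dev"}}},
    {"__topic__": TOPIC, "owner_id": "1234", "event": "{not json"},
]


def load_event(record):
    """Return the event body as a dict, None for other topics.

    Raises ValueError when an ActionTrail record has an unusable body.
    """
    if record.get("__topic__") != TOPIC:
        return None
    event = record.get("event")
    if isinstance(event, str):
        event = json.loads(event)  # json.JSONDecodeError is a ValueError
    if not isinstance(event, dict):
        raise ValueError("event body is not a JSON object")
    return event


def mfa_checked(event):
    """Map isMFAChecked to True/False, or None when absent or unrecognised.

    The sample entry carries the flag as the string "false"; bool("false")
    is True in Python, so the value is compared, never cast.
    """
    raw = (event.get("additionalEventData") or {}).get("isMFAChecked")
    if isinstance(raw, bool):
        return raw
    if isinstance(raw, str):
        return {"true": True, "false": False}.get(raw.strip().lower())
    return None


def review_signin(record):
    """Return a finding for a console sign-in without confirmed MFA."""
    event = load_event(record)
    if event is None or event.get("eventName") != "ConsoleSignin":
        return None
    mfa = mfa_checked(event)
    if mfa is True:
        return None
    identity = event.get("userIdentity") or {}
    is_root = identity.get("type") == "root-account"
    return {
        "severity": "high" if is_root else "medium",  # assumed labels
        "reason": "mfa_not_checked" if mfa is False else "mfa_state_unknown",
        "userName": identity.get("userName"),
        "sourceIpAddress": event.get("sourceIpAddress"),
        "eventTime": event.get("eventTime"),
    }


def review_all(records):
    """Return (findings, unusable_count) for a batch of records."""
    findings, unusable = [], 0
    for record in records:
        try:
            finding = review_signin(record)
        except ValueError:
            unusable += 1  # keep a count so parsing gaps are visible
            continue
        if finding:
            findings.append(finding)
    return findings, unusable


if __name__ == "__main__":
    for item in review_all(SAMPLE_RECORDS)[0]:
        print(item)
```
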
    
    					

Server Load Balancer (SLB)

Log field Description
owner_id Tenant Account ID
region The region where the instance is located.
instance_id Instance ID.
instance_name The ID of the instance.
network_type The type of network.
vpc_id VPC ID
body_bytes_sent The number of bytes of the HTTP message body sent to the client.
client_ip Request client IP address.
client_port Request client port.
host The hostname. Obtain the value from the request parameters first. If no value is obtained, obtain it from the host header. If the value still cannot be obtained, use the IP address of the backend server that processes the request as the hostname.
http_host The host header in the request message.
http_referer The HTTP referer header in the request message received by the proxy.
http_user_agent The HTTP user-agent header in the request message received by the proxy.
http_x_forwarded_for The x-forwarded-for content in the request message received by the proxy.
http_x_real_ip The actual IP address of the client.
read_request_time The time when the proxy reads the request message. Unit: ms.
request_length The length of the request message, including the start-line, HTTP headers, and HTTP body.
request_method The request method.
request_time The interval between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri The URI of the request message received by the proxy.
scheme The scheme of the request, for example, http or https.
server_protocol The HTTP version received by the proxy, such as "HTTP/1.0" or "HTTP/1.1".
slb_vport The listening port of the SLB instance.
slbid The ID of the SLB instance.
ssl_cipher The cipher suite used, such as ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol The protocol used to establish an SSL connection, such as TLSv1.2.
status The status of the proxy response message.
tcpinfo_rtt The TCP RTT of the client. Unit: microseconds.
time The time when the log entry was created.
upstream_addr The IP address and port number of the backend server.
upstream_response_time The total time taken by the SLB instance to establish a connection to the backend server, receive data, and then close the connection. Unit: seconds.
upstream_status The status code response received by the proxy from the backend server.
vip_addr VIP address.
write_response_time The response time written by the proxy. Unit: milliseconds.

API Gateway

Log fields Description
owner_id The account ID of the API provider.
apiGroupUid The ID of the API group.
apiGroupName The name of the API group.
apiUid API ID
apiName The name of the API operation.
apiStageUid The ID of the API stage.
apiStageName The name of the API stage.
httpMethod The HTTP method of the request.
path The request path.
domain The domain name that sends the request.
statusCode The HTTP status code.
errorMessage Error message
appId The ID of the application that sends the request.
appName The name of the application that sends the request.
clientIp The IP address of the client that sends the request.
exception The specific error message returned by the backend server.
region The ID of the region, such as cn-hangzhou.
requestHandleTime The time when the request is sent. It must be in GMT.
requestId The request ID. It must be globally unique.
requestSize The size of the request message. Unit: bytes.
responseSize The size of the response message. Unit: bytes.
serviceLatency The backend latency. Unit: ms.

Web Application Firewall (WAF)

Field Description
__topic__ The subject of the log. Set this parameter to waf_access_log.
owner_id The ID of the Alibaba Cloud account.
acl_action The action generated by the WAF HTTP ACL policy to the request, such as pass, drop, and captcha.
Note: Null values or hyphens (-) also indicate pass.
acl_blocks Indicates whether the HTTP ACL policy is enabled. A value of 1 indicates that the HTTP ACL policy is enabled.
antibot The type of the Anti-Bot Service protection strategy that applies, which includes:
  • ratelimit: Frequency control
  • sdk: APP protection
  • algorithm: algorithm model.
  • intelligence: bot intelligence.
  • acl: HTTP ACL policy.
  • blacklist: Blacklist.
antibot_action The action performed by the Anti-Bot Service protection strategy, which includes:
  • challenge: Verifying using an embedded JavaScript script.
  • drop: Blocking.
  • report: Logging the access event.
  • captcha: Verifying using a slider captcha.
block_action The type of the WAF protection that is activated, which includes:
  • tmd: Protection against CC attacks.
  • waf: Protection against Web application attacks.
  • acl: HTTP ACL policy.
  • geo: Blocking regions.
  • antifraud: Risk control for data.
  • antibot: Blocking Web crawlers.
body_bytes_sent The number of bytes of the HTTP message body sent to the client.
cc_action The anti-HTTP flood protection action. Valid values include none, challenge, pass, close, captcha, wait, and login.
cc_blocks Indicates whether the HTTP flood protection function is enabled. A value of 1 indicates that the HTTP flood protection function is enabled.
cc_phase The CC protection strategy that is activated, which can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
content_type The content type of the access request.
host The source website.
http_cookie The client-side cookie, which is included in the request header.
http_referer The URL information of the request source, which is included in the request header. If no source URL information is displayed, a hyphen (-) is used.
http_user_agent The User Agent field in the request header, which contains information such as the client browser and the operating system.
http_x_forwarded_for The X-Forwarded-For (XFF) information in the request header, which identifies the original IP address of the client that connects to the Web server through an HTTP proxy or load balancer.
https Indicates whether the request is an HTTPS request.
  • true: the request is an HTTPS request.
  • false: the request is an HTTP request.
matched_host The matched domain name (extensive domain name) that is protected by WAF. If the related domain name configuration cannot be matched, a hyphen (-) is displayed.
querystring The query string in the request.
real_client_ip The real IP address of the client. If it cannot be obtained, it is displayed as a dash (-).
region The information of the region where the WAF instance is located.
remote_addr The IP address of the client that sends the access request.
remote_port The port of the client that sends the access request.
request_length The size of the request, measured in bytes.
request_method The HTTP request method used in the access request.
request_path The relative path of the request. The query string is not included.
request_time_msec The request time, which is measured in microseconds.
request_traceid The unique ID of the access request that is recorded by WAF.
server_protocol The response protocol and the version number of the origin server.
status The status of the HTTP response to the client returned by WAF.
time The time when the access request occurs.
ua_browser The information of the browser that sends the request.
ua_browser_family The family of the browser that sent the request.
ua_browser_type The type of the browser that sent the request.
ua_browser_version The version of the browser that sends the request.
ua_device_type The type of the client device that sends the request.
ua_os The operating system used by the client that sends the request.
ua_os_family The family of the operating system used by the client.
upstream_addr A list of origin addresses, separated by commas. The format of an address is IP:Port.
upstream_ip The origin IP address that corresponds to the access request. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance.
upstream_response_time The time that the origin site takes to respond to the WAF request, which is measured in seconds. If a hyphen (-) is returned, the response times out.
upstream_status The response status that WAF receives from the origin server. A hyphen (-) is returned, indicating that there is no response. For example, the request was intercepted by WAF.
user_id The ID of the Alibaba Cloud account.
waf_action The Web attack protection policies. Block indicates interception. If you set this parameter to bypass, the attack is blocked.
web_attack_type The Web attack type such as xss, code_exec, webshell, sqli, lfilei, rfilei, and other.
waf_rule_id The ID of the WAF rule.

Security Center

  • Network logs
    • DNS logs
      Log fields Description
      __topic__ Log topic. Fixed value: sas-log-dns.
      owner_id The ID of the Alibaba Cloud account.
      additional The additional field. Separated with vertical bars (|).
      additional_num The number of additional fields.
      answer DNS response. Separated with vertical bars (|).
      answer_num The number of DNS responses.
      authority The authority field.
      authority_num The number of authority fields.
      client_subnet Client subnet.
      dst_ip The destination IP address.
      dst_port The destination port.
      in_out Data transmission direction.
      • in: inbound mode.
      • out: outbound.
      qid Query ID.
      qname The domain name to be queried.
      qtype Query type.
      query_datetime The end timestamp of the query. Unit: milliseconds.
      rcode Response code.
      region Source region ID.
      • 1: Beijing
      • 2: Qingdao
      • 3: Hangzhou
      • 4: Shanghai
      • 5: Shenzhen
      • 6: Others
      response_datetime Response date.
      src_ip Source IP address.
      src_port Source port.
    • Local DNS logs
      Log field Description
      __topic__ Log topic. Fixed value: local-dns.
      owner_id The ID of the Alibaba Cloud account.
      answer_rda DNS response. Separated with vertical bars (|).
      answer_ttl The interval of DNS responses. Separated with vertical bars (|).
      answer_type The types of DNS responses. Separated with vertical bars (|).
      anwser_name The names of DNS responses. Separated with vertical bars (|).
      dest_ip The destination IP address.
      dest_port The destination port.
      group_id Group ID.
      hostname Hostname.
      id Host IP address.
      instance_id Instance ID.
      internet_ip Internet IP address.
      ip_ttl Time-to-live.
      query_name The domain name to be queried.
      query_type Query Type.
      src_ip Source IP address.
      src_port Source port.
      time The timestamp of the query. Unit: seconds.
      time_usecond The response time. Unit: microseconds.
      tunnel_id Tunnel ID.
    • Network session log
      Log fields Description
      __topic__ Log topic. Fixed value: sas-log-session.
      owner_id The ID of the Alibaba Cloud account.
      asset_type The associated asset type, such as ECS, SLB, and RDS.
      dst_ip Destination IP address.
      dst_port Destination port.
      proto Protocol type, such as tcp and udp.
      session_time Session date.
      src_ip Source IP address.
      src_port Source port.
    • Web log
      Log fields Description
      __topic__ Log topic. Fixed value: sas-log-http.
      owner_id The ID of the Alibaba Cloud account.
      content_length Content length.
      dst_ip Destination IP address.
      dst_port Destination port.
      host Destination host name.
      jump_location Redirected address.
      method HTTP access.
      referer The HTTP referer when the client sends a request to the server, which informs the server of the HTTP link from which the request is initiated.
      request_datetime Request date.
      ret_code Response value.
      rqs_content_type Request content type.
      rsp_content_type Response type.
      src_ip Source IP address.
      src_port Source port.
      uri Request URI.
      user_agent The user agent of the client that sends the request.
      x_forward_for Redirecting information.
  • Security logs
    • Vulnerability logs
      Log fields Description
      __topic__ Log topic. Fixed value: sas-vul-log.
      owner_id The ID of the Alibaba Cloud account.
      name Vulnerability name.
      alias_name Vulnerability alias.
      op Operation information.
      • new: New.
      • verify: Verify.
      • fix: Repair.
      status For more information, see Table 2.
      tag The vulnerability tag, such as oval, system, and cms. It is used to distinguish emergency (EMG) vulnerabilities.
      type The type of the vulnerability.
      • sys: Windows vulnerabilities
      • cve: Linux vulnerabilities
      • cms: Web CMS vulnerabilities
      • EMG: Emergency vulnerability
      uuid Client UUID.
    • Baseline logs
      Log fields Description
      __topic__ Log topic. Fixed value: sas-hc-log.
      owner_id The ID of the Alibaba Cloud account.
      level Level, for example, low, medium, or high.
      op Operation information.
      • new: New.
      • verify: Verify.
      risk_name Risk name.
      status For more information, see Table 2.
      sub_type_alias Sub-type alias, in Chinese.
      sub_type_name Sub-type name.
      type_name Type.
      type_alias Type alias
      uuid Client UUID.
      Table 1. Baseline type-sub-type list.
      type_name sub_type_name
      system baseline
      weak_password postsql_weak_password
      database redis_check
      account system_account_security
      account system_account_security
      weak_password mysq_weak_password
      weak_password ftp_anonymous
      weak_password rdp_weak_password
      system group_policy
      system register
      account system_account_security
      weak_password sqlserver_weak_password
      system register
      weak_password ssh_weak_password
      weak_password ftp_weak_password
      cis centos7
      cis tomcat7
      cis memcached-check
      cis mongodb-check
      cis ubuntu14
      cis win2008_r2
      system file_integrity_mon
      cis linux-httpd-2.2-cis
      cis linux-docker-1.6-cis
      cis SUSE11
      cis redhat6
      cis bind9.9
      cis centos6
      cis debain8
      cis redhat7
      cis SUSE12
      cis ubuntu16
      Table 2. Security log status codes
      Status value Description
      1 Unrepaired.
      2 Repair failed.
      3 Rollback failed.
      4 Fix vulnerabilities.
      5 Rolling back.
      6 Verifying.
      7 Repair succeeded.
      8 Repair succeeded. Preparing to restart.
      9 Rollback succeeded.
      10 Ignore.
      11 Rollback succeeded. Preparing to restart.
      12 Does not exist.
      20 Expired.
    • Security alert logs
      Log fields Description
      __topic__ Log topic. Fixed value: sas-security-log.
      owner_id The ID of the Alibaba Cloud account.
      data_source Data Source. For more information, see Table 3.
      level Alert level.
      name Name. Example: Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
      op Operation information.
      • new: New.
      • dealing: Process.
      status The status information. For more information, see Table 2.
      uuid Client UUID.
      Table 3. Data_source list of security alerts
      Value Description
      aegis_suspicious_event Host suspicion.
      aegis_suspicious_file_v2 Webshell
      aegis_login_log Suspicious logon.
      security_event Security Center exception events
  • Host logs
    • Process initiation logs
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-log-process.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip The IP address of the client.
      cmdline The netstat command.
      username User name.
      uid User ID.
      pid Process ID.
      filename Process filename.
      filepath Full path of the process file.
      groupname The name of the user group.
      ppid Parent process ID.
      pfilename Parent process filename.
      pfilepath Full path of the parent process file.
    • Process snapshot logs
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-snapshot-process.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip The IP address of the client.
      cmdline The netstat command.
      pid Process ID.
      name Process filename.
      path Full path of the process file.
      md5 The MD5 hash of the process file. The hash is not calculated for process files larger than 1 MB.
      pname The file name of the parent process.
      start_time Process start time. Built-in field.
      user User Name
      uid User ID.
    • Logon logs
      Repeated logons in one minute are saved into one log.
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-log-login.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip The IP address of the client.
      warn_ip Source IP address.
      warn_port Logon port.
      warn_type The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user Logon username.
      warn_count Number of logons. For example, three times indicates that two logon requests are sent within one minute before the current logon.
    • Brute-force cracking log
      Log field Description
      __topic__ Log topic. Fixed value: aegis-log-crack.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip The IP address of the client.
      warn_ip Source IP address.
      warn_port Logon port.
      warn_type The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
      warn_user Logon username.
      warn_count Number of failed logon attempts.
    • Network connection logs
      Changes in network connections are collected on the host every 10 seconds to 1 minute.
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-log-network.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip The IP address of the client.
      src_ip Source IP address.
      src_port Source port.
      dst_ip The destination IP address.
      dst_port The destination port.
      proc_name Process name.
      proc_path Process path.
      proto Possible protocols are TCP, UDP, and raw (raw socket).
      status The connection status. For more information, see Table 4.
      Table 4. Network connection status and description
      Status Description
      1 closed
      2 listen
      3 syn send
      4 syn recv
      5 established
      6 close wait
      7 closing
      8 fin_wait1
      9 fin_wait2
      10 time_wait
      11 delete_tcb
    • Port listening snapshot
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-snapshot-port.
      owner_id The ID of the Alibaba Cloud account.
      uuid Client UUID.
      ip Client machine IP address.
      proto Possible protocols are TCP, UDP, and raw (raw socket).
      src_ip Listening IP address.
      src_port Listening port.
      pid Process ID.
      proc_name Process name.
    • Account snapshots
      Log fields Description
      __topic__ Log topic. Fixed value: aegis-snapshot-host.
      owner_id The ID of the Alibaba Cloud account.
      name Vulnerability name.
      alias_name Vulnerability alias.
      op Operation information.
      • new: New.
      • verify: Verify.
      • fix: Repair.
      status The connection status. For more information, see Table 4.
      tag Vulnerability labels. The labels include oval, system, cms. These labels are used to distinguish emergency (EMG) vulnerabilities.
      type The type of the vulnerability.
      • sys: Windows vulnerabilities
      • cve: Linux vulnerabilities
      • cms: Web CMS vulnerabilities
      • EMG: Emergency vulnerability
      uuid Client UUID.
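An added example (not part of the original documentation) that correlates the brute-force cracking log with the logon log described above: it reports a logon that follows a burst of failed attempts from the same warn_ip on the same host (uuid) and warn_type. The records are constructed; the `__time__` field (Unix seconds) on each record, the one-hour window and the ten-failure threshold are assumptions.

```python
CRACK_TOPIC = "aegis-log-crack"
LOGIN_TOPIC = "aegis-log-login"

# Constructed records (not real logs). `__time__` is an assumed per-record
# Unix timestamp in seconds; addresses come from documentation ranges.
SAMPLE_RECORDS = [
    {"__topic__": CRACK_TOPIC, "__time__": 1000, "uuid": "host-a",
     "warn_ip": "203.0.113.7", "warn_type": "SSHLOGIN",
     "warn_user": "root", "warn_count": "25"},
    {"__topic__": LOGIN_TOPIC, "__time__": 1300, "uuid": "host-a",
     "warn_ip": "203.0.113.7", "warn_type": "SSHLOGIN",
     "warn_user": "root", "warn_count": "1"},
    # Logon from an address with no failed attempts: not reported.
    {"__topic__": LOGIN_TOPIC, "__time__": 1400, "uuid": "host-a",
     "warn_ip": "198.51.100.4", "warn_type": "SSHLOGIN",
     "warn_user": "admin", "warn_count": "1"},
    # Failures too old for the window by the time the logon happens.
    {"__topic__": CRACK_TOPIC, "__time__": 2000, "uuid": "host-b",
     "warn_ip": "203.0.113.7", "warn_type": "RDPLOGIN",
     "warn_user": "Administrator", "warn_count": "40"},
    {"__topic__": LOGIN_TOPIC, "__time__": 9000, "uuid": "host-b",
     "warn_ip": "203.0.113.7", "warn_type": "RDPLOGIN",
     "warn_user": "Administrator", "warn_count": "1"},
    # Too few failures to meet the threshold.
    {"__topic__": CRACK_TOPIC, "__time__": 100, "uuid": "host-c",
     "warn_ip": "192.0.2.9", "warn_type": "SSHLOGIN",
     "warn_user": "root", "warn_count": "3"},
    {"__topic__": LOGIN_TOPIC, "__time__": 200, "uuid": "host-c",
     "warn_ip": "192.0.2.9", "warn_type": "SSHLOGIN",
     "warn_user": "root", "warn_count": "1"},
]


def _to_int(value, default=0):
    """Log values may arrive as strings; fall back instead of raising."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def logons_after_bruteforce(records, window_seconds=3600, min_failures=10):
    """Return logons preceded by >= min_failures failed attempts.

    Failures and logons are matched on (uuid, warn_ip, warn_type); only
    failures within window_seconds before the logon are counted.
    """
    failures = {}  # (uuid, warn_ip, warn_type) -> [(time, failed_count)]
    findings = []
    ordered = sorted(records, key=lambda r: _to_int(r.get("__time__")))
    for rec in ordered:
        topic = rec.get("__topic__")
        if topic not in (CRACK_TOPIC, LOGIN_TOPIC):
            continue
        key = (rec.get("uuid"), rec.get("warn_ip"), rec.get("warn_type"))
        if None in key:
            continue  # cannot correlate without all three fields
        now = _to_int(rec.get("__time__"))
        if topic == CRACK_TOPIC:
            count = _to_int(rec.get("warn_count"), 1)
            failures.setdefault(key, []).append((now, count))
            continue
        recent = sum(n for t, n in failures.get(key, [])
                     if 0 <= now - t <= window_seconds)
        if recent >= min_failures:
            findings.append({
                "uuid": key[0],
                "warn_ip": key[1],
                "warn_type": key[2],
                "warn_user": rec.get("warn_user"),
                "logon_time": now,
                "failures_in_window": recent,
            })
    return findings


if __name__ == "__main__":
    for finding in logons_after_bruteforce(SAMPLE_RECORDS):
        print(finding)
```
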

Distributed Relational Database Service

Field Description
__topic__ The topic of the log. The value is rds_audit_log.
instance_id The ID of the DRDS instance.
instance_name DRDS instance name.
owner_id The ID of the Alibaba Cloud account.
region The region where the ApsaraDB for RDS instance resides.
db_name The name of the DRDS database.
user The username used to run the SQL statement.
client_ip The client IP address used to access the DRDS instance.
client_port The client port used to access the DRDS instance.
sql The SQL statement that was run.
trace_id The ID of the trace that is run. For a transaction, the ID consists of the tracking ID, a hyphen (-), and a number, such as drdsabcdxyz-1 or drdsabcdxyz-2.
sql_code The HASH value of SQL statements in the template.
hint Specifies the HINT used to run SQL statements.
table_name The name of the table involved in the query. Separate multiple tables with commas (,).
sql_type SQL type. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail The name of the SQL parser.
response_time The response latency. Unit: ms.
affect_rows The number of rows returned when the SQL statement is executed. For add, delete, and modify operations, this is the number of rows affected; for query statements, it is the number of rows returned.
fail Indicates whether the SQL statement failed to be run. Valid values:
  • 0: successful
  • 1: failed
sql_time The start time of SQL execution.

Cloud Firewall

Log fields Description
__topic__ The value is always cloudfirewall_access_log.
owner_id The ID of the Alibaba Cloud account.
log_type The type of the log entry.
app_name Possible values include HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.
direction The direction of the traffic.
  • in: inbound
  • out: outbound
domain The domain name of the consortium member.
dst_ip The destination IP address.
dst_port The destination port.
end_time Session end time, in seconds (Unix timestamp)
in_bps The size of the inbound traffic. Unit: bps.
in_packet_bytes The total number of bytes of inbound traffic.
in_packet_count The total number of packets of inbound traffic.
in_pps The size of the inbound traffic. Unit: bps.
ip_protocol The protocol can be TCP or UDP.
out_bps The size of outbound traffic. Unit: bps.
out_packet_bytes The total number of bytes of outbound traffic.
out_packet_count The total number of packets of outbound traffic.
out_pps The size of outbound traffic. Unit: pps.
region_id The region of the traffic.
rule_result The action that the access control policy uses to process packets.
  • pass: The check task returned positive results.
  • alert: Alert.
  • drop: Discard.
src_ip Source IP address.
src_port The source port.
start_time The start time of a session. Unit: Unix timestamp.
start_time_min Session start time, rounded to the minute. Unit: seconds (Unix timestamp).
tcp_seq The TCP sequence number.
total_bps The total inbound and outbound traffic. Unit: bps.
total_packet_bytes The total inbound and outbound traffic. Unit: bytes.
total_packet_count The total number of packets.
total_pps The total inbound and outbound traffic. Unit: bps.
src_private_ip The private IP address.
vul_level The risk level of the vulnerability.
  • 1: low
  • 2: moderate
  • 3: high-risk
url URL.
acl_rule_id The ID of the rule that hits the ACL.
ips_rule_id The ID of the rule that hits the IPS.
ips_ai_rule_id The ID of the rule that hits the AI job.

Bastionhost

Log fields Description
__topic__ Log topics
owner_id The ID of the Alibaba Cloud account.
content The log content.
event_type Event type. For more information, see Table 5.
instance_id The ID of the Bastionhost instance.
log_level Log Level
resource_address Resource address.
resource_name Resource name.
result Result.
session_id The ID of the session.
user_client_ip User source IP address.
user_id The ID of the user.
user_name User name.
Table 5. Event type
Event type Description
cmd.Command Character command
file.Upload Upload objects
file.Download Download objects
file.Rename Rename
file.Delete Delete
file.DeleteDir Delete a directory
file.CreateDir Create a directory
graph.Text Graphic text
graph.Keyboard Keyboard events

OSS

Log types Description
Access logs Record all access to the corresponding OSS buckets.
Batch deletion logs Record the deletion information in batch deletion logs and collect the information in real time.
Note: When you call the DeleteObjects API operation, a request record is generated in an access log. The information about the objects that you requested to delete is stored in the HTTP body of a request. Therefore, a hyphen (-) is used to indicate the corresponding object in the access log. To retrieve a list of the deleted objects, check the corresponding batch deletion log. You can use the request_id parameter to associate the batch deletion request with the objects that you want to delete.
Hourly metering log Record hourly metering statistics in a specific bucket to support analysis. A delay of several hours exists between log generation and log collection.
Table 6. Bucket storage classes
Storage type Description
standard Standard
archive Archive
infrequent_access IA
For more information about each operation, see API overview.
Table 7. Access type
Operation Description
AbortMultiPartUpload Aborts a resumable upload.
AppendObject Appends an object.
CommitTransition Commits a transition.
CompleteUploadPart Completes a multipart upload.
CopyObject Copies an object.
DeleteBucket Deletes a bucket.
DeleteLiveChannel Deletes a LiveChannel.
DeleteObject Deletes an object.
DeleteObjects Deletes multiple objects.
ExpireObject Makes an object expire.
GetBucket Queries objects.
GetBucketAcl Obtains permissions of a bucket.
GetBucketCors Queries the cross-origin resource sharing (CORS) rules of a bucket.
GetBucketEventNotification Queries the notification configurations of a bucket.
GetBucketInfo Queries the information about a bucket.
GetBucketLifecycle Queries the lifecycle configurations of a bucket.
GetBucketLocation Queries the region where a bucket is located.
GetBucketLog Queries the access log configurations of a bucket.
GetBucketReferer Queries the hotlink protection configurations of a bucket.
GetBucketReplication Queries the cross-region replication configurations.
GetBucketReplicationProgress Queries the progress of a cross-region replication.
GetBucketStat Queries the information about a bucket.
GetBucketWebSite Queries the static website hosting status of a bucket.
GetLiveChannelStat Queries the status of a LiveChannel.
GetObject Reads an object.
GetObjectAcl Obtains the access control list (ACL) of an object.
GetObjectInfo Queries the information about an object.
GetObjectMeta Queries the metadata of an object.
GetObjectSymlink Queries the details of the object that a symbolic link refers to.
GetPartData Queries the data in all parts of an object.
GetPartInfo Queries the information about all parts of an object.
GetProcessConfiguration Queries the image processing configurations of a bucket.
GetService Queries buckets.
HeadBucket Queries the information about a bucket.
HeadObject Queries the information about an object.
InitiateMultipartUpload Initializes the object for multipart upload.
ListMultiPartUploads Queries multipart upload events.
ListParts Queries status of all parts of an object.
Options Queries the options.
PostObject Uploads an object by using a form.
PostProcessTask Commits data processing operations, such as taking snapshots.
PostVodPlaylist Creates a video-on-demand (VOD) playlist of a LiveChannel.
ProcessImage Processes an image.
PutBucket Creates a bucket.
PutBucketCors Specifies the CORS rule for a bucket.
PutBucketLifecycle Specifies the lifecycle configurations of a bucket.
PutBucketLog Specifies the access log for a bucket.
PutBucketWebSite Specifies the static website hosting mode for a bucket.
PutLiveChannel Creates a LiveChannel.
PutLiveChannelStatus Specifies the status of a LiveChannel.
PutObject Uploads an object.
PutObjectAcl Modifies the ACL of an object.
PutObjectSymlink Creates the object by using the symbolic link.
RedirectBucket Redirects the request to a bucket endpoint.
RestoreObject Restores an object.
UploadPart Resumes uploading an object from a checkpoint.
UploadPartCopy Copies a part.
get_image_exif Queries the exchangeable image file format (Exif) data of an image.
get_image_info Queries the length and width of an image.
get_image_infoexif Queries the length, width, and Exif data of an image.
get_style Queries the picture processing rule of a bucket.
list_style Queries all picture processing rules of a bucket.
put_style Creates a picture processing rule for a bucket.
Table 8. Synchronization request type
Synchronization request type Description
- General request
cdn CDN back-to-origin
For more information about signatures, see Verify user signatures.
Table 9. Signature type
Signature type Description
NotSign Not signed.
NormalSign Indicates that a request was signed with a normal signature.
UriSign Indicates that a request was signed with a URL signature.
AdminSign Administrator account
  • Access logs
    Log fields Description
    __topic__ The name of the topic in a log. The value of this field is fixed to oss_access_log.
    owner_id The ID of the Alibaba Cloud account.
    region The region where a bucket is located.
    access_id The AccessKey ID of the user's Alibaba Cloud account.
    time The time when OSS receives a request. Use the value of __time__ if a timestamp is required.
    owner_id The user ID of the bucket owner.
    User-Agent The HTTP User-Agent header.
    logging_flag Indicates whether the feature for periodically exporting logs to OSS buckets is enabled.
    bucket The name of the bucket.
    content_length_in The value of Content-Length in a request header, in bytes.
    content_length_out The value of Content-Length in a response header, in bytes.
    object The URL encoded object of the request. You can use select url_decode(object) to decode the object when querying logs.
    object_size The size of a requested object, in bytes.
    operation The access type. For more information, see Table 7.
    request_uri The URL encoded URI of a request, including the query-string parameter. You can use select url_decode(request_uri) to decode the URI when querying logs.
    error_code The error code returned by OSS. For more information, see OSS error response.
    request_length The size of an HTTP request, including the size of the header. Unit: bytes.
    client_ip The IP address from which a request originates.
    response_body_length The size of the body in an HTTP response, excluding the header.
    http_method The HTTP request method.
    referer The HTTP Referer header of the request.
    requester_id The ID of the Alibaba Cloud account of the requester. A hyphen (-) is used in an anonymous access.
    request_id The ID of the request.
    response_time The response time of a request, in milliseconds.
    server_cost_time The time consumed by the OSS server to process a request, in milliseconds.
    http_type The type of an HTTP request. The value of this field is HTTP or HTTPS.
    sign_type The signature type. For more information, see Table 9.
    http_status The status code of an HTTP connection returned by the OSS server.
    sync_request The synchronization request type. For more information, see Table 8.
    bucket_storage_type Bucket storage type. For more information, see Table 6.
    host The domain name to access.
    vpc_addr The VPC IP address corresponding to the OSS endpoint.
    vpc_id VPC ID
    delta_data_size The variation of the size of an object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) for requests other than uploads.
    acc_access_region For a request in CDN, this field is the domain name corresponding to the region where the requested access point is located. Otherwise, the value of this field is a hyphen (-).
  • Batch deletion logs
    Log fields Description
    __topic__ The name of the topic in a log. The value of this field is oss_batch_delete_log.
    owner_id The ID of the Alibaba Cloud account.
    region The region where a bucket is located.
    client_ip The IP address from which a request originates.
    user_agent The HTTP User-Agent header.
    bucket Bucket Name.
    error_code The error code returned by OSS. For more information, see OSS error response.
    request_length The size of an HTTP request, including the header. Unit: bytes.
    response_body_length The size of the body in an HTTP response, excluding the header.
    object The URL encoded object of the request. You can use select url_decode(object) to decode the object when querying logs.
    object_size The size of the request object. Unit: bytes.
    operation The access type. For more information, see Table 7.
    bucket_location The cluster where the bucket is located.
    http_method The HTTP request method.
    referer The HTTP Referer header of the request.
    request_id The ID of the request.
    http_status The HTTP status code that OSS returns.
    sync_request The synchronization request type. For more information, see Table 8.
    request_uri The URL encoded URI of a request, including the query-string parameter. You can use select url_decode(request_uri) to decode the URI when querying logs.
    host The domain name to access.
    logging_flag Indicates whether logging has been enabled to periodically export logs to OSS buckets.
    server_cost_time The time consumed by the OSS server to process a request, in milliseconds.
    owner_id The ID of the Alibaba Cloud account of the Bucket owner.
    requester_id The Alibaba Cloud ID of the requester. The value of this field is a hyphen (-) for anonymous access.
    delta_data_size The variation of the size of an object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) for requests other than uploads.
  • Hourly metering log
    Log fields Description
    __topic__ The name of the topic in a log. The value of this field is oss_metering_log.
    owner_id The ID of the Alibaba Cloud account of the Bucket owner.
    bucket Bucket Name.
    cdn_in The CDN traffic volume. Unit: bytes.
    cdn_out The CDN outbound traffic. Unit: bytes.
    get_request The number of GET requests.
    intranet_in The inbound traffic of the internal network. Unit: bytes.
    intranet_out The outbound traffic of the internal network. Unit: bytes.
    network_in The inbound traffic from the public network. Unit: bytes.
    network_out The outbound traffic of the public network. Unit: bytes.
    put_request The number of PUT requests.
    storage_type Bucket storage type. For more information, see Table 6.
    storage The storage usage of the Bucket. Unit: bytes.
    metering_datasize The size of metering data in non-standard storage.
    process_img_size The size of a processed image file. Unit: bytes.
    process_img Processed image
    sync_in The amount of synchronized data. Unit: bytes.
    sync_out The synchronization outbound traffic. Unit: bytes.
    start_time The timestamp when a metering operation starts.
    end_time The timestamp when a metering operation ends.
    region The region where a bucket is located.
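The access-log fields listed above are enough to triage unauthenticated or plaintext access to a bucket. The following is an added example, not part of the original documentation: it flags anonymous requesters (requester_id of -), unsigned requests (sign_type of NotSign, Table 9), plain-HTTP transport and ACL changes, and decodes the URL-encoded object field. The sample records, the function names and the assumption that object uses percent-encoding are not from the page.

```python
from urllib.parse import unquote

# Operation names taken from the access-type table that change object permissions.
ACL_OPERATIONS = {"PutObjectAcl"}

# Constructed sample records keyed by the access-log field names.
SAMPLE_LOGS = [
    {"__topic__": "oss_access_log", "bucket": "example-bucket",
     "operation": "PutObject", "object": "reports%2F2024%2Fq1.csv",
     "requester_id": "1234567890", "sign_type": "NormalSign",
     "http_type": "HTTPS", "client_ip": "192.0.2.10"},
    {"__topic__": "oss_access_log", "bucket": "example-bucket",
     "operation": "PutObject", "object": "public%2Fupload%20file.txt",
     "requester_id": "-", "sign_type": "NotSign",
     "http_type": "HTTP", "client_ip": "198.51.100.7"},
    {"__topic__": "oss_access_log", "bucket": "example-bucket",
     "operation": "PutObjectAcl", "object": "reports%2F2024%2Fq1.csv",
     "requester_id": "1234567890", "sign_type": "UriSign",
     "http_type": "HTTPS", "client_ip": "192.0.2.10"},
    {"__topic__": "oss_batch_delete_log", "bucket": "example-bucket",
     "operation": "DeleteObjects", "object": "tmp%2Fa.bin",
     "requester_id": "-", "client_ip": "198.51.100.7"},
]

def triage(record):
    """Return the findings for one oss_access_log record (empty if none)."""
    if record.get("__topic__") != "oss_access_log":
        return []  # other topics have a different field set
    findings = []
    if record.get("requester_id") == "-":
        findings.append("anonymous")    # hyphen marks anonymous access
    if record.get("sign_type") == "NotSign":
        findings.append("unsigned")     # Table 9: request carried no signature
    if record.get("http_type") == "HTTP":
        findings.append("plaintext")    # not HTTPS
    if record.get("operation") in ACL_OPERATIONS:
        findings.append("acl-change")
    return findings

def report(records):
    """Return (decoded object, client_ip, findings) for every flagged record."""
    flagged = []
    for record in records:
        findings = triage(record)
        if findings:
            # object is URL encoded in the log; decode it for the analyst.
            flagged.append((unquote(record.get("object", "-")),
                            record.get("client_ip"), findings))
    return flagged

if __name__ == "__main__":
    for row in report(SAMPLE_LOGS):
        print(row)
```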

ApsaraDB for RDS

Log fields Description
__topic__ The topic of the log. The value is rds_audit_log.
owner_id The ID of the Alibaba Cloud account.
region The region where the instance is located.
instance_name RDS Instance Name.
instance_id RDS Instance ID
db_type The type of the RDS instance, such as mysql, mssql, and pgsql.
db_version The version of the instance.
check_rows The number of scanned rows.
db The name of the database.
fail Indicates whether the SQL statement failed to be run. Valid values:
  • 0: successful
  • 1: failed
client_ip The IP address of the client that accessed the RDS instance.
latency The latency, in microseconds.
origin_time The duration for which the SQL statement was run, in microseconds.
return_rows The number of returned rows.
sql The SQL statement that was run.
thread_id The ID of the thread.
user The username used to run the SQL statement.
update_rows The number of updated rows.

Apsara File Storage NAS

Log fields Description
owner_id The ID of the Alibaba Cloud account.
ArgIno The inode number of the file system.
AuthRc The authorization return code.
NFSProtocolRc The NFS return code.
OpList The NFSv4 procedure number.
Proc The NFSv3 procedure number.
RWSize The size of the specified plugin package. Unit: bytes.
RequestId Request ID.
ResIno The inode number of lookup resources.
SourceIp Client IP Address
Vers The version number of the NFS protocol.
Vip Server IP address.
Volume File System ID
microtime The time when the request was sent, in microseconds.

Alibaba Cloud Mobile Push

Log fields Description
__topic__ Log topic. Fixed value: cps_callback_event.
owner_id The ID of the Alibaba Cloud account.
app_key AppKey
message_id The message ID
event_time Receipt event time.
event_type Receipt event type.
device_id The ID of the device.
device_type Device Type
last_active_time The last time when the device was activated.
app_version The version of the application that is running on EDAS Container.
client_ip Client IP Address.
brand Device Brand.
network_type Device Network type.
os Operating system of your local machine.
os_version Version
isp Operator.
job_key Task Key