This topic describes the fields of log entries that are collected from Alibaba Cloud services.
ActionTrail
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: actiontrail_event. |
owner_id | The ID of an Alibaba Cloud account. |
event | The log event in the JSON format. The content of this field varies based on the log event. |
event.eventId | The ID of an event. |
event.eventName | The name of an event. |
event.eventSource | The source of an event. |
event.eventType | The type of an event. |
event.eventVersion | The data format version of an event. Valid value: 1. |
event.acsRegion | The region where an event occurs. |
event.requestId | The ID of an API request. |
event.apiVersion | The version of an API operation. |
event.errorMessage | The error message of an event. |
event.serviceName | The name of the Alibaba Cloud service that is associated with an event. |
event.sourceIpAddress | The source IP address that is associated with an event. |
event.userAgent | The User-Agent HTTP header that is associated with an event. |
event.requestParameters.HostId | The ID of the host from which a request is sent. |
event.requestParameters.Name | The name of a request parameter. |
event.requestParameters.Region | The region from which a request is sent. |
event.userIdentity.accessKeyId | The AccessKey ID of an account that sends a request. |
event.userIdentity.accountId | The ID of an account that sends a request. |
event.userIdentity.principalId | The principal ID of an account that sends a request. |
event.userIdentity.type | The type of an account that sends a request. |
event.userIdentity.userName | The username of an account that sends a request. |
event.errorCode | The error code of an event. |
addionalEventData.isMFAChecked | Indicates whether multi-factor authentication (MFA) is enabled for the account that is used to log on to Log Service. |
addionalEventData.loginAccount | The logon account. |
Server Load Balancer (SLB)
Log field | Description |
---|---|
owner_id | The ID of an Alibaba Cloud account. |
region | The region where an instance resides. |
instance_id | The ID of an instance. |
instance_name | The name of an instance. |
network_type | The type of network. Valid values: VPC and Classic. |
vpc_id | VPC ID |
body_bytes_sent | The size of the HTTP response message body that is sent to a client. |
client_ip | The IP address of a client that sends a request. |
client_port | The port number of a client that sends a request. |
host | The IP address of a server. The value is first obtained from the request parameters. If no value is obtained, the value is obtained from the host header field. If the value still cannot be obtained, the IP address of the backend server that processes the request is obtained as the field value. |
http_host | The HTTP Host header in a request message. |
http_referer | The HTTP Referer header in a request message that is received by the proxy. |
http_user_agent | The User-Agent HTTP header in a request message that is received by the proxy. |
http_x_forwarded_for | The X-Forwarded-For (XFF) HTTP header in a request message that is received by the proxy. |
http_x_real_ip | The real IP address of a client. |
read_request_time | The duration in which the proxy reads a request message. Unit: milliseconds. |
request_length | The length of a request message. This field includes the start-line, HTTP headers, and HTTP body. |
request_method | The request method. |
request_time | The duration between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds. |
request_uri | The URI of a request that is received by the proxy. |
scheme | The protocol of a request, for example, HTTP or HTTPS. |
server_protocol | The HTTP version that is received by the proxy, for example, HTTP/1.0 or HTTP/1.1. |
slb_vport | The listening port of an SLB instance. |
slbid | The ID of an SLB instance. |
ssl_cipher | The used cipher suite, for example, ECDHE-RSA-AES128-GCM-SHA256. |
ssl_protocol | The protocol that is used to establish an SSL connection, for example, TLSv1.2. |
status | The HTTP status code that is sent from the proxy. |
tcpinfo_rtt | The RTT of TCP packets. Unit: microseconds. |
time | The time when a log entry is recorded. |
upstream_addr | The IP address and port number of the backend server. |
upstream_response_time | The duration of the connection between the proxy and backend server. Unit: seconds. |
upstream_status | The HTTP status code that is received by the proxy from the backend server. |
vip_addr | The virtual IP address. |
write_response_time | The duration in which the proxy writes a response message. Unit: milliseconds. |
API Gateway
Log field | Description |
---|---|
owner_id | The ID of the account to which an API belongs. |
apiGroupUid | The ID of the group to which an API belongs. |
apiGroupName | The name of the group to which an API belongs. |
apiUid | API ID |
apiName | The name of an API. |
apiStageUid | The stage ID of an API. |
apiStageName | The stage name of an API. |
httpMethod | The HTTP method that is used by an API request. |
path | The path of an API request. |
domain | The domain name of the resource for which an API request is sent. |
statusCode | The HTTP status code. |
errorMessage | The error message that is returned. |
appId | The ID of the application from which an API request is sent. |
appName | The name of the application from which an API request is sent. |
clientIp | The IP address of a client that sends an API request. |
exception | The specific error message that is returned by the backend server. |
region | The ID of a region, for example, cn-hangzhou. |
requestHandleTime | The time when an API request is sent. The time is in Greenwich Mean Time (GMT). |
requestId | The ID of an API request. The ID is globally unique. |
requestSize | The size of an API request. Unit: bytes. |
responseSize | The size of a response message. Unit: bytes. |
serviceLatency | The response latency of the backend server. Unit: milliseconds. |
Web Application Firewall (WAF)
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: waf_access_log. |
owner_id | The ID of an Alibaba Cloud account. |
acl_action | The action that is performed by WAF. This is the action that is triggered in response
to a request based on an HTTP ACL policy, for example, pass, drop, or captcha.
Note If the value is null or a hyphen (-), this field also indicates the pass action.
|
acl_blocks | Indicates whether a request is blocked by an HTTP ACL policy.
|
antibot | The type of an Anti-Bot Service protection policy that is triggered. Valid values:
|
antibot_action | The action that is performed based on an Anti-Bot Service protection policy. Valid
values:
|
block_action | The type of a WAF protection feature that is triggered. Valid values:
|
body_bytes_sent | The size of an HTTP message body that is sent to a client. Unit: bytes. |
cc_action | The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, login, or n. |
cc_blocks | Indicates whether the request is blocked by the HTTP flood protection feature.
|
cc_phase | The HTTP flood protection policy that is triggered. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax. |
content_type | The content type of an access request. |
host | The origin server. |
http_cookie | The HTTP Cookie header. This field includes the information of a client. |
http_referer | The HTTP Referer header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed. |
http_user_agent | The User-Agent HTTP header. This field includes information such as a client browser and an operating system. |
http_x_forwarded_for | The XFF HTTP header. This field identifies the original IP address of a client that connects to a web server by using an HTTP proxy or load balancing device. |
https | Indicates whether a request is an HTTPS request. Valid values:
|
matched_host | The matched origin server. This can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed. |
querystring | The query string in a request URL. |
real_client_ip | The real IP address of a client. If no real IP address is obtained, a hyphen (-) is displayed. |
region | The region where a WAF instance resides. |
remote_addr | The IP address of a client that sends a request. |
remote_port | The port number of a client. |
request_length | The size of a request message. Unit: bytes. |
request_method | The method of an HTTP access request. |
request_path | The relative path of a request. The query string is not included. |
request_time_msec | The duration in which a request is processed. Unit: milliseconds. |
request_traceid | The unique ID of a request that is traced by WAF. |
server_protocol | The type and version number of a response protocol that is used by an origin server. |
status | The HTTP status code that is returned by WAF to a client. |
time | The time when a request is sent. |
ua_browser | The information of a browser that sends a request. |
ua_browser_family | The family of a browser that sends a request. |
ua_browser_type | The type of a browser that sends a request. |
ua_browser_version | The version of a browser that sends a request. |
ua_device_type | The type of a client. |
ua_os | The operating system of a client. |
ua_os_family | The family of the operating system that runs on a client. |
upstream_addr | The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format. |
upstream_ip | The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance. |
upstream_response_time | The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response times out. |
upstream_status | The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out. |
user_id | The ID of an Alibaba Cloud account. |
waf_action | The action that is performed based on a web attack protection policy. If the value is block, the request is blocked. If the value is not block, the request is passed. |
web_attack_type | The type of a web attack, for example, xss, code_exec, webshell, sqli, lfilei, rfilei, or other. |
waf_rule_id | The ID of a WAF rule that is matched. |
ssl_cipher | The SSL cipher suite. |
ssl_protocol | The version of the SSL protocol. |
Security Center
- Network logs
- DNS logs
Log field Description __topic__ The topic of a log entry. Valid value: sas-log-dns. owner_id The ID of an Alibaba Cloud account. additional The fields in the additional section. The fields are separated by vertical bars (|). additional_num The number of fields in the additional section. answer The DNS responses. These responses are separated by vertical bars (|). answer_num The number of DNS responses. authority The fields in the authority section. authority_num The number of fields in the authority section. client_subnet The subnet where a client resides. dst_ip The IP address of a destination server. dst_port The destination port. in_out The direction of data flows. Valid values: - in: inbound data flows
- out: outbound data flows
qid The ID of a query. qname The domain name to be queried. qtype The type of a resource to be queried. query_datetime The timestamp of a query. Unit: milliseconds. rcode The code of a response. region The ID of a source region. Valid values: - 1: China (Beijing)
- 2: China (Qingdao)
- 3: China (Hangzhou)
- 4: China (Shanghai)
- 5: China (Shenzhen)
- 6: Others
response_datetime The time when a response is returned. src_ip The IP address of a source server. src_port The source port. - Local DNS logs
Log field Description __topic__ The topic of a log entry. Valid value: local-dns. owner_id The ID of an Alibaba Cloud account. answer_rda The DNS responses. These responses are separated by vertical bars (|). answer_ttl The time-to-live (TTL) of resource records in DNS responses. The values are separated by vertical bars (|). answer_type The types of resource records in DNS responses. The values are separated by vertical bars (|). anwser_name The domain names in DNS responses. The values are separated by vertical bars (|). dest_ip The IP address of a destination server. dest_port The destination port. group_id The ID of the group to which a host belongs. hostname The hostname. id The IP address of a host. instance_id The ID of an instance. internet_ip The public IP address of a host. ip_ttl The TTL of the data packets that are sent by a host. query_name The domain name to be queried. query_type The type of a resource to be queried. src_ip The IP address of a source server. src_port The source port. time The timestamp of a query. Unit: seconds. time_usecond The response duration. Unit: microseconds. tunnel_id The ID of a DNS tunnel. - Network session logs
Log field Description __topic__ The topic of a log entry. Valid value: sas-log-session. owner_id The ID of an Alibaba Cloud account. asset_type The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS. dst_ip The IP address of a destination server. dst_port The destination port. proto The type of a transport layer protocol, for example, TCP or UDP. session_time The duration of a session. src_ip The IP address of a source server. src_port The source port. - Web logs
Log field Description __topic__ The topic of a log entry. Valid value: sas-log-http. owner_id The ID of an Alibaba Cloud account. content_length The content length of an HTTP request message. dst_ip The IP address of a destination server. dst_port The destination port. host The hostname of a web server. jump_location The IP address of an HTTP redirect. method The HTTP request method. referer The HTTP Referer header. This field includes the address of the web page that sends a request. request_datetime The time when a request is sent. ret_code The HTTP status code. rqs_content_type The content type of an HTTP request message. rsp_content_type The content type of an HTTP response message. src_ip The IP address of a source server. src_port The source port. uri The URI of a request. user_agent The user agent of a client that sends a request. x_forward_for The XFF HTTP header.
- DNS logs
- Security logs
- Vulnerability logs
Log field Description __topic__ The topic of a log entry. Valid value: sas-vul-log. owner_id The ID of an Alibaba Cloud account. name The name of a vulnerability. alias_name The alias of a vulnerability. op The action that is performed on a vulnerability. Valid values: - new: detects a baseline.
- verify: verifies the vulnerability.
- fix: fixes the vulnerability.
status The status of a vulnerability. For more information, see Table 2. tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities. type The type of a vulnerability. Valid values: - sys: Windows vulnerability
- cve: Linux vulnerability
- cms: Web CMS vulnerability
- EMG: Emergency vulnerability
uuid The universally unique identifier (UUID) of a client. - Baseline logs
Log field Description __topic__ The topic of a log entry. Valid value: sas-hc-log. owner_id The ID of an Alibaba Cloud account. level The level of a baseline. Valid values: low, medium, and high. op The action that is performed on a baseline. Valid values: - new: detects a baseline.
- verify: verifies the baseline.
risk_name The name of a baseline risk. status The status of a baseline. For more information, see Table 2. sub_type_alias The subtype alias of a baseline. sub_type_name The subtype of a baseline. type_name The type of a baseline. type_alias The type alias of a baseline. uuid The UUID of a client. check_item The name of a check item. check_level The level of a check item. check_type The type of a check item. Table 1. Types and subtypes of baselines type_name sub_type_name system baseline weak_password postsql_weak_password database redis_check account system_account_security account system_account_security weak_password mysq_weak_password weak_password ftp_anonymous weak_password rdp_weak_password system group_policy system register account system_account_security weak_password sqlserver_weak_password system register weak_password ssh_weak_password weak_password ftp_weak_password cis centos7 cis tomcat7 cis memcached-check cis mongodb-check cis ubuntu14 cis win2008_r2 system file_integrity_mon cis linux-httpd-2.2-cis cis linux-docker-1.6-cis cis SUSE11 cis redhat6 cis bind9.9 cis centos6 cis debain8 cis redhat7 cis SUSE12 cis ubuntu16 Table 2. Status codes of security logs Status code Description 1 Unfixed. 2 Fix failed. 3 Rollback failed. 4 Fixing. 5 Rolling back. 6 Verifying. 7 Fixed. 8 Fixed. Waiting for a restart. 9 Rollback succeeded. 10 Ignored. 11 Rollback succeeded. Waiting for a restart. 12 No longer exists. 20 Expired. - Security alert logs
Log field Description __time__ The time when a connection is established, for example, 2018-02-27 11:58:15. __topic__ The topic of a log entry. Valid value: sas-security-log. data_source The source of the data. For more information, see Table 3. level The severity of an alert. name The name of an alert, for example, Suspicious Process-SSH-based Remote Execution of Non-interactive Commands. op The action that is performed on an alert. Valid values: - new: An alert is triggered.
- dealing: The alert is being processed.
status The status of an alert. For more information, see Table 2. uuid The UUID of a client. detail The detail of an alert, for example, {"loginSourceIp":"120.27.28.118","loginTimes":1,"type":"login_common_location","loginDestinationPort":22,"loginUser":"aike","protocol":2,"protocolName":"SSH","location":"Qingdao"}. unique_info The unique identifier of an alert for a single server, for example, 2536dd765f804916a1fa3b9516b5d512. Table 3. Values of the data_source field in security alert logs Value Description aegis_suspicious_event Server exceptions aegis_suspicious_file_v2 Webshell aegis_login_log Suspicious logon security_event Security Center exceptions
- Vulnerability logs
- Host logs
- Process startup logs
Log field Description __topic__ The topic of a log entry. Valid value: aegis-log-process. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. cmdline The full command line to start a process. username The username. uid The ID of a user. pid The ID of a process. filename The name of a process file. filepath The full path of a process file. groupname The name of a user group. ppid The ID of a parent process. pfilename The name of a parent process file. pfilepath The full path of a parent process file. - Process snapshot logs
Log field Description __topic__ The topic of a log entry. Valid value: aegis-snapshot-process. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. cmdline The full command line to start a process. pid The ID of a process. name The name of a process file. path The full path of a process file. md5 The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated. pname The name of a parent process file. start_time The time when a process starts. This field is a built-in field. user The username. uid The ID of a user. - Logon logs
The logon attempts within 1 minute are recorded in one log entry.
Log field Description __topic__ The topic of a log entry. Valid value: aegis-log-login. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. warn_ip The IP address of a source server. warn_port The logon port. warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN. warn_user The logon username. warn_count The number of logon attempts. In this example, the value 3 indicates that two logon requests are sent 1 minute before the current logon. - Brute-force cracking logs
Log field Description __topic__ The topic of a log entry. Valid value: aegis-log-crack. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. warn_ip The IP address of a source server. warn_port The logon port. warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN. warn_user The logon username. warn_count The number of failed logon attempts. - Network connection logs
Changes in network connections are collected on the host every 10 seconds to 1 minute.
Log field Description __topic__ The topic of a log entry. Valid value: aegis-log-network. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. src_ip The IP address of a source server. src_port The source port. dst_ip The IP address of a destination server. dst_port The destination port. proc_name The name of a process. proc_path The path of a process file. proto The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket). status The connection status. For more information, see Table 4. Table 4. Status codes of network connections Status Description 1 closed 2 listen 3 syn send 4 syn recv 5 establisted 6 close wait 7 closing 8 fin_wait1 9 fin_wait2 10 time_wait 11 delete_tcb - Port listening snapshot logs
Log field Description __topic__ The topic of a log entry. Valid value: aegis-snapshot-port. owner_id The ID of an Alibaba Cloud account. uuid The UUID of a client. ip The IP address of a client. proto The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket). src_ip The IP address of a listener port. src_port The listener port. pid The ID of a process. proc_name The name of a process. - Account snapshot logs
Log field Description __topic__ The topic of a log entry. Valid value: aegis-snapshot-host. owner_id The ID of an Alibaba Cloud account. name The name of a vulnerability. alias_name The alias of a vulnerability. op The action that is performed on a vulnerability. Valid values: - new: detects a new vulnerability.
- verify: verifies the vulnerability.
- fix: fixes the vulnerability.
status The connection status. For more information, see Table 4. tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities. type The type of a vulnerability. Valid values: - sys: Windows vulnerability
- cve: Linux vulnerability
- cms: Web CMS vulnerability
- EMG: Emergency vulnerability
uuid The UUID of a client.
- Process startup logs
PolarDB-X
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: drds_audit_log. |
instance_id | The ID of a PolarDB-X instance. |
instance_name | The name of a PolarDB-X instance. |
owner_id | The ID of an Alibaba Cloud account. |
region | The region where a PolarDB-X instance resides. |
db_name | The name of a PolarDB-X database. |
user | The name of the user who executes an SQL statement. |
client_ip | The IP address of a client that accesses a PolarDB-X instance. |
client_port | The port number of a client that accesses a PolarDB-X instance. |
sql | The SQL statement. |
trace_id | The trace ID of an SQL statement when it is executed. If a transaction is executed, it is tracked by using an ID. The ID consists of the trace ID, a hyphen (-), and a number, for example, drdsabcdxyz-1 and drdsabcdxyz-2. |
sql_code | The hash value of a template SQL statement. |
hint | The hint that is used to execute an SQL statement. |
table_name | The names of the tables that are involved in a query. Multiple tables are separated by commas (,). |
sql_type | The type of an SQL statement. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other. |
sql_type_detail | The name of an SQL parser. |
response_time | The response duration. Unit: milliseconds. |
affect_rows | The number of affected or returned rows when an SQL statement is executed. |
fail | Indicates the result after an SQL statement is executed. Valid values:
|
sql_time | The time when an SQL statement is executed. |
Cloud Firewall
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: cloudfirewall_access_log. |
owner_id | The ID of an Alibaba Cloud account. |
log_type | The type of a log entry. |
app_name | The name of the protocol over which an application is accessed. The value can be HTTPS, NTP, SIP, SMB, NFS, or DNS. If the protocol is unknown, the value is displayed as Unknown. |
direction | The direction of Internet traffic. Valid values:
|
domain | The domain name of a destination server. |
dst_ip | The IP address of a destination server. |
dst_port | The destination port. |
end_time | The time when a session ends. Unit: seconds (UNIX timestamp). |
in_bps | The rate of inbound traffic. Unit: bit/s. |
in_packet_bytes | The total size of inbound packets. Unit: bytes. |
in_packet_count | The total number of inbound packets. |
in_pps | The rate of inbound packets. Unit: packet/s. |
ip_protocol | The type of an IP protocol. Valid values: TCP and UDP. |
out_bps | The rate of outbound traffic. Unit: bit/s. |
out_packet_bytes | The total size of the outbound traffic. Unit: bytes. |
out_packet_count | The total number of outbound packets. |
out_pps | The rate of outbound packets. Unit: packet/s. |
region_id | The region from which access traffic originates. |
rule_result | The result of how an access policy processes Internet traffic. Valid values:
|
src_ip | The IP address of a source server. |
src_port | The source port of a host that sends traffic data. |
start_time | The time when a session starts. Unit: seconds (UNIX timestamp). |
start_time_min | The time when a session starts. The value of this field is rounded up to the next minute. Unit: seconds (UNIX timestamp). |
tcp_seq | The sequence number of a TCP segment. |
total_bps | The total rate of inbound and outbound packets. Unit: bit/s. |
total_packet_bytes | The total size of inbound and outbound packets. Unit: bytes. |
total_packet_count | The total number of packets. |
total_pps | The total rate of inbound and outbound packets. Unit: bit/s. |
src_private_ip | The private IP address of a source server. |
vul_level | The risk level of a vulnerability. Valid values:
|
url | The URL of a resource that is accessed. |
acl_rule_id | The ID of an access control list (ACL) policy that is matched. |
ips_rule_id | The ID of an intrusion prevention system (IPS) policy that is matched. |
ips_ai_rule_id | The ID of an intelligent policy that is matched. |
Bastionhost
Log field | Description |
---|---|
__topic__ | The topic of a log entry. |
owner_id | The ID of an Alibaba Cloud account. |
content | The content of a log entry. |
event_type | The type of an event. For more information, see Table 5. |
instance_id | The ID of a bastion host. |
log_level | The severity of a log entry. |
resource_address | The address of the server where a resource resides. |
resource_name | The name of the resource on which an operation is performed. |
result | The result of an operation. |
session_id | The ID of a session. |
user_client_ip | The source IP address. |
user_id | The ID of a user. |
user_name | The username. |
Event type | Description |
---|---|
cmd.Command | The CMD commands. |
file.Upload | Uploads a file. |
file.Download | Downloads a file. |
file.Rename | Renames a file. |
file.Delete | Deletes a file. |
file.DeleteDir | Deletes a directory. |
file.CreateDir | Creates a directory. |
graph.Text | Text event. |
graph.Keyboard | Keyboard event. |
Object Storage Service (OSS)
Log type | Description |
---|---|
Access logs | Records access to OSS buckets. The logs are collected in real time. |
Batch deletion logs | Records information of deleted objects. The logs are collected in real time.
Note When you call the DeleteObjects API operation, a request record is generated in an
access log. The information of the deleted objects is stored in the HTTP body of a
request. A hyphen (-) is used to indicate the deleted objects in the access log. To retrieve the deleted
objects, you can use the request_id parameter to query the deleted objects in the
batch deletion log.
|
Hourly metering logs | Records the hourly metering statistics of a specific bucket. A latency of several hours exists in log collection. |
Storage type | Description |
---|---|
standard | Standard |
archive | Archive |
infrequent_access | IA |
For information about related API operations, see API overview.
Operation | Description |
---|---|
AbortMultiPartUpload | Cancels a multipart upload task. |
AppendObject | Appends an object to an existing object. |
CompleteUploadPart | Completes the multipart upload task of an object. |
CopyObject | Copies an object. |
DeleteBucket | Deletes a bucket. |
DeleteLiveChannel | Deletes a LiveChannel. |
DeleteObject | Deletes an object. |
DeleteObjects | Deletes multiple objects. |
GetBucket | Lists all objects in a bucket. |
GetBucketAcl | Queries the access control list (ACL) of a bucket. |
GetBucketCors | Queries the cross-origin resource sharing (CORS) rules of a bucket. |
GetBucketEventNotification | Queries the notification configurations of a bucket. |
GetBucketInfo | Queries the information of a bucket. |
GetBucketLifecycle | Queries the lifecycle rules configured for the objects in a bucket. |
GetBucketLocation | Queries the region where a bucket resides. |
GetBucketLog | Queries the access log configurations of a bucket. |
GetBucketReferer | Queries the hotlink protection rules configured for a bucket. |
GetBucketReplication | Queries the cross-region replication (CRR) rules configured for a bucket. |
GetBucketReplicationProgress | Queries the progress of a CRR task that is performed on a bucket. |
GetBucketStat | Queries the information of a bucket. |
GetBucketWebSite | Queries the status of the static website hosting for a bucket. |
GetLiveChannelStat | Queries the status of a LiveChannel. |
GetObject | Reads an object. |
GetObjectAcl | Queries the ACL of an object. |
GetObjectInfo | Queries the information of an object. |
GetObjectMeta | Queries the metadata of an object. |
GetObjectSymlink | Queries the symbolic link of an object. |
GetPartData | Queries the data in all parts of an object. |
GetPartInfo | Queries the information of all parts of an object. |
GetProcessConfiguration | Queries the image processing configurations of a bucket. |
GetService | Lists all buckets. |
HeadBucket | Queries the information of a bucket. |
HeadObject | Queries the information of an object. |
InitiateMultipartUpload | Initializes the multipart upload for an object. |
ListMultiPartUploads | Lists multipart upload events. |
ListParts | Queries the status of all parts of an object. |
PostObject | Uploads an object by using a form. |
PostProcessTask | Commits data processing operations, such as screenshots. |
PostVodPlaylist | Creates a video-on-demand (VOD) playlist of a LiveChannel. |
ProcessImage | Processes an image. |
PutBucket | Creates a bucket. |
PutBucketCors | Specifies the CORS rule for a bucket. |
PutBucketLifecycle | Specifies the lifecycle of a bucket. |
PutBucketLog | Specifies the access log for a bucket. |
PutBucketWebSite | Specifies the static website hosting mode for a bucket. |
PutLiveChannel | Creates a LiveChannel. |
PutLiveChannelStatus | Specifies the status of a LiveChannel. |
PutObject | Uploads an object. |
PutObjectAcl | Modifies the ACL of an object. |
PutObjectSymlink | Creates a symbolic link for an object. |
RedirectBucket | Redirects the request to a bucket endpoint. |
RestoreObject | Restores an object. |
UploadPart | Resumes the upload of an object from a specified checkpoint. |
UploadPartCopy | Copies a part of an object. |
get_image_exif | Queries the exchangeable image file format (Exif) data of an image. |
get_image_info | Queries the length and width of an image. |
get_image_infoexif | Queries the length, width, and Exif data of an image. |
get_style | Queries the style of a bucket. |
list_style | Queries all styles of a bucket. |
put_style | Creates a picture processing rule for a bucket. |
Synchronization request type | Description |
---|---|
- | General requests |
cdn | CDN back-to-origin requests |
For information about signatures, see Verify user signatures.
Signature type | Description |
---|---|
NotSign | A request is unsigned. |
NormalSign | A request is signed with a regular signature. |
UriSign | A request is signed with a URL signature. |
AdminSign | A request is signed with an administrator account. |
- Access logs
Log field Description __topic__ The topic of a log entry. Valid value: oss_access_log. owner_id The ID of an Alibaba Cloud account. region The region where a bucket resides. access_id The AccessKey ID that is used to access OSS. time The time when OSS receives a request. If a timestamp is required, use the value of the __time__ field. owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner. User-Agent The User-Agent HTTP header. logging_flag Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals. bucket The name of a bucket. content_length_in The value of the Content-Length field in an HTTP request. Unit: bytes. content_length_out The value of the Content-Length field in an HTTP response. Unit: bytes. object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object. object_size The size of a requested object. Unit: bytes. operation The API operation. For more information, see Table 7. request_uri The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI. error_code The error code that is returned by OSS. For more information, see Error responses. request_length The size of an HTTP request message that includes the header information. Unit: bytes. client_ip The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy. response_body_length The size of an HTTP response body that excludes the header information. http_method The HTTP request method. referer The HTTP Referer header. requester_id The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-). request_id The ID of a request. response_time The response duration. Unit: milliseconds. server_cost_time The processing time of an OSS instance. Unit: milliseconds. The value of this field is the time that is required by the OSS instance to process a request. http_type The protocol of an HTTP request. Valid values: HTTP and HTTPS. sign_type The type of a signature. For more information, see Table 9. http_status The status code of an HTTP connection that is returned in a request to OSS. sync_request The type of a synchronization request. For more information, see Table 8. bucket_storage_type The bucket storage class. For more information, see Table 6. host The domain name of an OSS server from which resources are requested. vpc_addr The VPC IP address of an OSS server. The IP address is based on the domain name of the server. vpc_id VPC ID delta_data_size The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-). acc_access_region If a request is a transfer acceleration request, this field indicates the ID of the region where the requested access point resides. Otherwise, the value of this field is a hyphen (-). - Batch deletion logs
Log field Description __topic__ The topic of a log entry. Valid value: oss_batch_delete_log. owner_id The ID of an Alibaba Cloud account. region The region where a bucket resides. client_ip The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy. user_agent The User-Agent HTTP header. bucket The name of a bucket. error_code The error code that is returned by OSS. For more information, see Error responses. request_length The size of an HTTP request message that includes the header information. Unit: bytes. response_body_length The size of an HTTP response body that excludes the header information. object The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object. object_size The size of a requested object. Unit: bytes. operation The API operation. For more information, see Table 7. bucket_location The cluster to which a bucket belongs. http_method The HTTP request method. referer The HTTP Referer header. request_id The ID of a request. http_status The HTTP status code that is returned by an OSS request. sync_request The type of a synchronization request. For more information, see Table 8. request_uri The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI. host The domain name of an OSS server from which resources are requested. logging_flag Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals. server_cost_time The duration in which an OSS server processes a request. Unit: milliseconds. owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner. requester_id The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-). delta_data_size The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-). - Hourly metering logs
Log field Description __topic__ The topic of a log entry. Valid value: oss_metering_log. owner_id The ID of an Alibaba Cloud account that belongs to a bucket owner. bucket The name of a bucket. cdn_in The inbound traffic from CDN. Unit: bytes. cdn_out The outbound traffic to CDN. Unit: bytes. get_request The number of GET requests. intranet_in The inbound traffic from the internal network. Unit: bytes. intranet_out The outbound traffic of the internal network. Unit: bytes. network_in The inbound traffic from the public network. Unit: bytes. network_out The outbound traffic to the public network. Unit: bytes. put_request The number of PUT requests. storage_type The bucket storage class. For more information, see Table 6. storage The storage usage of a bucket. Unit: bytes. metering_datasize The size of metering data of non-Standard OSS buckets. process_img_size The size of a processed image. Unit: bytes. process_img The processed image. sync_in The inbound synchronization traffic. Unit: bytes. sync_out The outbound synchronization traffic. Unit: bytes. start_time The time when a metering operation starts. end_time The time when a metering operation ends. region The region where a bucket resides.
ApsaraDB RDS
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: rds_audit_log. |
owner_id | The ID of an Alibaba Cloud account. |
region | The region where an RDS instance resides. |
instance_name | The name of an RDS instance. |
instance_id | The ID of an RDS instance. |
db_type | The type of an RDS instance, for example, mysql, mssql, or pgsql. |
db_version | The version of an RDS instance. |
check_rows | The number of scanned rows. |
db | The name of a database. |
fail | Indicates the result after an SQL statement is executed. Valid values:
|
client_ip | The IP address of a client that accesses an RDS instance. |
latency | The network latency. Unit: microseconds. |
origin_time | The time when an SQL statement is executed. Unit: microseconds. |
return_rows | The number of returned rows. |
sql | The SQL statement. |
thread_id | The ID of a thread. |
user | The name of a user who executes an SQL statement. |
update_rows | The number of updated rows. |
Apsara File Storage NAS
Log field | Description |
---|---|
owner_id | The ID of an Alibaba Cloud account. |
ArgIno | The inode number of a file system. |
AuthRc | The authorization code that is returned. |
NFSProtocolRc | The return code of the Network File System (NFS) protocol. |
OpList | The procedure number of the NFSv4 protocol. |
Proc | The procedure number of the NFSv3 protocol. |
RWSize | The size of read and write data. Unit: bytes. |
RequestId | The ID of a request. |
ResIno | The inode number of a resource that is looked up. |
SourceIp | The IP address of a client. |
Vers | The version number of the NFS protocol. |
Vip | The IP address of a server. |
Volume | The ID of a file system. |
microtime | The time when a request is sent. Unit: microseconds. |
Alibaba Cloud Mobile Push
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: cps_callback_event. |
owner_id | The ID of an Alibaba Cloud account. |
app_key | AppKey |
message_id | The ID of a message. |
event_time | The time when a callback event occurs. |
event_type | The type of a callback event. |
device_id | The ID of a device. |
device_type | The type of a device. |
last_active_time | The last time when a device is active. |
app_version | The version of an application. |
client_ip | The IP address of a client. |
brand | The brand of a device. |
network_type | The network type of a device. |
os | The operating system of a device. |
os_version | The version of the operating system that runs on a device. |
isp | The ISP of a device. |
job_key | The key of a job. |
event_channel | The push channel. |
vendor_message_id | The message ID of a vendor channel. |
reason | The cause of a failed push. |
PolarDB for MySQL
Log field | Description |
---|---|
__topic__ | The topic of a log entry. Valid value: polardb_audit_log. |
owner_id | The ID of an Alibaba Cloud account. |
region | The region where a PolarDB for MySQL cluster resides. |
cluster_id | The ID of a PolarDB for MySQL cluster. |
node_id | The node IDs of PolarDB for MySQL. |
check_rows | The number of scanned rows. |
db | The name of a database. |
fail | Indicates the result after an SQL statement is executed. Valid values:
|
client_ip | The IP address of a client that accesses a PolarDB for MySQL cluster. |
latency | The network latency. Unit: microseconds. |
origin_time | The time when an SQL statement is executed. Unit: microseconds. |
return_rows | The number of returned rows. |
sql | The SQL statement. |
thread_id | The ID of a thread. |
user | The name of a user who executes an SQL statement. |
update_rows | The number of updated rows. |