Log fields - Application| Alibaba Cloud Documentation Center

ActionTrail


Log field	Description
__topic__	The topic of a log entry. Valid value: actiontrail_event.
owner_id	The ID of an Alibaba Cloud account.
event	The log event in the JSON format. The content of this field varies based on the log event.
event.eventId	The ID of an event.
event.eventName	The name of an event.
event.eventSource	The source of an event.
event.eventType	The type of an event.
event.eventVersion	The data format version of an event. Valid value: 1.
event.acsRegion	The region where an event occurs.
event.requestId	The ID of an API request.
event.apiVersion	The version of an API operation.
event.errorMessage	The error message of an event.
event.serviceName	The name of the Alibaba Cloud service that is associated with an event.
event.sourceIpAddress	The source IP address that is associated with an event.
event.userAgent	The User-Agent HTTP header that is associated with an event.
event.requestParameters.HostId	The ID of the host from which a request is sent.
event.requestParameters.Name	The name of a request parameter.
event.requestParameters.Region	The region from which a request is sent.
event.userIdentity.accessKeyId	The AccessKey ID of an account that sends a request.
event.userIdentity.accountId	The ID of an account that sends a request.
event.userIdentity.principalId	The principal ID of an account that sends a request.
event.userIdentity.type	The type of an account that sends a request.
event.userIdentity.userName	The username of an account that sends a request.
event.errorCode	The error code of an event.
addionalEventData.isMFAChecked	Indicates whether multi-factor authentication (MFA) is enabled for the account that is used to log on to Log Service.
addionalEventData.loginAccount	The logon account.

Server Load Balancer (SLB)


Log field	Description
owner_id	The ID of an Alibaba Cloud account.
region	The region where an instance resides.
instance_id	The ID of an instance.
instance_name	The name of an instance.
network_type	The type of network. Valid values: VPC and Classic.
vpc_id	VPC ID
body_bytes_sent	The size of the HTTP response message body that is sent to a client.
client_ip	The IP address of a client that sends a request.
client_port	The port number of a client that sends a request.
host	The IP address of a server. The value is first obtained from the request parameters. If no value is obtained, the value is obtained from the host header field. If the value still cannot be obtained, the IP address of the backend server that processes the request is obtained as the field value.
http_host	The HTTP Host header in a request message.
http_referer	The HTTP Referer header in a request message that is received by the proxy.
http_user_agent	The User-Agent HTTP header in a request message that is received by the proxy.
http_x_forwarded_for	The X-Forwarded-For (XFF) HTTP header in a request message that is received by the proxy.
http_x_real_ip	The real IP address of a client.
read_request_time	The duration in which the proxy reads a request message. Unit: milliseconds.
request_length	The length of a request message. This field includes the start-line, HTTP headers, and HTTP body.
request_method	The request method.
request_time	The duration between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri	The URI of a request that is received by the proxy.
scheme	The protocol of a request, for example, HTTP or HTTPS.
server_protocol	The HTTP version that is received by the proxy, for example, HTTP/1.0 or HTTP/1.1.
slb_vport	The listening port of an SLB instance.
slbid	The ID of an SLB instance.
ssl_cipher	The used cipher suite, for example, ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol	The protocol that is used to establish an SSL connection, for example, TLSv1.2.
status	The HTTP status code that is sent from the proxy.
tcpinfo_rtt	The RTT of TCP packets. Unit: microseconds.
time	The time when a log entry is recorded.
upstream_addr	The IP address and port number of the backend server.
upstream_response_time	The duration of the connection between the proxy and backend server. Unit: seconds.
upstream_status	The HTTP status code that is received by the proxy from the backend server.
vip_addr	The virtual IP address.
write_response_time	The duration in which the proxy writes a response message. Unit: milliseconds.

API Gateway


Log field	Description
owner_id	The ID of the account to which an API belongs.
apiGroupUid	The ID of the group to which an API belongs.
apiGroupName	The name of the group to which an API belongs.
apiUid	API ID
apiName	The name of an API.
apiStageUid	The stage ID of an API.
apiStageName	The stage name of an API.
httpMethod	The HTTP method that is used by an API request.
path	The path of an API request.
domain	The domain name of the resource for which an API request is sent.
statusCode	The HTTP status code.
errorMessage	The error message that is returned.
appId	The ID of the application from which an API request is sent.
appName	The name of the application from which an API request is sent.
clientIp	The IP address of a client that sends an API request.
exception	The specific error message that is returned by the backend server.
region	The ID of a region, for example, cn-hangzhou.
requestHandleTime	The time when an API request is sent. The time is in Greenwich Mean Time (GMT).
requestId	The ID of an API request. The ID is globally unique.
requestSize	The size of an API request. Unit: bytes.
responseSize	The size of a response message. Unit: bytes.
serviceLatency	The response latency of the backend server. Unit: milliseconds.

Web Application Firewall (WAF)


Log field	Description
__topic__	The topic of a log entry. Valid value: waf_access_log.
owner_id	The ID of an Alibaba Cloud account.
acl_action	The action that is performed by WAF. This is the action that is triggered in response to a request based on an HTTP ACL policy, for example, pass, drop, or captcha. Note If the value is null or a hyphen (-), this field also indicates the pass action.
acl_blocks	Indicates whether a request is blocked by an HTTP ACL policy. If the value is 1, the request is blocked. If the value is not 1, the request is passed.
antibot	The type of an Anti-Bot Service protection policy that is triggered. Valid values: ratelimit: frequency control sdk: app protection algorithm: intelligent algorithm intelligence: bot threat intelligence acl: HTTP ACL policy blacklist: blacklist
antibot_action	The action that is performed based on an Anti-Bot Service protection policy. Valid values: challenge: verifies a request by using an embedded JavaScript. drop: blocks bot threats. report: logs access events. captcha: verifies a request by using a slider captcha.
block_action	The type of a WAF protection feature that is triggered. Valid values: tmd: protection against HTTP flood attacks waf: protection against Web application attacks acl: HTTP ACL policy geo: region blocking antifraud: data risk control antibot: anti-bot
body_bytes_sent	The size of an HTTP message body that is sent to a client. Unit: bytes.
cc_action	The action that is performed based on an HTTP flood protection policy. The action can be none, challenge, pass, close, captcha, wait, login, or n.
cc_blocks	Indicates whether the request is blocked by the HTTP flood protection feature. If the value is 1, the request is blocked. If the value is not 1, the request is passed.
cc_phase	The HTTP flood protection policy that is triggered. The policy can be seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, or qps_overmax.
content_type	The content type of an access request.
host	The origin server.
http_cookie	The HTTP Cookie header. This field includes the information of a client.
http_referer	The HTTP Referer header. This field includes the information of the source URL. If no information of the source URL is logged, a hyphen (-) is displayed.
http_user_agent	The User-Agent HTTP header. This field includes information such as a client browser and an operating system.
http_x_forwarded_for	The XFF HTTP header. This field identifies the original IP address of a client that connects to a web server by using an HTTP proxy or load balancing device.
https	Indicates whether a request is an HTTPS request. Valid values: true: The request is an HTTPS request. false: The request is an HTTP request.
matched_host	The matched origin server. This can be a wildcard domain name. If no origin server is matched, a hyphen (-) is displayed.
querystring	The query string in a request URL.
real_client_ip	The real IP address of a client. If no real IP address is obtained, a hyphen (-) is displayed.
region	The region where a WAF instance resides.
remote_addr	The IP address of a client that sends a request.
remote_port	The port number of a client.
request_length	The size of a request message. Unit: bytes.
request_method	The method of an HTTP access request.
request_path	The relative path of a request. The query string is not included.
request_time_msec	The duration in which a request is processed. Unit: milliseconds.
request_traceid	The unique ID of a request that is traced by WAF.
server_protocol	The type and version number of a response protocol that is used by an origin server.
status	The HTTP status code that is returned by WAF to a client.
time	The time when a request is sent.
ua_browser	The information of a browser that sends a request.
ua_browser_family	The family of a browser that sends a request.
ua_browser_type	The type of a browser that sends a request.
ua_browser_version	The version of a browser that sends a request.
ua_device_type	The type of a client.
ua_os	The operating system of a client.
ua_os_family	The family of the operating system that runs on a client.
upstream_addr	The list of back-to-origin IP addresses used by WAF. These IP addresses are separated by commas (,). Each IP address is in the IP:Port format.
upstream_ip	The IP address of an origin server that responds to a request. For example, if the origin server is an Elastic Compute Service (ECS) instance, the value of this field is the IP address of the ECS instance.
upstream_response_time	The duration in which an origin server processes a WAF request. Unit: seconds. If a hyphen (-) is returned, this field indicates that the response times out.
upstream_status	The status code that an origin server returns to WAF. If a hyphen (-) is returned, the request is blocked by WAF or the response from the origin server times out.
user_id	The ID of an Alibaba Cloud account.
waf_action	The action that is performed based on a web attack protection policy. If the value is block, the request is blocked. If the value is not block, the request is passed.
web_attack_type	The type of a web attack, for example, xss, code_exec, webshell, sqli, lfilei, rfilei, or other.
waf_rule_id	The ID of a WAF rule that is matched.
ssl_cipher	The SSL cipher suite.
ssl_protocol	The version of the SSL protocol.

Security Center

Network logs

DNS logs


Log field	Description
__topic__	The topic of a log entry. Valid value: sas-log-dns.
owner_id	The ID of an Alibaba Cloud account.
additional	The fields in the additional section. The fields are separated by vertical bars (\|).
additional_num	The number of fields in the additional section.
answer	The DNS responses. These responses are separated by vertical bars (\|).
answer_num	The number of DNS responses.
authority	The fields in the authority section.
authority_num	The number of fields in the authority section.
client_subnet	The subnet where a client resides.
dst_ip	The IP address of a destination server.
dst_port	The destination port.
in_out	The direction of data flows. Valid values: in: inbound data flows out: outbound data flows
qid	The ID of a query.
qname	The domain name to be queried.
qtype	The type of a resource to be queried.
query_datetime	The timestamp of a query. Unit: milliseconds.
rcode	The code of a response.
region	The ID of a source region. Valid values: 1: China (Beijing) 2: China (Qingdao) 3: China (Hangzhou) 4: China (Shanghai) 5: China (Shenzhen) 6: Others
response_datetime	The time when a response is returned.
src_ip	The IP address of a source server.
src_port	The source port.

Local DNS logs


Log field	Description
__topic__	The topic of a log entry. Valid value: local-dns.
owner_id	The ID of an Alibaba Cloud account.
answer_rda	The DNS responses. These responses are separated by vertical bars (\|).
answer_ttl	The time-to-live (TTL) of resource records in DNS responses. The values are separated by vertical bars (\|).
answer_type	The types of resource records in DNS responses. The values are separated by vertical bars (\|).
anwser_name	The domain names in DNS responses. The values are separated by vertical bars (\|).
dest_ip	The IP address of a destination server.
dest_port	The destination port.
group_id	The ID of the group to which a host belongs.
hostname	The hostname.
id	The IP address of a host.
instance_id	The ID of an instance.
internet_ip	The public IP address of a host.
ip_ttl	The TTL of the data packets that are sent by a host.
query_name	The domain name to be queried.
query_type	The type of a resource to be queried.
src_ip	The IP address of a source server.
src_port	The source port.
time	The timestamp of a query. Unit: seconds.
time_usecond	The response duration. Unit: microseconds.
tunnel_id	The ID of a DNS tunnel.

Network session logs


Log field	Description
__topic__	The topic of a log entry. Valid value: sas-log-session.
owner_id	The ID of an Alibaba Cloud account.
asset_type	The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS.
dst_ip	The IP address of a destination server.
dst_port	The destination port.
proto	The type of a transport layer protocol, for example, TCP or UDP.
session_time	The duration of a session.
src_ip	The IP address of a source server.
src_port	The source port.

Web logs


Log field	Description
__topic__	The topic of a log entry. Valid value: sas-log-http.
owner_id	The ID of an Alibaba Cloud account.
content_length	The content length of an HTTP request message.
dst_ip	The IP address of a destination server.
dst_port	The destination port.
host	The hostname of a web server.
jump_location	The IP address of an HTTP redirect.
method	The HTTP request method.
referer	The HTTP Referer header. This field includes the address of the web page that sends a request.
request_datetime	The time when a request is sent.
ret_code	The HTTP status code.
rqs_content_type	The content type of an HTTP request message.
rsp_content_type	The content type of an HTTP response message.
src_ip	The IP address of a source server.
src_port	The source port.
uri	The URI of a request.
user_agent	The user agent of a client that sends a request.
x_forward_for	The XFF HTTP header.

Security logs

Vulnerability logs


Log field	Description
__topic__	The topic of a log entry. Valid value: sas-vul-log.
owner_id	The ID of an Alibaba Cloud account.
name	The name of a vulnerability.
alias_name	The alias of a vulnerability.
op	The action that is performed on a vulnerability. Valid values: new: detects a baseline. verify: verifies the vulnerability. fix: fixes the vulnerability.
status	The status of a vulnerability. For more information, see Table 2.
tag	The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities.
type	The type of a vulnerability. Valid values: sys: Windows vulnerability cve: Linux vulnerability cms: Web CMS vulnerability EMG: Emergency vulnerability
uuid	The universally unique identifier (UUID) of a client.

Baseline logs


Log field	Description
__topic__	The topic of a log entry. Valid value: sas-hc-log.
owner_id	The ID of an Alibaba Cloud account.
level	The level of a baseline. Valid values: low, medium, and high.
op	The action that is performed on a baseline. Valid values: new: detects a baseline. verify: verifies the baseline.
risk_name	The name of a baseline risk.
status	The status of a baseline. For more information, see Table 2.
sub_type_alias	The subtype alias of a baseline.
sub_type_name	The subtype of a baseline.
type_name	The type of a baseline.
type_alias	The type alias of a baseline.
uuid	The UUID of a client.
check_item	The name of a check item.
check_level	The level of a check item.
check_type	The type of a check item.

Table 1. Types and subtypes of baselines
type_name	sub_type_name
system	baseline
weak_password	postsql_weak_password
database	redis_check
account	system_account_security
account	system_account_security
weak_password	mysq_weak_password
weak_password	ftp_anonymous
weak_password	rdp_weak_password
system	group_policy
system	register
account	system_account_security
weak_password	sqlserver_weak_password
system	register
weak_password	ssh_weak_password
weak_password	ftp_weak_password
cis	centos7
cis	tomcat7
cis	memcached-check
cis	mongodb-check
cis	ubuntu14
cis	win2008_r2
system	file_integrity_mon
cis	linux-httpd-2.2-cis
cis	linux-docker-1.6-cis
cis	SUSE11
cis	redhat6
cis	bind9.9
cis	centos6
cis	debain8
cis	redhat7
cis	SUSE12
cis	ubuntu16

Table 2. Status codes of security logs
Status code	Description
1	Unfixed.
2	Fix failed.
3	Rollback failed.
4	Fixing.
5	Rolling back.
6	Verifying.
7	Fixed.
8	Fixed. Waiting for a restart.
9	Rollback succeeded.
10	Ignored.
11	Rollback succeeded. Waiting for a restart.
12	No longer exists.
20	Expired.

Security alert logs


Log field	Description
__time__	The time when a connection is established, for example, 2018-02-27 11:58:15.
__topic__	The topic of a log entry. Valid value: sas-security-log.
data_source	The source of the data. For more information, see Table 3.
level	The severity of an alert.
name	The name of an alert, for example, Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
op	The action that is performed on an alert. Valid values: new: An alert is triggered. dealing: The alert is being processed.
status	The status of an alert. For more information, see Table 2.
uuid	The UUID of a client.
detail	The detail of an alert, for example, {"loginSourceIp":"120.27.28.118","loginTimes":1,"type":"login_common_location","loginDestinationPort":22,"loginUser":"aike","protocol":2,"protocolName":"SSH","location":"Qingdao"}.
unique_info	The unique identifier of an alert for a single server, for example, 2536dd765f804916a1fa3b9516b5d512.

Table 3. Values of the data_source field in security alert logs
Value	Description
aegis_suspicious_event	Server exceptions
aegis_suspicious_file_v2	Webshell
aegis_login_log	Suspicious logon
security_event	Security Center exceptions

Host logs

Process startup logs


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-log-process.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
cmdline	The full command line to start a process.
username	The username.
uid	The ID of a user.
pid	The ID of a process.
filename	The name of a process file.
filepath	The full path of a process file.
groupname	The name of a user group.
ppid	The ID of a parent process.
pfilename	The name of a parent process file.
pfilepath	The full path of a parent process file.

Process snapshot logs


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-snapshot-process.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
cmdline	The full command line to start a process.
pid	The ID of a process.
name	The name of a process file.
path	The full path of a process file.
md5	The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated.
pname	The name of a parent process file.
start_time	The time when a process starts. This field is a built-in field.
user	The username.
uid	The ID of a user.

Logon logs

The logon attempts within 1 minute are recorded in one log entry.


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-log-login.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
warn_ip	The IP address of a source server.
warn_port	The logon port.
warn_type	The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	The logon username.
warn_count	The number of logon attempts. In this example, the value 3 indicates that two logon requests are sent 1 minute before the current logon.

Brute-force cracking logs


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-log-crack.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
warn_ip	The IP address of a source server.
warn_port	The logon port.
warn_type	The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	The logon username.
warn_count	The number of failed logon attempts.

Network connection logs

Changes in network connections are collected on the host every 10 seconds to 1 minute.


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-log-network.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
src_ip	The IP address of a source server.
src_port	The source port.
dst_ip	The IP address of a destination server.
dst_port	The destination port.
proc_name	The name of a process.
proc_path	The path of a process file.
proto	The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket).
status	The connection status. For more information, see Table 4.

Table 4. Status codes of network connections
Status	Description
1	closed
2	listen
3	syn send
4	syn recv
5	establisted
6	close wait
7	closing
8	fin_wait1
9	fin_wait2
10	time_wait
11	delete_tcb

Port listening snapshot logs


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-snapshot-port.
owner_id	The ID of an Alibaba Cloud account.
uuid	The UUID of a client.
ip	The IP address of a client.
proto	The protocol that is used to establish a network connection, for example, TCP, UDP, or raw (raw socket).
src_ip	The IP address of a listener port.
src_port	The listener port.
pid	The ID of a process.
proc_name	The name of a process.

Account snapshot logs


Log field	Description
__topic__	The topic of a log entry. Valid value: aegis-snapshot-host.
owner_id	The ID of an Alibaba Cloud account.
name	The name of a vulnerability.
alias_name	The alias of a vulnerability.
op	The action that is performed on a vulnerability. Valid values: new: detects a new vulnerability. verify: verifies the vulnerability. fix: fixes the vulnerability.
status	The connection status. For more information, see Table 4.
tag	The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish between different emergency (EMG) vulnerabilities.
type	The type of a vulnerability. Valid values: sys: Windows vulnerability cve: Linux vulnerability cms: Web CMS vulnerability EMG: Emergency vulnerability
uuid	The UUID of a client.

PolarDB-X


Log field	Description
__topic__	The topic of a log entry. Valid value: drds_audit_log.
instance_id	The ID of a PolarDB-X instance.
instance_name	The name of a PolarDB-X instance.
owner_id	The ID of an Alibaba Cloud account.
region	The region where a PolarDB-X instance resides.
db_name	The name of a PolarDB-X database.
user	The name of the user who executes an SQL statement.
client_ip	The IP address of a client that accesses a PolarDB-X instance.
client_port	The port number of a client that accesses a PolarDB-X instance.
sql	The SQL statement.
trace_id	The trace ID of an SQL statement when it is executed. If a transaction is executed, it is tracked by using an ID. The ID consists of the trace ID, a hyphen (-), and a number, for example, drdsabcdxyz-1 and drdsabcdxyz-2.
sql_code	The hash value of a template SQL statement.
hint	The hint that is used to execute an SQL statement.
table_name	The names of the tables that are involved in a query. Multiple tables are separated by commas (,).
sql_type	The type of an SQL statement. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail	The name of an SQL parser.
response_time	The response duration. Unit: milliseconds.
affect_rows	The number of affected or returned rows when an SQL statement is executed.
fail	Indicates the result after an SQL statement is executed. Valid values: 0: successful 1: failed
sql_time	The time when an SQL statement is executed.

Cloud Firewall


Log field	Description
__topic__	The topic of a log entry. Valid value: cloudfirewall_access_log.
owner_id	The ID of an Alibaba Cloud account.
log_type	The type of a log entry.
app_name	The name of the protocol over which an application is accessed. The value can be HTTPS, NTP, SIP, SMB, NFS, or DNS. If the protocol is unknown, the value is displayed as Unknown.
direction	The direction of Internet traffic. Valid values: in: inbound traffic out: outbound traffic
domain	The domain name of a destination server.
dst_ip	The IP address of a destination server.
dst_port	The destination port.
end_time	The time when a session ends. Unit: seconds (UNIX timestamp).
in_bps	The rate of inbound traffic. Unit: bit/s.
in_packet_bytes	The total size of inbound packets. Unit: bytes.
in_packet_count	The total number of inbound packets.
in_pps	The rate of inbound packets. Unit: packet/s.
ip_protocol	The type of an IP protocol. Valid values: TCP and UDP.
out_bps	The rate of outbound traffic. Unit: bit/s.
out_packet_bytes	The total size of the outbound traffic. Unit: bytes.
out_packet_count	The total number of outbound packets.
out_pps	The rate of outbound packets. Unit: packet/s.
region_id	The region from which access traffic originates.
rule_result	The result of how an access policy processes Internet traffic. Valid values: pass: Data packets are allowed to pass Cloud Firewall. alert: An alert is triggered when data packets attempt to pass Cloud Firewall. drop: Data packets are dropped.
src_ip	The IP address of a source server.
src_port	The source port of a host that sends traffic data.
start_time	The time when a session starts. Unit: seconds (UNIX timestamp).
start_time_min	The time when a session starts. The value of this field is rounded up to the next minute. Unit: seconds (UNIX timestamp).
tcp_seq	The sequence number of a TCP segment.
total_bps	The total rate of inbound and outbound packets. Unit: bit/s.
total_packet_bytes	The total size of inbound and outbound packets. Unit: bytes.
total_packet_count	The total number of packets.
total_pps	The total rate of inbound and outbound packets. Unit: bit/s.
src_private_ip	The private IP address of a source server.
vul_level	The risk level of a vulnerability. Valid values: 1: low 2: medium 3: high
url	The URL of a resource that is accessed.
acl_rule_id	The ID of an access control list (ACL) policy that is matched.
ips_rule_id	The ID of an intrusion prevention system (IPS) policy that is matched.
ips_ai_rule_id	The ID of an intelligent policy that is matched.

Bastionhost


Log field	Description
__topic__	The topic of a log entry.
owner_id	The ID of an Alibaba Cloud account.
content	The content of a log entry.
event_type	The type of an event. For more information, see Table 5.
instance_id	The ID of a bastion host.
log_level	The severity of a log entry.
resource_address	The address of the server where a resource resides.
resource_name	The name of the resource on which an operation is performed.
result	The result of an operation.
session_id	The ID of a session.
user_client_ip	The source IP address.
user_id	The ID of a user.
user_name	The username.

Table 5. Event types
Event type	Description
cmd.Command	The CMD commands.
file.Upload	Uploads a file.
file.Download	Downloads a file.
file.Rename	Renames a file.
file.Delete	Deletes a file.
file.DeleteDir	Deletes a directory.
file.CreateDir	Creates a directory.
graph.Text	Text event.
graph.Keyboard	Keyboard event.

Object Storage Service (OSS)


Log type	Description
Access logs	Records access to OSS buckets. The logs are collected in real time.
Batch deletion logs	Records information of deleted objects. The logs are collected in real time. Note When you call the DeleteObjects API operation, a request record is generated in an access log. The information of the deleted objects is stored in the HTTP body of a request. A hyphen (-) is used to indicate the deleted objects in the access log. To retrieve the deleted objects, you can use the request_id parameter to query the deleted objects in the batch deletion log.
Hourly metering logs	Records the hourly metering statistics of a specific bucket. A latency of several hours exists in log collection.

Table 6. Bucket storage classes
Storage type	Description
standard	Standard
archive	Archive
infrequent_access	IA

For information about related API operations, see API overview.

Table 7. Access types
Operation	Description
AbortMultiPartUpload	Cancels a multipart upload task.
AppendObject	Appends an object to an existing object.
CompleteUploadPart	Completes the multipart upload task of an object.
CopyObject	Copies an object.
DeleteBucket	Deletes a bucket.
DeleteLiveChannel	Deletes a LiveChannel.
DeleteObject	Deletes an object.
DeleteObjects	Deletes multiple objects.
GetBucket	Lists all objects in a bucket.
GetBucketAcl	Queries the access control list (ACL) of a bucket.
GetBucketCors	Queries the cross-origin resource sharing (CORS) rules of a bucket.
GetBucketEventNotification	Queries the notification configurations of a bucket.
GetBucketInfo	Queries the information of a bucket.
GetBucketLifecycle	Queries the lifecycle rules configured for the objects in a bucket.
GetBucketLocation	Queries the region where a bucket resides.
GetBucketLog	Queries the access log configurations of a bucket.
GetBucketReferer	Queries the hotlink protection rules configured for a bucket.
GetBucketReplication	Queries the cross-region replication (CRR) rules configured for a bucket.
GetBucketReplicationProgress	Queries the progress of a CRR task that is performed on a bucket.
GetBucketStat	Queries the information of a bucket.
GetBucketWebSite	Queries the status of the static website hosting for a bucket.
GetLiveChannelStat	Queries the status of a LiveChannel.
GetObject	Reads an object.
GetObjectAcl	Queries the ACL of an object.
GetObjectInfo	Queries the information of an object.
GetObjectMeta	Queries the metadata of an object.
GetObjectSymlink	Queries the symbolic link of an object.
GetPartData	Queries the data in all parts of an object.
GetPartInfo	Queries the information of all parts of an object.
GetProcessConfiguration	Queries the image processing configurations of a bucket.
GetService	Lists all buckets.
HeadBucket	Queries the information of a bucket.
HeadObject	Queries the information of an object.
InitiateMultipartUpload	Initializes the multipart upload for an object.
ListMultiPartUploads	Lists multipart upload events.
ListParts	Queries the status of all parts of an object.
PostObject	Uploads an object by using a form.
PostProcessTask	Commits data processing operations, such as screenshots.
PostVodPlaylist	Creates a video-on-demand (VOD) playlist of a LiveChannel.
ProcessImage	Processes an image.
PutBucket	Creates a bucket.
PutBucketCors	Specifies the CORS rule for a bucket.
PutBucketLifecycle	Specifies the lifecycle of a bucket.
PutBucketLog	Specifies the access log for a bucket.
PutBucketWebSite	Specifies the static website hosting mode for a bucket.
PutLiveChannel	Creates a LiveChannel.
PutLiveChannelStatus	Specifies the status of a LiveChannel.
PutObject	Uploads an object.
PutObjectAcl	Modifies the ACL of an object.
PutObjectSymlink	Creates a symbolic link for an object.
RedirectBucket	Redirects the request to a bucket endpoint.
RestoreObject	Restores an object.
UploadPart	Resumes the upload of an object from a specified checkpoint.
UploadPartCopy	Copies a part of an object.
get_image_exif	Queries the exchangeable image file format (Exif) data of an image.
get_image_info	Queries the length and width of an image.
get_image_infoexif	Queries the length, width, and Exif data of an image.
get_style	Queries the style of a bucket.
list_style	Queries all styles of a bucket.
put_style	Creates a picture processing rule for a bucket.

Table 8. Synchronization request types
Synchronization request type	Description
-	General requests
cdn	CDN back-to-origin requests

For information about signatures, see Verify user signatures.

Table 9. Signature types
Signature type	Description
NotSign	A request is unsigned.
NormalSign	A request is signed with a regular signature.
UriSign	A request is signed with a URL signature.
AdminSign	A request is signed with an administrator account.

Access logs


Log field	Description
__topic__	The topic of a log entry. Valid value: oss_access_log.
owner_id	The ID of an Alibaba Cloud account.
region	The region where a bucket resides.
access_id	The AccessKey ID that is used to access OSS.
time	The time when OSS receives a request. If a timestamp is required, use the value of the __time__ field.
owner_id	The ID of an Alibaba Cloud account that belongs to a bucket owner.
User-Agent	The User-Agent HTTP header.
logging_flag	Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals.
bucket	The name of a bucket.
content_length_in	The value of the Content-Length field in an HTTP request. Unit: bytes.
content_length_out	The value of the Content-Length field in an HTTP response. Unit: bytes.
object	The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
object_size	The size of a requested object. Unit: bytes.
operation	The API operation. For more information, see Table 7.
request_uri	The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
error_code	The error code that is returned by OSS. For more information, see Error responses.
request_length	The size of an HTTP request message that includes the header information. Unit: bytes.
client_ip	The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy.
response_body_length	The size of an HTTP response body that excludes the header information.
http_method	The HTTP request method.
referer	The HTTP Referer header.
requester_id	The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-).
request_id	The ID of a request.
response_time	The response duration. Unit: milliseconds.
server_cost_time	The processing time of an OSS instance. Unit: milliseconds. The value of this field is the time that is required by the OSS instance to process a request.
http_type	The protocol of an HTTP request. Valid values: HTTP and HTTPS.
sign_type	The type of a signature. For more information, see Table 9.
http_status	The status code of an HTTP connection that is returned in a request to OSS.
sync_request	The type of a synchronization request. For more information, see Table 8.
bucket_storage_type	The bucket storage class. For more information, see Table 6.
host	The domain name of an OSS server from which resources are requested.
vpc_addr	The VPC IP address of an OSS server. The IP address is based on the domain name of the server.
vpc_id	VPC ID
delta_data_size	The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-).
acc_access_region	If a request is a transfer acceleration request, this field indicates the ID of the region where the requested access point resides. Otherwise, the value of this field is a hyphen (-).

Batch deletion logs


Log field	Description
__topic__	The topic of a log entry. Valid value: oss_batch_delete_log.
owner_id	The ID of an Alibaba Cloud account.
region	The region where a bucket resides.
client_ip	The IP address from which a request is sent. This can be the IP address of a client, firewall, or proxy.
user_agent	The User-Agent HTTP header.
bucket	The name of a bucket.
error_code	The error code that is returned by OSS. For more information, see Error responses.
request_length	The size of an HTTP request message that includes the header information. Unit: bytes.
response_body_length	The size of an HTTP response body that excludes the header information.
object	The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
object_size	The size of a requested object. Unit: bytes.
operation	The API operation. For more information, see Table 7.
bucket_location	The cluster to which a bucket belongs.
http_method	The HTTP request method.
referer	The HTTP Referer header.
request_id	The ID of a request.
http_status	The HTTP status code that is returned by an OSS request.
sync_request	The type of a synchronization request. For more information, see Table 8.
request_uri	The URL-encoded URI of a request. This includes the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
host	The domain name of an OSS server from which resources are requested.
logging_flag	Indicates whether logging has been enabled to export logs to OSS buckets at regular intervals.
server_cost_time	The duration in which an OSS server processes a request. Unit: milliseconds.
owner_id	The ID of an Alibaba Cloud account that belongs to a bucket owner.
requester_id	The ID of an Alibaba Cloud account that belongs to a requester. If you use anonymous logon, the value of this field is a hyphen (-).
delta_data_size	The size change of an object. If the object size does not change, the value of this field is 0. If a request is not an upload request, the value of this field is a hyphen (-).

Hourly metering logs


Log field	Description
__topic__	The topic of a log entry. Valid value: oss_metering_log.
owner_id	The ID of an Alibaba Cloud account that belongs to a bucket owner.
bucket	The name of a bucket.
cdn_in	The inbound traffic from CDN. Unit: bytes.
cdn_out	The outbound traffic to CDN. Unit: bytes.
get_request	The number of GET requests.
intranet_in	The inbound traffic from the internal network. Unit: bytes.
intranet_out	The outbound traffic of the internal network. Unit: bytes.
network_in	The inbound traffic from the public network. Unit: bytes.
network_out	The outbound traffic to the public network. Unit: bytes.
put_request	The number of PUT requests.
storage_type	The bucket storage class. For more information, see Table 6.
storage	The storage usage of a bucket. Unit: bytes.
metering_datasize	The size of metering data of non-Standard OSS buckets.
process_img_size	The size of a processed image. Unit: bytes.
process_img	The processed image.
sync_in	The inbound synchronization traffic. Unit: bytes.
sync_out	The outbound synchronization traffic. Unit: bytes.
start_time	The time when a metering operation starts.
end_time	The time when a metering operation ends.
region	The region where a bucket resides.

ApsaraDB RDS


Log field	Description
__topic__	The topic of a log entry. Valid value: rds_audit_log.
owner_id	The ID of an Alibaba Cloud account.
region	The region where an RDS instance resides.
instance_name	The name of an RDS instance.
instance_id	The ID of an RDS instance.
db_type	The type of an RDS instance, for example, mysql, mssql, or pgsql.
db_version	The version of an RDS instance.
check_rows	The number of scanned rows.
db	The name of a database.
fail	Indicates the result after an SQL statement is executed. Valid values: 0: successful 1: failed
client_ip	The IP address of a client that accesses an RDS instance.
latency	The network latency. Unit: microseconds.
origin_time	The time when an SQL statement is executed. Unit: microseconds.
return_rows	The number of returned rows.
sql	The SQL statement.
thread_id	The ID of a thread.
user	The name of a user who executes an SQL statement.
update_rows	The number of updated rows.

Apsara File Storage NAS


Log field	Description
owner_id	The ID of an Alibaba Cloud account.
ArgIno	The inode number of a file system.
AuthRc	The authorization code that is returned.
NFSProtocolRc	The return code of the Network File System (NFS) protocol.
OpList	The procedure number of the NFSv4 protocol.
Proc	The procedure number of the NFSv3 protocol.
RWSize	The size of read and write data. Unit: bytes.
RequestId	The ID of a request.
ResIno	The inode number of a resource that is looked up.
SourceIp	The IP address of a client.
Vers	The version number of the NFS protocol.
Vip	The IP address of a server.
Volume	The ID of a file system.
microtime	The time when a request is sent. Unit: microseconds.

Alibaba Cloud Mobile Push


Log field	Description
__topic__	The topic of a log entry. Valid value: cps_callback_event.
owner_id	The ID of an Alibaba Cloud account.
app_key	AppKey
message_id	The ID of a message.
event_time	The time when a callback event occurs.
event_type	The type of a callback event.
device_id	The ID of a device.
device_type	The type of a device.
last_active_time	The last time when a device is active.
app_version	The version of an application.
client_ip	The IP address of a client.
brand	The brand of a device.
network_type	The network type of a device.
os	The operating system of a device.
os_version	The version of the operating system that runs on a device.
isp	The ISP of a device.
job_key	The key of a job.
event_channel	The push channel.
vendor_message_id	The message ID of a vendor channel.
reason	The cause of a failed push.

PolarDB for MySQL


Log field	Description
__topic__	The topic of a log entry. Valid value: polardb_audit_log.
owner_id	The ID of an Alibaba Cloud account.
region	The region where a PolarDB for MySQL cluster resides.
cluster_id	The ID of a PolarDB for MySQL cluster.
node_id	The node IDs of PolarDB for MySQL.
check_rows	The number of scanned rows.
db	The name of a database.
fail	Indicates the result after an SQL statement is executed. Valid values: 0: successful 1: failed
client_ip	The IP address of a client that accesses a PolarDB for MySQL cluster.
latency	The network latency. Unit: microseconds.
origin_time	The time when an SQL statement is executed. Unit: microseconds.
return_rows	The number of returned rows.
sql	The SQL statement.
thread_id	The ID of a thread.
user	The name of a user who executes an SQL statement.
update_rows	The number of updated rows.