Log fields - Application| Alibaba Cloud Documentation Center

ActionTrail

Field details


Log field	Description
__topic__	The topic of the log entry. Valid values: actiontrail_event.
owner_id	The ID of the Alibaba Cloud account.
event	The log event in the JSON format. The content of this field varies depending on the log event.
event.eventId	The unique ID of the event.
event.eventName	The name of the event.
event.eventSource	The source of the event.
event.eventType	The type of the event.
event.eventVersion	The data format version of the event. Valid values: 1.
event.acsRegion	The region where the event occurs.
event.requestId	The ID of the API request.
event.apiVersion	The version of the API.
event.errorMessage	The error message of the event.
event.serviceName	The name of the Alibaba Cloud service associated with the event.
event.sourceIpAddress	The source IP address that is associated with the event.
event.userAgent	The client that introduces the event.
event.requestParameters.HostId	The ID of the host from which the request originates.
event.requestParameters.Name	The name of the request parameter.
event.requestParameters.Region	The region from which the request originates
event.userIdentity.accessKeyId	The AccessKey ID of the logon account.
event.userIdentity.accountId	The ID of the Alibaba Cloud account.
event.userIdentity.principalId	The ID of the logon account.
event.userIdentity.type	The identity type of the logon account.
event.userIdentity.userName	The username of the logon account.
event.errorCode	The error code of the event.
addionalEventData.isMFAChecked	Indicates whether MFA is enabled for the logon account that is used to log on to Log Service.
addionalEventData.loginAccount	The account used to log on to Log Service.

Sample log entry

{
  "acsRegion": "cn-hangzhou",
  "additionalEventData": {
    "isMFAChecked": "false",
    "loginAccount": "test1234@aliyun.com"
  },
  "eventId": "7be1e173-1234-44a1-b135-1234",
  "eventName": "ConsoleSignin",
  "eventSource": "http://account.aliyun.com:443/login/login_aliyun.htm",
  "eventTime": "2018-07-12T06:14:50Z",
  "eventType": "ConsoleSignin",
  "eventVersion": "1",
  "requestId": "7be1e173-1234-44a1-b135-1234",
  "serviceName": "AasCustomer",
  "sourceIpAddress": "42.120.75.137",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
  "userIdentity": {
    "accessKeyId": "25****************",
    "accountId": "1234",
    "principalId": "1234",
    "type": "root-account",
    "userName": "root"
  }
}

Server Load Balancer (SLB)


Log field	Description
owner_id	The ID of the Alibaba Cloud account.
region	The region where the instance resides.
instance_id	The ID of the instance.
instance_name	The name of the instance.
network_type	The type of network. Valid values: VPC and Classic.
vpc_id	VPC ID
body_bytes_sent	The size of the HTTP response message body sent to the client. Unit: bytes.
client_ip	The IP address of the client.
client_port	The port of the client.
host	The IP address of the server. The value is obtained from the request parameters first. If no value is obtained, the value is obtained from the host header field. If the value still cannot be obtained, the IP address of the backend server that processes the request is obtained as the field value.
http_host	The host HTTP header in the request message.
http_referer	The Referer HTTP header in the request message received by the proxy.
http_user_agent	The User-Agent HTTP header in the request message received by the proxy.
http_x_forwarded_for	The x-forwarded-for HTTP header in the request message received by the proxy.
http_x_real_ip	The real IP address of the client.
read_request_time	The time when the proxy reads the request message. Unit: milliseconds.
request_length	The length of the request message, which includes the start-line, HTTP headers, and HTTP body.
request_method	The request method.
request_time	The duration between the time when the proxy receives the first request message and the time when the proxy returns a response message. Unit: seconds.
request_uri	The request URI received by the proxy.
scheme	The protocol of the request, for example, HTTP and HTTPS.
server_protocol	The HTTP version, for example, HTTP/1.0 and HTTP/1.1.
slb_vport	The listening port of the SLB instance.
slbid	The ID of the SLB instance.
ssl_cipher	The cipher suite used, for example, ECDHE-RSA-AES128-GCM-SHA256.
ssl_protocol	The protocol used to establish an SSL connection, for example, TLSv1.2.
status	The HTTP status code sent from the proxy.
tcpinfo_rtt	The RTT of TCP packets. Unit: milliseconds.
time	The time when the log entry was recorded.
upstream_addr	The IP address and port number of the backend server.
upstream_response_time	The duration of the connection between the proxy and backend server. Unit: seconds.
upstream_status	The HTTP status code received by the proxy from the backend server.
vip_addr	The virtual IP address.
write_response_time	The response duration of the proxy. Unit: milliseconds.

API Gateway


Log field	Description
owner_id	The ID of the account that the API belongs.
apiGroupUid	The ID of the group that the API belongs.
apiGroupName	The name of the group that the API belongs.
apiUid	API ID
apiName	The name of the API.
apiStageUid	The stage ID of the API.
apiStageName	The stage name of the API.
httpMethod	The HTTP method of the request.
path	The request URL path.
domain	The domain name of the requested resources.
statusCode	The HTTP status code.
errorMessage	The returned error message.
appId	The ID of the client that sends the request.
appName	The name of the client that sends the request.
clientIp	The IP address of the client that sends the request.
exception	The specific error message returned by the backend server.
region	The ID of the region, for example, cn-hangzhou.
requestHandleTime	The time when the request is sent. The time is in GMT.
requestId	The request ID. The ID is globally unique.
requestSize	The size of the request message. Unit: bytes.
responseSize	The size of the response message. Unit: bytes.
serviceLatency	The response latency of the backend server. Unit: milliseconds.

Web Application Firewall (WAF)


Field	Description
__topic__	The topic of the log entry. Valid values: waf_access_log.
owner_id	The ID of the Alibaba Cloud account.
acl_action	The action taken by WAF to respond to the request based on the HTTP ACL policies, for example, pass, drop, and captcha. Note Null values or hyphens (-) also indicate the pass action.
acl_blocks	Indicates whether the request is blocked based on the HTTP ACL policies. A value of 1 indicates that the request is blocked. Other values indicate that the request is allowed.
antibot	The type of the Anti-Bot Service protection strategy that applies. Valid values: ratelimit: Frequency control-based protection sdk: APP protection algorithm: Algorithm-based protection intelligence: Bot intelligence-based protection acl: HTTP ACL policy-based protection blacklist: Blacklist-based protection
antibot_action	The action taken by WAF based on the Anti-Bot Service protection strategy. Valid values: challenge: Verify by using an embedded JavaScript script drop: Block report: Log the access event captcha: Verify by using a slider captcha
block_action	The type of the WAF protection feature that implements blocks. Valid values: tmd: Protection against HTTP flood attacks waf: Protection against Web application attacks acl: HTTP ACL policy geo: Block regions antifraud: Data risk control antibot: Anti-bot
body_bytes_sent	The size of the HTTP response message body sent to the client. Unit: bytes.
cc_action	The action taken to protect against HTTP flood attacks. Valid values: none, challenge, pass, close, captcha, wait, and login.
cc_blocks	Indicates whether the request is blocked by the HTTP flood attack protection feature. A value of 1 indicates that the request is blocked by the HTTP flood attack protection feature. Other values indicate that the request is not blocked.
cc_phase	The HTTP flood attack protection strategy that is activated. Valid values: seccookie, server_ip_blacklist, static_whitelist, server_header_blacklist, server_cookie_blacklist, server_args_blacklist, and qps_overmax.
content_type	The media type of the requested resource.
host	The origin server.
http_cookie	The Cookie HTTP header. The field includes information about the client.
http_referer	The Referer HTTP header. The field includes the source URL information. If no source URL information is logged, the value of the log field is a hyphen (-).
http_user_agent	The User-Agent request header. The field contains information such as the client and the operating system.
http_x_forwarded_for	The X-Forwarded-For (XFF) HTTP header. The field identifies the original IP address of the client that connects to the web server by using an HTTP proxy or load balancing.
https	Indicates whether the request is an HTTPS request. Valid values: true: The request is an HTTPS request. false: The request is an HTTP request.
matched_host	The matched domain names that are protected by WAF. If no domain name can be matched, the value of the log field is a hyphen (-).
querystring	The query string in the request URL.
real_client_ip	The real IP address of the client. If the real IP address cannot be obtained, the value of the log field is a hyphen (-).
region	The region where the WAF instance resides.
remote_addr	The IP address of the client.
remote_port	The port of the client.
request_length	The size of the request message. Unit: bytes.
request_method	The HTTP request method.
request_path	The relative path of the request.
request_time_msec	The request time. Unit: millseconds.
request_traceid	The unique ID of the request that is recorded by WAF.
server_protocol	The response protocol and the version number of the origin server.
status	The HTTP status code returned by WAF.
time	The time when the request occurs.
ua_browser	The information about the browser that sends the request.
ua_browser_family	The family of the browser.
ua_browser_type	The type of the browser.
ua_browser_version	The version of the browser.
ua_device_type	The type of the client device.
ua_os	The client operating system.
ua_os_family	The family of the client operating system.
upstream_addr	A list of origin server IP addresses. Each IP address is in the IP:Port format, separated by commas (,).
upstream_ip	The IP address of the origin server where the requested resource resides. For example, if the origin server is an ECS instance, the value of this field is the IP address of the ECS instance.
upstream_response_time	The time that the origin server takes to respond to the request from WAF. Unit: seconds. If the value of the field is a hyphen (-), it indicates that the response times out.
upstream_status	The HTTP status code that WAF receives from the origin server. If the value of the field is a hyphen (-), it indicates that the request is blocked by WAF.
user_id	The ID of the Alibaba Cloud account.
waf_action	The action that is taken to protect against web attacks. The value bloc indicates the request is blocked. Other values indicate that the request is allowed.
web_attack_type	The type of the web attack. The values include xss, code_exec, webshell, sqli, lfilei, rfilei, and other.
waf_rule_id	The ID of the matched WAF rule.

Security Center

Network logs

DNS logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-log-dns.
owner_id	The ID of the Alibaba Cloud account.
additional	The fields in the additional section. Each field is separated by a vertical bar (\|).
additional_num	The number of fields in the additional section.
answer	The DNS answers. Each DNS answer is separated by a vertical bar (\|).
answer_num	The number of DNS answers.
authority	The fields in the authority section.
authority_num	The number of fields in the authority section.
client_subnet	The subnet where the client resides.
dst_ip	The destination IP address.
dst_port	The destination port.
in_out	The direction of data flows. Valid values: in: inbound data flows out: outbound data flows
qid	The ID of the query.
qname	The domain name to be queried.
qtype	The type of the resource to be queried.
query_datetime	The timestamp of the query. Unit: milliseconds.
rcode	The code of the response.
region	The ID of the source region. Valid values: 1: Beijing 2: Qingdao 3: Hangzhou 4: Shanghai 5: Shenzhen 6: Others
response_datetime	The timestamp of the response. The timestamp is in the datetime format.
src_ip	The source IP address.
src_port	The source port.

Local DNS logs


Log field	Description
__topic__	The topic of the log entry. Valid values: local-dns.
owner_id	The ID of the Alibaba Cloud account.
answer_rda	The DNS answers. Each DNS answer is separated by a vertical bar (\|).
answer_ttl	The TTL of resource records in the DNS answers. Each value is separated by a vertical bar (\|).
answer_type	The types of resource records in the DNS answers. Each value is separated by a vertical bar (\|).
anwser_name	The domain names in the DNS answers. Each value is separated by a vertical bar (\|).
dest_ip	The destination IP address.
dest_port	The destination port.
group_id	The ID of the group to which the host belongs.
hostname	The hostname.
id	The IP address of the host.
instance_id	The ID of the ECS instance.
internet_ip	The public IP address of the host.
ip_ttl	The TTL of the data packets sent by the host.
query_name	The domain name to be queried.
query_type	The type of the resource to be queried.
src_ip	The source IP address.
src_port	The source port.
time	The time of the query. The time is in the UNIX timestamp format.
time_usecond	The response duration. Unit: microseconds.
tunnel_id	The ID of the DNS tunnel.

Network session logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-log-session.
owner_id	The ID of the Alibaba Cloud account.
asset_type	The type of the associated Alibaba Cloud service, for example, ECS, SLB, and ApsaraDB for RDS.
dst_ip	The destination IP address.
dst_port	The destination port.
proto	The type of the transport layer protocol, for example, TCP and UDP.
session_time	The time of the TCP session.
src_ip	The source IP address.
src_port	The source port.

Web logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-log-http.
owner_id	The ID of the Alibaba Cloud account.
content_length	The content length of the HTTP request message.
dst_ip	The destination IP address.
dst_port	The destination port.
host	The hostname of the web server.
jump_location	The HTTP redirect.
method	The HTTP request method.
referer	The Referer HTTP header. The field contains the address of the web page which is linked to the resource being requested.
request_datetime	The time of the request. The time is in the datetime format.
ret_code	The HTTP status code.
rqs_content_type	The content type of the HTTP request message.
rsp_content_type	The content type of the HTTP response message.
src_ip	The source IP address.
src_port	The source port.
uri	The request URI.
user_agent	The client that initiates the request.
x_forward_for	The x-forwarded-for HTTP header.

Security logs

Vulnerability logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-vul-log.
owner_id	The ID of the Alibaba Cloud account.
name	The name of the vulnerability.
alias_name	The alias of the vulnerability.
op	The action about the vulnerability. new: A new vulnerability is detected. verify: Verifies the vulnerability. fix: Fixes the vulnerability.
status	The status of the vulnerability. For more information, see Table 2.
tag	The vulnerability tag, for example, oval, system, and cms. The field can be used to distinguish emergency (EMG) vulnerabilities.
type	The type of the vulnerability. sys: Windows vulnerability cve: Linux vulnerability cms: Web CMS vulnerability EMG: Emergency vulnerability
uuid	The UUID of the client.

Baseline logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-hc-log.
owner_id	The ID of the Alibaba Cloud account.
level	The level of the baseline check. Valid values: low, medium, and high.
op	The action about the vulnerability. new: A new vulnerability is detected. verify: Verifies the baseline check.
risk_name	The name of the check item.
status	The status of the check item. For more information, see Table 2.
sub_type_alias	The subtype alias of the check item.
sub_type_name	The subtype of the check item.
type_name	The type of the check item.
type_alias	The type alias of the check item.
uuid	The UUID of the client.

Table 1. Types and subtypes of check items
type_name	sub_type_name
system	baseline
weak_password	postsql_weak_password
database	redis_check
account	system_account_security
account	system_account_security
weak_password	mysq_weak_password
weak_password	ftp_anonymous
weak_password	rdp_weak_password
system	group_policy
system	register
account	system_account_security
weak_password	sqlserver_weak_password
system	register
weak_password	ssh_weak_password
weak_password	ftp_weak_password
cis	centos7
cis	tomcat7
cis	memcached-check
cis	mongodb-check
cis	ubuntu14
cis	win2008_r2
system	file_integrity_mon
cis	linux-httpd-2.2-cis
cis	linux-docker-1.6-cis
cis	SUSE11
cis	redhat6
cis	bind9.9
cis	centos6
cis	debain8
cis	redhat7
cis	SUSE12
cis	ubuntu16

Table 2. Status codes of security logs
Status code	Description
1	Unfixed.
2	Fix failed.
3	Rollback failed.
4	Fixing.
5	Rolling back.
6	Verifying.
7	Fixed.
8	Fixed. To be restarted.
9	Rollback succeeded.
10	Ignored.
11	Rollback succeeded. To be restarted.
12	Does not exist.
20	Expired.

Security alert logs


Log field	Description
__topic__	The topic of the log entry. Valid values: sas-security-log.
owner_id	The ID of the Alibaba Cloud account.
data_source	The source of the data. For more information, see Table 3.
level	The severity of the alert.
name	The name of the alert, for example, Suspicious Process-SSH-based Remote Execution of Non-interactive Commands.
op	The action about the vulnerability. new: An alert is triggered. dealing: The alert is being processed.
status	The status of the alert. For more information, see Table 2.
uuid	The UUID of the client.

Table 3. Values of the data_source field in security alert logs
Value	Description
aegis_suspicious_event	Server exceptions
aegis_suspicious_file_v2	Webshell
aegis_login_log	Suspicious logon
security_event	Security Center exceptions

Host logs

Process initiation logs


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-log-process.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
cmdline	The full command line to start the process.
username	The username.
uid	The ID of the user.
pid	The ID of the process.
filename	The name of the process file.
filepath	The full path of the process file.
groupname	The name of the user group.
ppid	The ID of the parent process.
pfilename	The name of the parent process file.
pfilepath	The full path of the parent process file.

Process snapshot logs


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-snapshot-process.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
cmdline	The full command line to start the process.
pid	The ID of the process.
name	The name of the process file.
path	The full path of the process file.
md5	The MD5 hash of the process file. The MD5 hash is not performed if the process file exceeds 1 MB.
pname	The file name of the parent process.
start_time	The time when the process starts. This field is a built-in field.
user	The username.
uid	The ID of the user.

Logon logs

Logon attempts within one minute are recorded in one log entry.


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-log-login.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
warn_ip	The source IP address.
warn_port	The logon port.
warn_type	The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	The logon username.
warn_count	The number of logon attempts. A value of 3 indicates that two logon requests are sent one minute before the current logon.

Brute-force cracking logs


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-log-crack.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
warn_ip	The source IP address.
warn_port	The logon port.
warn_type	The type of the logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
warn_user	The logon username.
warn_count	The number of failed logon attempts.

Network connection logs

Changes in network connections are collected on the host every 10 seconds to 1 minute.


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-log-network.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
src_ip	The source IP address.
src_port	The source port.
dst_ip	The destination IP address.
dst_port	The destination port.
proc_name	The name of the process.
proc_path	The path of the process file.
proto	The protocol used to establish a network connection, for example, TCP, UDP, and raw (raw socket).
status	The connection status. For more information, see Table 4.

Table 4. Status codes of network connections
Status code	Description
1	closed
2	listen
3	syn send
4	syn recv
5	establisted
6	close wait
7	closing
8	fin_wait1
9	fin_wait2
10	time_wait
11	delete_tcb

Port listening snapshot logs


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-snapshot-port.
owner_id	The ID of the Alibaba Cloud account.
uuid	The UUID of the client.
ip	The IP address of the client.
proto	The protocol that is used to establish a network connection, for example, TCP, UDP, and raw (raw socket).
src_ip	The IP address of the listener port.
src_port	The listener port.
pid	The ID of the process.
proc_name	The name of the process.

Account snapshot logs


Log field	Description
__topic__	The topic of the log entry. Valid values: aegis-snapshot-host.
owner_id	The ID of the Alibaba Cloud account.
name	The name of the vulnerability.
alias_name	The alias of the vulnerability.
op	The action about the vulnerability. new: A new vulnerability is detected. verify: Verifies the vulnerability. fix: Fixes the vulnerability.
status	The status of the account. For more information, see Table 4.
tag	The vulnerability tag, for example, oval, system, and cms. The field can be used to distinguish emergency (EMG) vulnerabilities.
type	The type of the vulnerability. sys: Windows vulnerability cve: Linux vulnerability cms: Web CMS vulnerability EMG: Emergency vulnerability
uuid	The UUID of the client.

Distributed Relational Database Service


Field	Description
__topic__	The topic of the log entry. Valid values: drds_audit_log.
instance_id	The ID of the PolarDB-X instance.
instance_name	The name of the PolarDB-X instance.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the PolarDB-X instance resides.
db_name	The name of the PolarDB-X database.
user	The name of the user who executes the SQL statement.
client_ip	The client IP address used to access the PolarDB-X instance.
client_port	The client port used to access the PolarDB-X instance.
sql	The SQL statement.
trace_id	The trace ID of the SQL statement when it is executed. If a transaction is executed, it is tracked by an ID that consists of the trace ID, a hyphen, and a number, for example, drdsabcdxyz-1 and drdsabcdxyz-2.
sql_code	The hash value of the template SQL statement.
hint	The hint that is used to optimize the SQL query.
table_name	The name of the table involved in the query. Separate multiple tables with commas (,).
sql_type	The type of the SQL statement. Valid values: Select, Insert, Update, Delete, Set, Alter, Create, Drop, Truncate, Replace, and Other.
sql_type_detail	The name of the SQL parser.
response_time	The response duration. Unit: milliseconds.
affect_rows	The number of affected or returned rows when the SQL statement is executed.
fail	Indicates whether the SQL statement failed to be executed. Valid values: 0: succeeded 1: failed
sql_time	The time when the SQL statement starts to be executed.

Cloud Firewall


Log field	Description
__topic__	The topic of the log entry. Valid values: cloudfirewall_access_log.
owner_id	The ID of the Alibaba Cloud account.
log_type	The type of the log entry.
app_name	The layer 7 protocol over which data traffic is sent. Valid values: HTTPS, NTP, SIP, SMB, NFS, DNS, and Unknown.
direction	The direction of the traffic. in: inbound traffic out: outbound traffic
domain	The domain name of the target server.
dst_ip	The destination IP address.
dst_port	The destination port.
end_time	The time when the network session ended. The time is in the UNIX timestamp format.
in_bps	The inbound traffic rate. Unit: bits/s.
in_packet_bytes	The total size of the inbound traffic. Unit: bytes.
in_packet_count	The total number of inbound data packets.
in_pps	The transmission rate of inbound data packets. Unit: packets/s.
ip_protocol	The layer 4 protocol over which data is sent. Valid values: TCP and UDP.
out_bps	The outbound traffic rate. Unit: bits/s.
out_packet_bytes	The total size of the outbound traffic. Unit: bytes.
out_packet_count	The total number of outbound data packets.
out_pps	The transmission rate of outbound data packets. Unit: packets/s.
region_id	The region where the data traffic is sent.
rule_result	The action that the access control policy uses to process data packets. pass: Data packets are allowed to pass Cloud Firewall. alert: An alert is triggered when data packets attempt to pass Cloud Firewall. drop: Data packets are dropped.
src_ip	The source IP address.
src_port	The source port.
start_time	The start time of the network session. The time is in the UNIX timestamp format.
start_time_min	The start time of the network session. The time is in the UNIX timestamp format, in minutes.
tcp_seq	The sequence number of the TCP segment.
total_bps	The total inbound and outbound traffic rate. Unit: bits/s.
total_packet_bytes	The total size of the inbound and outbound traffic. Unit: bytes.
total_packet_count	The total number of data packets.
total_pps	The total transmission rate of inbound and outbound packets. Unit: packets/s.
src_private_ip	The source private IP address.
vul_level	The severity of the vulnerability. Valid values: 1: low 2: moderate 3: high
url	The URL of the requested resource.
acl_rule_id	The ID of the matched access control list (ACL) policy.
ips_rule_id	The ID of the matched intrusion prevention system (IPS) policy.
ips_ai_rule_id	The ID of the matched intelligent policy.

Bastionhost


Log field	Description
__topic__	Log topics
owner_id	The ID of the Alibaba Cloud account.
content	The content of the log entry.
event_type	The type of the event. For more information, see Table 5.
instance_id	The ID of the Bastionhost instance.
log_level	The severity of the log entry.
resource_address	The address of the server where the resource resides.
resource_name	The name of the resource on which the operation is performed.
result	The result of the operation.
session_id	The ID of the session.
user_client_ip	The source IP address.
user_id	The ID of the user.
user_name	The username.

Table 5. Event types
Event type	Description
cmd.Command	The CMD commands.
file.Upload	Uploads the file.
file.Download	Downloads the file.
file.Rename	Renames the file.
file.Delete	Deletes the file.
file.DeleteDir	Deletes the directory.
file.CreateDir	Creates the directory.
graph.Text	Text event.
graph.Keyboard	Keyboard event.

OSS


Log type	Description
Access logs	Records access to OSS buckets. The logs are collected in real time.
Batch deletion logs	Records information about deleted objects. The logs are collected in real time. Note When you call the DeleteObjects API operation, a request record is generated in an access log. The information about the deleted objects is stored in the HTTP body of a request. A hyphen (-) is used to indicate the deleted objects in the access log. To retrieve the deleted objects, you can use the request-id parameter to query the deleted objects in the batch deletion log.
Hourly metering logs	Records the hourly metering statistics of a specific bucket. A latency of several hours exists in log collection.

Table 6. Bucket storage classes
Storage Type	Description
standard	Standard
archive	Archive
infrequent_access	IA

For more information about relevant API operations, see API overview.

Table 7. Access types
Operation	Description
AbortMultiPartUpload	Terminates the multipart upload.
AppendObject	Appends the object.
CommitTransition	Commits the transition.
CompleteUploadPart	Completes the multipart upload.
CopyObject	Copies the object.
DeleteBucket	Deletes the bucket.
DeleteLiveChannel	Deletes the LiveChannel.
DeleteObject	Deletes the object.
DeleteObjects	Deletes multiple objects.
ExpireObject	Makes the object expire.
GetBucket	Queries the objects of the bucket.
GetBucketAcl	Obtains permissions on the bucket.
GetBucketCors	Queries the cross-origin resource sharing (CORS) rules of the bucket.
GetBucketEventNotification	Queries the notification configurations of the bucket.
GetBucketInfo	Queries the information about the bucket.
GetBucketLifecycle	Queries the lifecycle configurations of the bucket.
GetBucketLocation	Queries the region where the bucket resides.
GetBucketLog	Queries the access log configurations of the bucket.
GetBucketReferer	Queries the hotlink protection configurations of the bucket.
GetBucketReplication	Queries the cross-region replication configurations.
GetBucketReplicationProgress	Queries the progress of the cross-region replication.
GetBucketStat	Queries the information about the bucket.
GetBucketWebSite	Queries the static website hosting status of the bucket.
GetLiveChannelStat	Queries the status of the LiveChannel.
GetObject	Reads the object.
GetObjectAcl	Obtains the ACL of the object.
GetObjectInfo	Queries the information about the object.
GetObjectMeta	Queries the metadata of the object.
GetObjectSymlink	Queries the details of the object to which the symbolic link is referenced.
GetPartData	Queries the data in all parts of the object.
GetPartInfo	Queries the information about all parts of the object.
GetProcessConfiguration	Queries the image processing configurations of the bucket.
GetService	Queries buckets.
HeadBucket	Queries the information about the bucket.
HeadObject	Queries the information about the object.
InitiateMultipartUpload	Initializes the object for multipart upload.
ListMultiPartUploads	Queries multipart upload events.
ListParts	Queries the status of all parts of the object.
Options	Queries the options.
PostObject	Uploads the object by using the form.
PostProcessTask	Commits data processing operations, such as taking snapshots.
PostVodPlaylist	Creates a video-on-demand (VOD) playlist of the LiveChannel.
ProcessImage	Processes the image.
PutBucket	Creates the bucket.
PutBucketCors	Specifies the CORS rule for the bucket.
PutBucketLifecycle	Configures the lifecycle of the bucket.
PutBucketLog	Specifies the access log for the bucket.
PutBucketWebSite	Specifies the static website hosting mode for the bucket.
PutLiveChannel	Creates the LiveChannel.
PutLiveChannelStatus	Specifies the status of the LiveChannel.
PutObject	Uploads the object.
PutObjectAcl	Modifies the ACL of the object.
PutObjectSymlink	Creates the object by using a symbolic link.
RedirectBucket	Redirects the request to the bucket endpoint.
RestoreObject	Restores the object.
UploadPart	Resumes uploading the object from a checkpoint.
UploadPartCopy	Duplicates the part.
get_image_exif	Queries the exchangeable image file format (Exif) data of the image.
get_image_info	Queries the length and width of the image.
get_image_infoexif	Queries the length, width, and Exif data of the image.
get_style	Queries the picture processing rule of the bucket.
list_style	Queries all picture processing rules of the bucket.
put_style	Creates a picture processing rule for the bucket.

Table 8. Synchronization request types
Synchronization request type	Description
-	General requests
cdn	CDN back-to-origin requests

For more information about signatures, see Verify user signatures.

Table 9. Signature types
Signature type	Description
NotSign	Indicates that a request was unsigned.
NormalSign	Indicates that a request was signed with a regular signature.
UriSign	Indicates that a request was signed with a URL signature.
AdminSign	Indicates that the request was signed with an administrator account.

Access logs


Log field	Description
__topic__	The topic of the log entry. Valid values: oss_access_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the bucket resides.
access_id	The AccessKey ID of the Alibaba Cloud account.
time	The time when OSS receives a request. Use the value of __time__ if a timestamp is required.
owner_id	The Alibaba Cloud account ID of the bucket owner.
User-Agent	The HTTP User-Agent header.
logging_flag	Indicates whether logging has been enabled to periodically export logs to OSS buckets.
bucket	The name of the bucket.
content_length_in	The value of the request Content-Length header. Unit: bytes.
content_length_out	The value of response Content-Length header. Unit: bytes.
object	The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
object_size	The size of a requested object. Unit: bytes.
operation	The API operation. For more information, see Table 7.
request_uri	The URL-encoded URI of a request, including the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
error_code	The error code returned by OSS. For more information, see OSS error response.
request_length	The size of the HTTP request message. Unit: bytes.
client_ip	The IP address from which a request originates. The IP address can be the IP address of the client, firewall, or proxy.
response_body_length	The size of the HTTP response body.
http_method	The HTTP request method.
referer	The Referer HTTP header.
requester_id	The ID of the Alibaba Cloud account. The value of this field is a hyphen (-) if you use anonymous logon.
request_id	The ID of the request.
response_time	The response duration. Unit: milliseconds.
server_cost_time	The time that the OSS server consumes to process a request. Unit: milliseconds.
http_type	The protocol of an HTTP request. Valid values: HTTP and HTTPS.
sign_type	The type of the signature. For more information, see Table 9.
http_status	The HTTP status code returned by the OSS server.
sync_request	The type of the synchronization request. For more information, see Table 8.
bucket_storage_type	The OSS storage class. For more information, see Table 6.
host	The domain name of the OSS server from which resources are requested.
vpc_addr	The VPC IP address of the OSS server. The IP address is resolved from the domain name of the server.
vpc_id	VPC ID
delta_data_size	The size change of the object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) if the request is not an upload request.
acc_access_region	For a transfer acceleration request, this field is the ID of the region where the requested access point resides. Otherwise, The value of this field is a hyphen (-).

Batch deletion logs


Log field	Description
__topic__	The topic of the log entry. Valid values: oss_batch_delete_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the bucket resides.
client_ip	The IP address from which a request originates. The IP address can be the IP address of the client, firewall, or proxy.
user_agent	The HTTP User-Agent header.
bucket	The name of the bucket.
error_code	The error code returned by OSS. For more information, see OSS error response.
request_length	The size of the HTTP request message. Unit: bytes.
response_body_length	The size of the HTTP response body.
object	The requested URL-encoded object. You can include the select url_decode(object) clause in a query statement to decode the object.
object_size	The size of the requested object. Unit: bytes.
operation	The API operation. For more information, see Table 7.
bucket_location	The cluster to which the bucket belongs.
http_method	The HTTP request method.
referer	The Referer HTTP header.
request_id	The ID of the request.
http_status	The HTTP status code that OSS returns.
sync_request	The type of the synchronization request. For more information, see Table 8.
request_uri	The URL-encoded URI of a request, including the query_string parameter. You can include the select url_decode(request_uri) clause in a query statement to decode the URI.
host	The domain name of the OSS server from which resources are requested.
logging_flag	Indicates whether logging has been enabled to periodically export logs to OSS buckets.
server_cost_time	The time that the OSS server consumes to process a request. Unit: milliseconds.
owner_id	The Alibaba Cloud account ID of the bucket owner.
requester_id	The Alibaba Cloud ID of the requester. The value of this field is a hyphen (-) for anonymous requests.
delta_data_size	The variation of the size of the object. The value of this field is 0 if the object size does not change. The value of this field is a hyphen (-) if the request is not an upload request.

Hourly metering logs


Log field	Description
__topic__	The topic of the log entry. Valid values: oss_metering_log.
owner_id	The Alibaba Cloud account ID of the bucket owner.
bucket	The name of the bucket.
cdn_in	The inbound traffic from CDN. Unit: bytes.
cdn_out	The outbound traffic to CDN. Unit: bytes.
get_request	The number of GET requests.
intranet_in	The inbound traffic from the internal network. Unit: bytes.
intranet_out	The outbound traffic of the internal network. Unit: bytes.
network_in	The inbound traffic from the public network. Unit: bytes.
network_out	The outbound traffic to the public network. Unit: bytes.
put_request	The number of PUT requests.
storage_type	The OSS storage class. For more information, see Table 6.
storage	The storage usage of the bucket. Unit: bytes.
metering_datasize	The size of metering data in non-standard storage.
process_img_size	The size of the processed image. Unit: bytes.
process_img	The processed image.
sync_in	The inbound synchronization traffic. Unit: bytes.
sync_out	The outbound synchronization traffic. Unit: bytes.
start_time	The time when a metering operation starts. The time is in the UNIX timestamp format.
end_time	The time when a metering operation ends. The time is in the UNIX timestamp format.
region	The region where the bucket resides.

ApsaraDB for RDS


Log field	Description
__topic__	The topic of the log entry. Valid values: rds_audit_log.
owner_id	The ID of the Alibaba Cloud account.
region	The region where the ApsaraDB for RDS instance resides.
instance_name	The name of the ApsaraDB for RDS instance.
instance_id	The ID of the ApsaraDB for RDS instance.
db_type	The type of the ApsaraDB for RDS instance, for example, mysql, mssql, and pgsql.
db_version	The version of the ApsaraDB for RDS instance.
check_rows	The number of scanned rows.
db	The name of the database in the instance.
fail	Indicates whether the SQL statement failed to be executed. Valid values: 0: succeeded 1: failed
client_ip	The IP address of the client that accesses the ApsaraDB for RDS instance.
latency	The network latency. Unit: microseconds.
origin_time	The time when the SQL statement is executed. The time is in the UNIX timestamp format, in microseconds.
return_rows	The number of returned rows.
sql	The SQL statement.
thread_id	The ID of the thread.
user	The name of the user who executes the SQL statement.
update_rows	The number of updated rows.

Apsara File Storage NAS


Log field	Description
owner_id	The ID of the Alibaba Cloud account.
ArgIno	The inode number of the file system.
AuthRc	The authorization return code.
NFSProtocolRc	The NFS return code.
OpList	The NFSv4 procedure number.
Proc	The NFSv3 procedure number.
RWSize	The size of the read/write data. Unit: bytes.
RequestId	The ID of the request.
ResIno	The inode number of lookup resources.
SourceIp	The IP address of the client.
Vers	The version number of the NFS protocol.
Vip	The IP address of the server.
Volume	The ID of the file system.
microtime	The time when the request is sent. The time is in the UNIX timestamp format, in microseconds.

Alibaba Cloud Mobile Push


Log field	Description
__topic__	The topic of the log entry. Valid values: cps_callback_event.
owner_id	The ID of the Alibaba Cloud account.
app_key	AppKey
message_id	The message ID.
event_time	The time when the callback event occurs.
event_type	The type of the callback event.
device_id	The ID of the device.
device_type	The type of the device.
last_active_time	The last time when the device is active.
app_version	The version of the application.
client_ip	The IP address of the client.
brand	The brand of the device.
network_type	The network type of the device.
os	The operating system of the device.
os_version	The version of the operating system.
isp	The ISP of the device.
job_key	The key of the job.