This topic describes the fields of the 14 subtypes of Security Center logs.

Network logs

  • DNS logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-log-dns.
    additional The fields in the additional section. Each field is separated by a vertical bar (|).
    additional_num The number of fields in the additional section.
    answer The DNS answers. Each DNS answer is separated by a vertical bar (|).
    answer_num The number of DNS answers.
    authority The fields in the authority section. Each field is separated by a vertical bar (|).
    authority_num The number of fields in the authority section.
    client_subnet The subnet where the client resides.
    dst_ip The destination IP address.
    dst_port The destination port.
    in_out The direction of data flows. Valid values:
    • in: inbound data flows
    • out: outbound data flows
    qid The ID of the query.
    qname The domain name to be queried.
    qtype The type of the resource to be queried.
    query_datetime The timestamp of the query. Unit: milliseconds.
    rcode The code of the response.
    region The ID of the source region. Valid values:
    • 1: Beijing
    • 2: Qingdao
    • 3: Hangzhou
    • 4: Shanghai
    • 5: Shenzhen
    • 6: Others
    response_datetime The datetime of the response, for example, 2018-09-25 09:59:16.
    src_ip The source IP address.
    src_port The source port.
  • Local DNS logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: local-dns.
    answer_rda The DNS answers. Each DNS answer is separated by a vertical bar (|).
    answer_ttl The TTL of the resource records in the DNS answers. Each value is separated by a vertical bar (|).
    answer_type The types of the resource records in the DNS answers. Each value is separated by a vertical bar (|).
    anwser_name The domain names in the DNS answers. Each value is separated by a vertical bar (|).
    dest_ip The destination IP address.
    dest_port The destination port.
    group_id The ID of the group to which the host belongs.
    hostname The hostname.
    id The IP address of the host.
    instance_id The ID of the ECS instance.
    internet_ip The public IP address of the host.
    ip_ttl The TTL of the data packets sent by the host.
    query_name The domain name to be queried.
    query_type The type of the resource to be queried.
    src_ip The source IP address.
    src_port The source port.
    time The timestamp of the query. Unit: seconds.
    time_usecond The response time. Unit: microseconds.
    tunnel_id The ID of the DNS tunnel.
  • Network session logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-log-session.
    asset_type The type of the associated Alibaba Cloud service, for example, ECS.
    dst_ip The destination IP address.
    dst_port The destination port.
    proto The type of the transport layer protocol, for example, TCP or UDP.
    session_time The time of the TCP session, for example, 2018-09-25 09:59:49.
    src_ip The source IP address.
    src_port The source port.
  • Web logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-log-http.
    content_length The content length of the HTTP request message.
    dst_ip The destination IP address.
    dst_port The destination port.
    host The hostname of the web server.
    jump_location The HTTP redirect.
    method The HTTP request method, for example, GET.
    referer The Referer HTTP header field. The field contains the address of the web page that is linked to the resource being requested.
    request_datetime The time of the request. The time is in the datetime format.
    ret_code The HTTP status code.
    rqs_content_type The content type of the HTTP request message.
    rsp_content_type The content type of the HTTP response message.
    src_ip The source IP address.
    src_port The source port.
    uri The URI of the requested resource.
    user_agent The User-Agent HTTP header field, which identifies the client that initiates the request.
    x_forward_for The X-Forwarded-For HTTP header field.
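The DNS log table above packs several multi-valued fields (answer, authority, additional) into one string separated by vertical bars, with a matching *_num field carrying the declared count, and encodes the region and direction as codes. The following is an added example, not Security Center code: it normalises one entry into typed values and reports inconsistencies a consumer should not silently accept, such as an undocumented region code or a *_num that disagrees with the number of items actually present. It assumes each entry is a dict keyed by the field names in the table, that query_datetime is a millisecond Unix timestamp, and that an empty bar-separated field means zero items; the sample entries are constructed, not captured logs.

```python
"""Normalise Security Center DNS log entries (topic sas-log-dns).

Added example, not Security Center code. Field names follow the DNS log
table; the sample entries below are constructed, not captured.
"""
from datetime import datetime, timezone

# Code tables as documented in the DNS log field descriptions.
REGION_NAMES = {"1": "Beijing", "2": "Qingdao", "3": "Hangzhou",
                "4": "Shanghai", "5": "Shenzhen", "6": "Others"}
DIRECTIONS = {"in": "inbound", "out": "outbound"}

# Constructed sample entries (assumption: every field arrives as a string).
SAMPLE_ENTRIES = [
    {"__topic__": "sas-log-dns", "__time__": "1537869556",
     "src_ip": "10.0.0.5", "src_port": "40512", "dst_ip": "192.0.2.53",
     "dst_port": "53", "in_out": "out", "region": "3", "qid": "4113",
     "qname": "example.com", "qtype": "A", "rcode": "0",
     "query_datetime": "1537869556000",
     "response_datetime": "2018-09-25 09:59:16",
     "answer": "93.184.216.34|93.184.216.35", "answer_num": "2",
     "authority": "", "authority_num": "0",
     "additional": "", "additional_num": "0", "client_subnet": "10.0.0.0/24"},
    # Second entry: undocumented region code and a count/items mismatch.
    {"__topic__": "sas-log-dns", "__time__": "1537869570",
     "src_ip": "10.0.0.6", "src_port": "40600", "dst_ip": "192.0.2.53",
     "dst_port": "53", "in_out": "out", "region": "9", "qid": "4114",
     "qname": "nxdomain.invalid", "qtype": "A", "rcode": "3",
     "query_datetime": "1537869570000",
     "response_datetime": "2018-09-25 09:59:30",
     "answer": "", "answer_num": "1",
     "authority": "a.iana-servers.net", "authority_num": "1",
     "additional": "", "additional_num": "0", "client_subnet": "10.0.0.0/24"},
]


def split_list(value):
    """Split a vertical-bar separated field; an empty field has zero items."""
    return [] if not value else value.split("|")


def parse_dns_entry(entry):
    """Return (normalised record, list of consistency problems)."""
    problems = []
    record = {
        "qname": entry["qname"],
        "qtype": entry["qtype"],
        "rcode": int(entry["rcode"]),
        "direction": DIRECTIONS.get(entry["in_out"]),
        "region": REGION_NAMES.get(entry["region"]),
        "client": (entry["src_ip"], int(entry["src_port"])),
        "server": (entry["dst_ip"], int(entry["dst_port"])),
        # query_datetime is documented in milliseconds; UTC is an assumption.
        "query_time": datetime.fromtimestamp(
            int(entry["query_datetime"]) / 1000, tz=timezone.utc),
    }
    if record["direction"] is None:
        problems.append(f"in_out={entry['in_out']!r} is not documented")
    if record["region"] is None:
        problems.append(f"region code {entry['region']!r} is not documented")
    for section in ("answer", "authority", "additional"):
        items = split_list(entry.get(section, ""))
        record[section] = items
        declared = int(entry.get(f"{section}_num", len(items)))
        if declared != len(items):
            problems.append(
                f"{section}_num={declared} but {len(items)} items present")
    return record, problems


def audit(entries):
    """Parse every entry and pair each query name with its problem list."""
    return [(rec["qname"], probs) for rec, probs in map(parse_dns_entry, entries)]


if __name__ == "__main__":
    for qname, probs in audit(SAMPLE_ENTRIES):
        print(qname, "OK" if not probs else "; ".join(probs))
```

Treating the *_num fields as a checksum on the bar-split lists is cheap and catches a truncated or re-encoded field before it feeds a detection rule; the unknown region code is reported rather than mapped to Others so that a new or mis-set value does not silently merge with a documented one.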

Security logs

  • Vulnerability logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-vul-log.
    name The name of the vulnerability.
    alias_name The alias of the vulnerability.
    op The action performed on the vulnerability. Valid values:
    • new: A new vulnerability is detected.
    • verify: verifies the vulnerability.
    • fix: fixes the vulnerability.
    status The status of the alert. For more information, see Table 2.
    tag The vulnerability tag, for example, oval, system, or cms. The field can be used to distinguish emergency (EMG) vulnerabilities.
    type The vulnerability type. Examples:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: web CMS vulnerability
    • EMG: emergency vulnerability
    uuid The universally unique identifier (UUID) of the client.
  • Baseline logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-hc-log.
    level The level of the baseline check. Valid values: low, medium, and high.
    op The action performed on the check item. Valid values:
    • new: A new risk item is detected.
    • verify: verifies the check item.
    • fix: fixes the check item.
    risk_name The name of the check item.
    status The status of the check item. For more information, see Table 2.
    sub_type_alias The subtype alias of the check item.
    sub_type_name The subtype of the check item.
    type_name The type of the check item.
    type_alias The type alias of the check item.
    uuid The UUID of the client.
    Table 1. Types and subtypes of check items
    type_name sub_type_name
    system baseline
    weak_password postsql_weak_password
    database redis_check
    account system_account_security
    account system_account_security
    weak_password mysq_weak_password
    weak_password ftp_anonymous
    weak_password rdp_weak_password
    system group_policy
    system register
    account system_account_security
    weak_password sqlserver_weak_password
    system register
    weak_password ssh_weak_password
    weak_password ftp_weak_password
    cis centos7
    cis tomcat7
    cis memcached-check
    cis mongodb-check
    cis ubuntu14
    cis win2008_r2
    system file_integrity_mon
    cis linux-httpd-2.2-cis
    cis linux-docker-1.6-cis
    cis SUSE11
    cis redhat6
    cis bind9.9
    cis centos6
    cis debain8
    cis redhat7
    cis SUSE12
    cis ubuntu16
    Table 2. Status codes of security logs
    Status code Description
    1 Unfixed.
    2 Fix failed.
    3 Rollback failed.
    4 Fixing.
    5 Rolling back.
    6 Verifying.
    7 Fixed.
    8 Fixed. To be restarted.
    9 Rollback succeeded.
    10 Ignored.
    11 Rollback succeeded. To be restarted.
    12 No longer exists.
    20 Expired.
  • Security alert logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: sas-security-log.
    data_source The source of the data. Valid values:
    • aegis_suspicious_event: server exceptions
    • aegis_suspicious_file_v2: Webshell
    • aegis_login_log: suspicious logons
    • security_event: Security Center exceptions
    level The severity of the alert, for example, suspicious, serious, or remind.
    name The name of the alert.
    op The action performed on the alert. Valid values:
    • new: An alert is triggered.
    • dealing: The alert is being processed.
    status The status of the alert. For more information, see Table 2.
    uuid The UUID of the client.

Host logs

  • Process initiation logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: aegis-log-process.
    uuid The UUID of the client.
    ip The IP address of the client.
    cmdline The full command line that starts the process.
    username The username.
    uid The ID of the user.
    pid The ID of the process.
    filename The name of the process file.
    filepath The full path of the process file.
    groupname The name of the user group.
    ppid The ID of the parent process.
    pfilename The name of the parent process file.
    pfilepath The full path of the parent process file.
  • Process snapshot logs
    Field Description
    __time__ The time when the data is obtained.
    __topic__ The topic of the log entry. Valid value: aegis-snapshot-process.
    uuid The UUID of the client.
    ip The IP address of the client.
    cmdline The full command line that starts the process.
    pid The ID of the process.
    name The name of the process file.
    path The full path of the process file.
    md5 The MD5 hash of the process file. The hash is not calculated for process files larger than 1 MB.
    pname The name of the parent process file.
    start_time The time when the process starts.
    user The username.
    uid The ID of the user.
  • Logon logs
    Note Repeated logons within one minute are recorded in the same log entry. The warn_count field indicates the number of logons.
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: aegis-log-login.
    uuid The UUID of the client.
    ip The IP address of the client.
    warn_ip The source IP address.
    warn_port The source port.
    warn_type The type of the logon. Examples:
    • SSHLOGIN: SSH logon
    • RDPLOGIN: remote desktop logon
    • IPCLOGIN: IPC logon
    warn_user The logon username.
    warn_count The number of logon attempts. A value of 3 indicates that two other logon requests were sent within the minute before the current logon attempt.
  • Brute-force cracking logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: aegis-log-crack.
    uuid The UUID of the client.
    ip The IP address of the client.
    warn_ip The source IP address.
    warn_port The source port.
    warn_type The type of the logon. Examples:
    • SSHLOGIN: SSH logon
    • RDPLOGIN: remote desktop logon
    • IPCLOGIN: IPC logon
    warn_user The logon username.
    warn_count The number of failed logon attempts.
  • Network connection logs
    Note Network connection changes on the host are collected every 10 seconds to 1 minute. Only connections in certain states are logged.
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: aegis-log-network.
    uuid The UUID of the client.
    ip The IP address of the client.
    src_ip The source IP address.
    src_port The source port.
    dst_ip The destination IP address.
    dst_port The destination port.
    proc_name The process name.
    proc_path The path of the process file.
    proto The protocol used to establish a network connection, for example, UDP or raw (raw socket).
    status The connection status. For more information, see Table 3.
    Table 3. Status codes of network connections
    Status code Description
    1 closed
    2 listen
    3 syn send
    4 syn recv
    5 established
    6 close wait
    7 closing
    8 fin_wait1
    9 fin_wait2
    10 time_wait
    11 delete_tcb
  • Port listening snapshot logs
    Field Description
    __time__ The time when the data is obtained.
    __topic__ The topic of the log entry. Valid value: aegis-snapshot-host.
    uuid The UUID of the client.
    ip The IP address of the client.
    proto The protocol used to establish a network connection, for example, TCP, UDP, or raw (raw socket).
    src_ip The IP address that is listened on.
    src_port The port that is listened on.
    pid The ID of the process.
    proc_name The name of the process.
  • Account snapshot logs
    Field Description
    __time__ The connection time.
    __topic__ The topic of the log entry. Valid value: aegis-snapshot-host.
    uuid The UUID of the client.
    ip The IP address of the client.
    user The username of the account.
    perm Indicates whether the user has root permissions.
    • 0: The user does not have root permissions.
    • 1: The user has root permissions.
    home_dir The home directory of the user.
    groups The groups to which the user belongs.
    last_chg The date when the password is last modified.
    shell The login shell of the user.
    domain The Windows domain.
    tty The logon terminal.
    warn_time The notification date for password expiration.
    account_expire The date when the account expires.
    passwd_expire The date when the password expires.
    login_ip The IP address of the last remote logon client.
    last_logon The date of the last logon.
    status The status of the user.
    • 0: disabled
    • 1: normal
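The logon logs and brute-force cracking logs above share the uuid, warn_ip, warn_type and warn_user fields, which makes the two log types straightforward to join: a successful logon that arrives shortly after a run of failed attempts from the same source against the same host is the event an analyst wants surfaced. The following is an added example, not Security Center code: it walks a mixed stream of aegis-log-crack and aegis-log-login entries in time order, accumulates failed attempts per (host, source IP) burst, and emits a finding when a logon from that source lands within a configurable window after the last failure. It assumes each entry is a dict keyed by the field names in the tables, that __time__ is a Unix timestamp in seconds, and that one finding per burst is wanted; the sample entries and the 600-second window are constructed choices, not values from the page.

```python
"""Correlate brute-force cracking logs with logon logs (added example).

Not Security Center code: assumes each entry is a dict keyed by the host log
field names above and that __time__ is a Unix timestamp in seconds.
The sample entries are constructed, not captured logs.
"""

WINDOW_SECONDS = 600  # assumption: a logon within 10 min of failures is reported


def crack(t, uuid, src, user, count):
    """Build a constructed aegis-log-crack entry with the documented fields."""
    return {"__time__": t, "__topic__": "aegis-log-crack", "uuid": uuid,
            "ip": "10.0.0.5", "warn_ip": src, "warn_port": "51000",
            "warn_type": "SSHLOGIN", "warn_user": user, "warn_count": str(count)}


def login(t, uuid, src, user):
    """Build a constructed aegis-log-login entry with the documented fields."""
    return {"__time__": t, "__topic__": "aegis-log-login", "uuid": uuid,
            "ip": "10.0.0.5", "warn_ip": src, "warn_port": "51010",
            "warn_type": "SSHLOGIN", "warn_user": user, "warn_count": "1"}


SAMPLE_ENTRIES = [  # constructed; deliberately out of time order
    login(1537869800, "host-a", "192.0.2.10", "admin"),   # no prior failures
    crack(1537869560, "host-a", "203.0.113.7", "root", 43),
    crack(1537869500, "host-a", "203.0.113.7", "root", 57),
    login(1537869700, "host-a", "203.0.113.7", "root"),   # 140 s after failures
    login(1537869710, "host-b", "203.0.113.7", "root"),   # other host, no failures
    crack(1537800000, "host-c", "198.51.100.9", "root", 12),
    login(1537869900, "host-c", "198.51.100.9", "root"),  # far outside window
]


def find_suspicious_logons(entries, window=WINDOW_SECONDS):
    """Return one finding per burst of failures followed by a logon."""
    findings = []
    # (uuid, warn_ip) -> (time of last failure, failed attempts in this burst)
    bursts = {}
    for e in sorted(entries, key=lambda x: int(x["__time__"])):
        key = (e["uuid"], e["warn_ip"])
        t = int(e["__time__"])
        if e["__topic__"] == "aegis-log-crack":
            last, total = bursts.get(key, (None, 0))
            if last is not None and t - last > window:
                total = 0  # the previous burst went quiet; start a new one
            bursts[key] = (t, total + int(e["warn_count"]))
        elif e["__topic__"] == "aegis-log-login" and key in bursts:
            last, total = bursts[key]
            if 0 <= t - last <= window:
                findings.append({
                    "uuid": e["uuid"],
                    "source_ip": e["warn_ip"],
                    "user": e["warn_user"],
                    "logon_type": e["warn_type"],
                    "failed_attempts": total,
                    "seconds_after_last_failure": t - last,
                })
                del bursts[key]  # report each burst once
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logons(SAMPLE_ENTRIES):
        print(f)
```

Keying on (uuid, warn_ip) rather than warn_ip alone keeps a scanner that fails against one host from tainting an unrelated, legitimate logon on another; the warn_user is carried into the finding so the analyst can see whether the account that finally succeeded was the one being guessed.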