This topic describes the fields of Security Center logs. Security Center logs include network logs, security logs, and host logs.

Network logs

  • DNS logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-log-dns.
    owner_id - The ID of an Alibaba Cloud account.
    additional - The fields in the additional section. Multiple values are separated by vertical bars (|).
    additional_num - The number of fields in the additional section.
    answer - The DNS responses. Multiple values are separated by vertical bars (|).
    answer_num - The number of DNS responses.
    authority - The fields in the authority section.
    authority_num - The number of fields in the authority section.
    client_subnet - The subnet where a client resides.
    dst_ip - The IP address of a destination server.
    dst_port - The destination port.
    in_out - The direction of data flows. Valid values:
    • in: inbound
    • out: outbound
    qid - The ID of a query.
    qname - The domain name that is queried.
    qtype - The type of a resource that is queried.
    query_datetime - The timestamp of a query. Unit: milliseconds.
    rcode - The code of a response.
    region - The ID of a source region. Valid values:
    • 1: China (Beijing)
    • 2: China (Qingdao)
    • 3: China (Hangzhou)
    • 4: China (Shanghai)
    • 5: China (Shenzhen)
    • 6: Others
    response_datetime - The time when a response is returned.
    src_ip - The IP address of a source server.
    src_port - The source port.
  • Local DNS logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: local-dns.
    owner_id - The ID of an Alibaba Cloud account.
    answer_rdata - The DNS responses. Multiple values are separated by vertical bars (|).
    answer_ttl - The time-to-live (TTL) of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    answer_type - The types of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    anwser_name - The domain names in DNS responses. Multiple values are separated by vertical bars (|).
    dest_ip - The IP address of a destination server.
    dest_port - The destination port.
    group_id - The ID of the group to which a host belongs.
    hostname - The hostname.
    id - The ID of a query.
    instance_id - The ID of an instance.
    internet_ip - The public IP address of a host.
    ip_ttl - The TTL of the data packets that are sent by a host.
    query_name - The domain name that is queried.
    query_type - The type of a resource that is queried.
    src_ip - The IP address of a source server.
    src_port - The source port.
    time - The timestamp of a query. Unit: seconds.
    time_usecond - The response time. Unit: microseconds.
    tunnel_id - The ID of a DNS tunnel.
  • Network session logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-log-session.
    owner_id - The ID of an Alibaba Cloud account.
    asset_type - The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS.
    dst_ip - The IP address of a destination server.
    dst_port - The destination port.
    proto - The type of a transport layer protocol, for example, TCP or UDP.
    session_time - The duration of a session.
    src_ip - The IP address of a source server.
    src_port - The source port.
  • Web logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-log-http.
    owner_id - The ID of an Alibaba Cloud account.
    content_length - The content length of an HTTP request message.
    dst_ip - The IP address of a destination server.
    dst_port - The destination port.
    host - The hostname of a web server.
    jump_location - The IP address of an HTTP redirect.
    method - The HTTP request method.
    referer - The Referer HTTP header. This field includes the address of the web page that sends a request.
    request_datetime - The time when a request is sent.
    ret_code - The HTTP status code.
    rqs_content_type - The content type of an HTTP request message.
    rsp_content_type - The content type of an HTTP response message.
    src_ip - The IP address of a source server.
    src_port - The source port.
    uri - The URI of a request.
    user_agent - The user agent of a client that sends a request.
    x_forward_for - The X-Forwarded-For (XFF) HTTP header.
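
The DNS and Local DNS field tables above document several multi-value fields whose values are separated by vertical bars, and the Local DNS answer_rdata, answer_ttl, answer_type and anwser_name fields are parallel lists that only make sense when read together. The following is an added example, not code from the original page or from Alibaba Cloud, that parses those fields: it splits sas-log-dns answers and checks them against answer_num, and zips the four Local DNS answer fields into one record per resource record, refusing a record whose lists disagree in length. The two sample records are constructed; the field names are the ones the tables list (including the spelling anwser_name).

```python
"""Parse the pipe-delimited multi-value fields of Security Center DNS logs.

Added example, not part of the original page or of Alibaba Cloud's code.
Sample records below are constructed; field names come from the field tables.
"""
from dataclasses import dataclass

SEP = "|"  # separator the field tables document for multi-value fields


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: str
    ttl: int
    rdata: str


def split_multi(value):
    """Split a pipe-delimited field into a list; a missing or empty field means no values."""
    return [] if value in (None, "") else value.split(SEP)


def parse_sas_dns_answers(record):
    """sas-log-dns: return (answers, consistent).

    'consistent' is False when the number of parsed answers differs from the
    declared answer_num, so a rule that keys on answer_num does not misfire
    on a malformed record.
    """
    answers = split_multi(record.get("answer"))
    declared = int(record.get("answer_num", len(answers)))
    return answers, len(answers) == declared


def parse_local_dns_answers(record):
    """local-dns: zip the four parallel answer_* fields into Answer objects.

    The four fields are parallel lists; if their lengths disagree the record
    is malformed and ValueError is raised rather than pairing values wrongly.
    """
    names = split_multi(record.get("anwser_name"))
    types = split_multi(record.get("answer_type"))
    ttls = split_multi(record.get("answer_ttl"))
    rdatas = split_multi(record.get("answer_rdata"))
    lengths = {len(names), len(types), len(ttls), len(rdatas)}
    if len(lengths) != 1:
        raise ValueError(f"answer_* fields have inconsistent lengths: {sorted(lengths)}")
    return [Answer(n, t, int(ttl), r) for n, t, ttl, r in zip(names, types, ttls, rdatas)]


# Constructed sample records (TEST-NET addresses, not taken from the page).
SAS_DNS_RECORD = {
    "__topic__": "sas-log-dns",
    "qname": "www.example.com",
    "qtype": "A",
    "answer": "192.0.2.10|192.0.2.11",
    "answer_num": "2",
    "rcode": "0",
}

LOCAL_DNS_RECORD = {
    "__topic__": "local-dns",
    "query_name": "www.example.com",
    "query_type": "A",
    "anwser_name": "www.example.com|example.com",
    "answer_type": "CNAME|A",
    "answer_ttl": "300|60",
    "answer_rdata": "example.com|192.0.2.10",
}

if __name__ == "__main__":
    print(parse_sas_dns_answers(SAS_DNS_RECORD))
    for answer in parse_local_dns_answers(LOCAL_DNS_RECORD):
        print(answer)
```

The count check matters for detection logic: answer_num is the field a query such as "more than N answers for one name" would key on, so a record whose answer list and answer_num disagree should be surfaced as malformed rather than counted either way.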

Security logs

  • Vulnerability logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-vul-log.
    owner_id - The ID of an Alibaba Cloud account.
    name - The name of a vulnerability.
    alias_name - The alias of a vulnerability.
    op - The action that is performed on a vulnerability. Valid values:
    • new: detects a new vulnerability.
    • verify: verifies a vulnerability.
    • fix: fixes a vulnerability.
    status - The status of a vulnerability. For more information, see Status codes of security logs.
    tag - The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities.
    type - The type of a vulnerability. Valid values:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: Web CMS vulnerability
    • EMG: emergency vulnerability
    uuid - The universally unique identifier (UUID) of a client.
  • Baseline logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-hc-log.
    owner_id - The ID of an Alibaba Cloud account.
    level - The level of a baseline.
    op - The action that is performed on a baseline. Valid values:
    • new: detects a new baseline.
    • verify: verifies a baseline.
    risk_name - The name of a baseline risk.
    status - The status of a baseline. For more information, see Status codes of security logs.
    sub_type_alias - The subtype alias of a baseline.
    sub_type_name - The subtype of a baseline.
    type_name - The type of a baseline. For more information, see Types and subtypes of baselines.
    type_alias - The type alias of a baseline.
    uuid - The UUID of a client.
    check_item - The name of a check item.
    check_level - The level of a check item.
    check_type - The type of a check item.
    Table 1. Types and subtypes of baselines
    type_name - sub_type_name
    system - baseline
    weak_password - postsql_weak_password
    database - redis_check
    account - system_account_security
    weak_password - mysq_weak_password
    weak_password - ftp_anonymous
    weak_password - rdp_weak_password
    system - group_policy
    system - register
    weak_password - sqlserver_weak_password
    weak_password - ssh_weak_password
    weak_password - ftp_weak_password
    cis - centos7
    cis - tomcat7
    cis - memcached-check
    cis - mongodb-check
    cis - ubuntu14
    cis - win2008_r2
    system - file_integrity_mon
    cis - linux-httpd-2.2-cis
    cis - linux-docker-1.6-cis
    cis - SUSE11
    cis - redhat6
    cis - bind9.9
    cis - centos6
    cis - debain8
    cis - redhat7
    cis - SUSE12
    cis - ubuntu16
    Table 2. Status codes of security logs
    Status code - Description
    1 - Unfixed.
    2 - Fix failed.
    3 - Rollback failed.
    4 - Fixing.
    5 - Rolling back.
    6 - Verifying.
    7 - Fixed.
    8 - Fixed. Waiting for a restart.
    9 - Rollback succeeded.
    10 - Ignored.
    11 - Rollback succeeded. Waiting for a restart.
    12 - No longer exists.
    20 - Expired.
  • Security alert logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: sas-security-log.
    data_source - The data source. For more information, see Values of the data_source field in security alert logs.
    level - The severity level of an alert.
    name - The name of an alert.
    op - The action that is performed on an alert. Valid values:
    • new: An alert is triggered.
    • dealing: An alert is being processed.
    status - The status of an alert. For more information, see Status codes of security logs.
    uuid - The UUID of a client.
    detail - The details of an alert.
    unique_info - The unique identifier of an alert for a single server.
    Table 3. Values of the data_source field in security alert logs
    Value - Description
    aegis_suspicious_event - Server exceptions
    aegis_suspicious_file_v2 - Webshell
    aegis_login_log - Suspicious logons
    security_event - Security Center exceptions

Host logs

  • Process startup logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-log-process.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    cmdline - The full command line that starts a process.
    username - The username.
    uid - The ID of a user.
    pid - The ID of a process.
    filename - The name of a process file.
    filepath - The full path of a process file.
    groupname - The name of a user group.
    ppid - The ID of a parent process.
    pfilename - The name of a parent process file.
    pfilepath - The full path of a parent process file.
    cmd_chain - The process chain.
    containerhostname - The hostname of a container.
    containerpid - The process ID of a container.
    containerimageid - The ID of an image.
    containerimagename - The name of an image.
    containername - The name of a container.
    containerid - The ID of a container.
    cwd - The current working directory (CWD) of a running process.
  • Process snapshot logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-snapshot-process.
    owner_id - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    cmdline - The full command line that starts a process.
    pid - The ID of a process.
    name - The name of a process file.
    path - The full path of a process file.
    md5 - The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated.
    pname - The name of a parent process file.
    start_time - The time when a process starts. This field is a built-in field.
    user - The username.
    uid - The ID of a user.
  • Logon logs
    Logon attempts within a 1-minute window are recorded in one log entry.
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-log-login.
    owner_id - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    warn_ip - The IP address of a source server.
    warn_port - The logon port.
    warn_type - The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
    warn_user - The logon username.
    warn_count - The number of logon attempts. For example, the value 3 indicates that two logon requests were sent in the minute before the current logon.
  • Brute-force cracking logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-log-crack.
    owner_id - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    warn_ip - The IP address of a source server.
    warn_port - The logon port.
    warn_type - The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
    warn_user - The logon username.
    warn_count - The number of failed logon attempts.
  • Network connection logs
    Changes in network connections are collected on the host every 10 seconds to 1 minute.
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-log-network.
    owner_id - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    src_ip - The IP address of a source server.
    src_port - The source port.
    dst_ip - The IP address of a destination server.
    dst_port - The destination port.
    proc_name - The name of a process.
    proc_path - The path of a process file.
    proto - The protocol that is used to establish a network connection.
    status - The connection status. For more information, see Status codes of network connections.
    Table 4. Status codes of network connections
    Status code - Description
    1 - closed
    2 - listen
    3 - syn sent
    4 - syn recv
    5 - established
    6 - close wait
    7 - closing
    8 - fin_wait1
    9 - fin_wait2
    10 - time_wait
    11 - delete_tcb
  • Port listening snapshot logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-snapshot-port.
    owner_id - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of a client.
    proto - The protocol that is used by a listener.
    src_ip - The IP address that is listened on.
    src_port - The port that is listened on.
    pid - The ID of a process.
    proc_name - The name of a process.
  • Account snapshot logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-snapshot-host.
    owner_id - The ID of an Alibaba Cloud account.
    name - The name of a vulnerability.
    alias_name - The alias of a vulnerability.
    op - The action that is performed on a vulnerability. Valid values:
    • new: detects a new vulnerability.
    • verify: verifies a vulnerability.
    • fix: fixes a vulnerability.
    status - The connection status. For more information, see Status codes of network connections.
    tag - The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities.
    type - The type of a vulnerability. Valid values:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: Web CMS vulnerability
    • EMG: emergency vulnerability
    uuid - The UUID of a client.
  • DNS request logs
    Log field - Description
    __topic__ - The topic of a log. Valid value: aegis-log-dns-query.
    ali_uid - The ID of an Alibaba Cloud account.
    uuid - The UUID of a client.
    ip - The IP address of the machine on which the client is installed.
    pid - The process ID of the DNS requester.
    ppid - The parent process ID of the DNS requester.
    time - The time when the DNS request is initiated.
    domain - The domain name that is contained in the DNS request.
    proc_path - The path of the process that initiates the DNS request.
    proc_cmdline - The command line of the process that initiates the DNS request.
    proc_cmd_chain - The process chain of the DNS requester.
    sas_group_name - The name of the asset group in Security Center.
    instance_id - The ID of an instance.
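
The Logon logs and Brute-force cracking logs above share the warn_ip, warn_user, warn_type and warn_count fields, which is what makes them easy to correlate: a logon (aegis-log-login) from a source IP that has just accumulated many failed attempts (aegis-log-crack) is the case a defender most wants surfaced. The following is an added example, not code from the original page or from Alibaba Cloud, that performs that correlation over records handed in as dicts. It assumes each record carries an epoch-second timestamp under __time__ (a Log Service built-in that is not listed in the tables above); the threshold, the window and the sample records are constructed for the example.

```python
"""Correlate brute-force cracking logs with logon logs.

Added example, not part of the original page or of Alibaba Cloud's code.
Assumes every record carries an epoch-second "__time__" value (assumption);
all other field names come from the aegis-log-crack and aegis-log-login tables.
"""
from collections import defaultdict

FAIL_THRESHOLD = 20       # failed attempts before a source counts as brute-forcing (constructed)
WINDOW_SECONDS = 30 * 60  # how long failed-attempt history stays relevant (constructed)


def flag_logons_after_bruteforce(records, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return one tuple per logon whose source IP had >= threshold failed
    attempts within the preceding window:
    (warn_ip, warn_user, warn_type, __time__, prior_failures).

    Failures are keyed on (warn_ip, warn_type) and deliberately not on
    warn_user: a source that fails against many usernames and then succeeds
    with a different one is exactly the case to surface.
    """
    failures = defaultdict(list)  # (warn_ip, warn_type) -> [(time, failed_count), ...]
    hits = []
    # Process in time order so only failures that precede a logon are counted.
    for rec in sorted(records, key=lambda r: int(r["__time__"])):
        key = (rec["warn_ip"], rec["warn_type"])
        now = int(rec["__time__"])
        if rec["__topic__"] == "aegis-log-crack":
            failures[key].append((now, int(rec.get("warn_count", 1))))
        elif rec["__topic__"] == "aegis-log-login":
            recent = sum(count for ts, count in failures[key] if now - ts <= window)
            if recent >= threshold:
                hits.append((rec["warn_ip"], rec["warn_user"], rec["warn_type"], now, recent))
    return hits


def _rec(topic, t, warn_ip, warn_type, warn_user, warn_count):
    """Build a constructed record with the documented fields plus __time__."""
    return {"__topic__": topic, "__time__": str(t), "uuid": "host-a", "ip": "10.0.0.5",
            "warn_ip": warn_ip, "warn_port": "22" if warn_type == "SSHLOGIN" else "3389",
            "warn_type": warn_type, "warn_user": warn_user, "warn_count": str(warn_count)}


# Constructed sample records (TEST-NET addresses). Deliberately out of order.
SAMPLE_RECORDS = [
    _rec("aegis-log-crack", 1700000000, "198.51.100.7", "SSHLOGIN", "root", 12),
    _rec("aegis-log-login", 1700000300, "198.51.100.7", "SSHLOGIN", "deploy", 1),
    _rec("aegis-log-crack", 1700000060, "198.51.100.7", "SSHLOGIN", "admin", 13),
    _rec("aegis-log-crack", 1700000100, "203.0.113.9", "RDPLOGIN", "administrator", 3),
    _rec("aegis-log-login", 1700000400, "203.0.113.9", "RDPLOGIN", "administrator", 1),
]

if __name__ == "__main__":
    for hit in flag_logons_after_bruteforce(SAMPLE_RECORDS):
        print("logon after brute force:", hit)
```

Running it on the sample flags the SSH logon from 198.51.100.7 as user deploy with 25 prior failures, and leaves the RDP logon from 203.0.113.9 alone because its three failures are below the threshold. Because warn_count in a cracking log already aggregates attempts, summing it is what the threshold should compare against, not the number of log entries.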