This topic describes the fields of Security Center logs. Security Center logs include network logs, security logs, and host logs.

Network logs

- DNS logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-log-dns. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `additional` | The fields in the additional section. Multiple values are separated by vertical bars (\|). |
| `additional_num` | The number of fields in the additional section. |
| `answer` | The DNS responses. Multiple values are separated by vertical bars (\|). |
| `answer_num` | The number of DNS responses. |
| `authority` | The fields in the authority section. |
| `authority_num` | The number of fields in the authority section. |
| `client_subnet` | The subnet where a client resides. |
| `dst_ip` | The IP address of a destination server. |
| `dst_port` | The destination port. |
| `in_out` | The direction of data flows. Valid values: in (inbound) and out (outbound). |
| `qid` | The ID of a query. |
| `qname` | The domain name that is queried. |
| `qtype` | The type of a resource that is queried. |
| `query_datetime` | The timestamp of a query. Unit: milliseconds. |
| `rcode` | The code of a response. |
| `region` | The ID of a source region. Valid values: 1 (China (Beijing)), 2 (China (Qingdao)), 3 (China (Hangzhou)), 4 (China (Shanghai)), 5 (China (Shenzhen)), and 6 (Others). |
| `response_datetime` | The time when a response is returned. |
| `src_ip` | The IP address of a source server. |
| `src_port` | The source port. |

- Local DNS logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: local-dns. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `answer_rdata` | The DNS responses. Multiple values are separated by vertical bars (\|). |
| `answer_ttl` | The time-to-live (TTL) of resource records in DNS responses. Multiple values are separated by vertical bars (\|). |
| `answer_type` | The types of resource records in DNS responses. Multiple values are separated by vertical bars (\|). |
| `anwser_name` | The domain names in DNS responses. Multiple values are separated by vertical bars (\|). |
| `dest_ip` | The IP address of a destination server. |
| `dest_port` | The destination port. |
| `group_id` | The ID of the group to which a host belongs. |
| `hostname` | The hostname. |
| `id` | The ID of a query. |
| `instance_id` | The ID of an instance. |
| `internet_ip` | The public IP address of a host. |
| `ip_ttl` | The TTL of the data packets that are sent by a host. |
| `query_name` | The domain name that is queried. |
| `query_type` | The type of a resource that is queried. |
| `src_ip` | The IP address of a source server. |
| `src_port` | The source port. |
| `time` | The timestamp of a query. Unit: seconds. |
| `time_usecond` | The response time. Unit: microseconds. |
| `tunnel_id` | The ID of a DNS tunnel. |

- Network session logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-log-session. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `asset_type` | The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS. |
| `dst_ip` | The IP address of a destination server. |
| `dst_port` | The destination port. |
| `proto` | The type of a transport layer protocol, for example, TCP or UDP. |
| `session_time` | The duration of a session. |
| `src_ip` | The IP address of a source server. |
| `src_port` | The source port. |

- Web logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-log-http. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `content_length` | The content length of an HTTP request message. |
| `dst_ip` | The IP address of a destination server. |
| `dst_port` | The destination port. |
| `host` | The hostname of a web server. |
| `jump_location` | The IP address of an HTTP redirect. |
| `method` | The HTTP request method. |
| `referer` | The Referer HTTP header. This field includes the address of the web page that sends a request. |
| `request_datetime` | The time when a request is sent. |
| `ret_code` | The HTTP status code. |
| `rqs_content_type` | The content type of an HTTP request message. |
| `rsp_content_type` | The content type of an HTTP response message. |
| `src_ip` | The IP address of a source server. |
| `src_port` | The source port. |
| `uri` | The URI of a request. |
| `user_agent` | The user agent of a client that sends a request. |
| `x_forward_for` | The X-Forwarded-For (XFF) HTTP header. |
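The following parser, added here as an example and not Security Center's own code, reads a sas-log-dns record as described in the DNS logs table above, splits the pipe-separated multi-value sections, maps the region ID and millisecond timestamp, and reports inconsistencies such as an `answer_num` that disagrees with the number of answers. The sample records and the assumption that each log arrives as a flat key/value mapping are constructed for this example.

```python
"""Parse and sanity-check Security Center DNS logs (topic sas-log-dns).

Added example, not Security Center's own code. The log is assumed to be a
flat key/value mapping with the fields from the DNS logs table; the sample
records below are constructed.
"""
from datetime import datetime, timezone

REGIONS = {"1": "China (Beijing)", "2": "China (Qingdao)", "3": "China (Hangzhou)",
           "4": "China (Shanghai)", "5": "China (Shenzhen)", "6": "Others"}

# Constructed sample logs; the second one carries a bad region and a wrong answer_num.
SAMPLE_LOGS = [
    {"__topic__": "sas-log-dns", "owner_id": "1234567890", "qid": "41", "qname": "example.com",
     "qtype": "A", "in_out": "out", "region": "3", "rcode": "0",
     "answer": "93.184.216.34|93.184.216.35", "answer_num": "2",
     "authority": "", "authority_num": "0", "additional": "", "additional_num": "0",
     "query_datetime": "1700000000000", "src_ip": "10.0.0.5", "src_port": "53123",
     "dst_ip": "100.100.2.136", "dst_port": "53"},
    {"__topic__": "sas-log-dns", "owner_id": "1234567890", "qid": "42", "qname": "bad.example",
     "qtype": "A", "in_out": "out", "region": "9", "rcode": "3",
     "answer": "", "answer_num": "1", "authority": "ns1.example|ns2.example", "authority_num": "2",
     "additional": "", "additional_num": "0", "query_datetime": "1700000001000",
     "src_ip": "10.0.0.5", "src_port": "53124", "dst_ip": "100.100.2.136", "dst_port": "53"},
]

def split_multi(value):
    """Split a pipe-separated multi-value field; an empty string means no values."""
    return value.split("|") if value else []

def parse_dns_log(log):
    """Return a structured record and a list of consistency problems found in it."""
    problems = []
    rec = {"qid": log["qid"], "qname": log["qname"], "qtype": log["qtype"],
           "direction": log["in_out"], "rcode": int(log["rcode"]),
           "region": REGIONS.get(log["region"]),
           # query_datetime is in milliseconds; convert to an aware UTC datetime
           "query_time": datetime.fromtimestamp(int(log["query_datetime"]) / 1000, tz=timezone.utc)}
    if log.get("__topic__") != "sas-log-dns":
        problems.append("unexpected topic %r" % log.get("__topic__"))
    if rec["region"] is None:
        problems.append("unknown region id %r" % log["region"])
    if rec["direction"] not in ("in", "out"):
        problems.append("unexpected in_out %r" % log["in_out"])
    for section in ("answer", "authority", "additional"):
        values = split_multi(log[section])
        rec[section] = values
        declared = int(log[section + "_num"])
        if declared != len(values):   # the *_num field must match the split count
            problems.append("%s_num=%d but %d values present" % (section, declared, len(values)))
    return rec, problems
```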
Security logs

- Vulnerability logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-vul-log. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `name` | The name of a vulnerability. |
| `alias_name` | The alias of a vulnerability. |
| `op` | The action that is performed on a vulnerability. Valid values: new (detects a new vulnerability), verify (verifies a vulnerability), and fix (fixes a vulnerability). |
| `status` | The status of a vulnerability. For more information, see Table 2, Status codes of security logs. |
| `tag` | The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities. |
| `type` | The type of a vulnerability. Valid values: sys (Windows vulnerability), cve (Linux vulnerability), cms (Web CMS vulnerability), and EMG (emergency vulnerability). |
| `uuid` | The universally unique identifier (UUID) of a client. |

- Baseline logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-hc-log. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `level` | The level of a baseline. |
| `op` | The action that is performed on a baseline. Valid values: new (detects a new baseline) and verify (verifies a baseline). |
| `risk_name` | The name of a baseline risk. |
| `status` | The status of a baseline. For more information, see Table 2, Status codes of security logs. |
| `sub_type_alias` | The subtype alias of a baseline. |
| `sub_type_name` | The subtype of a baseline. |
| `type_name` | The type of a baseline. For more information, see Table 1, Types and subtypes of baselines. |
| `type_alias` | The type alias of a baseline. |
| `uuid` | The UUID of a client. |
| `check_item` | The name of a check item. |
| `check_level` | The level of a check item. |
| `check_type` | The type of a check item. |

Table 1. Types and subtypes of baselines

| type_name | sub_type_name |
| --- | --- |
| system | baseline |
| weak_password | postsql_weak_password |
| database | redis_check |
| account | system_account_security |
| account | system_account_security |
| weak_password | mysq_weak_password |
| weak_password | ftp_anonymous |
| weak_password | rdp_weak_password |
| system | group_policy |
| system | register |
| account | system_account_security |
| weak_password | sqlserver_weak_password |
| system | register |
| weak_password | ssh_weak_password |
| weak_password | ftp_weak_password |
| cis | centos7 |
| cis | tomcat7 |
| cis | memcached-check |
| cis | mongodb-check |
| cis | ubuntu14 |
| cis | win2008_r2 |
| system | file_integrity_mon |
| cis | linux-httpd-2.2-cis |
| cis | linux-docker-1.6-cis |
| cis | SUSE11 |
| cis | redhat6 |
| cis | bind9.9 |
| cis | centos6 |
| cis | debain8 |
| cis | redhat7 |
| cis | SUSE12 |
| cis | ubuntu16 |

Table 2. Status codes of security logs

| Status code | Description |
| --- | --- |
| 1 | Unfixed. |
| 2 | Fix failed. |
| 3 | Rollback failed. |
| 4 | Fixing. |
| 5 | Rolling back. |
| 6 | Verifying. |
| 7 | Fixed. |
| 8 | Fixed. Waiting for a restart. |
| 9 | Rollback succeeded. |
| 10 | Ignored. |
| 11 | Rollback succeeded. Waiting for a restart. |
| 12 | No longer exists. |
| 20 | Expired. |

- Security alert logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: sas-security-log. |
| `data_source` | The data source. For more information, see Table 3, Values of the data_source field in security alert logs. |
| `level` | The severity level of an alert. |
| `name` | The name of an alert. |
| `op` | The action that is performed on an alert. Valid values: new (an alert is triggered) and dealing (an alert is being processed). |
| `status` | The status of an alert. For more information, see Table 2, Status codes of security logs. |
| `uuid` | The UUID of a client. |
| `detail` | The details of an alert. |
| `unique_info` | The unique identifier of an alert for a single server. |

Table 3. Values of the data_source field in security alert logs

| Value | Description |
| --- | --- |
| aegis_suspicious_event | Server exceptions |
| aegis_suspicious_file_v2 | Webshell |
| aegis_login_log | Suspicious logons |
| security_event | Security Center exceptions |
Host logs

- Process startup logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-log-process. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `cmdline` | The full command line that starts a process. |
| `username` | The username. |
| `uid` | The ID of a user. |
| `pid` | The ID of a process. |
| `filename` | The name of a process file. |
| `filepath` | The full path of a process file. |
| `groupname` | The name of a user group. |
| `ppid` | The ID of a parent process. |
| `pfilename` | The name of a parent process file. |
| `pfilepath` | The full path of a parent process file. |
| `cmd_chain` | The process chain. |
| `containerhostname` | The hostname of a container. |
| `containerpid` | The process ID of a container. |
| `containerimageid` | The ID of an image. |
| `containerimagename` | The name of an image. |
| `containername` | The name of a container. |
| `containerid` | The ID of a container. |
| `cwd` | The current working directory (CWD) of a running process. |

- Process snapshot logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-snapshot-process. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `cmdline` | The full command line that starts a process. |
| `pid` | The ID of a process. |
| `name` | The name of a process file. |
| `path` | The full path of a process file. |
| `md5` | The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated. |
| `pname` | The name of a parent process file. |
| `start_time` | The time when a process starts. This field is a built-in field. |
| `user` | The username. |
| `uid` | The ID of a user. |

- Logon logs

The logon attempts within 1 minute are recorded in one log.

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-log-login. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `warn_ip` | The IP address of a source server. |
| `warn_port` | The logon port. |
| `warn_type` | The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN. |
| `warn_user` | The logon username. |
| `warn_count` | The number of logon attempts. For example, the value 3 indicates that two logon requests were sent in the minute before the current logon. |

- Brute-force cracking logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-log-crack. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `warn_ip` | The IP address of a source server. |
| `warn_port` | The logon port. |
| `warn_type` | The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN. |
| `warn_user` | The logon username. |
| `warn_count` | The number of failed logon attempts. |

- Network connection logs

The changes in network connections are collected on the host every 10 seconds to 1 minute.

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-log-network. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `src_ip` | The IP address of a source server. |
| `src_port` | The source port. |
| `dst_ip` | The IP address of a destination server. |
| `dst_port` | The destination port. |
| `proc_name` | The name of a process. |
| `proc_path` | The path of a process file. |
| `proto` | The protocol that is used to establish a network connection. |
| `status` | The connection status. For more information, see Table 4, Status codes of network connections. |

Table 4. Status codes of network connections

| Status code | Description |
| --- | --- |
| 1 | closed |
| 2 | listen |
| 3 | syn send |
| 4 | syn recv |
| 5 | established |
| 6 | close wait |
| 7 | closing |
| 8 | fin_wait1 |
| 9 | fin_wait2 |
| 10 | time_wait |
| 11 | delete_tcb |

- Port listening snapshot logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-snapshot-port. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `uuid` | The UUID of a client. |
| `ip` | The IP address of a client. |
| `proto` | The protocol that is used by a listener. |
| `src_ip` | The IP address that is listened on. |
| `src_port` | The port that is listened on. |
| `pid` | The ID of a process. |
| `proc_name` | The name of a process. |

- Account snapshot logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of a log. Valid value: aegis-snapshot-host. |
| `owner_id` | The ID of an Alibaba Cloud account. |
| `name` | The name of a vulnerability. |
| `alias_name` | The alias of a vulnerability. |
| `op` | The action that is performed on a vulnerability. Valid values: new (detects a new vulnerability), verify (verifies a vulnerability), and fix (fixes a vulnerability). |
| `status` | The connection status. For more information, see Table 4, Status codes of network connections. |
| `tag` | The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities. |
| `type` | The type of a vulnerability. Valid values: sys (Windows vulnerability), cve (Linux vulnerability), cms (Web CMS vulnerability), and EMG (emergency vulnerability). |
| `uuid` | The UUID of a client. |

- DNS request logs

| Log field | Description |
| --- | --- |
| `__topic__` | The topic of the log. The value is fixed as aegis-log-dns-query. |
| `ali_uid` | The ID of the Alibaba Cloud account. |
| `uuid` | The UUID of the client. |
| `ip` | The IP address of the machine on which the client is installed. |
| `pid` | The process ID of the DNS requester. |
| `ppid` | The parent process ID of the DNS requester. |
| `time` | The time when the DNS request is initiated. |
| `domain` | The domain name that is contained in the DNS request. |
| `proc_path` | The path to the process that initiates the DNS request. |
| `proc_cmdline` | The command line of the process that initiates the DNS request. |
| `proc_cmd_chain` | The process chain of the DNS requester. |
| `sas_group_name` | The name of the asset group in Security Center. |
| `instance_id` | The ID of the instance. |
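The logon logs (aegis-log-login) and brute-force cracking logs (aegis-log-crack) described above share `uuid`, `warn_ip`, `warn_type`, `warn_user` and `warn_count`, which makes it possible to flag a successful logon that follows a burst of failed attempts from the same source against the same host. The detection below is an added example and not Security Center's own code; the per-record `time` field (epoch seconds), the sample records and the threshold and window values are constructed assumptions for this example.

```python
"""Flag logons that follow a brute-force burst from the same source.

Added example, not Security Center's own code. Uses the shared fields of
aegis-log-crack and aegis-log-login; `time` (epoch seconds), the threshold
and the window are assumptions, not fields documented above.
"""
from collections import defaultdict

FAILED_THRESHOLD = 20     # assumed: failed attempts per source before a logon is suspicious
WINDOW_SECONDS = 3600     # assumed: failures must fall within this window before the logon

# Constructed sample records; `time` is an assumed epoch-seconds field.
SAMPLE_LOGS = [
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "ip": "10.0.0.7", "warn_ip": "203.0.113.9",
     "warn_port": "22", "warn_type": "SSHLOGIN", "warn_user": "root", "warn_count": "15", "time": 1000},
    {"__topic__": "aegis-log-crack", "uuid": "host-a", "ip": "10.0.0.7", "warn_ip": "203.0.113.9",
     "warn_port": "22", "warn_type": "SSHLOGIN", "warn_user": "root", "warn_count": "12", "time": 1060},
    {"__topic__": "aegis-log-login", "uuid": "host-a", "ip": "10.0.0.7", "warn_ip": "203.0.113.9",
     "warn_port": "22", "warn_type": "SSHLOGIN", "warn_user": "root", "warn_count": "1", "time": 1300},
    # Ordinary admin logon: a few failures below the threshold, so no alert.
    {"__topic__": "aegis-log-crack", "uuid": "host-b", "ip": "10.0.0.8", "warn_ip": "198.51.100.4",
     "warn_port": "3389", "warn_type": "RDPLOGIN", "warn_user": "admin", "warn_count": "3", "time": 2000},
    {"__topic__": "aegis-log-login", "uuid": "host-b", "ip": "10.0.0.8", "warn_ip": "198.51.100.4",
     "warn_port": "3389", "warn_type": "RDPLOGIN", "warn_user": "admin", "warn_count": "1", "time": 2100},
]

def find_success_after_bruteforce(logs, threshold=FAILED_THRESHOLD, window=WINDOW_SECONDS):
    """Return (uuid, warn_ip, warn_type, warn_user, failed_total) for every logon
    preceded within `window` seconds by at least `threshold` failed attempts from
    the same source IP against the same host and logon type (any username)."""
    failures = defaultdict(list)   # (uuid, warn_ip, warn_type) -> [(time, failed_count), ...]
    alerts = []
    for log in sorted(logs, key=lambda entry: entry["time"]):
        key = (log["uuid"], log["warn_ip"], log["warn_type"])
        if log["__topic__"] == "aegis-log-crack":
            # warn_count in a crack log is the number of failed attempts in that log
            failures[key].append((log["time"], int(log["warn_count"])))
        elif log["__topic__"] == "aegis-log-login":
            recent = sum(count for t, count in failures[key] if log["time"] - t <= window)
            if recent >= threshold:
                alerts.append(key + (log["warn_user"], recent))
    return alerts
```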