This topic describes the fields of Security Center logs. Security Center logs include network logs, security logs, and host logs.

Network logs

  • DNS logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-log-dns.
    owner_id The ID of an Alibaba Cloud account.
    additional The fields in the additional section. Multiple values are separated by vertical bars (|).
    additional_num The number of fields in the additional section.
    answer The DNS responses. Multiple values are separated by vertical bars (|).
    answer_num The number of DNS responses.
    authority The fields in the authority section.
    authority_num The number of fields in the authority section.
    client_subnet The subnet where a client resides.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    in_out The direction of data flows. Valid values:
    • in: inbound
    • out: outbound
    qid The ID of a query.
    qname The domain name that is queried.
    qtype The type of a resource that is queried.
    query_datetime The timestamp of a query. Unit: milliseconds.
    rcode The code of a response.
    region The ID of a source region. Valid values:
    • 1: China (Beijing)
    • 2: China (Qingdao)
    • 3: China (Hangzhou)
    • 4: China (Shanghai)
    • 5: China (Shenzhen)
    • 6: Others
    response_datetime The time when a response is returned.
    src_ip The IP address of a source server.
    src_port The source port.
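The DNS log fields above carry three pipe-separated multi-value fields (additional, answer, authority), numeric codes (rcode, region) and a per-query source address. The following is an added example, not Alibaba Cloud code, showing how a consumer would turn such a record into typed values and then run a simple detection over a batch of constructed records: sources whose queries mostly fail to resolve across many distinct names, which is a common trace of a DGA or DNS-tunnelling client. It assumes that rcode follows the standard DNS RCODE numbering (0 = NOERROR, 3 = NXDOMAIN), which the page does not state, and that each record is delivered as a dict of string fields.

```python
"""Parse sas-log-dns records and flag sources whose queries mostly fail.

Added example (not Alibaba Cloud code). Assumptions not on the page:
  * rcode uses standard DNS RCODE numbering (0 = NOERROR, 3 = NXDOMAIN);
  * records arrive as dicts of strings, as a Log Service consumer delivers them.
"""
from collections import defaultdict

MULTI_VALUE_FIELDS = ("additional", "answer", "authority")   # pipe-separated on the page
INT_FIELDS = ("additional_num", "answer_num", "authority_num", "qid", "rcode",
              "query_datetime", "dst_port", "src_port")
REGIONS = {"1": "China (Beijing)", "2": "China (Qingdao)", "3": "China (Hangzhou)",
           "4": "China (Shanghai)", "5": "China (Shenzhen)", "6": "Others"}


def parse_dns_record(raw):
    """Return a copy of one raw record with pipe-separated fields split into
    lists, numeric fields converted to int and the region code resolved to
    its name under the extra key region_name. Unknown keys pass through."""
    rec = dict(raw)
    for f in MULTI_VALUE_FIELDS:
        v = rec.get(f, "")
        rec[f] = [x for x in v.split("|") if x] if v else []
    for f in INT_FIELDS:
        if f in rec:
            rec[f] = int(rec[f])
    rec["region_name"] = REGIONS.get(rec.get("region"), "unknown")
    return rec


def failing_resolvers(raw_records, min_queries=5, fail_ratio=0.8):
    """Group records by src_ip and return {src_ip: (queries, failures,
    distinct_qnames)} for sources that sent at least min_queries queries of
    which at least fail_ratio came back with a non-zero rcode."""
    stats = defaultdict(lambda: [0, 0, set()])
    for raw in raw_records:
        rec = parse_dns_record(raw)
        s = stats[rec["src_ip"]]
        s[0] += 1
        if rec.get("rcode", 0) != 0:
            s[1] += 1
        s[2].add(rec["qname"])
    return {ip: (q, f, len(names)) for ip, (q, f, names) in stats.items()
            if q >= min_queries and f / q >= fail_ratio}


# Constructed sample records (documentation-range addresses, made-up names).
def _rec(src, qname, rcode, answer=""):
    return {"__topic__": "sas-log-dns", "owner_id": "123456", "in_out": "out",
            "src_ip": src, "src_port": "51234", "dst_ip": "192.0.2.53",
            "dst_port": "53", "qid": "1", "qname": qname, "qtype": "A",
            "rcode": str(rcode), "region": "3", "query_datetime": "1700000000000",
            "answer": answer, "answer_num": str(len(answer.split("|")) if answer else 0),
            "additional": "", "additional_num": "0", "authority": "", "authority_num": "0"}

SAMPLE = [_rec("10.0.0.5", f"{w}.example.invalid", 3)            # five NXDOMAIN lookups
          for w in ("kq3f9z", "x8p1mc", "v0q2nn", "ltz7rr", "b4wwq9")]
SAMPLE.append(_rec("10.0.0.5", "mirrors.example.com", 0, "203.0.113.10"))
SAMPLE += [_rec("10.0.0.9", "www.example.com", 0, "203.0.113.20|203.0.113.21")
           for _ in range(3)]                                      # a quiet, healthy host

if __name__ == "__main__":
    for ip, (q, f, n) in failing_resolvers(SAMPLE).items():
        print(f"{ip}: {f}/{q} queries failed across {n} distinct names")
```

The thresholds (five queries, 80 % failures) are placeholders to tune against real traffic volumes; the point of the example is that the multi-value and coded fields are normalized once, in parse_dns_record, so that any later rule can work on lists and integers rather than raw strings.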
  • Local DNS logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: local-dns.
    owner_id The ID of an Alibaba Cloud account.
    answer_rdata The DNS responses. Multiple values are separated by vertical bars (|).
    answer_ttl The time-to-live (TTL) of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    answer_type The types of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    anwser_name The domain names in DNS responses. Multiple values are separated by vertical bars (|).
    dest_ip The IP address of a destination server.
    dest_port The destination port.
    group_id The ID of the group to which a host belongs.
    hostname The hostname.
    id The ID of a query.
    instance_id The ID of an instance.
    internet_ip The public IP address of a host.
    ip_ttl The TTL of the data packets that are sent by a host.
    query_name The domain name that is queried.
    query_type The type of a resource that is queried.
    src_ip The IP address of a source server.
    src_port The source port.
    time The timestamp of a query. Unit: seconds.
    time_usecond The response time. Unit: microseconds.
    tunnel_id The ID of a DNS tunnel.
  • Network session logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-log-session.
    owner_id The ID of an Alibaba Cloud account.
    asset_type The type of an associated Alibaba Cloud service, for example, ECS, SLB, or ApsaraDB RDS.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    proto The type of a transport layer protocol, for example, TCP or UDP.
    session_time The duration of a session.
    src_ip The IP address of a source server.
    src_port The source port.
  • Web logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-log-http.
    owner_id The ID of an Alibaba Cloud account.
    content_length The content length of an HTTP request message.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    host The hostname of a web server.
    jump_location The IP address of an HTTP redirect.
    method The HTTP request method.
    referer The Referer HTTP header. This field includes the address of the web page that sends a request.
    request_datetime The time when a request is sent.
    ret_code The HTTP status code.
    rqs_content_type The content type of an HTTP request message.
    rsp_content_type The content type of an HTTP response message.
    src_ip The IP address of a source server.
    src_port The source port.
    uri The URI of a request.
    user_agent The user agent of a client that sends a request.
    x_forward_for The X-Forwarded-For (XFF) HTTP header.

Security logs

  • Vulnerability logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-vul-log.
    owner_id The ID of an Alibaba Cloud account.
    name The name of a vulnerability.
    alias_name The alias of a vulnerability.
    op The action that is performed on a vulnerability. Valid values:
    • new: detects a new vulnerability.
    • verify: verifies a vulnerability.
    • fix: fixes a vulnerability.
    status The status of a vulnerability. For more information, see Table 2.
    tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities.
    type The type of a vulnerability. Valid values:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: Web CMS vulnerability
    • EMG: emergency vulnerability
    uuid The universally unique identifier (UUID) of a client.
  • Baseline logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-hc-log.
    owner_id The ID of an Alibaba Cloud account.
    level The level of a baseline.
    op The action that is performed on a baseline. Valid values:
    • new: detects a new baseline.
    • verify: verifies a baseline.
    risk_name The name of a baseline risk.
    status The status of a baseline. For more information, see Table 2.
    sub_type_alias The subtype alias of a baseline.
    sub_type_name The subtype of a baseline.
    type_name The type of a baseline. For more information, see Table 1.
    type_alias The type alias of a baseline.
    uuid The UUID of a client.
    check_item The name of a check item.
    check_level The level of a check item.
    check_type The type of a check item.
    Table 1. Types and subtypes of baselines
    type_name sub_type_name
    system baseline
    weak_password postsql_weak_password
    database redis_check
    account system_account_security
    weak_password mysq_weak_password
    weak_password ftp_anonymous
    weak_password rdp_weak_password
    system group_policy
    system register
    weak_password sqlserver_weak_password
    weak_password ssh_weak_password
    weak_password ftp_weak_password
    cis centos7
    cis tomcat7
    cis memcached-check
    cis mongodb-check
    cis ubuntu14
    cis win2008_r2
    system file_integrity_mon
    cis linux-httpd-2.2-cis
    cis linux-docker-1.6-cis
    cis SUSE11
    cis redhat6
    cis bind9.9
    cis centos6
    cis debain8
    cis redhat7
    cis SUSE12
    cis ubuntu16
    Table 2. Status codes of security logs
    Status code Description
    1 Unfixed.
    2 Fix failed.
    3 Rollback failed.
    4 Fixing.
    5 Rolling back.
    6 Verifying.
    7 Fixed.
    8 Fixed. Waiting for a restart.
    9 Rollback succeeded.
    10 Ignored.
    11 Rollback succeeded. Waiting for a restart.
    12 No longer exists.
    20 Expired.
  • Security alert logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: sas-security-log.
    data_source The data source. For more information, see Table 3.
    level The severity level of an alert.
    name The name of an alert.
    op The action that is performed on an alert. Valid values:
    • new: An alert is triggered.
    • dealing: An alert is being processed.
    status The status of an alert. For more information, see Table 2.
    uuid The UUID of a client.
    detail The details of an alert.
    unique_info The unique identifier of an alert for a single server.
    Table 3. Values of the data_source field in security alert logs
    Value Description
    aegis_suspicious_event Server exceptions
    aegis_suspicious_file_v2 Webshell
    aegis_login_log Suspicious logons
    security_event Security Center exceptions

Host logs

  • Process startup logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-log-process.
    uuid The UUID of a client.
    ip The IP address of a client.
    cmdline The full command line that starts a process.
    username The username.
    uid The ID of a user.
    pid The ID of a process.
    filename The name of a process file.
    filepath The full path of a process file.
    groupname The name of a user group.
    ppid The ID of a parent process.
    pfilename The name of a parent process file.
    pfilepath The full path of a parent process file.
    cmd_chain The process chain.
    containerhostname The hostname of a container.
    containerpid The process ID of a container.
    containerimageid The ID of an image.
    containerimagename The name of an image.
    containername The name of a container.
    containerid The ID of a container.
    cwd The current working directory (CWD) of a running process.
  • Process snapshot logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-process.
    owner_id The ID of an Alibaba Cloud account.
    uuid The UUID of a client.
    ip The IP address of a client.
    cmdline The full command line that starts a process.
    pid The ID of a process.
    name The name of a process file.
    path The full path of a process file.
    md5 The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated.
    pname The name of a parent process file.
    start_time The time when a process starts. This field is a built-in field.
    user The username.
    uid The ID of a user.
  • Logon logs
    The logon attempts within 1 minute are recorded in one log entry.
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-log-login.
    owner_id The ID of an Alibaba Cloud account.
    uuid The UUID of a client.
    ip The IP address of a client.
    warn_ip The IP address of a source server.
    warn_port The logon port.
    warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
    warn_user The logon username.
    warn_count The number of logon attempts. For example, the value 3 indicates that two logon attempts were made within the minute before the current logon.
  • Brute-force cracking logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-log-crack.
    owner_id The ID of an Alibaba Cloud account.
    uuid The UUID of a client.
    ip The IP address of a client.
    warn_ip The IP address of a source server.
    warn_port The logon port.
    warn_type The type of a logon. Valid values: SSHLOGIN, RDPLOGIN, and IPCLOGIN.
    warn_user The logon username.
    warn_count The number of failed logon attempts.
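Logon logs and brute-force cracking logs share the warn_ip, warn_port, warn_type and warn_user fields, which makes them easy to join: a logon entry that follows a burst of failed attempts from the same source against the same host and logon type is the case a defender most wants to see. The following is an added example, not Alibaba Cloud code, that performs that correlation over a constructed batch of records. It assumes that every record carries the Log Service built-in __time__ field (epoch seconds), which the field tables above do not list, and that records are delivered as dicts of strings.

```python
"""Correlate aegis-log-crack (failed attempts) with aegis-log-login (logons).

Added example (not Alibaba Cloud code). Assumptions not on the page:
  * every record carries the Log Service built-in __time__ field (epoch seconds);
  * records arrive as dicts of strings, as a Log Service consumer delivers them.
"""
from collections import defaultdict

WINDOW_SECONDS = 600   # look-back for failed attempts before a logon (assumed value)
MIN_FAILED = 10        # failed attempts that count as a brute-force burst (assumed value)


def _key(rec):
    """Join key: same host, same source address, same logon type (SSH/RDP/IPC)."""
    return (rec["uuid"], rec["warn_ip"], rec["warn_type"])


def logons_after_bruteforce(records, window=WINDOW_SECONDS, min_failed=MIN_FAILED):
    """Return [(uuid, warn_ip, warn_user, failed_attempts, logon_time), ...] for
    every aegis-log-login entry preceded, within `window` seconds, by at least
    `min_failed` failed attempts (summed over aegis-log-crack warn_count values)
    from the same warn_ip against the same host and logon type."""
    crack = defaultdict(list)   # key -> [(time, failed_count), ...]
    logins = []
    for rec in records:
        t = int(rec["__time__"])
        if rec["__topic__"] == "aegis-log-crack":
            crack[_key(rec)].append((t, int(rec["warn_count"])))
        elif rec["__topic__"] == "aegis-log-login":
            logins.append((t, rec))
    hits = []
    for t, rec in sorted(logins, key=lambda x: x[0]):
        failed = sum(c for ct, c in crack[_key(rec)] if t - window <= ct <= t)
        if failed >= min_failed:
            hits.append((rec["uuid"], rec["warn_ip"], rec["warn_user"], failed, t))
    return hits


# Constructed sample records (documentation-range addresses, made-up UUID).
def _rec(topic, t, warn_ip, warn_type, user, count):
    return {"__topic__": topic, "__time__": str(t), "owner_id": "123456",
            "uuid": "host-a", "ip": "10.0.0.5", "warn_ip": warn_ip,
            "warn_port": "22" if warn_type == "SSHLOGIN" else "3389",
            "warn_type": warn_type, "warn_user": user, "warn_count": str(count)}

SAMPLE = [
    _rec("aegis-log-crack", 100, "198.51.100.7", "SSHLOGIN", "root", 20),    # too old
    _rec("aegis-log-crack", 1000, "198.51.100.7", "SSHLOGIN", "root", 6),
    _rec("aegis-log-crack", 1060, "198.51.100.7", "SSHLOGIN", "admin", 7),
    _rec("aegis-log-login", 1200, "198.51.100.7", "SSHLOGIN", "root", 1),    # hit: 6 + 7
    _rec("aegis-log-login", 1200, "198.51.100.7", "RDPLOGIN", "root", 1),    # other type
    _rec("aegis-log-login", 1300, "203.0.113.4", "SSHLOGIN", "deploy", 1),   # no crack
]

if __name__ == "__main__":
    for uuid, ip, user, failed, t in logons_after_bruteforce(SAMPLE):
        print(f"{uuid}: {user} logged on from {ip} at {t} after {failed} failed attempts")
```

The join key deliberately includes warn_type, because a burst of failed SSH attempts says nothing about a later RDP logon from the same address; the user name is left out of the key, since password guessing typically cycles through several users before one succeeds.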
  • Network connection logs
    The changes in network connections are collected on the host every 10 seconds to 1 minute.
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-log-network.
    owner_id The ID of an Alibaba Cloud account.
    uuid The UUID of a client.
    ip The IP address of a client.
    src_ip The IP address of a source server.
    src_port The source port.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    proc_name The name of a process.
    proc_path The path of a process file.
    proto The protocol that is used to establish a network connection.
    status The connection status. For more information, see Table 4.
    Table 4. Status codes of network connections
    Status code Description
    1 closed
    2 listen
    3 syn send
    4 syn recv
    5 established
    6 close wait
    7 closing
    8 fin_wait1
    9 fin_wait2
    10 time_wait
    11 delete_tcb
  • Port listening snapshot logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-port.
    owner_id The ID of an Alibaba Cloud account.
    uuid The UUID of a client.
    ip The IP address of a client.
    proto The protocol that is used by a listener.
    src_ip The IP address that is listened on.
    src_port The port that is listened on.
    pid The ID of a process.
    proc_name The name of a process.
  • Account snapshot logs
    Log field Description
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-host.
    owner_id The ID of an Alibaba Cloud account.
    name The name of a vulnerability.
    alias_name The alias of a vulnerability.
    op The action that is performed on a vulnerability. Valid values:
    • new: detects a new vulnerability.
    • verify: verifies a vulnerability.
    • fix: fixes a vulnerability.
    status The connection status. For more information, see Table 4.
    tag The tag of a vulnerability, for example, oval, system, or cms. This field is used to distinguish different emergency (EMG) vulnerabilities.
    type The type of a vulnerability. Valid values:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: Web CMS vulnerability
    • EMG: emergency vulnerability
    uuid The UUID of a client.