By default, Threat Detection Service (TDS) enables security logs, network logs, and server logs, 14 subtypes in total, to protect your assets in real time.

By default, all these three types of logs are enabled in Security Center.

  • Security logs
    • Vulnerability logs
    • Baseline logs
    • Security alerting logs
  • Network logs
    • DNS logs
    • Local DNS logs
    • Network session logs
    • Web logs
    Note: Only Enterprise Edition users can view network logs; Advanced Edition users cannot. That is, Advanced Edition users can only view security logs and server logs on the Log Analysis page of the console.
  • Server logs
    • Process initiation logs
    • Network connection logs
    • System logon logs
    • Brute-force cracking logs
    • Process snapshots
    • Account snapshots
    • Port listening snapshots

Security logs

The parameters of security logs are described in the following table:

| Log source | Topic (`__topic__`) | Description | Note |
| --- | --- | --- | --- |
| Vulnerability logs | sas-vul-log | Vulnerability logs | Real-time collection. |
| Baseline logs | sas-hc-log | Baseline logs | Real-time collection. |
| Security alerting logs | sas-security-log | Security alerting logs | Real-time collection. |

Network logs

Parameters of network logs are described in the following table:

| Log source | Topic (`__topic__`) | Description | Note |
| --- | --- | --- | --- |
| DNS logs | sas-log-dns | DNS logs of the public network. | Collection is delayed by two hours. |
| Local DNS logs | local-dns | DNS resolution logs between ECS instances in the same Alibaba Cloud domain. | Collection is delayed by one hour. |
| Network session logs | sas-log-session | Network logs of specific protocols. | Collection is delayed by one hour. |
| Web logs | sas-log-web | HTTP logs. | Collection is delayed by one hour. |

Server logs

The parameters of the server logs are described in the following table:

| Log source | Topic (`__topic__`) | Description | Note |
| --- | --- | --- | --- |
| Process initiation logs | aegis-log-process | Logs of process initiation on the server. | Real-time collection. When the collection process starts, it uploads reports immediately. |
| Network connection logs | aegis-log-network | Five-tuple (quintuple) information of the host's network connections. | Real-time collection on Windows; collection on Linux is delayed by ten seconds. The information is uploaded incrementally. |
| System logon logs | aegis-log-login | Logs of successful SSH and RDP logons. | Real-time collection. |
| Brute-force cracking logs | aegis-log-crack | Logon failure logs. | Real-time collection. |
| Process snapshots | aegis-snapshot-process | Logs of process initiation on the server. | Data is not available until asset fingerprint collection is enabled. Data of each server is collected once a day at a random time. |
| Account snapshots | aegis-snapshot-host | Account snapshot information of the host. | Data is not available until asset fingerprint collection is enabled. Data of each server is collected once a day at a random time. |
| Port listening snapshots | aegis-snapshot-port | Port listening snapshot information of the host. | Data is not available until asset fingerprint collection is enabled. Data of each server is collected once a day at a random time. |

Security operation logs

Security operation logs include the following log types. When searching, use the `__topic__` field to distinguish between them:

| Log source | Description | Note |
| --- | --- | --- |
| Vulnerability logs | Vulnerability logs | Logs are generated by security operations. Real-time collection. |
| Baseline logs | Baseline logs | Logs are generated by security operations. Real-time collection. |
| Security alerting logs | Security alerting logs | Logs are generated by security operations. Real-time collection. |
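As an added example that is not part of this documentation or of Security Center itself, the collection delays and availability conditions from the tables above are turned into a readiness check that a detection engineer can run before scheduling a query against a given `__topic__`: it prevents alerting on "missing" data that simply has not been collected yet. The topic names and delays come from this page; the function, its `edition` and `fingerprints_enabled` parameters, and the timestamps are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Collection delay per Log Service topic, taken from the tables on this page.
# Snapshot topics are gathered once a day at a random time, so a full day
# must pass before a day's snapshot data can be assumed complete.
COLLECTION_DELAY = {
    "sas-vul-log": timedelta(0), "sas-hc-log": timedelta(0),
    "sas-security-log": timedelta(0),
    "sas-log-dns": timedelta(hours=2), "local-dns": timedelta(hours=1),
    "sas-log-session": timedelta(hours=1), "sas-log-web": timedelta(hours=1),
    "aegis-log-process": timedelta(0), "aegis-log-network": timedelta(seconds=10),
    "aegis-log-login": timedelta(0), "aegis-log-crack": timedelta(0),
    "aegis-snapshot-process": timedelta(days=1), "aegis-snapshot-host": timedelta(days=1),
    "aegis-snapshot-port": timedelta(days=1),
}
NETWORK_TOPICS = {"sas-log-dns", "local-dns", "sas-log-session", "sas-log-web"}
SNAPSHOT_TOPICS = {t for t in COLLECTION_DELAY if t.startswith("aegis-snapshot-")}


def query_readiness(topic, window_end, now, edition="enterprise", fingerprints_enabled=True):
    """Decide whether a query over a time window ending at window_end can be
    trusted to see all of the topic's data at time `now`. Returns (ready, reason).
    `edition` and `fingerprints_enabled` are assumed tenant settings, not log fields."""
    if topic not in COLLECTION_DELAY:
        return False, f"unknown __topic__ {topic!r}"
    if topic in NETWORK_TOPICS and edition != "enterprise":
        return False, "network logs are only visible to Enterprise Edition users"
    if topic in SNAPSHOT_TOPICS and not fingerprints_enabled:
        return False, "snapshot topics need asset fingerprint collection enabled"
    complete_at = window_end + COLLECTION_DELAY[topic]
    if now < complete_at:
        return False, f"window is not complete until {complete_at.isoformat()}"
    return True, "ok"


def readiness_report(topics, window_end, now, **tenant):
    """Map each topic to its readiness so a scheduler can run the ready ones
    now and retry the rest once their collection delay has elapsed."""
    return {t: query_readiness(t, window_end, now, **tenant) for t in topics}


# Constructed timestamps for the demonstration: the query window closed one hour ago.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
WINDOW_END = NOW - timedelta(hours=1)

if __name__ == "__main__":
    for topic, (ready, reason) in readiness_report(COLLECTION_DELAY, WINDOW_END, NOW).items():
        print(f"{topic:24} {'READY' if ready else 'WAIT '} {reason}")
```

With the constructed timestamps, the one-hour-delay topics are exactly complete, public DNS logs (two-hour delay) and the daily snapshots are still pending, and the real-time topics are ready.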