By default, Threat Detection Service (TDS) enables security logs, network logs, and host logs, with 14 subtypes in total to protect your assets in real time.
By default, all these three types of logs are enabled in Security Center.
- Security logs
- Vulnerability logs
- Baseline logs
- Security alerting logs
- Network logs
- DNS logs
- Local DNS logs
- Network session logs
- Web logs
Note Only enterprise edition users support viewing Network logs, while advanced edition users do not. That is, advanced edition users can only view the Security logs and Server logs on the console log analysis page. - Server logs
- Process initiation logs
- Network connection logs
- System logon logs
- Brute-force cracking logs
- Process snapshots
- Account snapshots
- Port listening snapshots
Security logs
The parameters of security logs are described in the following table:
| Log source | Topic (__topic__)
|
Description | Note |
|---|---|---|---|
| Vulnerability logs. | sas-vul-log | Vulnerability logs. | Real-time collection. |
| Baseline logs | sas-hc-log | Baseline logs | Real-time collection. |
| Security alerting logs. | sas-security-log | Security alerting logs. | Real-time collection. |
Network logs
Parameters of network logs are described in the following table:
| Log source | Topic (__topic__)
|
Description | Note |
|---|---|---|---|
| DNS logs | sas-log-dns | DNS logs of the public network. | Collection delayed for two hours. |
| Local DNS logs | local-dns | DNS resolution logs between ECS instances in the same Alibaba Cloud domain. | Collection delayed for one hour. |
| Network session log | sas-log-session | Network logs with specific protocols. | Collection delayed for one hour. |
| Web log | sas-log-web | HTTP logs | Collection delayed for one hour. |
Server logs
The parameters of the server logs are described in the following table:
| Log source | Topic (__topic__)
|
Description | Note |
|---|---|---|---|
| Process initiation log | aegis-log-process | Logs of process initiation on the server. | Real-time collection. When the collection process starts, it uploads reports immediately. |
| Network connection log | aegis-log-network | Quintuple information attached to the host. | Real-time collection on Windows. Collection on Linux with a delay of ten seconds. The information is uploaded incrementally. |
| System logon log | aegis-log-login | Logs of successful SSH and RDP logons. | Real-time collection. |
| Brute-force cracking log | aegis-log-crack | Logon failure logs. | Real-time collection. |
| Process snapshots | aegis-snapshot-process | Logs of process initiation on the server. | Data is not available until the feature for collecting asset fingerprints is enabled. Collects the data of each server once a day at random times. |
| Account snapshots | aegis-snapshot-host | Account snapshot information on the host | Data is not available until the feature for acquiring asset fingerprints is enabled. Collects the data of each server once a day at random times. |
| Port listening snapshots | aegis-snapshot-port | Information on port listening snapshots on the host. | Data is not available until the feature of collecting asset fingerprints is enabled. Collects the data of each server once a day at random times. |
Security operation logs
Security operation logs provide the following types of logs, which are used to search
for different data._ Topic __To distinguish:
| Log source | Description | Note |
|---|---|---|
| Vulnerability logs. | Vulnerability logs. | Logs are generated by Security operations. Real-time collection. |
| Baseline logs | Baseline logs | Logs are generated by Security operations. Real-time collection. |
| Security alerting logs. | Security alerting logs. | Logs are generated by Security operations. Real-time collection. |