By default, Security Center collects security logs, network logs, and host logs for the log analysis feature so that you can protect your assets in real time.

By default, Security Center collects the following types of logs:

  • Security logs
    • Vulnerability logs
    • Baseline logs
    • Alert logs
  • Network logs
    • Domain Name System (DNS) logs
    • Internal DNS logs
    • Network session logs
    • Web access logs
    Note: Only users of the Security Center Enterprise and Ultimate editions can view network logs. Users of the Security Center Anti-virus or Advanced edition cannot view network logs. On the Log Analysis page of the Security Center console, users of the Anti-virus or Advanced edition can view only security and host logs.
  • Host logs
    • Process startup logs
    • Network connection logs
    • Logon logs
    • Brute-force attack logs
    • Process snapshots
    • Account snapshots
    • Port snapshots

Security logs

The following table describes the parameters of security logs.

| Log type | Topic (__topic__) | Description | Collection cycle |
| --- | --- | --- | --- |
| Vulnerability logs | sas-vul-log | Vulnerability-related logs | Logs are collected in real time. |
| Baseline logs | sas-hc-log | Baseline risk-related logs | Logs are collected in real time. |
| Alert logs | sas-security-log | Alert logs | Logs are collected in real time. |

Network logs

The following table describes the parameters of network logs.

| Log type | Topic (__topic__) | Description | Collection cycle |
| --- | --- | --- | --- |
| DNS logs | sas-log-dns | DNS logs of the Internet | Logs are collected 2 hours after the logs are generated. |
| Internal DNS logs | local-dns | DNS logs between ECS instances in the same Alibaba Cloud domain | Logs are collected 1 hour after the logs are generated. |
| Network session logs | sas-log-session | Network logs of specific protocols | Logs are collected 1 hour after the logs are generated. |
| Web access logs | sas-log-http | HTTP traffic logs generated when a server communicates with the Internet | Logs are collected 1 hour after the logs are generated. |

Host logs

The following table describes the parameters of host logs.

| Log type | Topic (__topic__) | Description | Collection cycle |
| --- | --- | --- | --- |
| Process startup logs | aegis-log-process | Logs related to the startup of server processes | Logs are collected in real time. When a process starts, it is immediately reported. |
| Network connection logs | aegis-log-network | Logs related to the 5-tuples that are connected to servers | Windows operating systems: logs are collected in real time. Linux operating systems: logs are collected every 10 seconds, and incremental logs are reported. |
| Logon logs | aegis-log-login | Logs of successful SSH and RDP logons | Logs are collected in real time. |
| Brute-force attack logs | aegis-log-crack | Logs related to logon failures | Logs are collected in real time. |
| Process snapshots | aegis-snapshot-process | Information about the snapshots of processes on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |
| Account snapshots | aegis-snapshot-host | Information about the snapshots of accounts on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |
| Port snapshots | aegis-snapshot-port | Information about the snapshots of port listening on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |
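The collection cycles above matter when you build detections or freshness alarms on these logs: a rule over sas-log-dns cannot expect data younger than 2 hours, while a silent aegis-log-login topic is suspicious after minutes, not hours. The following added example (written for this page, not Security Center's own code) encodes the documented cycle for every __topic__ from the three tables plus the edition note on network logs, and flags records that arrive later than their cycle. The generated_at/collected_at field names, the 5-minute grace period and the sample records are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Documented collection cycle per __topic__ (from the tables above).
# timedelta(0) means "collected in real time"; snapshots arrive once a day.
EXPECTED_DELAY = {
    "sas-vul-log": timedelta(0), "sas-hc-log": timedelta(0), "sas-security-log": timedelta(0),
    "sas-log-dns": timedelta(hours=2), "local-dns": timedelta(hours=1),
    "sas-log-session": timedelta(hours=1), "sas-log-http": timedelta(hours=1),
    "aegis-log-process": timedelta(0), "aegis-log-login": timedelta(0), "aegis-log-crack": timedelta(0),
    "aegis-log-network": timedelta(seconds=10),  # Linux batch interval; Windows is real time
    "aegis-snapshot-process": timedelta(days=1), "aegis-snapshot-host": timedelta(days=1),
    "aegis-snapshot-port": timedelta(days=1),
}
NETWORK_TOPICS = {"sas-log-dns", "local-dns", "sas-log-session", "sas-log-http"}
EDITIONS_WITHOUT_NETWORK_LOGS = {"Anti-virus", "Advanced"}  # from the note above
# Grace added on top of the documented cycle before a record counts as late;
# the 5-minute value is an assumption for this example, not a Security Center figure.
GRACE = timedelta(minutes=5)

def visible_in_edition(topic, edition):
    """Network-log topics are not shown in Anti-virus or Advanced edition consoles."""
    return not (topic in NETWORK_TOPICS and edition in EDITIONS_WITHOUT_NETWORK_LOGS)

def check_freshness(records, grace=GRACE):
    """Return [(topic, 'ok' | 'late' | 'unknown-topic')] per record. Records carry
    __topic__ plus generated_at/collected_at UTC datetimes (assumed field names)."""
    results = []
    for rec in records:
        topic = rec["__topic__"]
        if topic not in EXPECTED_DELAY:
            results.append((topic, "unknown-topic"))
            continue
        lag = rec["collected_at"] - rec["generated_at"]
        results.append((topic, "ok" if lag <= EXPECTED_DELAY[topic] + grace else "late"))
    return results

def sample_records():
    """Constructed sample records, not real Security Center output."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return [
        {"__topic__": "sas-log-dns", "generated_at": t0, "collected_at": t0 + timedelta(hours=1, minutes=50)},
        {"__topic__": "aegis-log-network", "generated_at": t0, "collected_at": t0 + timedelta(seconds=8)},
        {"__topic__": "aegis-log-login", "generated_at": t0, "collected_at": t0 + timedelta(minutes=20)},
        {"__topic__": "sas-log-foo", "generated_at": t0, "collected_at": t0},
    ]

if __name__ == "__main__":
    for topic, status in check_freshness(sample_records()):
        print(f"{topic}: {status}; visible to Advanced edition: {visible_in_edition(topic, 'Advanced')}")
```

An unknown topic is reported rather than silently accepted so that a renamed or newly added log source shows up in the check instead of being dropped.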