By default, Security Center collects security logs, network logs, and host logs for the log analysis feature to protect your assets in real time.
By default, Security Center collects the following types of logs:
- Security logs
- Vulnerability logs
- Baseline logs
- Alert logs
- Network logs
- Domain Name System (DNS) logs
- Internal DNS logs
- Network session logs
- Web access logs
Note Only users of the Security Center Enterprise and Ultimate editions can view network logs. Users of the Security Center Anti-virus or Advanced edition cannot view network logs. On the Log Analysis page of the Security Center console, users of the Anti-virus or Advanced edition can view only security and host logs. - Host logs
- Process startup logs
- Network connection logs
- Logon logs
- Brute-force attack logs
- Process snapshots
- Account snapshots
- Port snapshots
Security logs
The following table describes the parameters of security logs.
| Log type | Topic (__topic__) |
Description | Collection cycle |
|---|---|---|---|
| Vulnerability logs | sas-vul-log | Vulnerability-related logs | Logs are collected in real time. |
| Baseline logs | sas-hc-log | Baseline risk-related logs | Logs are collected in real time. |
| Alert logs | sas-security-log | Alert logs | Logs are collected in real time. |
Network logs
The following table describes the parameters of network logs.
| Log type | Topic (__topic__) |
Description | Collection cycle |
|---|---|---|---|
| DNS logs | sas-log-dns | DNS logs of the Internet | Logs are collected 2 hours after the logs are generated. |
| Internal DNS logs | local-dns | DNS logs between ECS instances in the same Alibaba Cloud domain | Logs are collected 1 hour after the logs are generated. |
| Network session logs | sas-log-session | Network logs of specific protocols | Logs are collected 1 hour after the logs are generated. |
| Web access logs | sas-log-http | HTTP traffic logs generated when a server communicates with the Internet | Logs are collected 1 hour after the logs are generated. |
Host logs
The following table describes the parameters of host logs.
| Log type | Topic (__topic__) |
Description | Collection cycle |
|---|---|---|---|
| Process startup logs | aegis-log-process | Logs related to the startup of server processes | Logs are collected in real time. When a process starts, it is immediately reported. |
| Network connection logs | aegis-log-network | Logs related to the 5-tuples that are connected to servers |
|
| Logon logs | aegis-log-login | Logs of successful SSH and RDP logons | Logs are collected in real time. |
| Brute-force attack logs | aegis-log-crack | Logs related to logon failures | Logs are collected in real time. |
| Process snapshots | aegis-snapshot-process | Information about the snapshots of processes on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |
| Account snapshots | aegis-snapshot-host | Information about the snapshots of accounts on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |
| Port snapshots | aegis-snapshot-port | Information about the snapshots of port listening on servers | Data is available only after asset fingerprint collection is enabled. The data of each server is collected once a day at random times. |