This topic describes the fields of 14 log types that are supported by Security Center.
Network logs
Domain Name System (DNS) resolution logs
Field name | Description | Example |
---|---|---|
additional | Additional fields. Separate multiple additional fields with vertical bars (|). | No |
additional_num | The number of additional fields. | 0 |
answer | DNS responses. Separate multiple DNS responses with vertical bars (|). | abc.com A IN 52 1.2.3.4 |
answer_num | The number of DNS responses. | 1 |
authority | Authority fields. | a1.a2.com NS IN 17597 b1.b2.com |
authority_num | The number of authority fields. | 1 |
client_subnet | The subnet of the client. | 172.168.100.1 |
dst_ip | The destination IP address. | 1.2.3.4 |
dst_port | The destination port. | 53 |
in_out | The direction of data transmission. Valid values: | out |
qid | The query ID. | 12345 |
qname | The domain name that is queried. | abc.com |
qtype | The query type. | A |
query_datetime | The timestamp of the query. Unit: millisecond. | 1537840756263 |
rcode | The DNS response code (RCODE) that was returned. | 0 |
region | The ID of the source region. Valid values: | 1 |
response_datetime | The time when the response was returned. | 2018-09-25 09:59:16 |
src_ip | The source IP address. | 1.2.3.4 |
src_port | The source port. | 22 |
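The `answer` field above packs every DNS response into one string, one entry per response and entries separated by vertical bars. The following added example (not code from the Security Center documentation) parses that field into records and checks it against `answer_num`; it assumes each entry follows the page's example layout `<name> <type> <class> <ttl> <rdata>`, and the sample records are constructed.

```python
# Added example: parse the multi-valued "answer" field of a Security Center
# DNS resolution log. Entry layout "<name> <type> <class> <ttl> <rdata>" is
# assumed from the page's example "abc.com A IN 52 1.2.3.4".
from dataclasses import dataclass
from typing import List


@dataclass
class DnsAnswer:
    name: str
    rtype: str
    rclass: str
    ttl: int
    rdata: str


def parse_answer_field(answer: str) -> List[DnsAnswer]:
    """Split a DNS 'answer' value into one DnsAnswer per response entry."""
    records = []
    for entry in answer.split("|"):
        entry = entry.strip()
        if not entry:          # an empty answer field yields no records
            continue
        # rdata itself may contain spaces (MX priority, TXT), so split at most 4 times
        parts = entry.split(None, 4)
        if len(parts) != 5:
            raise ValueError(f"malformed answer entry: {entry!r}")
        name, rtype, rclass, ttl, rdata = parts
        records.append(DnsAnswer(name, rtype, rclass, int(ttl), rdata))
    return records


def answer_count_is_consistent(log: dict) -> bool:
    """True when the log's answer_num matches the number of parsed answer entries."""
    return int(log["answer_num"]) == len(parse_answer_field(log["answer"]))


# Constructed sample records using the page's field names.
SAMPLE_A_LOG = {
    "qname": "abc.com", "qtype": "A", "rcode": "0", "answer_num": "2",
    "answer": "abc.com A IN 52 1.2.3.4|abc.com A IN 52 5.6.7.8",
}
SAMPLE_MX_LOG = {
    "qname": "abc.com", "qtype": "MX", "rcode": "0", "answer_num": "1",
    "answer": "abc.com MX IN 300 10 mail.abc.com",
}
SAMPLE_EMPTY_LOG = {
    "qname": "nx.abc.com", "qtype": "A", "rcode": "3", "answer_num": "0",
    "answer": "",
}
```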
Local DNS logs
Field name | Description | Example |
---|---|---|
answer_rda | DNS responses. Separate multiple DNS responses with vertical bars (|). | abc.com |
answer_ttl | The TTL values of the DNS responses. Separate multiple TTL values with vertical bars (|). | 100 |
answer_type | The types of DNS responses. Separate multiple types with vertical bars (|). | 1 |
anwser_name | The names of DNS responses. Separate multiple names with vertical bars (|). | abc.com |
dest_ip | The destination IP address. | 1.2.3.4 |
dest_port | The destination port. | 53 |
group_id | The group ID. | 3 |
hostname | The hostname. | host.abc.com |
id | The query ID. | 64588 |
instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | The Internet IP address. | 1.2.3.4 |
ip_ttl | The TTL of the IP packet. | 64 |
query_name | The domain name that is queried. | abc.com |
query_type | The query type. | A |
src_ip | The source IP address. | 1.2.3.4 |
src_port | The source port. | 1234 |
time | The timestamp of the query. Unit: second. | 1537840756 |
time_usecond | The response time. Unit: microsecond. | 49069 |
tunnel_id | The channel ID. | 514763 |
Network session logs
Field name | Description | Example |
---|---|---|
asset_type | The associated asset type. Valid values: | ECS |
dst_ip | The destination IP address. | 1.2.3.4 |
dst_port | The destination port. | 53 |
proto | The protocol type. Valid values: | tcp |
session_time | The time when the session started. | 2018-09-25 09:59:49 |
src_ip | The source IP address. | 1.2.3.4 |
src_port | The source port. | 54 |
Web access logs
Field name | Description | Example |
---|---|---|
content_length | The content length. | 123 |
dst_ip | The destination IP address. | 1.2.3.4 |
dst_port | The destination port. | 54 |
host | The host that is accessed. | 47.XX.XX.158:8080 |
jump_location | The redirection address. | 123 |
method | The method of the HTTP request. | GET |
referer | The HTTP Referer header. The field contains the address of the web page from which the requested resource was linked. | www.abc.com |
request_datetime | The time when the request was initiated. | 2018-09-25 09:58:37 |
ret_code | The status code returned. | 200 |
rqs_content_type | The type of the request content. | text/plain;charset=utf-8 |
rsp_content_type | The type of the response content. | text/plain; charset=utf-8 |
src_ip | The source IP address. | 1.2.3.4 |
src_port | The source port. | 54 |
uri | The request URL. | /report |
user_agent | The User-Agent header of the request, which identifies the client software. | okhttp/3.2.0 |
x_forward_for | The X-Forwarded-For header, which records the client IP address as passed on by intermediate proxies. | 1.2.3.4 |
Security logs
Vulnerability logs
Field name | Description | Example |
---|---|---|
name | The name of the vulnerability. | oval:com.redhat.rhsa:def:20182390 |
alias_name | The alias of the vulnerability. | RHSA-2018:2390: kernel security and bug fix update |
op | The operation information. Valid values: | new |
status | The vulnerability status. | 1 |
tag | The tag of the vulnerability. Valid values: | oval |
type | The type of the vulnerability. Valid values: | sys |
uuid | The UUID of the server. | 1234-b7ca-4a0a-9267-123456 |
Baseline logs
Field name | Description | Example |
---|---|---|
level | The severity of the vulnerability. Valid values: | low |
op | The operation information. Valid values: | new |
risk_name | The name of the risky item. | Password compliance checks. |
status | The status information. For more information, see Status codes of security logs. | 1 |
sub_type_alias | The alias of the sub type (Chinese). | System account security. |
sub_type_name | The name of the sub type. | system_account_security |
type_name | The name of the check type. | account |
type_alias | The alias of the check type (Chinese). | cis |
uuid | The UUID of the server where risky items are detected. | 12345-b7ca-4a0a-9267-123456 |
Types and subtypes of baseline items
type_name | sub_type_name |
---|---|
system | baseline |
weak_password | postsql_weak_password |
database | redis_check |
account | system_account_security |
weak_password | mysq_weak_password |
weak_password | ftp_anonymous |
weak_password | rdp_weak_password |
system | group_policy |
system | register |
weak_password | sqlserver_weak_password |
weak_password | ssh_weak_password |
weak_password | ftp_weak_password |
cis | centos7 |
cis | tomcat7 |
cis | memcached-check |
cis | mongodb-check |
cis | ubuntu14 |
cis | win2008_r2 |
system | file_integrity_mon |
cis | linux-httpd-2.2-cis |
cis | linux-docker-1.6-cis |
cis | SUSE11 |
cis | redhat6 |
cis | bind9.9 |
cis | centos6 |
cis | debain8 |
cis | redhat7 |
cis | SUSE12 |
cis | ubuntu16 |
Status codes of security logs
Status code | Description |
---|---|
1 | The vulnerability is unfixed. |
2 | The system failed to fix the vulnerability. |
3 | The system failed to undo the fix. |
4 | The system is fixing the vulnerability. |
5 | The system is undoing the fix. |
6 | The system is verifying the fix. |
7 | The system has fixed the vulnerability. |
8 | The system has fixed the vulnerability. A system restart is required. |
9 | The system has undone the fix. |
10 | The vulnerability is ignored. |
11 | The system has undone the fix. A system restart is required. |
12 | The vulnerability does not exist. |
20 | The vulnerability has expired. |
Security alert logs
Field name | Description | Example |
---|---|---|
data_source | The data source. For more information, see Data source of security alerts. | aegis_login_log |
level | The severity of the alert event. Valid values: | suspicious |
name | The name of the alert. | Suspicious Process-SSH-based Remote Execution of Non-interactive Commands |
op | The operation information. Valid values: | new |
status | The status information. For more information, see Status codes of security logs. | 1 |
uuid | The UUID of the server where the alert is generated. | 12345-b7ca-4a0a-9267-123456 |
The data_source fields of security alerts
Value | Description |
---|---|
aegis_suspicious_event | Server exceptions |
aegis_suspicious_file_v2 | Webshell |
aegis_login_log | Unusual logons |
security_event | Security Center exceptions |
Host logs
Process initiation logs
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the client host. | 1.2.3.4 |
cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
username | The user name. | administrator |
uid | The user ID (UID). | 123 |
pid | The process ID. | 7100 |
filename | The name of the process file. | cmd.exe |
filepath | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
groupname | The user group. | group1 |
ppid | The ID of the parent process. | 2296 |
pfilename | The name of the parent process file. | client.exe |
pfilepath | The full path of the parent process file. | D:/client/client.exe |
Process snapshot logs
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the client host. | 1.2.3.4 |
cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
pid | The process ID. | 7100 |
name | The name of the process file. | cmd.exe |
path | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
md5 | The MD5 hash value of the process file. Note: The MD5 algorithm is not supported for files that exceed 1 MB. | d0424c22dfa03f6e4d5289f7f5934dd4 |
pname | The name of the parent process file. | client.exe |
start_time | The time when the process started. Built-in fields. | 2018-01-18 20:00:12 |
user | The username. | administrator |
uid | The UID. | 123 |
Logon logs
Note: Repeated logons in one minute are stored in the same log, and the warn_count field indicates the number of logons.
Field name | Description | Example |
---|---|---|
uuid | The UUID of the logon server. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the client host. | 1.2.3.4 |
warn_ip | The source IP address. | 1.2.3.4 |
warn_port | The logon port. | 22 |
warn_type | The logon type. Valid values: | SSHLOGIN |
warn_user | The username used for the logon. | admin |
warn_count | The number of logons. Repeated logons in one minute are stored in the same log. For example, if the value of warn_count is 3, the server was logged on to three times in one minute. | 3 |
Brute-force cracking logs
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server that is cracked. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the server. | 1.2.3.4 |
warn_ip | The source IP address. | 1.2.3.4 |
warn_port | The logon port. | 22 |
warn_type | The logon type. Valid values: | SSHLOGIN |
warn_user | The username used for the logon. | admin |
warn_count | The number of failed logon attempts. | 3 |
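Logon logs and brute-force cracking logs share the uuid, warn_ip, warn_user and warn_count fields, so the two can be correlated: a successful logon from a source that has already accumulated many failed attempts against the same server is worth an analyst's attention. The following added example (not Security Center's own code) does that correlation over constructed sample records; the failure threshold is an assumption to be tuned per environment.

```python
# Added example: flag logon records whose source IP (warn_ip) had crossed a
# failed-attempt threshold against the same server (uuid) in brute-force logs.
# Field names come from the page; the records and threshold are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FAILED_ATTEMPT_THRESHOLD = 10   # assumption: tune for your environment


def sum_failed_attempts(bruteforce_logs: Iterable[dict]) -> Dict[Tuple[str, str], int]:
    """Total failed attempts per (server uuid, source warn_ip), summed over all users."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in bruteforce_logs:
        totals[(rec["uuid"], rec["warn_ip"])] += int(rec["warn_count"])
    return totals


def logons_after_bruteforce(logon_logs: Iterable[dict], bruteforce_logs: Iterable[dict],
                            threshold: int = FAILED_ATTEMPT_THRESHOLD) -> List[dict]:
    """Return logon records from sources whose failed attempts reached the threshold.
    A logon record's warn_count is the number of logons merged into it (one minute)."""
    failures = sum_failed_attempts(bruteforce_logs)
    hits = []
    for rec in logon_logs:
        key = (rec["uuid"], rec["warn_ip"])
        if failures.get(key, 0) >= threshold:
            hits.append({**rec, "failed_attempts_before": failures[key]})
    return hits


UUID = "5d83b26b-b7ca-4a0a-9267-123456"   # server UUID taken from the page's examples
BRUTEFORCE_LOGS = [   # constructed sample records (brute-force cracking log schema)
    {"uuid": UUID, "ip": "1.2.3.4", "warn_ip": "203.0.113.7", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "root", "warn_count": "8"},
    {"uuid": UUID, "ip": "1.2.3.4", "warn_ip": "203.0.113.7", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "5"},
    {"uuid": UUID, "ip": "1.2.3.4", "warn_ip": "198.51.100.2", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "2"},
]
LOGON_LOGS = [   # constructed sample records (logon log schema)
    {"uuid": UUID, "ip": "1.2.3.4", "warn_ip": "203.0.113.7", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "1"},
    {"uuid": UUID, "ip": "1.2.3.4", "warn_ip": "198.51.100.2", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "3"},
]
```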
Network connection logs
Note: Changes in network connections are collected by the server every 10 seconds to 1 minute. The changes are collected from when the connection is established to when it ends.
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the server. | 1.2.3.4 |
src_ip | The source IP address. | 1.2.3.4 |
src_port | The source port. | 41897 |
dst_ip | The destination IP address. | 1.2.3.4 |
dst_port | The destination port. | 22 |
proc_name | The process name. | java |
proc_path | The path of the process. | /hsdata/jdk1.7.0_79/bin/java |
proto | The protocol. Valid values: | tcp |
status | The connection status. For more information, see Status codes of network connections. | 5 |
Status codes of network connections
Status | Description |
---|---|
1 | closed |
2 | listen |
3 | syn send |
4 | syn recv |
5 | established |
6 | close wait |
7 | closing |
8 | fin_wait1 |
9 | fin_wait2 |
10 | time_wait |
11 | delete_tcb |
Port listening snapshots
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the server. | 1.2.3.4 |
proto | The protocol used for the communication. Valid values: | tcp |
src_ip | The IP address on which the process listens. | 1.2.3.4 |
src_port | The listening port. | 41897 |
pid | The process ID. | 7100 |
proc_name | The process name. | kubelet |
Account snapshots
Note The account snapshots display the account information detected in your assets.
Field name | Description | Example |
---|---|---|
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
ip | The IP address of the server. | 1.2.3.4 |
user | The username. | nscd |
perm | Indicates whether the account has root permissions. Valid values: | 0 |
home_dir | The home directory. | /Users/abc |
groups | The groups to which the user belongs. N/A indicates that the user does not belong to any group. | ["users", "root"] |
last_chg | The date when the password was last modified. | 2017-08-24 |
shell | The login shell of the Linux user. | /sbin/nologin |
domain | The Windows domain. N/A indicates that the user does not belong to any domain. | administrator |
tty | The terminal used for the logon. N/A indicates not applicable. | pts/3 |
warn_time | The date when the system sends the notification that indicates the expiration date of the password. never indicates that notifications are disabled. | 2017-08-24 |
account_expire | The date when the account expires. never indicates that the account never expires. | 2017-08-24 |
passwd_expire | The date when the password expires. never indicates that the password never expires. | 2017-08-24 |
login_ip | The IP address of the last remote logon. N/A indicates not applicable. | 1.2.3.4 |
last_logon | The date and time of the last logon. N/A indicates not applicable. | 2017-08-21 09:21:21 |
status | The account status. Valid values: | 0 |