This topic describes the fields of 14 log types that are supported by Security Center.

Network logs

Domain Name System (DNS) resolution logs

| Field name | Description | Example |
| --- | --- | --- |
| additional | Additional fields. Separate multiple additional fields with vertical bars (\|). | No |
| additional_num | The number of additional fields. | 0 |
| answer | DNS responses. Separate multiple DNS responses with vertical bars (\|). | abc.com A IN 52 1.2.3.4 |
| answer_num | The number of DNS responses. | 1 |
| authority | Authority fields. | a1.a2.com NS IN 17597 b1.b2.com |
| authority_num | The number of authority fields. | 1 |
| client_subnet | The subnet of the client. | 172.168.100.1 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 53 |
| in_out | The direction of data transmission. Valid values: in (inbound), out (outbound). | out |
| qid | The query ID. | 12345 |
| qname | The domain name that is queried. | abc.com |
| qtype | The query type. | A |
| query_datetime | The timestamp of the query. Unit: millisecond. | 1537840756263 |
| rcode | The DNS response code (RCODE) that is returned. | 0 |
| region | The ID of the source region. Valid values: 1 (China (Beijing)), 2 (China (Qingdao)), 3 (China (Hangzhou)), 4 (China (Shanghai)), 5 (China (Shenzhen)), 6 (other regions). | 1 |
| response_datetime | The return time. | 2018-09-25 09:59:16 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 22 |
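As an added example (not code from the original page or from Security Center), the following Python parses the answer, authority and additional fields into resource records using the layout of the page's own examples (name, type, class, TTL, rdata, with records separated by vertical bars), cross-checks them against the answer_num, authority_num and additional_num counters, and flags resolutions whose A or AAAA answers land in an IP watchlist. The sample records, the watchlist addresses and the treatment of the literal value No as an empty additional field are assumptions, not facts from the page.

```python
"""Parse Security Center DNS resolution log records (added example, not the
product's own code). Record layout follows the page's examples:
'<name> <type> <class> <ttl> <rdata>', several records separated by '|'.
All sample data below is constructed."""
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass
class ResourceRecord:
    name: str
    rtype: str
    rclass: str
    ttl: int
    rdata: str


def parse_rr_field(value: str) -> List[ResourceRecord]:
    """Split a '|'-separated answer/authority/additional field into records.
    rdata may itself contain spaces (MX, TXT, SOA), so only the first four
    tokens are split off and the remainder is kept verbatim."""
    records: List[ResourceRecord] = []
    for item in (value or "").split("|"):
        item = item.strip()
        # Assumption: the literal 'No' (the page's example for 'additional') means no records.
        if not item or item == "No":
            continue
        parts = item.split(None, 4)
        if len(parts) < 5:
            raise ValueError(f"malformed resource record: {item!r}")
        name, rtype, rclass, ttl, rdata = parts
        records.append(ResourceRecord(name, rtype.upper(), rclass.upper(), int(ttl), rdata))
    return records


def check_counts(log: Dict[str, Any]) -> List[str]:
    """Compare the *_num counters with the number of records actually present."""
    problems = []
    for field in ("answer", "authority", "additional"):
        declared = int(log.get(f"{field}_num", 0))
        parsed = len(parse_rr_field(log.get(field, "")))
        if declared != parsed:
            problems.append(f"{field}_num={declared} but {parsed} records parsed")
    return problems


def resolved_addresses(log: Dict[str, Any]) -> List[str]:
    """IP addresses carried by A/AAAA records in the answer field."""
    return [r.rdata for r in parse_rr_field(log.get("answer", "")) if r.rtype in ("A", "AAAA")]


def find_watchlisted(logs, watchlist) -> List[Tuple[str, str, str]]:
    """(qname, resolved ip, src_ip) for every resolution whose answer hit the watchlist."""
    hits = []
    for log in logs:
        for ip in resolved_addresses(log):
            if ip in watchlist:
                hits.append((log["qname"], ip, log["src_ip"]))
    return hits


# Constructed sample records using the page's field names; the values are not real.
SAMPLE_LOGS = [
    {"qname": "abc.com", "qtype": "A", "src_ip": "10.0.0.5", "in_out": "out", "rcode": "0",
     "answer": "abc.com A IN 52 1.2.3.4", "answer_num": "1",
     "authority": "a1.a2.com NS IN 17597 b1.b2.com", "authority_num": "1",
     "additional": "No", "additional_num": "0"},
    {"qname": "update.example.test", "qtype": "A", "src_ip": "10.0.0.7", "in_out": "out", "rcode": "0",
     "answer": "update.example.test A IN 30 203.0.113.9|update.example.test A IN 30 203.0.113.10",
     "answer_num": "2", "authority": "", "authority_num": "0", "additional": "No", "additional_num": "0"},
    {"qname": "mail.example.test", "qtype": "MX", "src_ip": "10.0.0.7", "in_out": "out", "rcode": "0",
     "answer": "mail.example.test MX IN 300 10 mx1.example.test", "answer_num": "1",
     "authority": "", "authority_num": "0", "additional": "No", "additional_num": "0"},
]
WATCHLIST = {"203.0.113.10"}  # constructed; in practice fed from threat intelligence


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(log["qname"], check_counts(log) or "counts ok")
    for qname, ip, src in find_watchlisted(SAMPLE_LOGS, WATCHLIST):
        print(f"watchlist hit: {src} resolved {qname} -> {ip}")
```

A count mismatch from check_counts usually means a record was truncated or the field contained an unexpected separator, which is worth knowing before the parsed records feed any detection rule.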

Local DNS logs

| Field name | Description | Example |
| --- | --- | --- |
| answer_rda | DNS responses. Separate multiple DNS responses with vertical bars (\|). | abc.com |
| answer_ttl | The TTL values of DNS responses. Separate multiple TTL values with vertical bars (\|). | 100 |
| answer_type | The types of DNS responses. Separate multiple types with vertical bars (\|). | 1 |
| anwser_name | The names of DNS responses. Separate multiple names with vertical bars (\|). | abc.com |
| dest_ip | The destination IP address. | 1.2.3.4 |
| dest_port | The destination port. | 53 |
| group_id | The group ID. | 3 |
| hostname | The hostname. | host.abc.com |
| id | The query ID. | 64588 |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| internet_ip | The Internet IP address. | 1.2.3.4 |
| ip_ttl | The IP TTL. | 64 |
| query_name | The domain name that is queried. | abc.com |
| query_type | The query type. | A |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 1234 |
| time | The timestamp of the query. Unit: second. | 1537840756 |
| time_usecond | The response time. Unit: microsecond. | 49069 |
| tunnel_id | The channel ID. | 514763 |

Network session logs

| Field name | Description | Example |
| --- | --- | --- |
| asset_type | The associated asset type. Valid values: ECS, SLB, RDS. | ECS |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 53 |
| proto | The protocol type. Valid values: tcp, udp. | tcp |
| session_time | The time when the session started. | 2018-09-25 09:59:49 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 54 |

Web access logs

| Field name | Description | Example |
| --- | --- | --- |
| content_length | The content length. | 123 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 54 |
| host | The host that is accessed. | 47.XX.XX.158:8080 |
| jump_location | The redirection address. | 123 |
| method | The method of the HTTP request. | GET |
| referer | The HTTP referer. The field contains the address of the web page that links to the requested resource. | www.abc.com |
| request_datetime | The time when the request was initiated. | 2018-09-25 09:58:37 |
| ret_code | The status code returned. | 200 |
| rqs_content_type | The type of the request content. | text/plain;charset=utf-8 |
| rsp_content_type | The type of the response content. | text/plain; charset=utf-8 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 54 |
| uri | The request URL. | /report |
| user_agent | The User-Agent string sent by the client that made the request. | okhttp/3.2.0 |
| x_forward_for | The X-Forwarded-For header, which records the client IP addresses along the proxy path of the request. | 1.2.3.4 |

Security logs

Vulnerability logs

| Field name | Description | Example |
| --- | --- | --- |
| name | The name of the vulnerability. | oval:com.redhat.rhsa:def:20182390 |
| alias_name | The alias of the vulnerability. | RHSA-2018:2390: kernel security and bug fix update |
| op | The operation information. Valid values: new (detects a new vulnerability), verity (verifies the fix), fix (fixes the vulnerability). | new |
| status | The vulnerability status. | 1 |
| tag | The tag of the vulnerability. Valid values: oval, system, cms. | oval |
| type | The type of the vulnerability. Valid values: sys (a Windows vulnerability), cve (a Linux vulnerability), cms (a web-CMS vulnerability), EMG (an emergency vulnerability). | sys |
| uuid | The UUID of the server. | 1234-b7ca-4a0a-9267-123456 |

Baseline logs

| Field name | Description | Example |
| --- | --- | --- |
| level | The severity of the vulnerability. Valid values: high (high severity), medium (medium severity), low (low severity). | low |
| op | The operation information. Valid values: new (detects a new risk), verity (verifies the fix). | new |
| risk_name | The name of the risky item. | Password compliance checks. |
| status | The status information. For more information, see Status codes of security logs. | 1 |
| sub_type_alias | The alias of the sub type (Chinese). | System account security. |
| sub_type_name | The name of the sub type. | system_account_security |
| type_name | The name of the check type. | account |
| type_alias | The alias of the check type (Chinese). | cis |
| uuid | The UUID of the server where risky items are detected. | 12345-b7ca-4a0a-9267-123456 |

Types and subtypes of baseline items.

| type_name | sub_type_name |
| --- | --- |
| system | baseline |
| weak_password | postsql_weak_password |
| database | redis_check |
| account | system_account_security |
| weak_password | mysq_weak_password |
| weak_password | ftp_anonymous |
| weak_password | rdp_weak_password |
| system | group_policy |
| system | register |
| weak_password | sqlserver_weak_password |
| weak_password | ssh_weak_password |
| weak_password | ftp_weak_password |
| cis | centos7 |
| cis | tomcat7 |
| cis | memcached-check |
| cis | mongodb-check |
| cis | ubuntu14 |
| cis | win2008_r2 |
| system | file_integrity_mon |
| cis | linux-httpd-2.2-cis |
| cis | linux-docker-1.6-cis |
| cis | SUSE11 |
| cis | redhat6 |
| cis | bind9.9 |
| cis | centos6 |
| cis | debain8 |
| cis | redhat7 |
| cis | SUSE12 |
| cis | ubuntu16 |

Status codes of security logs

| Status code | Description |
| --- | --- |
| 1 | The vulnerability is unfixed. |
| 2 | The system failed to fix the vulnerability. |
| 3 | The system failed to undo the fix. |
| 4 | The system is fixing the vulnerability. |
| 5 | The system is undoing the fix. |
| 6 | The system is verifying the fix. |
| 7 | The system has fixed the vulnerability. |
| 8 | The system has fixed the vulnerability. A system restart is required. |
| 9 | The system has undone the fix. |
| 10 | The vulnerability is ignored. |
| 11 | The system has undone the fix. A system restart is required. |
| 12 | The vulnerability does not exist. |
| 20 | The vulnerability has expired. |

Security alert logs

| Field name | Description | Example |
| --- | --- | --- |
| data_source | The data source. For more information, see The data_source fields of security alerts. | aegis_login_log |
| level | The severity of the alert event. Valid values: serious (high severity), suspicious (medium severity), remind (low severity). | suspicious |
| name | The name of the alert. | Suspicious Process-SSH-based Remote Execution of Non-interactive Commands |
| op | The operation information. Valid values: new (generates a new alert), dealing (handles the alert). | new |
| status | The status information. For more information, see Status codes of security logs. | 1 |
| uuid | The UUID of the server where the alert is generated. | 12345-b7ca-4a0a-9267-123456 |

The data_source fields of security alerts

| Value | Description |
| --- | --- |
| aegis_suspicious_event | Server exceptions |
| aegis_suspicious_file_v2 | Webshell |
| aegis_login_log | Unusual logons |
| security_event | Security Center exceptions |

Host logs

Process initiation logs

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
| username | The user name. | administrator |
| uid | The user ID (UID). | 123 |
| pid | The process ID. | 7100 |
| filename | The name of the process file. | cmd.exe |
| filepath | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
| groupname | The user group. | group1 |
| ppid | The ID of the parent process. | 2296 |
| pfilename | The name of the parent process file. | client.exe |
| pfilepath | The full path of the parent process file. | D:/client/client.exe |

Process snapshot logs

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
| pid | The process ID. | 7100 |
| name | The name of the process file. | cmd.exe |
| path | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
| md5 | The MD5 hash value of the process file. Note: the MD5 algorithm is not supported for files that exceed 1 MB. | d0424c22dfa03f6e4d5289f7f5934dd4 |
| pname | The name of the parent process file. | client.exe |
| start_time | The time when the process started. Built-in fields. | 2018-01-18 20:00:12 |
| user | The username. | administrator |
| uid | The UID. | 123 |

Logon logs

Note: Repeated logons in one minute are stored in the same log, and the warn_count field indicates the number of logons.

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the logon server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| warn_ip | The source IP address. | 1.2.3.4 |
| warn_port | The logon port. | 22 |
| warn_type | The logon type. Valid values: SSHLOGIN (Secure Shell (SSH) logons), RDPLOGIN (Remote desktop logons), IPCLOGIN. | SSHLOGIN |
| warn_user | The username used for the logon. | admin |
| warn_count | The number of logons. Repeated logons in one minute are stored in the same log. For example, if the value of warn_count is 3, the server was logged on to three times in one minute. | 3 |

Brute-force cracking logs

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server that is cracked. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| warn_ip | The source IP address. | 1.2.3.4 |
| warn_port | The logon port. | 22 |
| warn_type | The logon type. Valid values: SSHLOGIN (SSH logons), RDPLOGIN (Remote desktop logons), IPCLOGIN. | SSHLOGIN |
| warn_user | The username used for the logon. | admin |
| warn_count | The number of failed logon attempts. | 3 |
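The logon log and the brute-force cracking log above share the uuid, warn_ip, warn_type and warn_user fields, which makes them natural to join. As an added example (not code from the original page or from Security Center), the following Python sums failed attempts per server, source address and logon type across several one-minute brute-force records, then reports logon records from the same source against the same server, that is, a successful logon preceded by a run of failures. The sample records, the server UUID, the threshold of ten failures and the absence of a timestamp are assumptions.

```python
"""Correlate Security Center brute-force cracking logs with logon logs
(added example, not the product's own code). Sample records are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str, str]  # (uuid, warn_ip, warn_type)


def summarize_bruteforce(bf_logs: Iterable[dict], threshold: int = 10) -> Dict[Key, dict]:
    """Sum warn_count (failed attempts) per server, source IP and logon type.
    Several one-minute records from the same source are added together, so a
    slow attack that stays small per minute still accumulates."""
    failed: Dict[Key, int] = defaultdict(int)
    users: Dict[Key, set] = defaultdict(set)
    for rec in bf_logs:
        key = (rec["uuid"], rec["warn_ip"], rec["warn_type"])
        failed[key] += int(rec["warn_count"])
        users[key].add(rec["warn_user"])
    return {k: {"failed": n, "users": sorted(users[k])}
            for k, n in failed.items() if n >= threshold}


def logons_after_bruteforce(bf_logs, logon_logs, threshold: int = 10) -> List[dict]:
    """Logon records (successful logons) from a source that also produced at least
    `threshold` failed attempts against the same server with the same logon type."""
    hot = summarize_bruteforce(bf_logs, threshold)
    findings = []
    for rec in logon_logs:
        key = (rec["uuid"], rec["warn_ip"], rec["warn_type"])
        if key in hot:
            findings.append({
                "uuid": rec["uuid"], "src_ip": rec["warn_ip"], "warn_type": rec["warn_type"],
                "user": rec["warn_user"], "logons": int(rec["warn_count"]),
                "failed_before": hot[key]["failed"], "users_tried": hot[key]["users"],
            })
    return findings


SRV = "00000000-0000-4000-8000-000000000001"  # constructed server UUID
BRUTE_FORCE_LOGS = [  # constructed brute-force cracking records (one per minute)
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "198.51.100.23", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "root", "warn_count": "8"},
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "198.51.100.23", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "7"},
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "198.51.100.23", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "5"},
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "198.51.100.77", "warn_port": "3389",
     "warn_type": "RDPLOGIN", "warn_user": "administrator", "warn_count": "2"},
]
LOGON_LOGS = [  # constructed logon records
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "198.51.100.23", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "admin", "warn_count": "1"},
    {"uuid": SRV, "ip": "10.0.0.4", "warn_ip": "10.0.0.9", "warn_port": "22",
     "warn_type": "SSHLOGIN", "warn_user": "ops", "warn_count": "3"},
]


if __name__ == "__main__":
    for f in logons_after_bruteforce(BRUTE_FORCE_LOGS, LOGON_LOGS):
        print(f"{f['src_ip']} logged on to {f['uuid']} as {f['user']} "
              f"after {f['failed_before']} failed attempts on {f['users_tried']}")
```

Neither table on this page lists a timestamp field, so the join above does not check that the failures came before the logon; when the records carry a collection time, restrict the join to a window (for example the hour before the logon) to keep a stale brute-force record from matching an unrelated later logon.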

Network connection logs

Note: Changes in network connections are collected by the server every 10 seconds to 1 minute. The changes are collected from when the connection is established to when it ends.

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 41897 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 22 |
| proc_name | The process name. | java |
| proc_path | The path of the process. | /hsdata/jdk1.7.0_79/bin/java |
| proto | The protocol. Valid values: tcp, udp, raw (raw socket). | tcp |
| status | The connection status. For more information, see Status codes of network connections. | 5 |

Status codes of network connections

| Status | Description |
| --- | --- |
| 1 | closed |
| 2 | listen |
| 3 | syn send |
| 4 | syn recv |
| 5 | established |
| 6 | close wait |
| 7 | closing |
| 8 | fin_wait1 |
| 9 | fin_wait2 |
| 10 | time_wait |
| 11 | delete_tcb |

Port listening snapshots

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| proto | The protocol used for the communication. Valid values: tcp, udp, raw (raw socket). | tcp |
| src_ip | The IP address that is listened on. | 1.2.3.4 |
| src_port | The listening port. | 41897 |
| pid | The process ID. | 7100 |
| proc_name | The process name. | kubelet |

Account snapshots

Note: The account snapshots display the account information detected in your assets.

| Field name | Description | Example |
| --- | --- | --- |
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| user | The username. | nscd |
| perm | Indicates whether the account has root permissions. Valid values: 0 (no), 1 (yes). | 0 |
| home_dir | The home directory. | /Users/abc |
| groups | The groups to which the user belongs. N/A indicates that the user does not belong to any group. | ["users", "root"] |
| last_chg | The date when the password was last modified. | 2017-08-24 |
| shell | The Linux login shell. | /sbin/nologin |
| domain | The Windows domain. N/A indicates that the user does not belong to any domain. | administrator |
| tty | The terminal used for the logon. N/A indicates not applicable. | pts/3 |
| warn_time | The date when the system sends the notification that indicates the expiration date of the password. never indicates that notifications are disabled. | 2017-08-24 |
| account_expire | The date when the account expires. never indicates that the account never expires. | 2017-08-24 |
| passwd_expire | The date when the password expires. never indicates that the password never expires. | 2017-08-24 |
| login_ip | The IP address of the last remote logon. N/A indicates not applicable. | 1.2.3.4 |
| last_logon | The date and time of the last logon. N/A indicates not applicable. | 2017-08-21 09:21:21 |
| status | The account status. Valid values: 0 (disabled), 1 (functioning). | 0 |
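The account snapshot fields lend themselves to a periodic hygiene check. As an added example (not code from the original page or from Security Center), the following Python reads snapshot records with the field names and value conventions listed above (perm and status as 0/1, groups as a JSON-style list or N/A, dates as YYYY-MM-DD with never and N/A as sentinels) and reports functioning accounts that are privileged yet have a password that never expires, interactive accounts whose password is older than a limit, and accounts still functioning past their account_expire date. The audit rules, the 90-day limit, the set of non-login shells, the snapshot date and the sample accounts are assumptions.

```python
"""Audit Security Center account snapshot records (added example, not the
product's own code). Rules, thresholds and sample accounts are constructed."""
import json
from datetime import date, datetime
from typing import Dict, List, Optional

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}  # assumption
AS_OF = date(2018, 9, 25)  # constructed snapshot date


def parse_groups(value: Optional[str]) -> List[str]:
    """groups is a JSON-style list such as ["users", "root"]; N/A means no group."""
    if value in (None, "", "N/A"):
        return []
    try:
        parsed = json.loads(value)
    except ValueError:  # tolerate an unquoted [users, root] form
        return [g.strip() for g in value.strip("[]").split(",") if g.strip()]
    return [str(g) for g in parsed] if isinstance(parsed, list) else [str(parsed)]


def parse_date(value: Optional[str]) -> Optional[date]:
    """Dates are YYYY-MM-DD (last_logon adds a time of day); N/A and never become None."""
    if value in (None, "", "N/A", "never"):
        return None
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def audit_account(acct: dict, as_of: date, max_pw_age_days: int = 90) -> List[str]:
    """Return the list of findings for one snapshot record (empty when clean)."""
    findings: List[str] = []
    if acct["status"] != "1":  # 0: disabled, nothing to audit
        return findings
    privileged = acct["perm"] == "1" or "root" in parse_groups(acct.get("groups"))
    interactive = acct.get("shell", "N/A") not in NOLOGIN_SHELLS
    if privileged and parse_date(acct.get("passwd_expire")) is None:
        findings.append("privileged account whose password never expires")
    last_chg = parse_date(acct.get("last_chg"))
    if interactive and last_chg and (as_of - last_chg).days > max_pw_age_days:
        findings.append(f"password last changed {(as_of - last_chg).days} days ago")
    expires = parse_date(acct.get("account_expire"))
    if expires and expires < as_of:
        findings.append("account is past its expiry date but still functioning")
    return findings


def audit_snapshot(accounts, as_of: date, max_pw_age_days: int = 90) -> Dict[str, List[str]]:
    """Map each username with findings to its findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, as_of, max_pw_age_days)
        if findings:
            report[acct["user"]] = findings
    return report


SRV = "00000000-0000-4000-8000-000000000001"  # constructed server UUID
SAMPLE_ACCOUNTS = [  # constructed snapshot records
    {"uuid": SRV, "ip": "10.0.0.4", "user": "nscd", "perm": "0", "home_dir": "/", "groups": "N/A",
     "last_chg": "2017-08-24", "shell": "/sbin/nologin", "domain": "N/A", "tty": "N/A",
     "warn_time": "never", "account_expire": "never", "passwd_expire": "never",
     "login_ip": "N/A", "last_logon": "N/A", "status": "1"},
    {"uuid": SRV, "ip": "10.0.0.4", "user": "deploy", "perm": "1", "home_dir": "/home/deploy",
     "groups": '["users", "root"]', "last_chg": "2018-09-01", "shell": "/bin/bash", "domain": "N/A",
     "tty": "pts/3", "warn_time": "never", "account_expire": "never", "passwd_expire": "never",
     "login_ip": "10.0.0.9", "last_logon": "2018-09-24 08:12:00", "status": "1"},
    {"uuid": SRV, "ip": "10.0.0.4", "user": "olduser", "perm": "0", "home_dir": "/home/olduser",
     "groups": '["users"]', "last_chg": "2017-08-24", "shell": "/bin/bash", "domain": "N/A",
     "tty": "N/A", "warn_time": "2018-11-17", "account_expire": "2018-06-30",
     "passwd_expire": "2018-11-24", "login_ip": "N/A", "last_logon": "N/A", "status": "1"},
    {"uuid": SRV, "ip": "10.0.0.4", "user": "svc_disabled", "perm": "1", "home_dir": "/opt/svc",
     "groups": '["root"]', "last_chg": "2016-01-01", "shell": "/bin/bash", "domain": "N/A",
     "tty": "N/A", "warn_time": "never", "account_expire": "never", "passwd_expire": "never",
     "login_ip": "N/A", "last_logon": "N/A", "status": "0"},
]


if __name__ == "__main__":
    for user, findings in audit_snapshot(SAMPLE_ACCOUNTS, AS_OF).items():
        print(user + ":", "; ".join(findings))
```

Service accounts with a non-login shell are excluded from the password-age rule on purpose: their last_chg value is rarely meaningful and would otherwise flood the report, while the privileged-never-expires rule still applies to them.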