This topic describes the fields of 14 log types that are supported by Security Center.
Network logs
Domain Name System (DNS) resolution logs
| Field name | Description | Example |
|---|---|---|
| additional | Additional fields. Separate multiple additional fields with vertical bars (|). | No |
| additional_num | The number of additional fields. | 0 |
| answer | DNS responses. Separate multiple DNS responses with vertical bars (|). | abc.com A IN 52 1.2.3.4 |
| answer_num | The number of DNS responses. | 1 |
| authority | Authority fields. | a1.a2.com NS IN 17597 b1.b2.com |
| authority_num | The number of authority fields. | 1 |
| client_subnet | The subnet of the client. | 172.168.100.1 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 53 |
| in_out | The direction of data transmission. Valid values:
|
out |
| qid | The query ID. | 12345 |
| qname | The domain name that is queried. | abc.com |
| qtype | The query type. | A |
| query_datetime | The timestamp of the query. Unit: millisecond. | 1537840756263 |
| rcode | The code returned. | 0 |
| region | The ID of the source region. Valid values:
|
1 |
| response_datetime | The return time. | 2018-09-25 09:59:16 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 22 |
Local DNS logs
| Field name | Description | Example |
|---|---|---|
| answer_rda | DNS responses. Separate multiple DNS responses with vertical bars (|). | abc.com |
| answer_ttl | The cycles of DNS responses. Separate multiple cycles with vertical bars (|). | 100 |
| answer_type | The types of DNS responses. Separate multiple types with vertical bars (|). | 1 |
| anwser_name | The names of DNS responses. Separate multiple names with vertical bars (|). | abc.com |
| dest_ip | The destination IP address. | 1.2.3.4 |
| dest_port | The destination port. | 53 |
| group_id | The group ID. | 3 |
| hostname | The hostname. | host.abc.com |
| id | The query ID. | 64588 |
| instance_id | The instance ID. | i-2zeg4zldn8zypsfg**** |
| internet_ip | The Internet IP address. | 1.2.3.4 |
| ip_ttl | The IP cycle. | 64 |
| query_name | The domain name that is queried. | abc.com |
| query_type | The query type. | A |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 1234 |
| time | The timestamp of the query. Unit: second. | 1537840756 |
| time_usecond | The response time. Unit: microsecond. | 49069 |
| tunnel_id | The channel ID. | 514763 |
Network session logs
| Field name | Description | Example |
|---|---|---|
| asset_type | The associated asset type. Valid values:
|
ECS |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 53 |
| proto | The protocol type. Valid values:
|
tcp |
| session_time | The time when the session started. | 2018-09-25 09:59:49 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 54 |
Web access logs
| Field name | Description | Example |
|---|---|---|
| content_length | The content length. | 123 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 54 |
| host | The host that is accessed. | 47.XX.XX.158:8080 |
| jump_location | The redirection address. | 123 |
| method | The method of the HTTP request. | GET |
| referer | The HTTP referer. The field contains the address of the web page which is linked to the resource being requested. | www.abc.com |
| request_datetime | The time when the request was initiated. | 2018-09-25 09:58:37 |
| ret_code | The status code returned. | 200 |
| rqs_content_type | The type of the request content. | text/plain;charset=utf-8 |
| rsp_content_type | The type of the response content. | text/plain; charset=utf-8 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 54 |
| uri | The request URL. | /report |
| user_agent | The request that is destined for the client. | okhttp/3.2.0 |
| x_forward_for | The information about route redirection. | 1.2.3.4 |
Security logs
Vulnerability logs
| Field name | Description | Example |
|---|---|---|
| name | The name of the vulnerability. | oval:com.redhat.rhsa:def:20182390 |
| alias_name | The alias of the vulnerability. | RHSA-2018:2390: kernel security and bug fix update |
| op | The operation information. Valid values:
|
new |
| status | The vulnerability status. | 1 |
| tag | The tag of the vulnerability. Valid values:
|
oval |
| type | The type of the vulnerability. Valid values:
|
sys |
| uuid | The UUID of the server. | 1234-b7ca-4a0a-9267-123456 |
Baseline logs
| Field name | Description | Example |
|---|---|---|
| level | The severity of the vulnerability. Valid values:
|
low |
| op | The operation information. Valid values:
|
new |
| risk_name | The name of the risky item. | Password compliance checks. |
| status | The status information. For more information, see Status codes of security logs. | 1 |
| sub_type_alias | The alias of the sub type (Chinese). | System account security. |
| sub_type_name | The name of the sub type. | system_account_security |
| type_name | The name of the check type. | account |
| type_alias | The alias of the check type (Chinese). | cis |
| uuid | The UUID of the server where risky items are detected. | 12345-b7ca-4a0a-9267-123456 |
Types and subtypes of baseline items.
| type_name | sub_type_name |
|---|---|
| system | baseline |
| weak_password | postsql_weak_password |
| database | redis_check |
| account | system_account_security |
| account | system_account_security |
| weak_password | mysq_weak_password |
| weak_password | ftp_anonymous |
| weak_password | rdp_weak_password |
| system | group_policy |
| system | register |
| account | system_account_security |
| weak_password | sqlserver_weak_password |
| system | register |
| weak_password | ssh_weak_password |
| weak_password | ftp_weak_password |
| cis | centos7 |
| cis | tomcat7 |
| cis | memcached-check |
| cis | mongodb-check |
| cis | ubuntu14 |
| cis | win2008_r2 |
| system | file_integrity_mon |
| cis | linux-httpd-2.2-cis |
| cis | linux-docker-1.6-cis |
| cis | SUSE11 |
| cis | redhat6 |
| cis | bind9.9 |
| cis | centos6 |
| cis | debain8 |
| cis | redhat7 |
| cis | SUSE12 |
| cis | ubuntu16 |
Status codes of security logs
| Status code | Description |
|---|---|
| 1 | The vulnerability is unfixed. |
| 2 | The system failed to fix the vulnerability. |
| 3 | The system failed to undo the fix. |
| 4 | The system is fixing the vulnerability. |
| 5 | The system is undoing the fix. |
| 6 | The system is verifying the fix. |
| 7 | The system has fixed the vulnerability. |
| 8 | The system has fixed the vulnerability. A system restart is required. |
| 9 | The system has undone the fix. |
| 10 | The vulnerability is ignored. |
| 11 | The system has undone the fix. A system restart is required. |
| 12 | The vulnerability does not exist. |
| 20 | The vulnerability has expired. |
Security alert logs
| Field name | Description | Example |
|---|---|---|
| data_source | The data source. For more information, see Data source of security alerts. | aegis_login_log |
| level | The severity of the alert event. Valid values:
|
suspicious |
| name | The name of the alert. | Suspicious Process-SSH-based Remote Execution of Non-interactive Commands |
| op | The operation information. Valid values:
|
new |
| status | The status information. For more information, see Status codes of security logs. | 1 |
| uuid | The UUID of the server where the alert is generated. | 12345-b7ca-4a0a-9267-123456 |
The data_source fields of security alerts
| Value | Description |
|---|---|
| aegis_suspicious_event | Server exceptions |
| aegis_suspicious_file_v2 | Webshell |
| aegis_login_log | Unusual logons |
| security_event | Security Center exceptions |
Host logs
Process initiation logs
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano“ |
| username | The user name. | administrator |
| uid | The user ID (UID). | 123 |
| pid | The process ID. | 7100 |
| filename | The name of the process file. | cmd.exe |
| filepath | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
| groupname | The user group. | group1 |
| ppid | The ID of the parent process. | 2296 |
| pfilename | The name of the parent process file. | client.exe |
| pfilepath | The full path of the parent process file. | D:/client/client.exe |
Process snapshot logs
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server where the process runs. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| cmdline | The complete command to start the process. | cmd.exe /C "netstat -ano" |
| pid | The process ID. | 7100 |
| name | The name of the process file. | cmd.exe |
| path | The full path of the process file. | C:/Windows/SysWOW64/cmd.exe |
| md5 | The MD5 hash value of the process file.
Note MD5 algorithm is not supported for files that exceed 1 MB.
|
d0424c22dfa03f6e4d5289f7f5934dd4 |
| pname | The name of the parent process file. | client.exe |
| start_time | The time when the process started. Built-in fields. | 2018-01-18 20:00:12 |
| user | The username. | administrator |
| uid | The UID. | 123 |
Logon logs
Note Repeated logons in one minute are stored in the same log, and the
warn_count field indicates the number of logons.
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the logon server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the client host. | 1.2.3.4 |
| warn_ip | The source IP address. | 1.2.3.4 |
| warn_port | The logon port. | 22 |
| warn_type | The logon type. Valid values:
|
SSHLOGIN |
| warn_user | The username used for the logon. | admin |
| warn_count | The number of logons. Repeated logons in one minute are stored in the same log. For
example, if the value of warn_count is 3, the server is logged on to for three times in one minute.
|
3 |
Brute-force cracking logs
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server that is cracked. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| warn_ip | The source IP address. | 1.2.3.4 |
| warn_port | The logon port. | 22 |
| warn_type | The logon type. Valid values:
|
SSHLOGIN |
| warn_user | The username used for the logon. | admin |
| warn_count | The number of failed logon attempts. | 3 |
Network connection logs
Note Changes in network connections are collected by the server every 10 seconds to 1 minute.
The changes are collected from when the connection is established to when it ends.
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| src_ip | The source IP address. | 1.2.3.4 |
| src_port | The source port. | 41897 |
| dst_ip | The destination IP address. | 1.2.3.4 |
| dst_port | The destination port. | 22 |
| proc_name | The process name. | java |
| proc_path | The path of the process. | /hsdata/jdk1.7.0_79/bin/java |
| proto | The protocol. Valid values:
|
tcp |
| status | The connection status. For more information, see Status codes of network connections. | 5 |
Status codes of network connections
| Status | Description |
|---|---|
| 1 | closed |
| 2 | listen |
| 3 | syn send |
| 4 | syn recv |
| 5 | establisted |
| 6 | close wait |
| 7 | closing |
| 8 | fin_wait1 |
| 9 | fin_wait2 |
| 10 | time_wait |
| 11 | delete_tcb |
Port listening snapshots
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| proto | The protocol used for the communication. Valid values:
|
tcp |
| src_ip | The IP address that is listened. | 1.2.3.4 |
| src_port | The listening port. | 41897 |
| pid | The process ID. | 7100 |
| proc_name | The process name. | kubelet |
Account snapshots
Note The account snapshots display the account information detected in your assets.
| Field name | Description | Example |
|---|---|---|
| uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-123456 |
| ip | The IP address of the server. | 1.2.3.4 |
| user | The username. | nscd |
| perm | Indicates whether the account has root permissions. Valid values:
|
0 |
| home_dir | The home directory. | /Users/abc |
| groups | The group to which the user belongs. N/A indicates that the user does not belong to any group.
|
["users", "root"] |
| last_chg | The date when the password was last modified. | 2017-08-24 |
| shell | The Linux shell command. | /sbin/nologin |
| domain | The Windows domain. N/A indicates that the user does not belong to any domain.
|
administrator |
| tty | The terminal used for the logon. N/A indicates not applicable.
|
pts/3 |
| warn_time | The date when the system sends the notification that indicates the expiration date
of the password. never indicates that notifications are disabled.
|
2017-08-24 |
| account_expire | The date when the account expires. never indicates that the account never expires.
|
2017-08-24 |
| passwd_expire | The date when the password expires. never indicates that the password never expires.
|
2017-08-24 |
| login_ip | The IP address of the last remote logon. N/A indicates not applicable.
|
1.2.3.4 |
| last_logon | The date and time of the last logon. N/A indicates not applicable.
|
2017-08-21 09:21:21 |
| status | The account status. Valid values:
|
0 |