
Simple Log Service:Usage notes

Last Updated:Mar 01, 2024

Alibaba Cloud Simple Log Service and Security Center jointly launch the log analysis feature that allows you to collect, query, analyze, transform, and consume risk data in real time. You can use the log analysis feature to monitor and handle potential risks of servers and implement centralized management of cloud resources. This topic describes the assets, billing, and limits of the log analysis feature.

Limits

  • You can write only Security Center logs to the dedicated Logstore. You cannot modify the attributes of the Logstore, such as the log retention period.

  • Security Center logs must be retained for at least 180 days to comply with the Cybersecurity Law of the People's Republic of China. We recommend that you allocate a log storage capacity of 40 GB for each server.

  • Security Center Basic Edition does not support the log analysis feature. Security Center Ultimate Edition and Enterprise Edition support queries of network logs, security logs, and host logs. Security Center Advanced Edition and Anti-virus Edition support queries of security logs and host logs. For more information about the billing of these editions, see Billing overview.

Assets

  • Dedicated project and Logstore

    After you enable the log analysis feature, Simple Log Service creates a project named sas-log-{Alibaba Cloud account ID}-{Region ID} and a dedicated Logstore named sas-log by default. The following table describes the region in which the project is created.

    Region of Security Center    Region of the Simple Log Service project
    China                        China (Hangzhou)
    Outside China                Singapore

    Important
    • Do not delete the project or Logstore that is related to Security Center logs. Otherwise, Security Center logs cannot be sent to Simple Log Service.

      If you accidentally delete the dedicated Logstore, you are prompted that the sas-log Logstore does not exist, and all log data in the Logstore is deleted. In this case, submit a ticket to restore the Logstore. If you re-enable the log analysis feature after the Logstore is restored, the lost logs cannot be restored.

    • If you have enabled the pay-by-ingested-data billing mode, Simple Log Service creates a dedicated Logstore that uses the pay-by-ingested-data billing mode by default. If you want to switch the billing mode from pay-by-ingested-data to pay-by-feature, you can modify the configuration of the Logstore. For more information, see Modify the configurations of a Logstore.

  • Dedicated dashboards

    Security Center logs are classified into three types. After you enable the log analysis feature of Security Center, Simple Log Service generates nine dashboards by default.

    Important

    We recommend that you do not make changes to the dedicated dashboards because the dashboards may be upgraded or updated at any time. You can create a custom dashboard to display query results. For more information, see Create a dashboard.

Supported log types

Security Center Enterprise Edition and Ultimate Edition support 16 subtypes of logs that belong to the host, security, and network log types. Security Center Anti-virus Edition and Advanced Edition support 12 subtypes of logs that belong to the host and security log types.

Network log types

  • Web access logs
    __topic__: sas-log-http
    Description: Logs of user requests to web servers and the responses from the web servers, including the IP address of the user, the request time, the request method, the request URL, the HTTP status code, and the response size. Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance.
    Collection cycle: In most cases, logs are collected 1 to 12 hours after the logs are generated.

  • Domain Name System (DNS) logs
    __topic__: sas-log-dns
    Description: Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value. You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs.

  • Internal DNS logs
    __topic__: local-dns
    Description: Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value. You can obtain information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs.

  • Network session logs
    __topic__: sas-log-session
    Description: Logs of network connections and data transmission, including the details of network sessions: the session start time, source IP address, destination IP address, protocol, and ports. Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance.

Host log types

  • Logon logs
    __topic__: aegis-log-login
    Description: Logs of user logons to servers, including the logon time, logon user, logon method, and logon IP address. Logon logs can help you monitor user activities, and identify and respond to abnormal behavior at the earliest opportunity, which helps ensure system security.
    Note: Security Center does not collect the logs of logons to servers that run Windows Server 2008.
    Collection cycle: Logs are collected in real time.

  • Network connection logs
    __topic__: aegis-log-network
    Description: Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status. Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance.
    Note: A server collects only some of the states that a network connection passes through between establishment and termination.
    Collection cycle: Logs are collected in real time.

  • Process startup logs
    __topic__: aegis-log-process
    Description: Logs of server process startups, including the startup time, startup command, and parameters. You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs.
    Collection cycle: Logs are collected in real time. When a process starts, the logs are immediately collected.

  • Brute-force attack logs
    __topic__: aegis-log-crack
    Description: Logs of brute-force attacks, including information about logon attempts, and attempts to crack systems, applications, or accounts. You can obtain information about brute-force attacks on systems or applications, and identify unusual logon attempts, weak passwords, and credential leaks based on brute-force attack logs. You can also use brute-force attack logs to trace malicious users and collect evidence to assist the security team in incident response and investigation.
    Collection cycle: Logs are collected in real time.

  • Account snapshot logs
    __topic__: aegis-snapshot-host
    Description: Logs of accounts in systems or applications, including basic information about each account, such as the username, password policy, and logon history. You can obtain the changes of accounts and identify potential risks at the earliest opportunity by comparing the account snapshot logs at different points in time. The risks include access from unauthorized accounts and abnormal account status.
    Collection cycle:
      • If you configure an automatic collection task for asset fingerprints, asset fingerprints are automatically collected based on the specified frequency. For more information about how to configure an automatic collection task for asset fingerprints, see Use the asset fingerprints feature.
      • If you do not configure an automatic collection task, the fingerprints of each server are collected once a day at a random time.

  • Network snapshot logs
    __topic__: aegis-snapshot-port
    Description: Logs of network connections, including the 5-tuples of connections, connection status, and associated processes. You can obtain information about network sockets in the system, identify abnormal connections and potential network attacks, and optimize network performance based on network snapshot logs.

  • Process snapshot logs
    __topic__: aegis-snapshot-process
    Description: Logs of processes in the system, including the process ID, process name, and process start time. You can obtain information about processes in the system and the resource usage of the processes, and identify issues such as abnormal processes, excessive CPU utilization, and memory leaks based on process snapshot logs.

  • DNS request logs
    __topic__: aegis-log-dns-query
    Description: Logs of DNS requests sent by servers, including the requested domain name, query type, and query source. You can obtain information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs.
    Collection cycle: Logs are collected in real time.
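The logon logs and brute-force attack logs listed above are most useful when read together: a successful logon from a source address that has just produced a burst of aegis-log-crack records is the event to triage first. The following Python is an added example, not Alibaba Cloud's code. It models each log entry as the key/value map that Simple Log Service returns for one record and uses the Logstore's reserved __topic__ and __time__ fields; the field names src_ip, user and result are assumed placeholders, not the documented schema of these log types, and the sample records are constructed.

```python
"""Correlate Security Center brute-force attack logs with logon logs.

Added example, not Alibaba Cloud's code. Each record is modelled as the
key/value map that Simple Log Service returns for one log entry. The
__topic__ and __time__ keys are the Logstore's reserved fields; src_ip,
user and result are ASSUMED placeholder field names, not the documented
schema of aegis-log-crack or aegis-log-login.
"""
from bisect import bisect_left, bisect_right
from collections import defaultdict
from typing import Dict, List

BRUTE_FORCE_TOPIC = "aegis-log-crack"   # brute-force attack logs
LOGON_TOPIC = "aegis-log-login"         # logon logs

# Constructed sample records (timestamps are Unix seconds); not real log data.
SAMPLE_LOGS: List[Dict[str, str]] = [
    # six failed attempts from one source, then a successful logon from it
    *[{"__topic__": BRUTE_FORCE_TOPIC, "__time__": str(1700000000 + 50 * i),
       "src_ip": "203.0.113.7", "user": "root", "result": "failed"} for i in range(6)],
    {"__topic__": LOGON_TOPIC, "__time__": "1700000300",
     "src_ip": "203.0.113.7", "user": "root", "result": "success"},
    # two attempts only, below the default threshold
    {"__topic__": BRUTE_FORCE_TOPIC, "__time__": "1700000400",
     "src_ip": "192.0.2.9", "user": "admin", "result": "failed"},
    {"__topic__": BRUTE_FORCE_TOPIC, "__time__": "1700000420",
     "src_ip": "192.0.2.9", "user": "admin", "result": "failed"},
    {"__topic__": LOGON_TOPIC, "__time__": "1700000500",
     "src_ip": "192.0.2.9", "user": "admin", "result": "success"},
    # a successful logon whose only brute-force history is far outside the window
    {"__topic__": LOGON_TOPIC, "__time__": "1700000600",
     "src_ip": "198.51.100.2", "user": "deploy", "result": "success"},
    {"__topic__": BRUTE_FORCE_TOPIC, "__time__": "1690000000",
     "src_ip": "198.51.100.2", "user": "deploy", "result": "failed"},
]


def find_logons_after_brute_force(logs, window_seconds=3600, min_attempts=5):
    """Return successful logons whose source IP produced at least
    `min_attempts` brute-force records within `window_seconds` before the logon.
    """
    # Index brute-force attempt times per source IP, sorted for range queries.
    attempts: Dict[str, List[int]] = defaultdict(list)
    for rec in logs:
        if rec.get("__topic__") == BRUTE_FORCE_TOPIC:
            attempts[rec["src_ip"]].append(int(rec["__time__"]))
    for times in attempts.values():
        times.sort()

    hits = []
    for rec in logs:
        if rec.get("__topic__") != LOGON_TOPIC or rec.get("result") != "success":
            continue
        logon_time = int(rec["__time__"])
        times = attempts.get(rec["src_ip"], [])
        # Count attempts in the closed window [logon_time - window_seconds, logon_time].
        lo = bisect_left(times, logon_time - window_seconds)
        hi = bisect_right(times, logon_time)
        count = hi - lo
        if count >= min_attempts:
            hits.append({
                "src_ip": rec["src_ip"],
                "user": rec["user"],
                "logon_time": logon_time,
                "attempts_before": count,
            })
    return hits


if __name__ == "__main__":
    for hit in find_logons_after_brute_force(SAMPLE_LOGS):
        print(hit)
```

Run it over records exported from the sas-log Logstore with the real field names substituted for the placeholders. The window and threshold are tuning parameters; the sorted per-IP index keeps the check cheap even when one source has produced thousands of attempts.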

Security log types

  • Vulnerability logs
    __topic__: sas-vul-log
    Description: Logs of vulnerabilities that are detected in systems or applications, including the vulnerability name, vulnerability status, and handling action. You can obtain information about the vulnerabilities, security risks, and attack trends in the system, and take proper measures at the earliest opportunity based on vulnerability logs.
    Collection cycle: Logs are collected in real time.

  • Baseline logs
    __topic__: sas-hc-log
    Description: Logs of baseline check results, including the baseline severity, baseline type, and risk level. You can obtain the baseline security status and potential risks in the system based on baseline logs.
    Note: A record is written only for check items that fail a check for the first time, and for check items that passed previous checks but fail a new check.

  • Alert logs
    __topic__: sas-security-log
    Description: Logs of security events and alerts generated in the system and applications, including the alert data source, alert details, and alert level. You can obtain the security events and threats in the system and take proper measures at the earliest opportunity based on alert logs.

  • Configuration assessment logs
    __topic__: sas-cspm-log
    Description: Logs related to configuration assessment, including the check results of configuration assessment and the operations that add risk items to the whitelist. You can obtain information about the errors and potential risks in the configurations of cloud services based on configuration assessment logs.

  • Network defense logs
    __topic__: sas-net-block
    Description: Logs of network attack events, including key information such as the attack type, source IP address, and destination IP address. You can obtain network security events and implement proper response and defense measures to improve network security and reliability based on network defense logs.

  • Application protection logs
    __topic__: sas-rasp-log
    Description: Logs of attacks on applications, including key information such as the attack type, attack pattern, and attacker IP address. You can obtain information about the security events that occur in applications and implement proper response and defense measures to improve application security and reliability based on application protection logs.
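The note on baseline logs above has a practical consequence: a check item that fails on every run produces one record, at its first failure, so the absence of a recent sas-hc-log record for an item does not mean the item now passes. The following Python is an added example, not Alibaba Cloud's code. It models the stated recording rule over a constructed sequence of check results and contrasts what the log would contain with the true current state; the field names check_id, state and time are assumed placeholders, not the documented schema of sas-hc-log.

```python
"""Recording rule for Security Center baseline logs (sas-hc-log), modelled in code.

Added example, not Alibaba Cloud's code. The page states that a baseline record
is written only when a check item fails for the first time or when an item that
passed earlier fails again. The check_id, state and time field names and the
sample results below are ASSUMED placeholders.
"""
from typing import Dict, Iterable, List, Optional

PASS, FAIL = "pass", "fail"

# Constructed check results in chronological order (not real data).
SAMPLE_RESULTS: List[Dict[str, str]] = [
    {"time": "day1", "check_id": "ssh-root-login", "state": FAIL},   # first failure: record
    {"time": "day1", "check_id": "password-policy", "state": FAIL},  # first failure: record
    {"time": "day1", "check_id": "firewall-enabled", "state": PASS},
    {"time": "day2", "check_id": "ssh-root-login", "state": FAIL},   # still failing: no record
    {"time": "day2", "check_id": "password-policy", "state": PASS},  # fixed: no record
    {"time": "day2", "check_id": "firewall-enabled", "state": PASS},
    {"time": "day3", "check_id": "ssh-root-login", "state": FAIL},   # still failing: no record
    {"time": "day3", "check_id": "password-policy", "state": FAIL},  # pass-to-fail regression: record
    {"time": "day3", "check_id": "firewall-enabled", "state": PASS},
]


def baseline_records(results: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of check results that would appear as sas-hc-log
    records: first failures and pass-to-fail regressions only."""
    last_state: Dict[str, Optional[str]] = {}
    emitted: List[Dict[str, str]] = []
    for result in results:
        check_id, state = result["check_id"], result["state"]
        previous = last_state.get(check_id)  # None when the item has never been checked
        if state == FAIL and previous != FAIL:
            emitted.append(result)
        last_state[check_id] = state
    return emitted


def currently_failing(results: Iterable[Dict[str, str]]) -> List[str]:
    """Items failing as of the latest result, computed from the full result
    stream rather than from the log: this is the state the log alone cannot
    give you, because a persistently failing item stops producing records."""
    last_state: Dict[str, str] = {}
    for result in results:
        last_state[result["check_id"]] = result["state"]
    return sorted(cid for cid, state in last_state.items() if state == FAIL)


if __name__ == "__main__":
    for record in baseline_records(SAMPLE_RESULTS):
        print(record["time"], record["check_id"])
    print("currently failing:", currently_failing(SAMPLE_RESULTS))
```

In the sample, the only day3 record concerns password-policy, yet ssh-root-login is still failing on day3. To report current baseline status, read the state from the Security Center console or keep the last known state of every item yourself rather than counting recent sas-hc-log records.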

Billing

  • If the pay-by-feature billing mode is used for the dedicated Logstore, you are not charged for the read and write traffic, index traffic, storage, number of shards, or number of read and write operations in the dedicated Logstore. You are charged for Internet traffic, data transformation, and data shipping. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.

  • If the dedicated Logstore uses the pay-by-ingested-data billing mode, you are not charged for the read and write traffic, index traffic, storage, number of shards, number of read and write operations, data transformation, or data shipping in the dedicated Logstore. You are charged only for read traffic over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.

  • The fees that are generated for the log analysis feature are included in the bills of Security Center. For more information, see Billing overview.
