This topic describes the fields in the 16 types of Security Center logs.
Network logs
DNS logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-log-dns. |
additional | The additional field. Multiple fields are separated with vertical bars (|). |
additional_num | The number of additional fields. |
answer | The Domain Name System (DNS) response. Multiple responses are separated with vertical bars (|). |
answer_num | The number of DNS responses. |
authority | The authority field. |
authority_num | The number of authority fields. |
client_subnet | The subnet of the client. |
dst_ip | The destination IP address. |
dst_port | The destination port. |
in_out | The direction of data transmission. Valid values: |
qid | The ID of the query. |
qname | The domain name that is queried. |
qtype | The type of the query. |
query_datetime | The timestamp of the query. Unit: milliseconds. |
rcode | The response code. |
region | The ID of the source region. Valid values: |
response_datetime | The response time. |
src_ip | The source IP address. |
src_port | The source port. |
Internal DNS logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: local-dns. |
answer_rda | The DNS response. Multiple responses are separated with vertical bars (|). |
answer_ttl | The time to live (TTL) of the DNS response. Multiple TTLs are separated with vertical bars (|). |
answer_type | The type of the DNS response. Multiple types are separated with vertical bars (|). |
anwser_name | The name of the DNS response. Multiple names are separated with vertical bars (|). |
dest_ip | The destination IP address. |
dest_port | The destination port. |
group_id | The group ID. |
hostname | The name of the host. |
id | The ID of the query. |
instance_id | The instance ID. |
internet_ip | The public IP address. |
ip_ttl | The TTL of the IP address. |
query_name | The domain name that is queried. |
query_type | The type of the query. Valid values: |
src_ip | The source IP address. |
src_port | The source port. |
time | The timestamp of the query. Unit: seconds. |
time_usecond | The response duration. Unit: microseconds. |
tunnel_id | The ID of the tunnel. |
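The internal DNS log stores each DNS answer across four parallel fields (anwser_name, answer_type, answer_ttl, answer_rda), each a vertical-bar-separated list. The following is an added example, not Security Center code, that zips those lists back into one record per answer; it assumes the log is delivered as a flat dict of string fields named as in the table and treats a length mismatch between the four lists as a malformed record. The sample record is constructed.

```python
from dataclasses import dataclass

# Constructed sample record (not a real log). The field name 'anwser_name'
# is spelled exactly as in the Security Center field table.
SAMPLE_LOCAL_DNS_LOG = {
    "__topic__": "local-dns",
    "query_name": "www.example.com",
    "query_type": "A",
    "anwser_name": "www.example.com|edge.example.net",
    "answer_type": "CNAME|A",
    "answer_ttl": "300|60",
    "answer_rda": "edge.example.net|192.0.2.10",
    "src_ip": "10.0.0.5",
    "time": "1700000000",
    "time_usecond": "1250",
}

PARALLEL_ANSWER_FIELDS = ("anwser_name", "answer_type", "answer_ttl", "answer_rda")


@dataclass(frozen=True)
class DnsAnswer:
    name: str
    rtype: str
    ttl: int
    rdata: str


def split_multi(value: str) -> list[str]:
    """Split a '|'-separated multi-value field; an empty field has no entries."""
    return value.split("|") if value else []


def parse_local_dns_answers(log: dict) -> list[DnsAnswer]:
    """Zip the four parallel answer fields into one DnsAnswer per response."""
    if log.get("__topic__") != "local-dns":
        raise ValueError("not an internal DNS log (__topic__ != local-dns)")
    columns = [split_multi(log.get(field, "")) for field in PARALLEL_ANSWER_FIELDS]
    lengths = {len(col) for col in columns}
    if len(lengths) != 1:
        # Assumption: a length mismatch means the record is malformed, not recoverable.
        raise ValueError(f"parallel answer fields differ in length: {sorted(lengths)}")
    return [DnsAnswer(name, rtype, int(ttl), rdata)
            for name, rtype, ttl, rdata in zip(*columns)]


def is_well_formed(log: dict) -> bool:
    """True when the answer fields can be parsed into aligned records."""
    try:
        parse_local_dns_answers(log)
        return True
    except ValueError:
        return False


def resolved_addresses(log: dict) -> list[str]:
    """Terminal answers only (CNAME hops dropped), e.g. the A/AAAA rdata."""
    return [a.rdata for a in parse_local_dns_answers(log) if a.rtype != "CNAME"]


def short_ttl_answers(log: dict, max_ttl: int = 60) -> list[DnsAnswer]:
    """Answers whose TTL is at or below max_ttl, a common hunting filter."""
    return [a for a in parse_local_dns_answers(log) if a.ttl <= max_ttl]
```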
Network session logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-log-session. |
asset_type | The type of the asset from which the log is collected. Valid values: |
dst_ip | The destination IP address. |
dst_port | The destination port. |
proto | The type of the protocol. Valid values: |
session_time | The time when the session starts. |
src_ip | The source IP address. |
src_port | The source port. |
Web access logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-log-http. |
content_length | The length of the message body. Unit: bytes. |
dst_ip | The destination IP address. |
dst_port | The destination port. |
host | The host that is accessed. |
jump_location | The redirection address. |
method | The HTTP request method. |
referer | The HTTP Referer header, which contains the URL of the web page that linked to the requested resource. |
request_datetime | The time when the request is initiated. |
ret_code | The HTTP status code returned. |
rqs_content_type | The type of the request content. |
rsp_content_type | The type of the response content. |
src_ip | The source IP address. |
src_port | The source port. |
uri | The request URI. |
user_agent | The user agent that initiates the request. |
x_forward_for | The routing information, taken from the X-Forwarded-For header, which lists the client and proxy IP addresses that the request passed through. |
Security logs
Vulnerability logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-vul-log. |
name | The name of the vulnerability. |
alias_name | The alias of the vulnerability. |
op | The operation that is performed on the vulnerability. Valid values: |
status | The status of the vulnerability. |
tag | The tag that is added to the vulnerability. Valid values: |
type | The type of the vulnerability. Valid values: |
uuid | The UUID of the server. |
Baseline logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-hc-log. |
level | The severity of the risk item. Valid values: |
op | The operation. Valid values: |
risk_name | The name of the risk item. |
status | The information about the status. For more information, see Status codes in security logs. |
sub_type_alias | The alias of the baseline subtype in Chinese. |
sub_type_name | The name of the baseline subtype. |
type_name | The name of the baseline type. |
type_alias | The alias of the baseline type in Chinese. |
uuid | The UUID of the server on which the risk item is detected. |
Baseline types and subtypes
Type name | Subtype name | Description |
--- | --- | --- |
hc_exploit | hc_exploit_redis | High risk exploit - Redis unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_activemq | High risk exploit - ActiveMQ unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_couchdb | High risk exploit - CouchDB unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_docker | High risk exploit - Docker unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_es | High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_hadoop | High risk exploit - Hadoop unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_jboss | High risk exploit - Jboss unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_jenkins | High risk exploit - Jenkins unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_k8s_api | High risk exploit - Kubernetes-Apiserver unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_ldap | High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows) |
hc_exploit | hc_exploit_ldap_linux | High risk exploit - OpenLDAP unauthorized access high exploit vulnerability risk (Linux) |
hc_exploit | hc_exploit_memcache | High risk exploit - Memcached unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_mongo | High risk exploit - Mongodb unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_pgsql | High risk exploit - PostgreSQL unauthorized access high exploit vulnerability risk baseline |
hc_exploit | hc_exploit_rabbitmq | High risk exploit - RabbitMQ unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_rsync | High risk exploit - rsync unauthorized access high exploit vulnerability risk |
hc_exploit | hc_exploit_tomcat | High risk exploit - Apache Tomcat AJP file inclusion vulnerability risk |
hc_exploit | hc_exploit_zookeeper | High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk |
hc_container | hc_docker | Alibaba Cloud standard - Docker security baseline check |
hc_container | hc_middleware_ack_master | CIS standard - Kubernetes (ACK) master node security baseline check |
hc_container | hc_middleware_ack_node | CIS standard - Kubernetes (ACK) node security baseline check |
hc_container | hc_middleware_k8s | Alibaba Cloud standard - Kubernetes master node security baseline check |
hc_container | hc_middleware_k8s_node | Alibaba Cloud standard - Kubernetes node security baseline check |
cis | hc_suse 15_djbh | SUSE Linux 15 compliance baseline check for Multi-Level Protection Scheme (MLPS) Level 3 |
cis | hc_aliyun_linux3_djbh_l3 | Alibaba Cloud Linux 3 compliance baseline check for MLPS Level 3 |
cis | hc_aliyun_linux_djbh_l3 | Alibaba Cloud Linux/Alibaba Cloud Linux (Alinux) 2 compliance baseline check for MLPS Level 3 |
cis | hc_bind_djbh | Bind compliance baseline check for MLPS Level 3 |
cis | hc_centos 6_djbh_l3 | CentOS Linux 6 compliance baseline check for MLPS Level 3 |
cis | hc_centos 7_djbh_l3 | CentOS Linux 7 compliance baseline check for MLPS Level 3 |
cis | hc_centos 8_djbh_l3 | CentOS Linux 8 compliance baseline check for MLPS Level 3 |
cis | hc_debian_djbh_l3 | Debian Linux 8/9/10 compliance baseline check for MLPS Level 3 |
cis | hc_iis_djbh | IIS compliance baseline check for MLPS Level 3 |
cis | hc_informix_djbh | Informix compliance baseline check for MLPS Level 3 |
cis | hc_jboss_djbh | Jboss compliance baseline check for MLPS Level 3 |
cis | hc_mongo_djbh | MongoDB compliance baseline check for MLPS Level 3 |
cis | hc_mssql_djbh | SQL Server compliance baseline check for MLPS Level 3 |
cis | hc_mysql_djbh | MySQL compliance baseline check for MLPS Level 3 |
cis | hc_nginx_djbh | Nginx compliance baseline check for MLPS Level 3 |
cis | hc_oracle_djbh | Oracle compliance baseline check for MLPS Level 3 |
cis | hc_pgsql_djbh | PostgreSQL compliance baseline check for MLPS Level 3 |
cis | hc_redhat 6_djbh_l3 | Red Hat Enterprise Linux 6 compliance baseline check for MLPS Level 3 |
cis | hc_redhat_djbh_l3 | Red Hat Enterprise Linux 7 compliance baseline check for MLPS Level 3 |
cis | hc_redis_djbh | Redis compliance baseline check for MLPS Level 3 |
cis | hc_suse 10_djbh_l3 | SUSE Linux 10 compliance baseline check for MLPS Level 3 |
cis | hc_suse 12_djbh_l3 | SUSE Linux 12 compliance baseline check for MLPS Level 3 |
cis | hc_suse_djbh_l3 | SUSE Linux 11 compliance baseline check for MLPS Level 3 |
cis | hc_ubuntu 14_djbh_l3 | Ubuntu 14 compliance baseline check for MLPS Level 3 |
cis | hc_ubuntu_djbh_l3 | Ubuntu 16/18/20 compliance baseline check for MLPS Level 3 |
cis | hc_was_djbh | WebSphere Application Server compliance baseline check for MLPS Level 3 |
cis | hc_weblogic_djbh | WebLogic compliance baseline check for MLPS Level 3 |
cis | hc_win 2008_djbh_l3 | Windows Server 2008 R2 compliance baseline check for MLPS Level 3 |
cis | hc_win 2012_djbh_l3 | Windows Server 2012 R2 compliance baseline check for MLPS Level 3 |
cis | hc_win 2016_djbh_l3 | Windows Server 2016/2019 compliance baseline check for MLPS Level 3 |
cis | hc_aliyun_linux_djbh_l2 | Alibaba Cloud Linux/Alibaba Cloud Linux (Alinux) 2 compliance baseline check for MLPS Level 2 |
cis | hc_centos 6_djbh_l2 | CentOS Linux 6 compliance baseline check for MLPS Level 2 |
cis | hc_centos 7_djbh_l2 | CentOS Linux 7 compliance baseline check for MLPS Level 2 |
cis | hc_debian_djbh_l2 | Debian Linux 8 compliance baseline check for MLPS Level 2 |
cis | hc_redhat 7_djbh_l2 | Red Hat Enterprise Linux 7 compliance baseline check for MLPS Level 2 |
cis | hc_ubuntu_djbh_l2 | Linux Ubuntu 16/18 compliance baseline check for MLPS Level 2 |
cis | hc_win 2008_djbh_l2 | Windows Server 2008 R2 compliance baseline check for MLPS Level 2 |
cis | hc_win 2012_djbh_l2 | Windows Server 2012 R2 compliance baseline check for MLPS Level 2 |
cis | hc_win 2016_djbh_l2 | Windows Server 2016/2019 compliance baseline check for MLPS Level 2 |
cis | hc_aliyun_linux_cis | CIS standard - Alibaba Cloud Linux/Alibaba Cloud Linux (Alinux) 2 security baseline check |
cis | hc_centos 6_cis_rules | CIS standard - CentOS Linux 6 security baseline check |
cis | hc_centos 7_cis_rules | CIS standard - CentOS Linux 7 security baseline check |
cis | hc_centos 8_cis_rules | CIS standard - CentOS Linux 8 security baseline check |
cis | hc_debian 8_cis_rules | CIS standard - Debian Linux 8 security baseline check |
cis | hc_ubuntu 14_cis_rules | CIS standard - Ubuntu Linux 14 LTS security baseline check |
cis | hc_ubuntu 16_cis_rules | CIS standard - Ubuntu Linux 16/18/20 LTS security baseline check |
cis | hc_win 2008_cis_rules | CIS standard - Windows Server 2008 R2 security baseline check |
cis | hc_win 2012_cis_rules | CIS standard - Windows Server 2012 R2 security baseline check |
cis | hc_win 2016_cis_rules | CIS standard - Windows Server 2016/2019 R2 security baseline check |
cis | hc_kylin_djbh_l3 | Kylin compliance baseline check for MLPS Level 3 |
cis | hc_uos_djbh_l3 | UOS compliance baseline check for MLPS Level 3 |
hc_best_security | hc_aliyun_linux | Alibaba Cloud standard - Alibaba Cloud Linux/Alibaba Cloud Linux (Alinux) 2 security baseline check |
hc_best_security | hc_centos 6 | Alibaba Cloud standard - CentOS Linux 6 security baseline check |
hc_best_security | hc_centos 7 | Alibaba Cloud standard - CentOS Linux 7/8 security baseline check |
hc_best_security | hc_debian | Alibaba Cloud standard - Debian Linux 8/9/10 security baseline check |
hc_best_security | hc_redhat 6 | Alibaba Cloud standard - Red Hat Enterprise Linux 6 security baseline check |
hc_best_security | hc_redhat 7 | Alibaba Cloud standard - Red Hat Enterprise Linux 7/8 security baseline check |
hc_best_security | hc_ubuntu | Alibaba Cloud standard - Ubuntu security baseline check |
hc_best_security | hc_windows_2008 | Alibaba Cloud standard - Windows Server 2008 R2 security baseline check |
hc_best_security | hc_windows_2012 | Alibaba Cloud standard - Windows Server 2012 R2 security baseline check |
hc_best_security | hc_windows_2016 | Alibaba Cloud standard - Windows Server 2016/2019 security baseline check |
hc_best_security | hc_db_mssql | Alibaba Cloud standard - SQL Server security baseline check |
hc_best_security | hc_memcached_ali | Alibaba Cloud standard - Memcached security baseline check |
hc_best_security | hc_mongodb | Alibaba Cloud standard - MongoDB version 3.x security baseline check |
hc_best_security | hc_mysql_ali | Alibaba Cloud standard - MySQL security baseline check |
hc_best_security | hc_oracle | Alibaba Cloud standard - Oracle 11g security baseline check |
hc_best_security | hc_pgsql_ali | Alibaba Cloud standard - PostgreSQL security baseline check |
hc_best_security | hc_redis_ali | Alibaba Cloud standard - Redis security baseline check |
hc_best_security | hc_apache | Alibaba Cloud standard - Apache security baseline check |
hc_best_security | hc_iis_8 | Alibaba Cloud standard - IIS 8 security baseline check |
hc_best_security | hc_nginx_linux | Alibaba Cloud standard - Nginx security baseline check |
hc_best_security | hc_suse 15 | Alibaba Cloud standard - SUSE Linux 15 security baseline check |
hc_best_security | tomcat 7 | Alibaba Cloud standard - Apache Tomcat security baseline check |
weak_password | hc_mongodb_pwd | Weak password - MongoDB logon weak password check (version 2.x supported) |
weak_password | hc_weakpwd_ftp_linux | Weak password - FTP logon weak password check |
weak_password | hc_weakpwd_linux_sys | Weak password - Linux logon weak password check |
weak_password | hc_weakpwd_mongodb 3 | Weak password - MongoDB logon weak password check |
weak_password | hc_weakpwd_mssql | Weak password - SQL Server database logon weak password check |
weak_password | hc_weakpwd_mysql_linux | Weak password - MySQL database logon weak password check |
weak_password | hc_weakpwd_mysql_win | Weak password - MySQL database logon weak password check (Windows) |
weak_password | hc_weakpwd_openldap | Weak password - OpenLDAP logon weak password check |
weak_password | hc_weakpwd_oracle | Weak password - Oracle logon weak password check |
weak_password | hc_weakpwd_pgsql | Weak password - PostgreSQL database logon weak password check |
weak_password | hc_weakpwd_pptp | Weak password - pptpd logon weak password check |
weak_password | hc_weakpwd_redis_linux | Weak password - Redis database logon weak password check |
weak_password | hc_weakpwd_rsync | Weak password - rsync logon weak password check |
weak_password | hc_weakpwd_svn | Weak password - svn logon weak password check |
weak_password | hc_weakpwd_tomcat_linux | Weak password - Apache Tomcat console weak password check |
weak_password | hc_weakpwd_vnc | Weak password - VncServer weak password check |
weak_password | hc_weakpwd_weblogic | Weak password - WebLogic Server 12c logon weak password check |
weak_password | hc_weakpwd_win_sys | Weak password - Windows logon weak password check |
Status codes in security logs
Status code | Description |
--- | --- |
1 | Unfixed. |
2 | Fixing failed. |
3 | Rollback failed. |
4 | Fixing. |
5 | Rolling back. |
6 | Verifying. |
7 | Fixed. |
8 | Fixed and to be restarted. |
9 | Rolled back. |
10 | Ignored. |
11 | Rolled back and to be restarted. |
12 | No longer exists. |
20 | Expired. |
Status codes in alert logs
Status code | Description |
--- | --- |
1 | Unhandled. |
2 | Ignored. |
4 | Confirmed. |
8 | Marked as false positives. |
16 | Handling. |
32 | Handled. |
64 | Expired. |
128 | Deleted. |
512 | Automatic blocking. |
513 | Automatically blocked. |
Status codes in baseline logs
Status code | Description |
--- | --- |
1 | Failed. |
2 | Verifying. |
3 | Passed. |
5 | Expired. |
6 | Ignored. |
7 | Fixing. |
Alert logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-security-log. |
data_source | The data source. For more information, see Data sources of alerts. |
level | The risk level of the alert. Valid values: |
name | The name of the alert. |
op | The operation. Valid values: |
status | The information about the status. For more information, see Status codes in security logs. |
uuid | The UUID of the server on which the alert is generated. |
detail | The details of the alert. Note: The value of the detail field varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket to contact technical support. |
unique_info | The unique identifier of the alert. |
Data sources of alerts
Value | Description |
--- | --- |
aegis_suspicious_event | Host exceptions |
aegis_suspicious_file_v2 | Webshells |
aegis_login_log | Unusual logons |
security_event | Security Center exceptions |
Configuration assessment logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: sas-cspm-log. |
check_id | The ID of the check item. You can call the ListCheckResult operation to query the ID of the check item. For more information, see ListCheckResult. |
instance_id | The ID of the instance. |
instance_name | The name of the instance. |
instance_result | The impacts of risks. The value is a JSON string. |
instance_sub_type | The subtype of the instance. |
instance_type | The type of the instance. Valid values: |
region_id | The region ID of the instance. |
requirement_id | The requirement item ID. You can call the ListCheckStandard operation to query the ID. For more information, see ListCheckStandard. |
risk_level | The risk level. Valid values: |
section_id | The section ID. You can call the ListCheckResult operation to query the ID. For more information, see ListCheckResult. |
standard_id | The standard ID. You can call the ListCheckStandard operation to query the ID. For more information, see ListCheckStandard. |
status | The status of the check item. Valid values: |
vendor | The cloud service provider. Valid value: ALIYUN. |
Host logs
Process startup logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-log-process. |
uuid | The UUID of the server where the process runs. |
ip | The IP address of the client host. |
cmdline | The complete command to start the process. |
username | The username. |
uid | The ID of the user. |
pid | The ID of the process. |
filename | The name of the process file. |
filepath | The full path of the process file. |
groupname | The name of the user group. |
ppid | The ID of the parent process. |
pfilename | The name of the parent process file. |
pfilepath | The full path of the parent process file. |
cmd_chain | The process chain. |
containerhostname | The name of the server in the container. |
containerpid | The ID of the process in the container. |
containerimageid | The ID of the image. |
containerimagename | The name of the image. |
containername | The name of the container. |
containerid | The ID of the container. |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. |
cmd_index | The indexes of the parameters in the command line. The indexes are grouped in pairs: each pair marks the start and the end of one parameter. |
comm | The command name that is related to the process. |
gid | The ID of the process group. |
parent_cmd_line | The command line of the parent process. |
pid_start_time | The time when the parent process was started. |
srv_cmd | The command line of the ancestor process. |
stime | The time when the process was started. |
Process snapshot logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-snapshot-process. |
uuid | The UUID of the server where the process runs. |
ip | The IP address of the client host. |
cmdline | The complete command to start the process. |
pid | The process ID. |
name | The name of the process file. |
path | The full path of the process file. |
md5 | The MD5 hash value of the process file. Note: The MD5 hash is not computed for files that exceed 1 MB in size. |
pname | The name of the parent process file. |
start_time | The time when the process was started. This is a built-in field. |
user | The username. |
uid | The ID of the user. |
Logon logs
Repeated logon attempts within 1 minute are recorded in one log. The warn_count field indicates the number of logon attempts.
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-log-login. |
uuid | The UUID of the server that is logged on to. |
ip | The IP address of the client host. |
warn_ip | The source IP address. |
warn_port | The logon port. |
warn_type | The logon type. Valid values: |
warn_user | The username that is used for logon. |
warn_count | The number of logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the |
Brute-force attack logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-log-crack. |
uuid | The UUID of the server that is under the brute-force attack. |
ip | The IP address of the server. |
warn_ip | The source IP address. |
warn_port | The logon port. |
warn_type | The logon type. Valid values: |
warn_user | The username that is used for logon. |
warn_count | The number of failed logon attempts. |
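Because both the logon log and the brute-force attack log key on uuid, warn_ip and warn_user, and because warn_count already aggregates one minute of attempts, the two topics can be correlated to flag a source that logs on shortly after a burst of failed attempts against the same server. The following is an added example, not Security Center code. It assumes each log arrives as a flat dict with the field names from the tables above plus a `__time__` Unix-seconds field (the Log Service reserved timestamp), and the window, threshold, sample records and warn_type values are constructed for the example.

```python
from collections import defaultdict

WINDOW_SECONDS = 600     # assumed policy: look back 10 minutes from each logon
FAILED_THRESHOLD = 20    # assumed policy: failed attempts that count as a burst

# Constructed sample records (not real logs); IPs are from documentation ranges
# and the warn_type values are placeholders, since the page does not list them.
SAMPLE_LOGS = [
    {"__topic__": "aegis-log-crack", "__time__": "1700000000", "uuid": "srv-1",
     "ip": "10.0.0.11", "warn_ip": "198.51.100.7", "warn_port": "22",
     "warn_type": "SSH", "warn_user": "root", "warn_count": "15"},
    {"__topic__": "aegis-log-crack", "__time__": "1700000060", "uuid": "srv-1",
     "ip": "10.0.0.11", "warn_ip": "198.51.100.7", "warn_port": "22",
     "warn_type": "SSH", "warn_user": "admin", "warn_count": "12"},
    {"__topic__": "aegis-log-login", "__time__": "1700000200", "uuid": "srv-1",
     "ip": "10.0.0.11", "warn_ip": "198.51.100.7", "warn_port": "22",
     "warn_type": "SSH", "warn_user": "admin", "warn_count": "1"},
    {"__topic__": "aegis-log-crack", "__time__": "1700000300", "uuid": "srv-2",
     "ip": "10.0.0.12", "warn_ip": "203.0.113.9", "warn_port": "3389",
     "warn_type": "RDP", "warn_user": "Administrator", "warn_count": "3"},
    {"__topic__": "aegis-log-login", "__time__": "1700000330", "uuid": "srv-2",
     "ip": "10.0.0.12", "warn_ip": "203.0.113.9", "warn_port": "3389",
     "warn_type": "RDP", "warn_user": "Administrator", "warn_count": "1"},
]


def failed_attempts_by_source(logs):
    """Total warn_count of brute-force logs per (uuid, warn_ip).

    warn_count is already an aggregate: one aegis-log-crack record covers the
    failed attempts of one minute, so summing records gives the full count."""
    totals = defaultdict(int)
    for rec in logs:
        if rec["__topic__"] == "aegis-log-crack":
            totals[(rec["uuid"], rec["warn_ip"])] += int(rec["warn_count"])
    return dict(totals)


def logons_after_bruteforce(logs, window=WINDOW_SECONDS, threshold=FAILED_THRESHOLD):
    """Flag each logon whose source accumulated >= threshold failed attempts
    against the same server within `window` seconds before the logon."""
    cracks = defaultdict(list)   # (uuid, warn_ip) -> [(time, failed_count)]
    for rec in logs:
        if rec["__topic__"] == "aegis-log-crack":
            cracks[(rec["uuid"], rec["warn_ip"])].append(
                (int(rec["__time__"]), int(rec["warn_count"])))
    hits = []
    for rec in logs:
        if rec["__topic__"] != "aegis-log-login":
            continue
        logon_time = int(rec["__time__"])
        key = (rec["uuid"], rec["warn_ip"])
        recent_failed = sum(count for when, count in cracks.get(key, [])
                            if logon_time - window <= when <= logon_time)
        if recent_failed >= threshold:
            hits.append({"uuid": rec["uuid"], "warn_ip": rec["warn_ip"],
                         "warn_user": rec["warn_user"], "warn_type": rec["warn_type"],
                         "failed_before_logon": recent_failed,
                         "logon_time": logon_time})
    return hits
```

Lowering the threshold to the noise level of a given fleet is a tuning decision; the sample shows that threshold=3 would also flag the second server.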
Network connection logs
Changes in the network connections of a server are collected by the server every 10 seconds to 1 minute. The server collects the changes only from the time when a connection is established to the time when the connection ends.
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-log-network. |
uuid | The UUID of the server. |
ip | The IP address of the server. |
src_ip | The source IP address. |
src_port | The source port. |
dst_ip | The destination IP address. |
dst_port | The destination port. |
proc_name | The process name. |
proc_path | The path to the process. |
proto | The protocol. Valid values: |
status | The status of the network connection. For more information, see Status codes of network connections. |
cmd_chain | The process chain. |
pid | The process ID. |
ppid | The ID of the parent process. |
container_hostname | The name of the server in the container. |
container_pid | The ID of the process in the container. |
container_image_id | The image ID. |
container_image_name | The image name. |
container_name | The container name. |
container_id | The container ID. |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. |
parent_proc_file_name | The name of the parent process file. |
proc_start_time | The time when the process was started. |
srv_comm | The command name that is related to the ancestor process. |
uid | The ID of the user who started the process. |
username | The name of the user who started the process. |
Status codes of network connections
Status code | Description |
--- | --- |
1 | closed |
2 | listen |
3 | syn send |
4 | syn recv |
5 | established |
6 | close wait |
7 | closing |
8 | fin_wait1 |
9 | fin_wait2 |
10 | time_wait |
11 | delete_tcb |
Logs of port listening snapshots
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-snapshot-port. |
uuid | The UUID of the server. |
ip | The IP address of the server. |
proto | The communication protocol. Valid values: |
src_ip | The IP address of the listener. |
src_port | The listener port. |
pid | The process ID. |
proc_name | The process name. |
Account snapshot logs
The account snapshots contain information about the accounts that are detected in your assets.
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-snapshot-host. |
uuid | The UUID of the server. |
ip | The IP address of the server. |
user | The username. |
perm | Indicates whether you can log on to the server as a root user. Valid values: |
home_dir | The home directory. |
groups | The group to which the user belongs. The value |
last_chg | The date when the password was last modified. |
shell | The Linux shell command. |
domain | The Windows domain. The value |
tty | The device that is logged on to. The value |
warn_time | The date when you are notified of password expiration. The value |
account_expire | The date when the account expires. The value |
passwd_expire | The date when the password expires. The value |
login_ip | The IP address from which the last remote logon was initiated. The value |
last_logon | The date and time of the last logon. The value |
status | The status of the account. Valid values: |
DNS request logs
Field | Description |
--- | --- |
__topic__ | The topic of the log. Valid value: aegis-log-dns-query. |
domain | The domain name that is included in the DNS request. |
ip | The IP address that is included in the DNS request. |
pid | The ID of the process that initiates the DNS request. |
ppid | The ID of the parent process that initiates the DNS request. |
proc_cmd_chain | The chain of the process that initiates the DNS request. |
proc_cmdline | The command line of the process that initiates the DNS request. |
proc_path | The path to the process that initiates the DNS request. |
time | The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated. |
uuid | The UUID of the server that initiates the DNS request. |