Security Center: [Notice] Log dictionary upgrade to V2.0

Last Updated: Jun 04, 2026

Dear Alibaba Cloud users,

Starting August 1, 2024, Security Center upgrades log dictionaries from V1.0 to V2.0. Log dictionaries define the fields collected and stored by the log analysis feature. V2.0 uses unified field names across Alibaba Cloud security products such as Security Center and Cloud Firewall, enabling cross-product log queries.

Differences between V1.0 and V2.0 log dictionaries

  • V1.0 log dictionaries are supported by the log analysis feature until August 1, 2024. For more information, see Log types and log fields of the v1.0 log dictionaries.

  • On August 1, 2024, Security Center releases V2.0 log dictionaries. V2.0 adds new log fields and renames some existing fields (field meanings remain unchanged), and supports log collection across multiple Alibaba Cloud security services. For supported fields and descriptions, see Log categories and fields.

The following lists the differences between V1.0 and V2.0 log dictionaries. Unlisted fields remain the same in both versions.

  • Network logs

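    Differences between V1.0 and V2.0 log dictionaries

    | Log type | Change type | Field name V1.0 | Field name V2.0 |
    |---|---|---|---|
    | Web Access Log | Field name change | content_length | response_content_length |
    | Web Access Log | Field name change | method | request_method |
    | Web Access Log | Field name change | referer | http_referer |
    | Web Access Log | Field name change | ret_code | status |
    | Web Access Log | Field name change | rqs_content_type | content_type |
    | Web Access Log | Field name change | rsp_content_type | response_content_type |
    | Web Access Log | Field name change | uri | request_uri |
    | Web Access Log | Field name change | user_agent | http_user_agent |
    | Web Access Log | Field name change | x_forward_for | http_x_forward_for |
    | DNS Log | Field name change | in_out | net_connect_dir |
    | DNS Log | Field name change | qname | query_name |
    | DNS Log | Field name change | qtype | query_type |
    | Network Session Log | Field name change | in_out | net_connect_dir |
    | Network Session Log | Field name change | proto | l4_proto |
    | Local DNS Log | Field name change | dest_ip | dst_ip |
    | Local DNS Log | Field name change | dest_port | dst_port |
    | Local DNS Log | Field name change | hostname | host |
    | Local DNS Log | Field name change | time | start_time |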

  • Host logs

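    Differences between V1.0 and V2.0 log dictionaries

    | Log type | Change type | Field name V1.0 | Field name V2.0 |
    |---|---|---|---|
    | Logon Log | Field name change | ip | host_ip |
    | Logon Log | Field name change | warn_ip | src_ip |
    | Logon Log | Field name change | warn_port | dst_port |
    | Logon Log | Field name change | warn_type | login_type |
    | Logon Log | Field name change | warn_user | username |
    | Logon Log | Field name change | warn_count | login_count |
    | Logon Log | New field | None | start_time |
    | Network Connection Log | Field name change | dir | net_connect_dir |
    | Network Connection Log | Field name change | ip | host_ip |
    | Network Connection Log | Field name change | parent_proc_file_name | parent_proc_name |
    | Network Connection Log | Field name change | proc_stime | proc_start_time |
    | Network Connection Log | Field name change | proto | connection_type |
    | Network Connection Log | New field | None | start_time |
    | Process Startup Log | Field name change | containerhostname | container_hostname |
    | Process Startup Log | Field name change | containerid | container_id |
    | Process Startup Log | Field name change | containerimageid | container_image_id |
    | Process Startup Log | Field name change | containerimagename | container_image_name |
    | Process Startup Log | Field name change | containername | container_name |
    | Process Startup Log | Field name change | containerpid | container_pid |
    | Process Startup Log | Field name change | filename | proc_name |
    | Process Startup Log | Field name change | filepath | proc_path |
    | Process Startup Log | Field name change | ip | host_ip |
    | Process Startup Log | Field name change | pfilename | parent_proc_name |
    | Process Startup Log | Field name change | pfilepath | parent_proc_path |
    | Process Startup Log | Field name change | stime | proc_start_time |
    | Process Startup Log | Field name change | pstime | parent_proc_start_time |
    | Process Startup Log | New field | None | start_time |
    | Brute-force Attack Log | Field name change | ip | host_ip |
    | Brute-force Attack Log | Field name change | warn_count | login_count |
    | Brute-force Attack Log | Field name change | warn_ip | src_ip |
    | Brute-force Attack Log | Field name change | warn_type | login_type |
    | Brute-force Attack Log | Field name change | warn_port | dst_port |
    | Brute-force Attack Log | Field name change | warn_user | username |
    | Brute-force Attack Log | New field | None | start_time |
    | Account Snapshot Log | Field name change | ip | host_ip |
    | Account Snapshot Log | Field name change | user | username |
    | Account Snapshot Log | New field | None | start_time |
    | Network Snapshot Log | Field name change | dir | net_connect_dir |
    | Network Snapshot Log | Field name change | ip | host_ip |
    | Network Snapshot Log | Field name change | proto | connection_type |
    | Network Snapshot Log | New field | None | start_time |
    | Process Snapshot Log | Field name change | ip | host_ip |
    | Process Snapshot Log | Field name change | name | proc_name |
    | Process Snapshot Log | Field name change | path | proc_path |
    | Process Snapshot Log | Field name change | start_time | proc_start_time |
    | Process Snapshot Log | New field | None | start_time |
    | DNS Query Log | Field name change | ip | host_ip |
    | DNS Query Log | Field name change | proc_cmdline | cmdline |
    | DNS Query Log | Field name change | proc_cmd_chain | cmd_chain |
    | DNS Query Log | New field | None | start_time |
    | Client Event Log | Field name change | client_ip | host_ip |
    | Client Event Log | New field | None | start_time |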

  • Security logs

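    Differences between V1.0 and V2.0 log dictionaries

    | Log type | Change type | Field name V1.0 | Field name V2.0 |
    |---|---|---|---|
    | Vulnerability Log | Field name change | alias_name | vul_alias_name |
    | Vulnerability Log | Field name change | necessity | risk_level |
    | Vulnerability Log | Field name change | machine_name | instance_name |
    | Vulnerability Log | Field name change | name | vul_name |
    | Vulnerability Log | Field name change | op | operation |
    | Vulnerability Log | New field | None | start_time |
    | Baseline Log | Field name change | check_item | check_item_name |
    | Baseline Log | Field name change | check_level | check_item_level |
    | Baseline Log | Field name change | level | risk_level |
    | Baseline Log | Field name change | op | operation |
    | Baseline Log | Field name change | sub_type_alias | sub_type_alias_name |
    | Baseline Log | Field name change | type_alias | type_alias_name |
    | Baseline Log | New field | None | start_time |
    | Alert Log | Field name change | op | operation |
    | Alert Log | New field | None | start_time |
    | Configuration Assessment Log | Field name change | check_show_name | check_item_name |
    | Configuration Assessment Log | New field | None | start_time |
    | Network Defense Log | Field name change | dest_ip | dst_ip |
    | Network Defense Log | Field name change | dest_port | dst_port |
    | Network Defense Log | Field name change | model | final_action |
    | Network Defense Log | New field | None | start_time |
    | Application Protection Log | Field name change | confidence | confidence_level |
    | Application Protection Log | Field name change | content | request_body |
    | Application Protection Log | Field name change | content_length | request_content_length |
    | Application Protection Log | Field name change | ip | host_ip |
    | Application Protection Log | Field name change | jdk | jdk_version |
    | Application Protection Log | Field name change | method | request_method |
    | Application Protection Log | Field name change | os | platform |
    | Application Protection Log | Field name change | os_arch | arch |
    | Application Protection Log | Field name change | os_version | kernel_version |
    | Application Protection Log | Field name change | remote | src_ip |
    | Application Protection Log | Field name change | result | final_action |
    | Application Protection Log | Field name change | rule_result | rule_action |
    | Application Protection Log | Field name change | severity | risk_level |
    | Application Protection Log | New field | None | start_time |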

Automatic upgrade schedule

  • Starting August 1, 2024, V2.0 log dictionaries are automatically applied when you create Logstores by purchasing the Security Center log analysis feature.

  • For Logstores created before August 1, 2024, Security Center plans to automatically use V2.0 log dictionaries to record the fields of logs that are delivered later than October 30, 2024. Before October 30, 2024, you can continue to use V1.0 log dictionaries or manually upgrade the dictionaries to V2.0. The upgrade does not affect stored data or historical data integrity and availability.

If you encounter issues or require assistance during the upgrade, submit a ticket.

Upgrade impact

  • If you have not purchased the log analysis feature, this upgrade does not affect you.

  • If you purchased the log analysis feature before August 1, 2024, and consume logs or use custom alerts in the following scenarios, take action accordingly. You can manually upgrade log dictionaries to V2.0 when you use applications that consume log analysis data.

Note

If you cannot complete the secondary development before October 30, 2024, go to the Security Center console to request a 3-month extension. This way, the system automatically upgrades log dictionaries on January 30, 2025. Complete secondary development and manually upgrade to V2.0 before January 30, 2025.

Scenario: Query data in Simple Log Service

Solution: After the upgrade, use V2.0 field names in your queries.

Scenario: Deliver Simple Log Service data to external databases for association analysis

Solution:

  1. Modify the field mappings between the data stored in Simple Log Service (SLS) and other databases. For more information, see Manage a data shipping job.

    Add mappings for the renamed fields and the newly added fields so that logs that use V2.0 dictionaries can be delivered and the data already delivered in V1.0 format remains unaffected.

  2. Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0.

  3. Verify that log delivery tasks complete successfully and the delivered data meets expectations.

Scenario: Configure custom alert rules based on Simple Log Service log fields

Solution:

  1. Modify custom alert rules before October 30, 2024 so that the rules take effect after V2.0 log dictionaries are applied. For more information about how to modify an alert rule, see Manage alert rules.

  2. Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0.

Scenario: Deliver Simple Log Service data to external databases for secondary development and reporting

Solution:

  1. Complete secondary development based on V2.0 log dictionaries before October 30, 2024.

  2. Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0.

  3. Check whether the logs are delivered and whether the data delivered to the database meets expectations.
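For the delivery and alerting scenarios above, a downstream consumer can normalize records to V2.0 names during the cutover so that detections keep matching both old and new logs. The following is an added example, not Alibaba Cloud code: the function names, the use of the page's display names as log-type keys, and the sample record are assumptions, and only three log types from the tables are included. It treats `start_time` in Process Snapshot Log with care, because that name is a renamed V1.0 field and also a new V2.0 field.

```python
# V1.0 -> V2.0 renames copied from this page's tables (three log types only).
# Keys are the page's display names, used here as hypothetical log-type ids.
RENAMES = {
    "Logon Log": {
        "ip": "host_ip", "warn_ip": "src_ip", "warn_port": "dst_port",
        "warn_type": "login_type", "warn_user": "username",
        "warn_count": "login_count",
    },
    "Process Snapshot Log": {
        "ip": "host_ip", "name": "proc_name", "path": "proc_path",
        "start_time": "proc_start_time",
    },
    "Network Defense Log": {
        "dest_ip": "dst_ip", "dest_port": "dst_port", "model": "final_action",
    },
}
# Listed on the page as a new V2.0 field for all three log types above.
NEW_IN_V2 = {"start_time"}


def dictionary_version(log_type, record):
    """Classify a record as 'v1', 'v2', 'mixed' or 'unknown' by field names."""
    renames = RENAMES[log_type]
    # Names valid in both versions (start_time for Process Snapshot Log)
    # prove nothing, so only version-exclusive names count as evidence.
    v1_only = set(renames) - NEW_IN_V2 - set(renames.values())
    v2_only = (set(renames.values()) | NEW_IN_V2) - set(renames)
    has_v1 = bool(v1_only & record.keys())
    has_v2 = bool(v2_only & record.keys())
    if has_v1 and has_v2:
        return "mixed"
    return "v1" if has_v1 else "v2" if has_v2 else "unknown"


def to_v2(log_type, record):
    """Return a copy of record that uses V2.0 field names."""
    renames = RENAMES[log_type]
    version = dictionary_version(log_type, record)
    ambiguous = set(renames) & NEW_IN_V2 & record.keys()
    if version == "mixed" or (version == "unknown" and ambiguous):
        raise ValueError(f"cannot determine dictionary version: {sorted(record)}")
    if version != "v1":
        return dict(record)  # already V2.0, or nothing to rename
    return {renames.get(key, key): value for key, value in record.items()}


if __name__ == "__main__":
    # Constructed V1.0 record, not real log data.
    sample = {"ip": "10.0.0.5", "name": "sshd", "start_time": "1722300000"}
    print(to_v2("Process Snapshot Log", sample))
```

Records that raise `ValueError` are worth routing to a review queue rather than dropping, since a blind rename of `start_time` on a V2.0 record would overwrite `proc_start_time`.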

Manually upgrade log dictionaries to V2.0

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Log Analysis.

  3. In the upper-right corner of the Log Analysis page, move the pointer over Dictionary Version: V1.0 and click Upgrade Now.

  4. In the Upgrade Notes message, click Upgrade Now.