
Security Center: [Notice] CTDR upgrade

Last Updated: Aug 19, 2025

Cloud Threat Detection and Response (CTDR) has been upgraded to version 2.0, which allows seamless integration of standardized logs from third-party cloud providers and offline IDC security vendors. The upgrade also changes the log fields.

Affected users

Alibaba Cloud users who activated CTDR on or before April 3, 2025.

Warning
  • In multi-account setups, member accounts without CTDR orders will lose access to CTDR after the upgrade. To use CTDR, these accounts must purchase it separately.

  • The delegated administrator (DA) can still add logs from member accounts through the Integration Center - Multi-account Access feature, regardless of whether the member accounts purchased CTDR.

  • You must upgrade each site separately because the China site (aliyun.com) and the international site (alibabacloud.com) have separate data and tasks for CTDR.

Upgrade time

  • The system will automatically upgrade all accounts on October 15, 2025.

  • You can also log on to the Security Center console between June 30, 2025 (inclusive) and October 15, 2025, complete the upgrade assessment according to the upgrade guide, and click Upgrade Now to perform a self-service upgrade.

Note

If you need to extend the upgrade transition period due to special scenarios (such as business compatibility testing or device maintenance), submit a ticket.

Impacts on legacy orders

  • Affected scope: Subscription orders that purchased only CTDR log storage capacity on or before April 26, 2024.

  • To enable CTDR 2.0 features, you need to activate Log data to add or Log storage capacity. After upgrading legacy orders, Log data to add will be automatically configured to ensure the normal operation of services without additional charges. However, there are limits on the added data. The formula for calculating the log data quota is as follows:

    Log data to add = CTDR log storage capacity/30 × 1.2 (compatibility coefficient), with the calculation result rounded up to the nearest multiple of 10.

    Note

    For example:

    Before upgrade: Log storage capacity (GB/month) = 3000 (GB/month).

    After upgrade: Log storage capacity (GB/month) = 3000 (GB/month), Log data to add (GB/day) = 3000/30 × 1.2 = 120 (GB/day).

  • Orders after April 26, 2024 are not affected in terms of cost. The quotas for Log data to add and Log storage capacity will remain unchanged for those orders.

CTDR 1.0 vs 2.0

CTDR features, logs, and alert fields will be upgraded to version 2.0. For field changes, see Standardized log field changes. Historical data delivered to Logstores will not be deleted and will keep the 1.0 structure. The differences between 1.0 and 2.0 are as follows:

Feature

CTDR 1.0

CTDR 2.0

Service integration

  • Designed around Alibaba Cloud's cloud-native services, CTDR 1.0 uses a service-to-service integration approach.

  • Supports logs from other cloud service providers and on-premises security vendors, with strict structural requirements for log integration.

  • Upgrades to Integration Center, enabling standardized log integration.

  • Supports logs from Alibaba Cloud cloud-native services, other cloud service providers, and on-premises security vendors, with two standardized log integration methods: "real-time consumption" and "scan query."

Important
  • Logs already integrated with CTDR 1.0 will remain intact.

Rule management

  • Features a graphical interface for configuring custom rules.

  • Upgrades to SQL syntax for custom rules, utilizing batch processing for threat detection and enabling historical data analysis.

  • Supports custom rules based on playbooks.

Log management

  • Utilizes a single Logstore for wide table storage, with all logs stored in the Logstore (cloud_siem) of the project (cloud_siem-data-Alibaba Cloud account-RegionID).

  • Does not support direct delivery of Security Center cloud-native audit logs; logs must be delivered after service integration.

  • Delivery is based on integrated vendors and services.

  • Comes with multiple standardized Logstores.

    Important

    After the upgrade, new logs will not be written to the V1.0 Logstore (cloud_siem), but historical logs can still be queried. New logs will be directed to corresponding new Logstores based on service integration settings.

  • Alibaba Cloud Security Center logs are delivered directly to Log Management, independent of service integration policies, allowing you to enable or disable delivery as needed.

  • Logs integrated through "real-time consumption" will be automatically delivered if Log Storage Capacity is purchased. The delivery switch cannot be enabled or disabled.

  • CTDR 2.0 updates the standardized log fields. For field changes, see Standardized log field changes.

Multi-account Management

  • Delegated administrator (DA) is bound as the global account administrator.

  • DA can switch between "global account view" and "current account view."

  • CTDR multi-account settings are now merged into Security Center multi-account management. DAs are set through Security Center.

  • In CTDR multi-account management scenarios, member account alert logs are integrated via the "multi-account integration settings" feature in the Integration Center.

  • View switching is no longer supported.

Discontinued logs

After upgrading to CTDR 2.0, the following seven types of Alibaba Cloud service logs will no longer be supported:

| Service | Log | Reason for discontinuation |
| --- | --- | --- |
| Security Center | Port snapshot log | Duplicate data source. You can access the "Network snapshot log" data source instead. |
| Anti-DDoS | Anti-DDoS Proxy (Previous Version) flow log | Previous version of Anti-DDoS Proxy is offline. |
| Anti-DDoS | Anti-DDoS Origin log | Anti-DDoS Origin log is planned to be discontinued. |
| Cloud Firewall | Cloud Firewall alert log | Duplicate data source. The original custom Simple Log Service data source will be discontinued and replaced by a new data source based on predefined log service. Note: The new data source name will remain "Cloud Firewall alert log". For the fields of the new data source, see Cloud Firewall alert logs, Cloud Firewall real-time alert logs. |
| Web Application Firewall | WAF CDN flow log | CDN planning is paused. It will be replaced by the new DCDN WAF blocking log. For field descriptions, see DCDN WAF blocking logs. |
| Alibaba Cloud CDN | CDN WAF flow log | CDN planning is paused. It will be replaced by the new DCDN WAF blocking log. |
| Security Center | File read and write logs | Upgrade. No longer needs this data source. |

Standardized log field changes

Security Center logs

Account snapshot logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| log_code | log_code | Log code, specific data source |
| host_uuid | uuid | Host ID |
| is_root | perm | Whether root permission is available. 0: No root permission. 1: Has root permission. |
| group_name | groups | User group |
| account_expire_time | account_expire | Account expiration time |
| log_time | log_time | Log timestamp in seconds |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| last_login_time | last_logon | Date and time of the last account logon. N/A indicates never logged in. |
| sub_user_id | user_id | Account ID/ID of the Alibaba Cloud account to which the logs belong |
| main_user_id | cloud_user_id | Cloud account ID. For Alibaba Cloud accounts, it is the same as aliuid. For other cloud accounts, it is the attached account ID. |
| None | username | Account name |
| None | domain | Domain name |
| None | home_dir | Home directory |
| None | status | User account status. 0: Account is prohibited from logging in. 1: Account can log in normally. |
| None | login_ip | Remote IP address of the last account logon. N/A indicates never logged in. |
| None | host_name | Host name |
| None | host_ip | Host IP |
| None | category | Activity directory |
| None | schema | Activity classification |
| None | log_uuid | Log flag |
| None | product_code | Cloud service code |
| None | extend_content | Extension field content |
| snapshot_id | None | Offline |
| asset_type | None | Offline |
| asset_id | None | Offline |
| log_name | None | Offline |
| gmt_create | None | Offline |
| gmt_modified | None | Offline |
| account_id | None | Offline |
| password_expire_time | None | Offline |
| src_ip | None | Offline |

Brute-force attack logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | cloud_user_id | Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| sub_user_id | user_id | Alibaba Cloud log owner account ID |
| log_code | log_code | Log code, specific data source integrated |
| product_code | product_code | Cloud service code |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| host_uuid | uuid | Host ID |
| dst_ip | dst_ip | Destination IP |
| login_count | login_count | Logon count |
| src_ip | src_ip | Source IP |
| u_name | username | Logon account name |
| None | invalid_user | Whether the user is valid invalid_user |
| None | login_type | Logon type |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| None | dst_port | Client host port |
| host_name | None | Offline |
| net_connect_dir | None | Offline |
| log_name | None | Offline |
| src_port | None | Offline |
| occur_time | None | Offline |
| time_zone | None | Offline |
| asset_id | None | Offline |
| asset_name | None | Offline |
| asset_type | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| resource_group_name | None | Offline |
| connect_count | None | Offline |
| protocol_name | None | Offline |
| transport_protocol_name | None | Offline |
| login_status | None | Offline |
| ip_version | None | Offline |
| asset_ip | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |
| remote_ip | None | Offline |
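
An added example (not part of the Alibaba Cloud documentation): a Python check that applies the Brute-force attack log mapping above to a V1.0 record and to the text of a detection rule, renaming fields and listing those marked Offline. The sample record, the SQL-like rule text and its table name `log` are constructed for illustration.

```python
import re

# Field changes for "Brute-force attack logs", transcribed from the table above.
RENAMED = {
    "main_user_id": "cloud_user_id",
    "sub_user_id": "user_id",
    "category_name": "category",
    "activity_name": "schema",
    "host_uuid": "uuid",
    "u_name": "username",
}
UNCHANGED = {
    "log_code", "product_code", "cloud_code", "start_time", "end_time",
    "log_time", "dst_ip", "login_count", "src_ip",
}
# V1.0 fields marked "Offline": they have no V2.0 counterpart.
OFFLINE = {
    "host_name", "net_connect_dir", "log_name", "src_port", "occur_time",
    "time_zone", "asset_id", "asset_name", "asset_type", "ecs_instance_id",
    "vpc_instance_id", "resource_group_name", "connect_count",
    "protocol_name", "transport_protocol_name", "login_status", "ip_version",
    "asset_ip", "class_name", "inter_ip", "intra_ip", "os_name", "os_type",
    "raw_data", "remote_ip",
}

# Matches either a single-quoted string literal or a bare identifier.
# Literals are matched first so field names inside values are never rewritten.
TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*")


def migrate_record(v1_record):
    """Map one V1.0 record to V2.0 names.

    Returns (v2_record, dropped, unknown): dropped lists Offline fields that
    were present, unknown lists keys that are not in the table at all.
    """
    v2_record, dropped, unknown = {}, [], []
    for key, value in v1_record.items():
        if key in RENAMED:
            v2_record[RENAMED[key]] = value
        elif key in UNCHANGED:
            v2_record[key] = value
        elif key in OFFLINE:
            dropped.append(key)
        else:
            unknown.append(key)
    return v2_record, sorted(dropped), sorted(unknown)


def audit_rule(rule_text):
    """Rewrite renamed fields in rule text and report Offline fields it uses.

    Returns (rewritten_text, offline_fields). A rule that references an
    Offline field needs manual review: the field no longer exists in V2.0.
    """
    offline_hits = []

    def swap(match):
        token = match.group(0)
        if token.startswith("'"):          # string literal: leave untouched
            return token
        if token in OFFLINE and token not in offline_hits:
            offline_hits.append(token)
        return RENAMED.get(token, token)

    return TOKEN.sub(swap, rule_text), offline_hits


# Constructed sample data (not real log output or a real CTDR rule).
SAMPLE_V1 = {
    "main_user_id": "1000000000000001",
    "sub_user_id": "1000000000000002",
    "host_uuid": "host_uuid-0001",
    "src_ip": "203.0.113.7",
    "dst_ip": "192.0.2.10",
    "u_name": "root",
    "login_count": 42,
    "login_status": "fail",
    "src_port": 50122,
    "vendor_tag": "x",
}
SAMPLE_RULE = (
    "SELECT src_ip, u_name, sum(login_count) AS attempts FROM log "
    "WHERE host_uuid = 'host_uuid-0001' AND login_status = 'fail' "
    "GROUP BY src_ip, u_name"
)

if __name__ == "__main__":
    print(migrate_record(SAMPLE_V1))
    print(audit_rule(SAMPLE_RULE))
```

Account ID fields map differently per log type on this page (Network connection logs list main_user_id as user_id, for example), so keep one mapping per table rather than a global one.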

CSPM logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| log_code | log_code | Log code, specific data source |
| log_time | log_time | Log timestamp in seconds |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| instance_id | instance_id | Check object instance ID |
| instance_name | instance_name | Check object instance name |
| instance_sub_type | instance_sub_type | Product subtype |
| instance_type | instance_type | Product type |
| region_id | region_id | Region |
| risk_level | risk_level | Risk level: 1, 2, 3, 4, 5. |
| status | status | Check status: 1: unfixed; 2: fixfailed; 3: fixed; 4: ignored |
| vendor | vendor | Vendor to which the checked instance belongs |
| None | risk_detail | Check item details |
| None | risk_criterion | Risk criterion |
| None | risk_name | Risk name |
| None | risk_type | Risk type |
| None | category | Activity directory |
| None | schema | Activity classification |
| None | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| None | product_code | Cloud service code |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| check_id | None | Offline |
| check_item_code | None | Offline |
| check_item_name | None | Offline |
| log_name | None | Offline |
| occur_time | None | Offline |
| instance_result | None | Offline |
| requirement_id | None | Offline |
| requirement_name | None | Offline |
| section_id | None | Offline |
| section_name | None | Offline |
| standard_id | None | Offline |
| standard_name | None | Offline |
| requirement_code | None | Offline |
| section_code | None | Offline |

DNS request logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| log_code | log_code | Log code, specific data source |
| host_uuid | uuid | Host ID |
| proc_id | pid | Process ID |
| proc_path | proc_path | Process path |
| cmd_line | cmdline | Command line |
| cmd_chain | cmd_chain | Process command line |
| domain | domain | Process DNS request |
| parent_proc_id | ppid | Parent process ID |
| ip | host_ip | Host IP |
| log_time | log_time | Log timestamp in seconds |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| product_code | product_code | Cloud service code |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| host_name | host_name | Hostname |
| None | uid | Account ID |
| None | username | Account name |
| None | parent_proc_path | Parent process path |
| None | pcmdline | Parent command line |
| None | pstime | Parent process start time |
| None | stime | Process start time |
| None | container_hostname | Server name in container |
| None | container_id | Container ID |
| None | container_image_id | Image ID |
| None | container_image_name | Image name |
| None | container_name | Container name |
| None | container_pid | Process ID in container |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| log_name | None | Offline |
| file_path | None | Offline |
| sls_capacity | None | Offline |
| asset_id | None | Offline |
| asset_name | None | Offline |
| asset_type | None | Offline |
| asset_list | None | Offline |
| time_zone | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| proc_name | None | Offline |
| occur_time | None | Offline |
| scan_time | None | Offline |
| log_protocol_action | None | Offline |
| log_protocol_type | None | Offline |
| app | None | Offline |
| trace_id | None | Offline |
| bind | None | Offline |
| version | None | Offline |
| client_mode | None | Offline |
| app_version | None | Offline |
| safe_mode | None | Offline |
| type | None | Offline |
| seq | None | Offline |
| dns_query_name | None | Offline |
| dns_query_time | None | Offline |
| file_name | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |

File read and write logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| log_code | log_code | Log code, specific data source integrated |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| product_code | product_code | Cloud service code |
| host_uuid | uuid | Host ID |
| host_name | host_name | Hostname |
| cmd_line | cmdline | Command line |
| parent_file_path | parent_proc_path | Parent process path |
| proc_id | pid | Process ID |
| parent_proc_id | ppid | Parent process ID |
| proc_path | proc_path | Process path |
| proc_start_time | stime | Process start time |
| parent_proc_start_time | pstime | Parent process start time |
| file_path | file_path | Process file write path |
| container_id | container_id | Container ID |
| container_name | container_name | Container name |
| container_image_id | container_image_id | Image ID |
| container_image_name | container_image_name | Image name |
| cmd_chain | cmd_chain | Process command line |
| None | host_ip | Host IP |
| None | uid | Account ID |
| None | pcmdline | Parent command line |
| None | username | Account name |
| None | container_hostname | Server name in container |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| None | container_pid | Process ID in container |
| log_name | None | Offline |
| time_zone | None | Offline |
| occur_time | None | Offline |
| asset_id | None | Offline |
| asset_name | None | Offline |
| asset_type | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| parent_file_name | None | Offline |
| container_file_path | None | Offline |
| k8s_pod_name | None | Offline |
| k8s_name_space | None | Offline |
| k8s_node_id | None | Offline |
| k8s_node_name | None | Offline |
| k8s_cluster_id | None | Offline |
| cmd_chain_index | None | Offline |
| proc_name | None | Offline |
| file_name | None | Offline |
| sid | None | Offline |
| srv_cmd_line | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |

Baseline logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| start_time | start_time | Start timestamp in seconds, also used to indicate the occurrence time |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| log_code | log_code | Log code, specific data source integrated |
| product_code | product_code | Cloud service code |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| host_uuid | uuid | Host ID |
| host_name | host_name | Hostname |
| risk_level | risk_level | Risk level: 1, 2, 3, 4, 5. |
| risk_name | risk_name | Risk name |
| status | status | Check status: 1: unfixed; 2: fixfailed; 3: fixed; 4: ignored |
| None | instance_id | Host instance ID |
| None | risk_type | Host baseline risk type |
| None | risk_detail | Risk details |
| None | risk_criterion | Risk standard |
| None | host_ip | Host IP |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| log_name | None | Offline |
| check_item | None | Offline |
| check_level | None | Offline |
| check_type | None | Offline |
| level | None | Offline |
| operation | None | Offline |
| sub_type_alias | None | Offline |
| sub_type_name | None | Offline |
| type_alias | None | Offline |
| type_name | None | Offline |
| asset_id | None | Offline |
| asset_name | None | Offline |
| asset_type | None | Offline |
| asset_list | None | Offline |
| time_zone | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |

Logon logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| log_code | log_code | Log code, specific data source connection |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| product_code | product_code | Cloud service code |
| host_uuid | uuid | Host ID |
| dst_ip | dst_ip | IP of the logon host |
| dst_port | dst_port | Client host port |
| src_ip | src_ip | Source IP |
| u_name | username | Logon account name |
| login_type | login_type | Logon type |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| host_name | None | Offline |
| ip | None | Offline |
| client_ip | None | Offline |
| is_login_success | None | Offline |
| log_count | None | Offline |
| proc_id | None | Offline |
| proto | None | Offline |
| invalid_user | None | Offline |
| client_mode | None | Offline |
| occur_time | None | Offline |
| asset_id | None | Offline |
| asset_type | None | Offline |
| asset_name | None | Offline |
| asset_list | None | Offline |
| time_zone | None | Offline |
| vpc_instance_id | None | Offline |
| ecs_instance_id | None | Offline |
| transport_protocol_name | None | Offline |
| ip_version | None | Offline |
| login_status | None | Offline |
| login_count | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |
| asset_ip | None | Offline |
| class_name | None | Offline |
| log_name | None | Offline |
| remote_ip | None | Offline |

Network connection logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| sub_user_id | cloud_user_id | Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| log_code | log_code | Log code, specific data source |
| product_code | product_code | Cloud service code |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| host_uuid | uuid | Host ID |
| host_name | host_name | Hostname |
| src_ip | src_ip | Source IP |
| src_port | src_port | Source port |
| dst_ip | dst_ip | Destination IP |
| dst_port | dst_port | Destination port |
| parent_proc_id |  | Process ID |
| proc_path | proc_path | Process path |
| proc_start_time | stime | Process start time |
| proc_id | pid | Process ID |
| parent_proc_path | parent_proc_path | Parent process path |
| parent_proc_start_time | pstime | Parent process start time |
| status | status | Network connection status: 1: TCP_STATE_CLOSED (connection closed/not opened); 2: TCP_STATE_LISTEN (listening); 3: TCP_STATE_SYN_SENT (SYN packet sent); 4: TCP_STATE_SYN_RCVD (SYN packet received); 5: TCP_STATE_ESTABLISHED (connection established); 6: TCP_STATE_CLOSE_WAIT (waiting for closure); 7: TCP_STATE_CLOSING (both parties are closing the connection); 8: TCP_STATE_FIN_WAIT1 (active closer sends FIN and waits for ACK); 9: TCP_STATE_FIN_WAIT2 (active closer receives ACK); 10: TCP_STATE_LAST_ACK (passive closer waits for ACK); 11: TCP_STATE_TIME_WAIT (active closer receives FIN and sends ACK) |
| cmd_line | cmdline | Command line |
| net_connect_dir | net_connect_dir | Network connection direction |
| container_id | container_id | Container ID |
| container_image_id | container_image_id | Image ID |
| container_image_name | container_image_name | Image name |
| container_name | container_name | Container name |
| container_host_name | container_hostname | Server name inside the container |
| cmd_chain | cmd_chain | Process command line |
| uid | uid | Account ID |
| u_name | username | Account name |
| None | container_pid | Process ID inside the container |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| cwd | None | Offline |
| tty | None | Offline |
| scan_time | None | Offline |
| log_name | None | Offline |
| proc_name | None | Offline |
| file_path | None | Offline |
| file_name | None | Offline |
| parent_proc_name | None | Offline |
| parent_file_name | None | Offline |
| parent_file_path | None | Offline |
| proto | None | Offline |
| docker_proc_path | None | Offline |
| k8s_cluster_id | None | Offline |
| k8s_name_space | None | Offline |
| k8s_node_id | None | Offline |
| k8s_node_name | None | Offline |
| k8s_pod_name | None | Offline |
| cmd_chain_index | None | Offline |
| container_mip | None | Offline |
| ccp | None | Offline |
| client_mode | None | Offline |
| log_match | None | Offline |
| raw_ts | None | Offline |
| raw_cpu | None | Offline |
| srv_comm | None | Offline |
| asset_id | None | Offline |
| asset_type | None | Offline |
| asset_name | None | Offline |
| asset_list | None | Offline |
| asset_port | None | Offline |
| container_machine_ip | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| occur_time | None | Offline |
| time_zone | None | Offline |
| cmd_line_format | None | Offline |
| transport_protocol_name | None | Offline |
| transport_protocol_status | None | Offline |
| ip_version | None | Offline |
| asset_ip | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| remote_ip | None | Offline |
| remote_port | None | Offline |

Port snapshot logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| sub_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| log_code | log_code | Log code, specific data source integrated |
| product_code | product_code | Cloud service code |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| host_name | host_name | Hostname |
| proc_id | pid | Process ID |
| proc_path | proc_path | Process path |
| net_connect_dir | net_connect_dir | Network connection direction |
| src_ip | src_ip | Source IP |
| src_port | src_port | Source port |
| dst_ip | dst_ip | Destination IP |
| dst_port | dst_port | Destination port |
| proto | l4_protocol | Protocol |
| cmd_line | cmdline | Command line |
| proc_name | proc_name | Process name |
| status | status | Network connection status: 1: TCP_STATE_CLOSED (Connection closed/not opened); 2: TCP_STATE_LISTEN (Listening); 3: TCP_STATE_SYN_SENT (SYN packet sent); 4: TCP_STATE_SYN_RCVD (SYN packet received); 5: TCP_STATE_ESTABLISHED (Connection established); 6: TCP_STATE_CLOSE_WAIT (Waiting for closure); 7: TCP_STATE_CLOSING (Both parties are closing the connection); 8: TCP_STATE_FIN_WAIT1 (Active closer sends FIN waiting for ACK); 9: TCP_STATE_FIN_WAIT2 (Active closer receives ACK); 10: TCP_STATE_LAST_ACK (Passive closer waiting for ACK); 11: TCP_STATE_TIME_WAIT (Active closer receives FIN and sends ACK) |
| host_uuid | uuid | Host ID |
| None | host_ip | Host IP |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| log_name | None | Offline |
| type | None | Offline |
| file_name | None | Offline |
| parent_cmd_line | None | Offline |
| parent_proc_id | None | Offline |
| parent_file_path | None | Offline |
| parent_proc_path | None | Offline |
| err_msg | None | Offline |
| ime | None | Offline |
| client_mode | None | Offline |
| occur_time | None | Offline |
| asset_id | None | Offline |
| asset_type | None | Offline |
| asset_list | None | Offline |
| ecs_instance_id | None | Offline |
| vpc_instance_id | None | Offline |
| transport_protocol_name | None | Offline |
| transport_protocol_status | None | Offline |
| time_zone | None | Offline |
| ip_version | None | Offline |
| asset_ip | None | Offline |
| asset_type | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |
| raw_data | None | Offline |
| remote_ip | None | Offline |
| remote_port | None | Offline |
| time | None | Offline |

Process startup logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| main_user_id | cloud_user_id | Alibaba Cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account. |
| sub_user_id | user_id | Account ID/Alibaba Cloud log owner account ID |
| log_code | log_code | Log code, specific data source integrated |
| product_code | product_code | Cloud service code |
| start_time | start_time | Start timestamp in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp in seconds |
| log_time | log_time | Log timestamp in seconds |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| host_uuid | uuid | Host ID |
| uid | uid | Account ID |
| u_name | username | Account name |
| host_name | host_name | Hostname |
| proc_id | pid | Process ID |
| cmd_line | cmdline | Command line |
| proc_path | proc_path | Process path |
| file_path | file_path | File written by process |
| parent_proc_id | ppid | Parent process ID |
| parent_cmd_line | pcmdline | Parent command line |
| parent_proc_path | parent_proc_path | Parent process path |
| proc_start_time | stime | Process start time |
| cmd_chain | cmd_chain | Process command line |
| pstime | pstime | Parent process start time |
| container_host_name | container_hostname | Server name inside container |
| container_id | container_id | Container ID |
| container_image_id | container_image_id | Image ID |
| container_image_name | container_image_name | Image name |
| container_name | container_name | Container name |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| None | container_pid | Process ID inside container |
| None | host_ip | Host IP |
| log_name | None | Offline |
| scan_time | None | Offline |
| euid | None | Offline |
| euid_name | None | Offline |
| gid | None | Offline |
| gid_name | None | Offline |
| egroup_id | None | Offline |
| egroup_name | None | Offline |
| sid | None | Offline |
| tty | None | Offline |
| cwd | None | Offline |
| parent_file_name | None | Offline |
| parent_proc_name | None | Offline |
| file_name | None | Offline |
| proc_name | None | Offline |
| parent_file_path | None | Offline |
| perm | None | Offline |
| index | None | Offline |
| file_gid | None | Offline |
| file_uid | None | Offline |
| file_uid_name | None | Offline |
| file_gid_name | None | Offline |
| docker_file_path | None | Offline |
| docker_container_id | None | Offline |
| docker_image_id | None | Offline |
| docker_image_name | None | Offline |
| k8s_pod_name | None | Offline |
| k8s_name_space | None | Offline |
| k8s_node_id | None | Offline |
| k8s_node_name | None | Offline |
| k8s_cluster_id | None | Offline |
| cmd_chain_index | None | Offline |
| host_instance_id | None | Offline |
| occur_time | None | Offline |
| vpc_instance_id | None | Offline |
| ecs_instance_id | None | Offline |
| asset_id | None | Offline |
| asset_type | None | Offline |
| asset_name | None | Offline |
| asset_list | None | Offline |
| comm | None | Offline |
| pcomm | None | Offline |
| srv_cmd_line | None | Offline |
| cmd_line_format | None | Offline |
| container_machine_ip | None | Offline |
| container_file_path | None | Offline |
| container_type | None | Offline |
| client_mode | None | Offline |
| time_zone | None | Offline |
| class_name | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| os_name | None | Offline |
| os_type | None | Offline |

Alert logs

| V1.0 field | V2.0 field | Description |
| --- | --- | --- |
| log_code | log_code | Log code, specific data source |
| log_time | log_time | Log timestamp, in seconds |
| start_time | start_time | Start timestamp, in seconds, also used to indicate the time of occurrence |
| end_time | end_time | End timestamp, in seconds |
| main_user_id | user_id | Alibaba Cloud log owner account ID |
| sub_user_id | cloud_user_id | Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID. |
| cloud_code | cloud_code | Cloud code, enumeration values: alibaba_cloud, huawei_cloud, tencent_cloud |
| product_code | product_code | Cloud service code |
| category_name | category | Activity directory |
| activity_name | schema | Activity classification |
| None | extend_content | Extension field content |
| None | log_uuid | Log flag |
| None | rule_id | Rule ID, empty for Security Center |
| None | confidence_score | Alert confidence score (0-100) |
| None | att_ck | ATT&CK field |
| None | alert_name | Alert name |
| None | alert_type | Alert type |
| None | alert_level | Alert level: 1-Information; 2-Low; 3-Medium; 4-High; 5-Critical |
| None | alert_description | Alert description |
| None | action | Alert action: pass, alert, drop. |
| None | relate_alert_uuids | Associated alerts |
| None | alert_uuid | Alert flag |
| None | payload | Attack payload |
| log_name | None | Offline |
| client_mode | None | Offline |
| cmd_line | None | Offline |
| cwd | None | Offline |
| docker_container_id | None | Offline |
| err_msg | None | Offline |
| euid | None | Offline |
| md5 | None | Offline |
| file_name | None | Offline |
| proc_name | None | Offline |
| parent_cmd_line | None | Offline |
| file_path | None | Offline |
| proc_path | None | Offline |
| proc_id | None | Offline |
| parent_proc_name | None | Offline |
| parent_file_name | None | Offline |
| parent_proc_path | None | Offline |
| parent_file_path | None | Offline |
| parent_proc_id | None | Offline |
| sid | None | Offline |
| srv_cmd | None | Offline |
| type | None | Offline |
| uid | None | Offline |
| user | None | Offline |
| uuid | None | Offline |
| asset_id | None | Offline |
| asset_type | None | Offline |
| occur_time | None | Offline |
| class_name | None | Offline |
| asset_name | None | Offline |
| raw_data | None | Offline |
| asset_list | None | Offline |
| time_zone | None | Offline |
| proc_start_time | None | Offline |
| parent_proc_start_time | None | Offline |
| container_id | None | Offline |
| srv_cmd_line | None | Offline |
| u_name | None | Offline |
| host_uuid | None | Offline |
| os_type | None | Offline |
| os_name | None | Offline |
| vpc_instance_id | None | Offline |
| ecs_instance_id | None | Offline |
| inter_ip | None | Offline |
| intra_ip | None | Offline |
| host_name | None | Offline |

Vulnerability logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source integrated

vul_alias

vul_alias_name

Vulnerability alias

vul_code

vul_code

Vulnerability number: AVD or CVE number

status

status

Check status:

  • 1:unfixed

  • 2:fixfailed

  • 3:fixed

  • 4:ignored

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

host_uuid

uuid

Host ID

vul_detail

vul_detail

Vulnerability details

main_user_id

user_id

Alibaba Cloud account ID that owns the log

sub_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

end_time

end_time

End timestamp in seconds

asset_id

asset_ip

Remote scan, IP of the scanned asset

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

product_code

product_code

Cloud service code

vul_level

vul_level

Vulnerability level: 1, 2, 3, 4, 5.

vul_type

vul_type

Vulnerability type

None

cwe_id

CWE vulnerability type; https://avd.aliyun.com/detail/AVD-2023-1678778

None

cvss

CVSS score

None

asset_url

Remote scan, URL being scanned

None

asset_port

Remote scan, port of the scanned asset

None

extend_content

Extension field content

None

log_uuid

Log flag

None

vul_name

Vulnerability name

log_name

None

Offline

necessity

None

Offline

operation

None

Offline

tag

None

Offline

type

None

Offline

asset_type

None

Offline

time_zone

None

Offline

raw_data

None

Offline

asset_list

None

Offline

vpc_instance_id

None

Offline

sas_group_name

None

Offline

ecs_instance_id

None

Offline

inter_ip

None

Offline

intra_ip

None

Offline

host_name

None

Offline

risk_level

None

Offline

WAF logs

WAF alert logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source integrated

main_user_id

user_id

Alibaba Cloud account ID that owns the log

sub_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp in seconds

start_time

start_time

Start timestamp in seconds, also used to indicate when the event occurred

end_time

end_time

End timestamp in seconds

scheme

schema

Activity classification

domain

host

Domain name under attack

waf_rule_id

rule_id

ID of the basic protection rule that the client request matched.

Note

This rule ID corresponds to the rule ID that you can view in the rule hit records on the Basic Protection Rule tab of the Security Report page. For more information, see Security reports.

request_uri

request_uri

Full request path with parameters

request_path

request_path

Relative path of the request, specifically the part of the requested URL after the domain name and before the question mark (?) (not including the query string).

request_body

request_body

Request body

request_method

request_method

Method of the client request.

request_params

querystring

Query string in the client request, specifically the part of the requested URL after the question mark (?).

http_user_agent

http_user_agent

User-Agent field in the HTTP request header, which includes client browser identifier, operating system identifier, and other information about the request source.

http_cookie

http_cookie

Cookie field in the HTTP request header, which represents the cookie information of the client source.

log_uuid

log_uuid

Log identifier

final_action

action

Alert action: pass, alert, drop.

src_ip

src_ip

Attack source IP

attack_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in x_forward_for. If this field does not exist, the connection IP field can be used instead.

alert_name

alert_name

Alert name

alert_type

alert_type

Alert type

alert_level

alert_level

Alert level: 1, 2, 3, 4, 5.

None

product_code

Cloud service code

None

category

Activity directory

None

extend_content

Extended field content

None

request_length

Size of the client request in bytes, including the request line, request headers, and request body

None

alert_description

Alert description

None

att_ck

ATT&CK field

None

confidence_score

Confidence score

None

content_type

HTTP request body format

None

dst_ip

Specific network device IP, for example, WAF engine IP and gateway IP of SLB

None

dst_port

Specific network device port number, for example, WAF engine IP and SLB gateway port

None

http_referer

Referer field in the HTTP request header, which indicates the source URL information of the request.

None

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the original IP address of the client that connects to the web server through an HTTP proxy or load balancer.

None

payload

Attack payload

None

relate_alert_uuids

Related alerts

None

response_info

Response body

None

response_set_cookie

Response cookie

None

status

HTTP status code received by the client. For example, 200 (indicates a successful request).

log_name

None

Offline

waf_agent_key

None

Offline

matched_host

None

Offline

src_country_id

None

Offline

final_disable_log

None

Offline

waf_disable_log

None

Offline

final_rule_id

None

Offline

final_plugin

None

Offline

waf_rule_type

None

Offline

final_rule_type

None

Offline

src_prov_id

None

Offline

cluster_name

None

Offline

prod_source

None

Offline

alert_uuid

None

Offline

method

None

Offline

waf_agent_ip

None

Offline

waf_test

None

Offline

defense_action

None

Offline

final_test

None

Offline

attack_time

None

Offline

region_code

None

Offline

cluster

None

Offline

plugins

None

Offline

waf_reserved2

None

Offline

waf_host_name

None

Offline

request_time

None

Offline

remote_ip

None

Offline

waf_reserved

None

Offline

asset_id

None

Offline

asset_type

None

Offline

occur_time

None

Offline

alert_name_cn

None

Offline

alert_type_cn

None

Offline

alert_desc

None

Offline

alert_desc_cn

None

Offline

alert_desc_en

None

Offline

alert_name_code

None

Offline

alert_type_code

None

Offline

alert_name_en

None

Offline

alert_type_en

None

Offline

alert_title

None

Offline

alert_title_cn

None

Offline

alert_title_en

None

Offline

region_name

None

Offline

src_country_name

None

Offline

src_prov_name

None

Offline

is_new

None

Offline

WAF CDN flow logs, WAF flow logs, WAF 3.0 flow logs

V1.0 field

V2.0 field

Field description

log_code

log_code

Log code, specific data source integrated

content_type

content_type

HTTP request body format.

final_action

final_action

The final protection executed by WAF on the client request. Values:

  • block: indicates blocking.

  • captcha_strict: indicates strict slider verification.

  • captcha: indicates normal slider verification.

  • sigchl: indicates dynamic token verification.

  • js: indicates JavaScript verification.

final_plugin

final_plugin

The protection module corresponding to the final protection action (final_action) executed by WAF on the client request. Values:

  • waf: indicates basic protection rules.

  • acl: indicates IP blacklist, custom rules (access control).

  • cc: indicates CC security protection, custom protection policies (CC attack protection).

  • antiscan: indicates scan protection.

  • dlp: indicates data leakage prevention.

  • scene: indicates scenario-specific configuration (APP is also included).

  • intelligence: indicates bot threat intelligence.

  • wxbb: indicates app protection.

  • sema: indicates semantic protection.

  • scc_gdrl: indicates peak traffic throttling.

  • major_protection: indicates major event support scenario protection.

  • compliance: indicates protocol violation (protocol compliance).

If a request does not trigger any protection module (including cases where it matches a pass rule, or when the client completes slider or JS verification and triggers a pass), this field will not be recorded.

If a request triggers multiple protection modules simultaneously, only the protection module corresponding to the final protection action (final_action) will be recorded.

final_rule_id

final_rule_id

The ID of the protection rule finally applied by WAF to the client request, which is the ID of the protection rule corresponding to final_action.

final_rule_type

final_rule_type

The subtype of the protection rule (final_rule_id) finally applied by WAF to the client request.

For example, under the final_plugin:waf type, there are subtypes such as final_rule_type:sqli, final_rule_type:xss, etc.

domain

host

Host field in the HTTP request.

http_cookie

http_cookie

Cookie field in the HTTP request header, which represents the cookie information of the client source.

http_referer

http_referer

Referer field in the HTTP request header, which indicates the source URL information of the request.

http_user_agent

http_user_agent

User-Agent field in the HTTP request header, which includes client browser identifier, operating system identifier, and other information about the request source.

http_x_forwarded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the original IP address of the client that connects to the web server through an HTTP proxy or load balancer.

request_params

querystring

Query string in the client request, specifically the part of the requested URL after the question mark (?).

src_ip

src_ip

IP that establishes the connection with WAF.

If WAF connects directly with the client, this field is equivalent to the client IP. If there are other Layer 7 proxies in front of WAF (such as CDN), this field represents the IP of the proxy immediately upstream of WAF.

request_length

request_length

Size of the client request in bytes, including the request line, request headers, and request body.

request_method

request_method

Method of the client request.

request_path

request_path

Relative path of the request, specifically the part of the requested URL after the domain name and before the question mark (?) (not including the query string).

request_time_msec

duration

Time taken to process the client request. Unit: milliseconds.

status

status

HTTP status code received by the client. For example, 200 (indicates a successful request).

start_time

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

main_user_id

cloud_user_id

Other cloud account ID. Or Alibaba Cloud

sub_user_id

user_id

Alibaba Cloud account ID that owns the log

request_body

request_body

Request body

dst_ip

dst_ip

Specific network device IP, for example, WAF engine IP and SLB gateway IP.

dst_port

dst_port

Specific network device port number, for example, WAF engine IP and SLB gateway port.

end_time

end_time

End timestamp in seconds

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp in seconds

None

product_code

Cloud service code

None

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in x_forward_for. If this field does not exist, the connection IP field can be used instead.

None

response_content_type

Response content_type

None

response_content_length

Response body length in bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

request_uri

Full request path with parameters

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extended field content

None

log_uuid

Log identifier

None

request_content_length

Request body length in bytes

ali_uid

None

Offline

log_name

None

Offline

acl_rule_type

None

Offline

bypass_matched_ids

None

Offline

cc_rule_type

None

Offline

http_scheme

None

Offline

matched_host

None

Offline

remote_ip

None

Offline

remote_port

None

Offline

request_traceid

None

Offline

server_port

None

Offline

server_protocol

None

Offline

upstream_addr

None

Offline

upstream_response_time

None

Offline

upstream_status

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

Cloud Firewall logs

Cloud Firewall alert logs, Cloud Firewall real-time alert logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

start_time

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

end_time

end_time

End timestamp in seconds

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

rule_id

rule_id

Rule ID

net_connect_dir

net_connect_dir

Direction (in/out)

src_ip

src_ip

Source IP

dst_ip

dst_ip

Destination IP

log_uuid

log_uuid

Log flag

alert_level

alert_level

Alert level

  • 1-Information

  • 2-Low

  • 3-Medium

  • 4-High

  • 5-Critical

dst_port

dst_port

Destination port

src_port

src_port

Source port

log_time

log_time

Log timestamp in seconds

defense_action

action

Alert action: pass, alert, drop.

alert_name

alert_name

Alert name

alert_type

alert_type

Alert type

alert_desc

alert_description

Alert description

payload

payload

Attack payload

att_ck

att_ck

ATT&CK field

uuid

alert_uuid

Alert flag

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

l4_protocol

Network protocol (tcp, udp, icmp)

None

l7_protocol

Layer 7 protocol (Https, Http)

None

traffic_type

Collection method:

  • 0-Unknown

  • 1-Packet collection

  • 2-Flow collection

None

confidence_score

Confidence score

None

file_name

File name

None

md5

File MD5

None

relate_alert_uuids

Associated alerts

attack_ip

None

Offline

ioc_ip

None

Offline

log_name

None

Offline

rule_result

None

Offline

op_level

None

Offline

rule_source

None

Offline

alert_json

None

Offline

asset_ip

None

Offline

asset_port

None

Offline

vul_level

None

Offline

alert_cnt

None

Offline

total_cnt

None

Offline

src_ip_region

None

Offline

dst_ip_region

None

Offline

occur_time

None

Offline

alert_name_code

None

Offline

alert_type_code

None

Offline

app_proto_type

None

Offline

domain

None

Offline

url

None

Offline

ip_proto_type

None

Offline

alert_name_cn

None

Offline

alert_name_en

None

Offline

alert_type_cn

None

Offline

alert_type_en

None

Offline

enable_status

None

Offline

alert_desc_cn

None

Offline

alert_desc_en

None

Offline

region_name

None

Offline

malware_type

None

Offline

alert_src_prod

None

Offline

alert_src_prod_module

None

Offline

mode

None

Offline
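Saved searches and detection rules written against V1.0 names need the renames from the Cloud Firewall alert logs table above, and several V1.0 names are substrings of others (`uuid` in `log_uuid`, `alert_desc` in `alert_desc_cn`), so plain text replacement corrupts them. The following is an added example, not Alibaba Cloud code: it rewrites whole field tokens only, leaves quoted literals alone, and reports fields the table marks Offline. The mapping is a subset of that table; the SQL-like rule text and its values are constructed for illustration.

```python
import re

# Subset of the "Cloud Firewall alert logs" table: V1.0 name -> V2.0 name.
RENAMED = {
    "main_user_id": "cloud_user_id",
    "sub_user_id": "user_id",
    "defense_action": "action",
    "alert_desc": "alert_description",
    "uuid": "alert_uuid",
}

# Subset of the V1.0 fields the same table marks "Offline" (no V2.0 field).
OFFLINE = {
    "attack_ip", "ioc_ip", "rule_result", "rule_source", "alert_json",
    "src_ip_region", "dst_ip_region", "occur_time", "domain", "url",
    "alert_desc_cn", "alert_desc_en", "malware_type",
}

# Either a quoted string literal (kept verbatim) or a whole identifier.
TOKEN = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\b[A-Za-z_]\w*""")

# Constructed rule text; the query syntax is an assumption, not CTDR's own.
SAMPLE_RULE = (
    "alert_level >= 4 AND uuid = 'c0ffee' AND log_uuid <> '' "
    "AND alert_name = 'uuid leak in url' AND alert_desc_cn LIKE '%scan%' "
    "AND main_user_id = 1001 AND attack_ip = '203.0.113.7'"
)


def migrate_query(query):
    """Return (rewritten query, renames applied, offline fields referenced)."""
    renamed, offline = [], []

    def swap(match):
        tok = match.group(0)
        if tok[0] in "'\"":          # string literal: never rewrite contents
            return tok
        if tok in OFFLINE:           # no V2.0 equivalent: needs manual review
            if tok not in offline:
                offline.append(tok)
            return tok
        if tok in RENAMED:           # single pass, so output is not re-scanned
            pair = (tok, RENAMED[tok])
            if pair not in renamed:
                renamed.append(pair)
            return RENAMED[tok]
        return tok

    return TOKEN.sub(swap, query), renamed, offline


def naive_migrate(query):
    """Substring replacement, shown only to illustrate how it breaks."""
    for old, new in RENAMED.items():
        query = query.replace(old, new)
    return query


if __name__ == "__main__":
    new_query, renamed, offline = migrate_query(SAMPLE_RULE)
    print("migrated :", new_query)
    print("renamed  :", renamed)
    print("offline  :", offline)
    print("naive    :", naive_migrate(SAMPLE_RULE))
```

A rule that still references an Offline field is returned unchanged for that field and should be reviewed by hand before the upgrade.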

Cloud Firewall flow logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp in seconds

start_time

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

end_time

end_time

End timestamp in seconds

net_connect_dir

net_connect_dir

Direction (in/out)

dst_ip

dst_ip

Destination IP

dst_port

dst_port

Destination port

ip_proto_type

l3_protocol

ipv4,ipv6

rule_result

action

Action executed after traffic hits the access control policy. Values:

  • pass: Allow.

  • alert: Observation.

  • drop: Reject.

Action executed when traffic hits an intrusion prevention event. Values:

  • alert: Alert notification.

  • drop: Block.

src_ip

src_ip

Source IP

src_port

src_port

Source port

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

l4_protocol

Network protocol (tcp, udp, icmp)

None

l7_protocol

Layer 7 protocol (Https, Http)

None

traffic_type

Collection method:

  • 0-Unknown

  • 1-Packet collection

  • 2-Flow collection

log_name

None

Offline

acl_rule_id

None

Offline

app_proto_type

None

Offline

attack_name

None

Offline

attack_type

None

Offline

country_id

None

Offline

domain

None

Offline

in_bps

None

Offline

in_packet_bytes

None

Offline

in_packet_count

None

Offline

in_pps

None

Offline

ips_ai_rule_id

None

Offline

ips_rule_id

None

Offline

ips_rule_name

None

Offline

ips_rule_name_en

None

Offline

log_type

None

Offline

out_bps

None

Offline

out_packet_bytes

None

Offline

out_packet_count

None

Offline

out_pps

None

Offline

proxy_acl_rule_id

None

Offline

region_code

None

Offline

src_private_ip

None

Offline

start_time_min

None

Offline

tcp_seq

None

Offline

total_bps

None

Offline

total_packet_bytes

None

Offline

total_packet_count

None

Offline

total_pps

None

Offline

url

None

Offline

vul_level

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

rule_source

None

Offline

Anti-DDoS Proxy flow logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

log_time

log_time

Log timestamp in seconds

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud account ID that owns the log

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

http_content_type

content_type

HTTP request body format.

http_host

host

Host field in the HTTP request.

http_cookie

http_cookie

Cookie field in the HTTP request header, indicating the cookie information from the source client.

http_referer

http_referer

Referer field in the HTTP request header, indicating the source URL information of the request.

http_user_agent

http_user_agent

User-Agent field in the HTTP request header, containing information such as the client browser identifier and operating system identifier of the request source.

http_x_forward_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the original IP address of the client connecting to the web server through an HTTP proxy or load balancing.

http_x_real_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real IP that initiated the request, generally corresponding to the first IP in x_forward_for. If this field does not exist, the connection IP field can be used instead.

request_length

request_length

Number of bytes in the client request, including the request line, request header, and request body. Unit: Byte.

request_method

request_method

Method of the client request.

request_path

request_path

Relative path being requested, specifically referring to the part of the requested URL after the domain name and before the question mark (?) (not including the query string).

response_code

status

HTTP status code received by the client. For example, 200 (indicating the request was successful).

request_paramters

querystring

Query string in the client request, specifically referring to the part of the requested URL after the question mark (?).

src_ip

src_ip

IP that established the connection

dst_ip

dst_ip

Specific network device IP

dst_port

dst_port

Port number of the specific network device

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

request_body

Access request body

None

duration

Time used to process the client request. Unit: milliseconds.

None

request_content_length

Access request body length, unit: bytes

None

response_content_type

Response content_type

None

response_content_length

Response body length, unit: bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

request_uri

Full request path + parameters

None

final_action

Final action of the device

None

final_plugin

Final protected module of the device

None

final_rule_id

ID of the rule last hit by the device

None

final_rule_type

Type of the rule last hit by the device

log_name

None

Offline

request_time_msec

None

Offline

domain

None

Offline

log_topic

None

Offline

request_body_size

None

Offline

http_scheme

None

Offline

matched_host

None

Offline

isp_line

None

Offline

remote_ip

None

Offline

remote_port

None

Offline

remote_addr

None

Offline

request_time

None

Offline

cc_action

None

Offline

cc_blocks

None

Offline

last_result

None

Offline

cc_phase

None

Offline

defense_action

None

Offline

defense_rule

None

Offline

ua_browser

None

Offline

ua_browser_family

None

Offline

ua_browser_type

None

Offline

ua_browser_version

None

Offline

ua_device_type

None

Offline

ua_os

None

Offline

ua_os_family

None

Offline

upstream_addr

None

Offline

upstream_ip

None

Offline

upstream_port

None

Offline

upstream_response_time_msec

None

Offline

upstream_response_code

None

Offline

request_id

None

Offline

log_id

None

Offline

occur_time

None

Offline

src_port

None

Offline

src_addr

None

Offline

dst_addr

None

Offline

app_protocol

None

Offline

net_connect_dir

None

Offline

asset_type

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_ip

None

Offline

asset_port

None

Offline

asset_addr

None

Offline

attack_ip

None

Offline

attack_port

None

Offline

attack_addr

None

Offline

Bastionhost logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

content

event_detail

Event details

event

event_type

Event type:

  • cmd.Command: command character

  • cmd.Command.policy: commands processed by control policy

  • graph.Text: graph text

  • graph.Keyboard: graph keyboard event

  • file.Upload: upload file

  • file.Download: download file

  • file.Rename: rename file

  • file.Delete: delete file

  • file.DeleteDir: delete folder

  • file.CreateDir: create folder

  • login.CSLogin: user CS logon

  • Session.session: a session

bst_instance_id

instance_id

Bastionhost instance ID

resource_name

resource_name

Asset name

result

event_result

Event result

session_id

session_id

Session ID

client_ip

src_ip

Connection IP

uid

uid

Bastionhost user ID

u_name

user_name

Bastionhost username

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp, in seconds

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud log owner account ID

start_time

start_time

Start timestamp, in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp, in seconds

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

resource_ip

Asset IP

log_name

None

Offline

ali_uid

None

Offline

log_level

None

Offline

log_version

None

Offline

dst_ip

None

Offline

asset_id

None

Offline

asset_type

None

Offline

file_event_file_size

None

Offline

file_event_speed

None

Offline

file_event_status

None

Offline

file_event_take

None

Offline

CDN flow logs

V1.0 fields

V2.0 fields

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

Alibaba Cloud log owner account ID

log_code

log_code

Log code, specific access data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate when the event occurs

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

domain

host

Host field in HTTP request.

http_method

request_method

Method requested by the client.

request_path

request_path

Requested relative path, specifically the part after the domain name and before the question mark (?) in the requested URL (excluding the query string).

request_parameters

querystring

Query string in the client request, specifically the part after the question mark (?) in the requested URL.

request_url

request_uri

Full request path + parameters

src_ip

src_ip

IP that establishes the connection

request_length

request_length

Number of bytes in the client request, including the request line, request header, and request body. Unit: Byte.

http_status

status

HTTP status code received by the client. For example, 200 (indicates a successful request).

dst_ip

dst_ip

Specific network device IP. For example, for WAF it is the WAF engine IP, for Server Load Balancer it is the gateway IP

dst_port

dst_port

Port number of the specific network device. For example, for WAF it is the WAF engine IP, for Server Load Balancer it is the gateway port

http_conent_type

content_type

HTTP request body format.

user_agent

http_user_agent

User-Agent field in the HTTP request header, including browser identification, operating system identification, and other information about the source of the request.

http_x_forworded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the original IP address of the client connecting to the web server through an HTTP proxy or load balancing.

None

extend_content

Extension field content

None

log_uuid

Log flag

None

http_cookie

Cookie field in the HTTP request header, representing the cookie information of the client source.

None

http_referer

Referer field in the HTTP request header, representing the source URL information of the request.

None

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in x_forward_for. If this field does not exist, the connection IP field can be used instead.

None

duration

Time taken to process the client request. Unit: milliseconds.

None

request_body

Access request body

None

request_content_length

Access request body length, unit: bytes

None

final_action

Final action of the device

None

final_plugin

Final protected module of the device

None

final_rule_id

Final rule ID hit by the device

None

final_rule_type

Final rule type hit by the device

None

response_content_length

Response body length, unit: bytes

None

response_content_type

Response content_type

None

response_info

Response body

None

response_set_cookie

Response cookie

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

reqeust_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

http_scheme

None

Offline

proxy_ip

None

Offline

remote_ip

None

Offline

remote_port

None

Offline

request_id

None

Offline

response_body_size

None

Offline

net_connect_dir

None

Offline

raw_data

None

Offline

Dynamic Content Delivery Network (DCDN) logs

DCDN user access logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

category_name

category

Activity directory

activity_class_name

schema

Activity classification

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

product_code

product_code

Cloud service code

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_time

log_time

Log timestamp, in seconds

real_client_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in x_forward_for. If this field does not exist, the connection IP field can be used instead.

content_type

content_type

HTTP request body format.

host

host

Host field in HTTP request.

request_method

request_method

Request method of the client.

request_length

request_length

Number of bytes in the client request, including the request line, request header, and request body. Unit: Byte.

src_ip

src_ip

IP that establishes connection

status

status

HTTP status code received by the client. For example, 200 (indicates the request was successful).

dst_ip

dst_ip

Specific network device IP. For example, WAF engine IP and gateway IP of Server Load Balancer

dst_port

dst_port

Specific network device port number. For example, WAF engine IP and gateway port of Server Load Balancer

request_uri

request_uri

Full request path + parameters

querystring

querystring

Query string in the client request, specifically the part after the question mark (?) in the requested URL.

http_user_agent

http_user_agent

User-Agent field in the HTTP request header, including client browser identification, operating system identification, and other information about the request source.

http_x_forwarded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the most original IP address of the client connecting to the web server through HTTP proxy or load balancing.

None

start_time

Start timestamp, in seconds, also used to indicate the time of occurrence

None

end_time

End timestamp, in seconds

None

extend_content

Extension field content

None

log_uuid

Log flag

None

final_action

Final action of the device

None

final_plugin

Final protected module of the device

None

final_rule_id

ID of the rule last hit by the device

None

final_rule_type

Type of the rule last hit by the device

None

response_content_type

Response content_type

None

response_content_length

Response body length, unit: bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

duration

Time used to process the client request. Unit: milliseconds.

None

http_cookie

Cookie field in the HTTP request header, representing the cookie information of the client source.

None

http_referer

Referer field in the HTTP request header, indicating the source URL information of the request.

None

request_body

Access request body

None

request_content_length

Access request body length, unit: bytes

None

request_path

Requested relative path, specifically the part after the domain name and before the question mark (?) in the requested URL (excluding the query string).

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

request_body_size

None

Offline

hit_info

None

Offline

http_range

None

Offline

proxy_ip

None

Offline

refer_domain

None

Offline

refer_param

None

Offline

refer_protocol

None

Offline

refer_uri

None

Offline

src_port

None

Offline

request_time

None

Offline

response_size

None

Offline

http_scheme

None

Offline

sent_http_content_range

None

Offline

unix_time

None

Offline

user_info

None

Offline

uuid

None

Offline

via_info

None

Offline

DCDN WAF blocking logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

category_name

category

Activity directory

activity_class_name

schema

Activity classification

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

product_code

product_code

Cloud service code

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_time

log_time

Log timestamp, in seconds

real_client_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP. Generally corresponds to the first IP in X-Forwarded-For. If this field does not exist, the IP field that establishes the connection can be used.

content_type

content_type

HTTP request body format.

http_cookie

http_cookie

Cookie field in the HTTP request header, representing the cookie information of the client source.

host

host

Host field in HTTP request.

final_action

final_action

Final action of the device

final_plugin

final_plugin

Final protected module of the device

final_rule_id

final_rule_id

ID of the rule last hit by the device

final_rule_type

final_rule_type

Type of the rule last hit by the device

request_method

request_method

Method requested by the client.

http_referer

http_referer

Referer field in the HTTP request header, indicating the source URL information of the request.

src_ip

src_ip

Connection IP

status

status

HTTP status code received by the client. For example, 200 (indicates the request was successful).

request_uri

request_uri

Full request path + parameters

querystring

querystring

Query string in the client request, specifically the part after the question mark (?) in the requested URL.

http_user_agent

http_user_agent

User-Agent field in the HTTP request header, including client browser identification, operating system identification, and other information about the request source.

http_x_forwarded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in the client request header, used to identify the most original IP address of the client connecting to the web server through HTTP proxy or load balancing.

None

start_time

Start timestamp, in seconds, also used to indicate the time of occurrence

None

end_time

End timestamp, in seconds

None

extend_content

Extension field content

None

log_uuid

Log flag

None

response_content_type

Response content_type

None

response_content_length

Response body length, unit: bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

dst_ip

Specific network device IP. For example, for WAF it is the WAF engine IP; for Server Load Balancer it is the gateway IP.

None

dst_port

Specific network device port number. For example, for WAF it is the WAF engine IP; for Server Load Balancer it is the gateway port.

None

duration

Time used to process the client request. Unit: milliseconds.

None

request_body

Access request body

None

request_content_length

Access request body length, unit: bytes

None

request_length

Number of bytes in the client request, including the request line, request header, and request body. Unit: Byte.

None

request_path

Requested relative path, specifically the part after the domain name and before the question mark (?) in the requested URL (excluding the query string).

log_name

None

Offline

client_id

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

final_test

None

Offline

matched_host

None

Offline

request_id

None

Offline

http_scheme

None

Offline

tls_hash

None

Offline

unix_time

None

Offline

DCDN EdgeRoutine logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

category_name

category

Activity directory

activity_class_name

schema

Activity classification

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

product_code

product_code

Cloud service code

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_time

log_time

Log timestamp, in seconds

None

start_time

Start timestamp, in seconds, also used to indicate the time of occurrence

None

end_time

End timestamp, in seconds

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

code_ver

None

Offline

console_alert

None

Offline

error_code

None

Offline

error_message

None

Offline

fetch_status

None

Offline

fetch_uuid

None

Offline

http_2xx

None

Offline

http_3xx

None

Offline

http_4xx

None

Offline

http_5xx

None

Offline

http_status_other

None

Offline

in_authority

None

Offline

in_method

None

Offline

in_path

None

Offline

out_size

None

Offline

out_status

None

Offline

routine_spec

None

Offline

total_cpu_time

None

Offline

total_real_time

None

Offline

unique_id

None

Offline

unix_time

None

Offline

API Gateway access logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud log owner account ID

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate when the event occurs

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

request_path

request_path

Request path

domain

host

Domain name

http_status

status

HTTP status code received by the client. For example, 200 (indicates successful request).

response_message

response_info

Response information

src_ip

src_ip

Request IP

request_id

request_id

Request ID

request_paramters

querystring

Request parameters

reqeust_body

request_body

Request body

None

instance_id

Gateway instance ID

None

api_name

API name

None

api_id

API flag

None

app_id

Caller ID

None

app_key

Request AppKey

None

app_name

Caller name

None

error_code

Error code

None

error_message

Error details

None

api_user_id

API provider account ID

None

region_code

Area

None

request_method

Request method

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

reqeust_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

net_connect_dir

None

Offline

raw_data

None

Offline

http_method

None

Offline

request_length

None

Offline

response_body_size

None

Offline

reqeust_headers

None

Offline

response_headers

None

Offline

response_body

None

Offline

K8s audit logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

start_time

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

end_time

end_time

End timestamp in seconds

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

audit_id

audit_id

Unique audit ID generated for each request.

level

level

Audit level corresponding to the generated event.

kind

kind

Event

reqeust_path

request_uri

Request URI sent from the client to the server.

response_status

response_status

  • Status of the response, assigned when "responseObject" is not of "Status" type.

  • For successful requests, this field only contains "code" and "statusSuccess." For error responses not of "Status" type, this field is automatically assigned with error information.

api_version

api_version

audit.k8s.io/v1

stage

stage

Processing stage of the request when this event was generated.

log_time

log_time

Log timestamp in seconds

user

username

Information about the authenticated user.

object_ref

object_ref

Object reference that this request points to. This field can be ignored for List type requests or non-resource requests.

user_agent

user_agent

userAgent records the user agent string reported by the client. Note that the userAgent information is provided by the client and should never be trusted.

request_object

request_object

API object from the request, presented in JSON format. "requestObject" is recorded as is in the request (possibly re-encoded in JSON), before it goes through version conversion, default value filling, admission control, and configuration information merging. This object is an externally versioned object type, and may not even be a valid object itself. For non-resource requests, this field is ignored. This is only recorded when the audit level is "Request" or higher.

response_object

response_object

API object included in the response, presented in JSON format. "responseObject" is recorded after being converted to an external type and serialized to JSON format. For non-resource requests, this field is ignored. This is only recorded when the audit level is Response.

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extended field content

None

log_uuid

Log flag

None

impersonated_user

Information about the impersonated user.

None

source_ip_list

Source IP addresses of the request and intermediate proxies. Source IPs are listed from the following (in order):

  1. X-Forwarded-For request header IP

  2. X-Real-Ip header, if it does not exist in the X-Forwarded-For list

  3. Remote address of the connection, if it does not match the last IP in the list so far (X-Forwarded-For or X-Real-Ip). Note: All IPs except the last one can be arbitrarily set by the client.

None

verb

Kubernetes verb associated with the request. For non-resource requests, this field is the lowercase form of the HTTP method.

ori_topic

None

Offline

trail_detail

None

Offline

log_name

None

Offline

instance_id

None

Offline

verb

None

Offline

stage_time_stamp

None

Offline

src_ip_list

None

Offline

ori_source

None

Offline

ori_path

None

Offline

file_path

None

Offline

project

None

Offline

log_store

None

Offline
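An added example for the K8s audit log table above (not Alibaba Cloud code): it checks the V1.0 field names a detection rule references against the renames and Offline entries listed in the table, and splits source_ip_list into the connection address and the client-settable entries. The function names are hypothetical, and the example assumes source_ip_list arrives as a list, a JSON array string, or a comma-separated string.

```python
import ipaddress
import json

# V1.0 -> V2.0 renames for K8s audit logs, copied from the table above.
RENAMED = {
    "main_user_id": "cloud_user_id",
    "sub_user_id": "user_id",
    "reqeust_path": "request_uri",  # V1.0 spelling exactly as the table lists it
    "user": "username",
}

# Fields listed with the same name in both the V1.0 and V2.0 columns.
UNCHANGED = {
    "log_code", "start_time", "end_time", "cloud_code", "audit_id", "level",
    "kind", "response_status", "api_version", "stage", "log_time",
    "object_ref", "user_agent", "request_object", "response_object",
}

# V1.0 fields whose V2.0 column is "None" and whose description is "Offline".
OFFLINE = {
    "ori_topic", "trail_detail", "log_name", "instance_id", "verb",
    "stage_time_stamp", "src_ip_list", "ori_source", "ori_path",
    "file_path", "project", "log_store",
}

# Fields that exist only in the V2.0 column (V1.0 column is "None").
V2_ONLY = {
    "product_code", "category", "schema", "extend_content", "log_uuid",
    "impersonated_user", "source_ip_list", "verb",
}


def migrate_rule_fields(v1_fields):
    """Classify the V1.0 field names a rule references.

    Returns a report with the V2.0 names that can be used directly, the
    fields that went Offline, the Offline fields whose name reappears as a
    new V2.0 field (the rule must be re-validated, not assumed equivalent),
    and names that are not in the table at all.
    """
    report = {"fields": [], "offline": [], "same_name_in_v2": [], "unknown": []}
    for name in v1_fields:
        if name in RENAMED:
            report["fields"].append(RENAMED[name])
        elif name in UNCHANGED:
            report["fields"].append(name)
        elif name in OFFLINE:
            report["offline"].append(name)
            if name in V2_ONLY:
                report["same_name_in_v2"].append(name)
        else:
            report["unknown"].append(name)
    return report


def split_source_ips(source_ip_list):
    """Split source_ip_list into (connection_ip, client_supplied_entries).

    Per the field description, every entry except the last can be set
    arbitrarily by the client, so only the last entry is returned as the
    connection address. It is validated as an IP; earlier entries are kept
    as raw strings for context only.
    """
    if source_ip_list is None:
        return None, []
    if isinstance(source_ip_list, str):
        try:
            source_ip_list = json.loads(source_ip_list)
        except ValueError:
            source_ip_list = source_ip_list.split(",")
    if not isinstance(source_ip_list, (list, tuple)):
        source_ip_list = [source_ip_list]
    entries = [str(e).strip() for e in source_ip_list if str(e).strip()]
    if not entries:
        return None, []
    # Take the last raw entry before validating: filtering first could
    # promote a client-controlled entry into the trusted position.
    last, client_supplied = entries[-1], entries[:-1]
    try:
        connection_ip = str(ipaddress.ip_address(last))
    except ValueError:
        connection_ip = None
    return connection_ip, client_supplied


if __name__ == "__main__":
    # Constructed sample: field names referenced by a hypothetical V1.0 rule.
    print(migrate_rule_fields(["user", "reqeust_path", "verb", "src_ip_list"]))
    # Constructed sample value using documentation-range addresses.
    print(split_source_ips(["203.0.113.7", "10.0.0.5"]))
```

Rules that alert or allowlist on a source address should key on the first returned value only; the second is useful as context but not as evidence of origin.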

PolarDB logs

PolarDB-X1.0 audit logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

start_time

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

end_time

end_time

End timestamp in seconds

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

cloud_type

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

sql_stmt_type

sql_type

Type of audit behavior

table_name

table_name

Table name list

sql_stmt

sql

Audit behavior

src_ip

src_ip

Operator IP

fetched_rows

check_rows

Number of scanned rows

affect_rows

effect_row

Number of affected rows

db_name

db

Database name

u_name

user

Operator account name

domain

domain

Domain name corresponding to the database

None

log_time

Log timestamp in seconds

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

product_code

Cloud service code

None

schema_name

Metadata name

log_name

None

Offline

sql_stmt_hash

None

Offline

spm_plan_id

None

Offline

phy_affected_rows

None

Offline

spm_baseline_id

None

Offline

total_physical_conn_time

None

Offline

src_port

None

Offline

temp_table_memory

None

Offline

total_physical_exec_time

None

Offline

trace_id

None

Offline

total_physical_read_time

None

Offline

memory_reject

None

Offline

sql_stmt_type_detail

None

Offline

memory_used

None

Offline

logical_opt_cpu_time

None

Offline

is_failed

None

Offline

shared_plan_memory

None

Offline

plan_memory

None

Offline

memory_pct

None

Offline

sql_hint

None

Offline

physical_sql_count

None

Offline

logical_cpu_time

None

Offline

instance_id

None

Offline

logical_exec_cpu_time

None

Offline

parameters

None

Offline

total_physical_time

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

dst_ip

None

Offline

dst_port

None

Offline

dst_intra_ip

None

Offline

occur_time

None

Offline

PolarDB-X2.0 audit logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

cloud_type

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

src_ip

src_ip

Operator IP

db_name

db

Database name

affect_rows

effect_row

Number of affected rows

fetched_rows

check_rows

Number of scanned rows

sql_stmt

sql

Audit behavior

sql_type

sql_type

Type of audit behavior

db_user_name

user

Operator account name

domain

domain

Domain name corresponding to the database

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

table_name

Table name list

None

schema_name

Metadata name

None

db_type

Database type

log_name

None

Offline

is_auto_commit

None

Offline

ccl_hit_cache

None

Offline

ccl_status

None

Offline

ccl_wait_time

None

Offline

src_port

None

Offline

is_failed

None

Offline

polardb_instance_id

None

Offline

sql_hint

None

Offline

is_prepare_stmt

None

Offline

matched_ccl_rule

None

Offline

parameters

None

Offline

prepare_stmt_id

None

Offline

response_time

None

Offline

sql_stmt_hash

None

Offline

sql_exec_time

None

Offline

trace_id

None

Offline

transaction_id

None

Offline

transaction_policy

None

Offline

workload_type

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

dst_ip

None

Offline

dst_port

None

Offline

dst_intra_ip

None

Offline

occur_time

None

Offline

ApsaraDB for MongoDB logs

MongoDB audit logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

audited_action_type

sql_type

Type of audit behavior

audited_action

sql

Audit behavior

operator_user_ip

user

Operator account name

src_ip

src_ip

Operator IP

database_name

db

Database name

table_name

table_name

Table name list

None

affect_rows

Number of affected data entries

None

schema_name

Metadata name

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

request_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

audited_object

None

Offline

operator_user_name

None

Offline

domain

None

Offline

raw_data

None

Offline

MongoDB slow query logs and operation logs

Note

CTDR 2.0 no longer accepts MongoDB slow query logs or operation logs.

V1.0 field

V2.0 field

Description

main_user_id

None

Offline

sub_user_id

None

Offline

log_code

None

Offline

cloud_code

None

Offline

start_time

None

Offline

end_time

None

Offline

log_time

None

Offline

category_name

None

Offline

activity_name

None

Offline

src_ip

None

Offline

database_name

None

Offline

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

request_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

src_port

None

Offline

dst_ip

None

Offline

dst_port

None

Offline

domain

None

Offline

connection_status_message

None

Offline

connection_status

None

Offline

connection_type

None

Offline

connection_name

None

Offline

mongodb_instance_id

None

Offline

instance_id

None

Offline

level

None

Offline

raw_data

None

Offline

ApsaraDB RDS audit logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud log owner account ID

log_code

log_code

Log code, specific data source

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

product_code

product_code

Cloud service code

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

audited_action_type

sql_type

Type of audit behavior

audited_action

sql

Audit behavior

operator_user_name

user

Operator account name

src_ip

src_ip

Operator IP

database_name

db

Database name

None

extend_content

Extension field content

None

log_uuid

Log flag

None

affect_rows

Number of affected data entries

None

table_name

Table name list

None

schema_name

Metadata name

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

request_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

raw_data

None

Offline

audited_object

None

Offline

audited_action_status

None

Offline

operator_user_ip

None

Offline

domain

None

Offline

asset_list

None

Offline

Virtual private cloud (VPC) logs

V1.0 fields

V2.0 fields

Description

log_code

log_code

Log code, specific data source

src_ip

src_ip

Source IP

src_port

src_port

Source port

dst_ip

dst_ip

Destination IP

dst_port

dst_port

Destination port

proto

l4_protocol

Network protocol (tcp, udp, icmp)

net_connect_dir

net_connect_dir

Direction (in/out)

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

action

action

Alert device action

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud log owner account ID

log_time

log_time

Log timestamp in seconds

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

l3_protocol

ipv4, ipv6

None

l7_protocol

Layer 7 protocol (Https, Http)

None

traffic_type

Collection method

0-Unknown

1-Package collection

2-Stream collection

log_name

None

Offline

version

None

Offline

vswitch_id

None

Offline

vm_id

None

Offline

vpc_id

None

Offline

account_id

None

Offline

eni_id

None

Offline

log_status

None

Offline

occur_time

None

Offline

packet_cnt

None

Offline

bytes

None

Offline

asset_type

None

Offline

asset_name

None

Offline

asset_id

None

Offline

Elastic IP Address logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud account ID that owns the log

cloud_type

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate when the event occurred

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

None

log_code

Log code, specific data source integrated

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

type

None

Offline

tid

None

Offline

time

None

Offline

gw_ip

None

Offline

eip

None

Offline

ip

None

Offline

in_Bps

None

Offline

out_Bps

None

Offline

in_pps

None

Offline

out_pps

None

Offline

in_syn_speed

None

Offline

out_syn_speed

None

Offline

in_syn_ack_speed

None

Offline

out_syn_ack_speed

None

Offline

in_fin_speed

None

Offline

out_fin_speed

None

Offline

in_rst_speed

None

Offline

out_rst_speed

None

Offline

out_ratelimit_drop_speed

None

Offline

in_ratelimit_drop_speed

None

Offline

out_drop_speed

None

Offline

in_drop_speed

None

Offline

timestamp

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

Server Load Balancer (SLB) logs

ALB access logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

src_ip

src_ip

IP that establishes the connection

http_host

host

Host field in HTTP request.

http_referer

http_referer

Referer field in HTTP request header, indicating the source URL information of the request.

http_user_agent

http_user_agent

User-Agent field in HTTP request header, containing client browser identification, operating system identification, and other information about the request source.

http_x_forwarded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in client request header, used to identify the most original IP address of the client connecting to the web server through HTTP proxy or load balancing.

http_x_real_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in X-Forwarded-For. If this field does not exist, the IP field that establishes the connection can be used.

request_length

request_length

Number of bytes in the client request, including request line, request header, and request body. Unit: Byte.

request_method

request_method

Method of the client request.

request_path

request_path

Requested relative path, specifically the part after the domain name and before the question mark (?) in the requested URL (excluding the query string).

dst_ip

dst_ip

Specific network device IP. For example, for WAF it is the WAF engine IP, for SLB it is the gateway IP.

dst_port

dst_port

Port number of the specific network device. For example, for WAF it is the WAF engine IP, for SLB it is the gateway port.

http_status

status

HTTP status code received by the client. For example, 200 (indicating the request was successful).

None

extend_content

Extended field content

None

log_uuid

Log flag

None

content_type

HTTP request body format.

None

http_cookie

Cookie field in HTTP request header, indicating the cookie information of the client source.

None

querystring

Query string in the client request, specifically the part after the question mark (?) in the requested URL.

None

duration

Time taken to process the client request. Unit: milliseconds.

None

request_body

Access request body

None

request_content_length

Access request body length, unit: bytes

None

response_content_type

Response content_type

None

response_content_length

Response body length, unit: bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

request_uri

Full request path + parameters

None

final_action

Final action of the device

None

final_plugin

Final protection module of the device

None

final_rule_id

Final rule ID hit by the device

None

final_rule_type

Final rule type hit by the device

log_name

None

Offline

src_port

None

Offline

domain

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

request_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

alb_instance_id

None

Offline

instance_id

None

Offline

response_body_size

None

Offline

http_scheme

None

Offline

http_version

None

Offline

ssl_cipher

None

Offline

ssl_protocol

None

Offline

upstream_ip

None

Offline

upstream_port

None

Offline

upstream_status

None

Offline

net_connect_dir

None

Offline

CLB access logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

src_ip

src_ip

IP that establishes the connection

http_host

host

Host field in HTTP request.

http_referer

http_referer

Referer field in HTTP request header, indicating the source URL information of the request.

http_user_agent

http_user_agent

User-Agent field in HTTP request header, containing client browser identification, operating system identification, and other information about the request source.

http_x_forwarded_for

http_x_forwarded_for

X-Forwarded-For (XFF) field in client request header, used to identify the most original IP address of the client connecting to the web server through HTTP proxy or load balancing.

http_x_real_ip

real_client_ip

Custom field in the HTTP request header, mainly used to store the real request IP, generally corresponding to the first IP in X-Forwarded-For. If this field does not exist, the IP field that establishes the connection can be used.

request_length

request_length

Number of bytes in the client request, including request line, request header, and request body. Unit: Byte.

request_method

request_method

Method of the client request.

request_time

duration

Time taken to process the client request. Unit: milliseconds.

request_uri

request_uri

Full request path + parameters

dst_port

dst_port

Port number of the specific network device. For example, WAF engine IP and SLB gateway port.

status

status

HTTP status code received by the client. For example, 200 (indicating the request was successful).

dst_ip

dst_ip

Specific network device IP. For example, WAF engine IP and SLB gateway IP.

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the bound account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp in seconds

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extended field content

None

log_uuid

Log flag

None

content_type

HTTP request body format.

None

http_cookie

Cookie field in HTTP request header, indicating the cookie information of the client source.

None

querystring

Query string in the client request, specifically the part after the question mark (?) in the requested URL.

None

request_path

Requested relative path, specifically the part after the domain name and before the question mark (?) in the requested URL (excluding the query string).

None

request_body

Access request body

None

request_content_length

Access request body length, unit: bytes

None

response_content_type

Response content_type

None

response_content_length

Response body length, unit: bytes

None

response_set_cookie

Response cookie

None

response_info

Response body

None

final_action

Final action of the device

None

final_plugin

Final protection module of the device

None

final_rule_id

Final rule ID hit by the device

None

final_rule_type

Final rule type hit by the device

log_name

None

Offline

src_port

None

Offline

body_bytes_sent

None

Offline

read_request_time

None

Offline

domain

None

Offline

scheme

None

Offline

server_proto

None

Offline

slb_port

None

Offline

slb_id

None

Offline

ssl_cipher

None

Offline

ssl_protocol

None

Offline

tcpinfo_rtt

None

Offline

occur_time

None

Offline

upstream_addr

None

Offline

upstream_response_time

None

Offline

upstream_status

None

Offline

vip_addr

None

Offline

write_response_time

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

Object Storage Service (OSS) logs

OSS hourly metering logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

request_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

audited_action_type

None

Offline

audited_action

None

Offline

audited_object

None

Offline

domain

None

Offline

bucket_name

None

Offline

raw_data

None

Offline

OSS access logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

cloud_type

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

request_id

request_id

Request ID

user_agent

http_user_agent

User agent

error_code

error_code

Error code

extend_information

extend_content

Extension field content

access_id

access_id

AccessKey pair

bucket

bucket

Object Storage bucket

host

host

Host field in HTTP request.

http_method

request_method

Method requested by the client.

object

object

Object

operation

operation

Operation type

owner_id

owner_id

Object Storage owner

request_uri

request_uri

Request URI

sign_type

sign_type

Logon status

None

product_code

Cloud service code

None

category

Activity directory

None

schema

Activity classification

None

log_uuid

Log flag

None

src_ip

Request IP

None

request_path

The relative path being requested, specifically the part of the requested URL after the domain name and before the question mark (?) (not including the query string).

log_name

None

Offline

acc_access_region

None

Offline

bucket_location

None

Offline

bucket_storage_type

None

Offline

client_ip

None

Offline

content_length_in

None

Offline

content_length_out

None

Offline

delta_data_size

None

Offline

http_status

None

Offline

http_type

None

Offline

logging_flag

None

Offline

object_size

None

Offline

referer

None

Offline

request_length

None

Offline

response_body_length

None

Offline

response_time

None

Offline

restore_priority

None

Offline

server_cost_time

None

Offline

sync_request

None

Offline

time

None

Offline

vpc_addr

None

Offline

vpc_id

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

OSS batch deletion logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

src_ip

src_ip

Source IP, same as operator IP

http_user_agent

http_user_agent

User agent

request_id

request_id

Request ID

domain

host

Host field in HTTP request.

bucket_name

bucket

Object Storage bucket

object_name

object

Object

request_method

request_method

Method requested by the client.

request_url

request_uri

Request URI

request_path

request_path

The relative path being requested, specifically the part of the requested URL after the domain name and before the question mark (?) (not including the query string).

asset_id

access_id

AccessKey pair

None

extend_content

Extension field content

None

log_uuid

Log flag

None

owner_id

Object Storage owner

None

operation

Operation type

None

sign_type

Logon status

None

error_code

Error code

log_name

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

audited_action_type

None

Offline

audited_action

None

Offline

audited_object

None

Offline

operator_user_id

None

Offline

operator_user_name

None

Offline

operator_user_ip

None

Offline

raw_data

None

Offline

request_time

None

Offline

request_paramters

None

Offline

request_length

None

Offline

response_body_size

None

Offline

http_referer

None

Offline

http_status

None

Offline

net_connect_dir

None

Offline

asset_list

None

Offline

File Storage NAS logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

occur_time

None

Offline

class_name

None

Offline

inode

None

Offline

auth_code

None

Offline

status_code

None

Offline

application_protocol_name

None

Offline

nfs_protocol_procedures

None

Offline

total_bytes

None

Offline

request_id

None

Offline

remote_inode

None

Offline

src_ip

None

Offline

application_protocol_version

None

Offline

dst_ip

None

Offline

nfs_instance_id

None

Offline

instance_id

None

Offline

time_zone

None

Offline

asset_list

None

Offline

raw_data

None

Offline

Function Compute FC logs

V1.0 field

V2.0 field

Description

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

Alibaba Cloud account ID to which the log belongs

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

start_time

start_time

Start timestamp in seconds, also used to indicate the time of occurrence

end_time

end_time

End timestamp in seconds

log_time

log_time

Log timestamp in seconds

category_name

category

Activity directory

activity_name

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

log_name

None

Offline

occur_time

None

Offline

time_zone

None

Offline

class_name

None

Offline

api_name

None

Offline

asset_id

None

Offline

asset_name

None

Offline

asset_type

None

Offline

raw_data

None

Offline

ActionTrail logs

V1.0 field

V2.0 field

Description

log_code

log_code

Log code, specific data source

main_user_id

cloud_user_id

Other cloud account ID. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the attached account ID.

sub_user_id

user_id

ID of the Alibaba Cloud account to which the logs belong

log_time

log_time

Log timestamp in seconds

end_time

end_time

End timestamp in seconds

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

event_id

event_id

Event ID

event_name

event_name

Event name

region_code

region_id

Region ID

request_id

request_id

Request ID

resource_name

account_name

Account name

resource_type

account_type

Audit account type: RAM/Main/STS

service_name

service_name

Service name

version

event_version

Event version

error_code

error_code

Error code

error_message

error_message

Failure details

event_source

event_source

Event source

request_parameters

request_paramters

Request parameters

src_ip

src_ip

Source IP, same as operator IP

user_agent

user_agent

User agent

access_key_id

access_id

access_key

principal_id

principal_id

Current requester ID

None

product_code

Cloud service code

None

start_time

Start timestamp in seconds, also used to indicate the time of event occurrence

None

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

service_domain

Service domain name

None

account_id

Audit account ID

None

response_detail

Response result

stamp

None

Offline

time

None

Offline

to

None

Offline

user

None

Offline

trail_detail

None

Offline

rw_parser

None

Offline

source_ip_address

None

Offline

user_name

None

Offline

dm

None

Offline

rw

None

Offline

log_name

None

Offline

api_name

None

Offline

event_type

None

Offline

from

None

Offline

extra_encode

None

Offline

model

None

Offline

r0

None

Offline

r1

None

Offline

r2

None

Offline

r3

None

Offline

ak

None

Offline

CloudConfig logs

V1.0 field

V2.0 field

Description

cloud_user_id

cloud_user_id

The ID of other cloud accounts. If it is an Alibaba Cloud account, it is the same as aliuid. If it is another cloud account, it is the ID of the attached account.

aliuid

user_id

The Alibaba Cloud account ID to which the log belongs

log_code

log_code

Log code, specific data source

product_code

product_code

Cloud service code

cloud_code

cloud_code

Cloud code, enumeration values:

  • alibaba_cloud

  • huawei_cloud

  • tencent_cloud

log_time

log_time

Log timestamp, in seconds

category_name

category

Activity directory

None

schema

Activity classification

None

extend_content

Extension field content

None

log_uuid

Log flag

None

start_time

Start timestamp, in seconds, also used to indicate the time of occurrence

None

end_time

End timestamp, in seconds

log_name

None

Offline

resource_arn

None

Offline

region_code

None

Offline

availability_zone_code

None

Offline

resource_config

None

Offline

data_type

None

Offline

request_id

None

Offline

resource_create_time

None

Offline

resource_group_id

None

Offline

resource_id

None

Offline

resource_name

None

Offline

resource_type

None

Offline

raw_data

None

Offline

occur_time

None

Offline

time_zone

None

Offline