Simple Log Service:Security Center

Last Updated: Jun 16, 2026

Log field reference for network logs, security logs, and host logs collected by Security Center.

Network logs

  • DNS logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-log-dns.

    owner_id

    The Alibaba Cloud account ID.

    additional

    The additional field. Values are separated by vertical bars (|).

    additional_num

    The number of additional fields.

    answer

    The DNS answer. Values are separated by vertical bars (|).

    answer_num

    The number of DNS answers.

    authority

    The authority field.

    authority_num

    The number of authority fields.

    client_subnet

    The client subnet.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    net_connect_dir

    The direction of the data transmission. Valid values:

    • in: inbound

    • out: outbound

    qid

    The query ID.

    query_name

    The queried domain name.

    query_type

    The query type.

    query_datetime

    The timestamp of the query. Unit: milliseconds.

    rcode

    The return code.

    region

    The ID of the source region. Valid values:

    • 1: Beijing

    • 2: Qingdao

    • 3: Hangzhou

    • 4: Shanghai

    • 5: Shenzhen

    • 6: Other

    response_datetime

    The time when the response was returned.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The start timestamp. Unit: seconds.

  • Local DNS logs

    Field name

    Description

    __topic__

    The topic of the log. The value is fixed to local-dns.

    owner_id

    The Alibaba Cloud account ID.

    answer_rdata

    The DNS answer. Values are separated by vertical bars (|).

    answer_ttl

    The time-to-live (TTL) of the DNS answer. Values are separated by vertical bars (|).

    answer_type

    The type of the DNS answer. Values are separated by vertical bars (|). The following are common values for DNS response types:

    • 1: A record.

    • 2: NS record.

    • 5: CNAME record.

    • 6: SOA record.

    • 10: NULL record.

    • 12: PTR record.

    • 15: MX record.

    • 16: TXT record.

    • 25: KEY record.

    • 28: AAAA record.

    • 33: SRV record.

    • 41: OPT record.

    • 43: DS record.

    • 44: SSHFP record.

    • 45: IPSECKEY record.

    • 46: RRSIG record.

    • 47: NSEC record.

    answer_name

    The name in the DNS answer. Values are separated by vertical bars (|).

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    group_id

    The group ID.

    host

    The hostname.

    id

    The query ID.

    instance_id

    The instance ID.

    internet_ip

    The public IP address.

    ip_ttl

    The TTL of the IP address.

    query_name

    The queried domain name.

    query_type

    The query type.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The timestamp of the query. Unit: seconds.

    time_usecond

    The response time. Unit: microseconds.

    tunnel_id

    The channel ID.
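
    The answer_name, answer_type, answer_rdata and answer_ttl fields above each carry one bar-separated item per answer, in the same order, with answer_type holding the numeric codes listed for the field. The following Python is an added example, not code from the page or from Security Center: it pairs those columns back into individual resource records (rejecting records whose columns disagree in length), follows the CNAME chain to the addresses the client actually received, and reports the smallest TTL, which is a common triage signal. The sample record is constructed, not captured.

```python
"""Parse the bar-separated answer fields of a Local DNS log (topic local-dns)."""

# answer_type codes listed in the Local DNS log reference, mapped to RR type names.
RR_TYPE_NAMES = {
    1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 10: "NULL", 12: "PTR", 15: "MX",
    16: "TXT", 25: "KEY", 28: "AAAA", 33: "SRV", 41: "OPT", 43: "DS",
    44: "SSHFP", 45: "IPSECKEY", 46: "RRSIG", 47: "NSEC",
}

# Constructed sample record (not captured from a real account): a query for
# www.example.com answered by a CNAME that resolves to two A records.
SAMPLE_RECORD = {
    "__topic__": "local-dns",
    "query_name": "www.example.com",
    "query_type": "1",
    "answer_name": "www.example.com|cdn.example.net|cdn.example.net",
    "answer_type": "5|1|1",
    "answer_rdata": "cdn.example.net|203.0.113.10|203.0.113.11",
    "answer_ttl": "300|60|60",
    "src_ip": "10.0.0.5",
    "dst_ip": "100.100.2.136",
    "dst_port": "53",
}


def split_multi(value):
    """Split a bar-separated multi-value field; an empty field yields no items."""
    if not value:
        return []
    return str(value).split("|")


def parse_local_dns_answers(record):
    """Pair up answer_name, answer_type, answer_rdata and answer_ttl item by item.

    The four fields carry one item per answer, bar-separated and in the same
    order. A mismatch between their lengths means the record is truncated or
    malformed, so it is rejected rather than silently mis-paired.
    """
    columns = [split_multi(record.get(k)) for k in
               ("answer_name", "answer_type", "answer_rdata", "answer_ttl")]
    if len({len(c) for c in columns}) != 1:
        raise ValueError("answer_* fields have different item counts: %r"
                         % [len(c) for c in columns])
    answers = []
    for name, rtype, rdata, ttl in zip(*columns):
        code = int(rtype)
        answers.append({
            "name": name.rstrip(".").lower(),
            "type_code": code,
            # Codes not in the reference list keep their number, e.g. TYPE65.
            "type": RR_TYPE_NAMES.get(code, "TYPE%d" % code),
            "rdata": rdata,
            "ttl": int(ttl),
        })
    return answers


def resolved_addresses(record, max_hops=8):
    """Follow CNAMEs from query_name to the terminal A/AAAA records.

    Returns the addresses the client ultimately received, or [] when the chain
    does not end in an address (empty answer, dangling CNAME, or a CNAME loop
    longer than max_hops).
    """
    by_name = {}
    for a in parse_local_dns_answers(record):
        by_name.setdefault(a["name"], []).append(a)
    current = record["query_name"].rstrip(".").lower()
    for _ in range(max_hops):
        rrs = by_name.get(current, [])
        addrs = [a["rdata"] for a in rrs if a["type"] in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [a["rdata"] for a in rrs if a["type"] == "CNAME"]
        if not cnames:
            return []
        current = cnames[0].rstrip(".").lower()
    return []


def min_answer_ttl(record):
    """Smallest TTL among the answers, or None if the record has no answers."""
    ttls = [a["ttl"] for a in parse_local_dns_answers(record)]
    return min(ttls) if ttls else None


if __name__ == "__main__":
    for answer in parse_local_dns_answers(SAMPLE_RECORD):
        print(answer)
    print("resolves to:", resolved_addresses(SAMPLE_RECORD))
    print("min ttl:", min_answer_ttl(SAMPLE_RECORD))
```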

  • Network session logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-log-session.

    owner_id

    The Alibaba Cloud account ID.

    asset_type

    The type of the associated asset, such as ECS, SLB, and RDS.

    net_connect_dir

    The direction of the network connection.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    l4_proto

    The protocol type, such as TCP and UDP.

    session_time

    The session time.

    src_ip

    The source IP address.

    src_port

    The source port.

    start_time

    The start timestamp. Unit: seconds.

  • Web logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-log-http.

    owner_id

    The Alibaba Cloud account ID.

    response_content_length

    The content length of the response.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    host

    The hostname.

    jump_location

    The redirection address.

    request_method

    The HTTP request method.

    request_datetime

    The request time.

    status

    The HTTP status code.

    content_type

    The content type of the request.

    response_content_type

    The content type of the response.

    src_ip

    The source IP address.

    src_port

    The source port.

    request_uri

    The request URI.

    http_user_agent

    The User-Agent header of the client request.

    http_x_forward_for

    The X-Forwarded-For header of the request, which carries the routing information (the chain of client and proxy IP addresses) for the request.

Security logs

  • Vulnerability logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-vul-log.

    owner_id

    The Alibaba Cloud account ID.

    vul_name

    The name of the vulnerability.

    vul_alias_name

    The alias of the vulnerability.

    risk_level

    The risk level.

    vul_primary_id

    The vulnerability identifier.

    instance_name

    The name of the machine.

    operation

    The operation. Valid values:

    • new: Newly created.

    • Validation

    • Bug fix

    status

    The status. For more information, see Status codes for security logs.

    tag

    The tag of the vulnerability, such as oval, system, and cms. This parameter is used to identify emergency vulnerabilities.

    type

    Vulnerability types are as follows:

    • sys: Windows vulnerability

    • cve: Linux vulnerability

    • cms: web CMS vulnerability

    • emg: emergency vulnerability

    uuid

    The client ID.

    extend_content

    The extended information about the vulnerability.

    instance_id

    The instance ID.

    internet_ip

    The public IP address of the asset.

    intranet_ip

    The private IP address of the asset.

    start_time

    The start timestamp. Unit: seconds.

  • Baseline logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-hc-log.

    owner_id

    The Alibaba Cloud account ID.

    risk_level

    The risk level.

    operation

    The operation. Valid values:

    • Add

    • verify: The risk is verified.

    risk_name

    The name of the risk.

    status

    The status. For more information, see Status codes for security logs.

    sub_type_alias_name

    The alias of the subtype.

    sub_type_name

    The name of the subtype.

    type_name

    The type name. For more information, see List of baseline type-sub-type pairs.

    type_alias_name

    The alias of the type.

    uuid

    The client ID.

    check_item_name

    The name of the check item.

    check_item_level

    The level of the check item.

    check_type

    The type of the check item.

    instance_id

    The instance ID.

    start_time

    The start timestamp. Unit: seconds.

    Table 1. Baseline type-subtype pairs (each entry is type_name: sub_type_name)

    • system: baseline

    • weak_password: postsql_weak_password

    • database: redis_check

    • account: system_account_security

    • weak_password: mysq_weak_password

    • weak_password: ftp_anonymous

    • weak_password: rdp_weak_password

    • system: group_policy

    • system: register

    • weak_password: sqlserver_weak_password

    • weak_password: ssh_weak_password

    • weak_password: ftp_weak_password

    • cis: centos7

    • cis: tomcat7

    • cis: memcached-check

    • cis: mongodb-check

    • cis: ubuntu14

    • cis: win2008_r2

    • system: file_integrity_mon

    • cis: linux-httpd-2.2-cis

    • cis: linux-docker-1.6-cis

    • cis: SUSE11

    • cis: redhat6

    • cis: bind9.9

    • cis: centos6

    • cis: debain8

    • cis: redhat7

    • cis: SUSE12

    • cis: ubuntu16

    Table 2. Status codes for security logs (status code: description)

    • 1: Not fixed

    • 2: Fix failed

    • 3: Rollback failed

    • 4: Fixing

    • 5: Rolling back

    • 6: Verifying

    • 7: Fixed

    • 8: Fixed, pending restart

    • 9: Rolled back

    • 10: Ignored

    • 11: Rolled back, pending restart

    • 12: Does not exist

    • 20: Expired

  • Security alert logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-security-log.

    data_source

    The data source. For more information, see List of data_source values for security alerts.

    level

    The alert level.

    name

    The name.

    operation

    The operation information. Valid values:

    • Add New

    • Processing

    status

    The status. For more information, see Status codes for security logs.

    uuid

    The client ID.

    detail

    The alert details.

    unique_info

    The unique identifier of the alert.

    instance_id

    The instance ID.

    internet_ip

    The public IP address of the asset.

    intranet_ip

    The private IP address of the asset.

    start_time

    The start timestamp. Unit: seconds.

    Table 3. data_source values for security alerts (value: description)

    • aegis_suspicious_event: Host anomaly.

    • aegis_suspicious_file_v2: Webshell.

    • aegis_login_log: Anomalous logon.

    • security_event: Anomalous event in Security Center.

  • Cloud platform configuration check logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-cspm-log.

    check_id

    The ID of the check item. Call the ListCheckResult operation to obtain the ID.

    check_item_name

    The name of the check item.

    instance_id

    The instance ID.

    instance_name

    The instance name.

    instance_result

    The impact of the risk. The value is a JSON string.

    instance_sub_type

    The subtype of the instance. Valid values:

    • If the instance type is ECS, the valid values of the subtype are:

      • INSTANCE.

      • DISK.

      • SECURITY_GROUP.

    • If the instance type is ACR, the valid values of the subtype are:

      • REPOSITORY_ENTERPRISE.

      • REPOSITORY_PERSON.

    • If the instance type is RAM, the valid values of the subtype are:

      • ALIAS.

      • USER.

      • POLICY.

      • GROUP.

    • If the instance type is WAF, the valid value of the subtype is DOMAIN.

    • If the instance type is a different value, the valid value of the subtype is INSTANCE.

    instance_type

    The instance type. Valid values:

    • ECS: Elastic Compute Service.

    • SLB: Server Load Balancer.

    • RDS: RDS database.

    • MONGODB: MongoDB database.

    • KVSTORE: Redis database.

    • ACR: Container Registry.

    • CSK: Container Service for Kubernetes.

    • VPC: virtual private cloud.

    • ACTIONTRAIL: ActionTrail.

    • CDN: content delivery network.

    • CAS: Certificate Management Service.

    • RDC: Alibaba Cloud DevOps.

    • RAM: Resource Access Management.

    • DDoS: Anti-DDoS.

    • WAF: Web Application Firewall.

    • OSS: Object Storage Service.

    • PolarDB: PolarDB database.

    • POSTGRESQL: PostgreSQL database.

    • MSE: Microservices Engine.

    • NAS: file storage.

    • SDDP: Sensitive Data Discovery and Protection.

    • EIP: Elastic IP Address.

    region_id

    The ID of the region where the instance resides.

    requirement_id

    The ID of the requirement. Call the ListCheckStandard operation to obtain the ID.

    risk_level

    The risk level. Valid values:

    • LOW.

    • MEDIUM.

    • HIGH.

    section_id

    The ID of the section. Call the ListCheckResult operation to obtain the ID.

    standard_id

    The ID of the standard. Call the ListCheckStandard operation to obtain the ID.

    status

    The status of the check item. Valid values:

    • NOT_CHECK: The item is not checked.

    • CHECKING: The item is being checked.

    • PASS: The check is passed.

    • NOT_PASS: The check is not passed.

    • WHITELIST: The item is added to the whitelist.

    vendor

    The cloud provider. The value is fixed to ALIYUN.

    start_time

    The start timestamp. Unit: seconds.

  • Network protection logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-net-block.

    cmd

    The command line of the attacked process.

    cur_time

    The time when the attack event occurred.

    decode_payload

    The payload decoded from the hexadecimal payload field into characters.

    dst_ip

    The IP address of the attacked asset.

    dst_port

    The port of the attacked asset.

    func

    The type of the intercepted event. Valid values:

    • payload: indicates that the attack event is intercepted because malicious data or instructions are detected.

    • tuple: indicates that the attack event is intercepted because a malicious IP address is detected.

    rule_type

    The specific rule type of the intercepted event. Valid values:

    • alinet_payload: the payload-based protection rule specified by Security Center.

    • alinet_tuple: the tuple-based protection rule specified by Security Center.

    instance_id

    The ID of the attacked asset.

    internet_ip

    The public IP address of the attacked asset.

    intranet_ip

    The private IP address of the attacked asset.

    final_action

    The protection mode. The value is block (intercepted).

    payload

    The payload in hexadecimal format.

    pid

    The ID of the attacked process.

    platform

    The operating system of the attacked asset. Valid values:

    • win.

    • linux.

    proc_path

    The path of the attacked process.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    src_ip

    The source IP address from which the attack is initiated.

    src_port

    The source port from which the attack is initiated.

    uuid

    The UUID of the server.

    owner_id

    The Alibaba Cloud account ID.

    start_time

    The start timestamp. Unit: seconds.

  • Application protection logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to sas-rasp-log.

    app_dir

    The directory where the application resides.

    app_id

    The application ID.

    app_name

    The application name.

    confidence_level

    The confidence level of the detection algorithm. Valid values:

    • high.

    • medium.

    • low.

    request_body

    The request body.

    request_content_length

    The length of the request body.

    data

    The parameters of the hook point.

    headers

    The request header.

    hostname

    The name of the host or network device.

    host_ip

    The private IP address of the host.

    is_clipped

    Indicates whether the log is truncated because it is too long. Valid values:

    • true: The content is clipped.

    • false: The content is not clipped.

    jdk_version

    The JDK version.

    message

    The description of the alert.

    request_method

    The request method.

    platform

    The operating system type.

    arch

    The operating system architecture.

    kernel_version

    The kernel version of the operating system.

    param

    The request parameters. Common formats include the following:

    • GET parameters.

    • application/x-www-form-urlencoded.

    payload

    The attack payload.

    payload_length

    The length of the attack payload.

    rasp_id

    The unique ID of the application protection agent.

    rasp_version

    The version of the application protection agent.

    src_ip

    The IP address of the requester.

    final_action

    The handling result of the alert. Valid values:

    • block: The request is blocked.

    • Monitor: The request is only monitored.

    rule_action

    The handling method specified by the rule. Valid values:

    • block.

    • monitor.

    risk_level

    The risk level. Valid values:

    • high.

    • medium.

    • low.

    stacktrace

    The stack information.

    time

    The time when the alert was triggered.

    timestamp

    The timestamp when the alert was triggered. Unit: milliseconds.

    type

    The vulnerability type. Valid values:

    • attach: Malicious attach.

    • beans: Malicious beans binding.

    • classloader: Malicious class loading.

    • dangerous_protocol: Use of dangerous protocols.

    • dns: Malicious DNS query.

    • engine: Engine injection.

    • expression: Expression injection.

    • file: Malicious file read/write.

    • file_delete: Arbitrary file deletion.

    • file_list: Directory traversal.

    • file_read: Arbitrary file read.

    • file_upload: Malicious file upload.

    • jndi: JNDI injection.

    • jni: JNI injection.

    • jstl: JSTL arbitrary file inclusion.

    • memory_shell: In-memory webshell injection.

    • rce: Command execution.

    • read_object: Deserialization attack.

    • reflect: Malicious reflection call.

    • sql: SQL injection.

    • ssrf: Malicious outbound connection.

    • thread_inject: Thread injection.

    • xxe: XXE attack.

    url

    The request URL.

    rasp_attack_uuid

    The UUID of the vulnerability.

    uuid

    The UUID of the host.

    internet_ip

    The public IP address of the host.

    intranet_ip

    The private IP address of the host.

    sas_group_name

    The name of the server group in Security Center.

    instance_id

    The ID of the host instance.

    owner_id

    The Alibaba Cloud account ID.

    start_time

    The start timestamp. Unit: seconds.

  • File detection logs

    Field name

    Description

    __topic__

    The topic of the log. The value is fixed to sas-filedetect-log.

    bucket_name

    The name of the bucket.

    event_id

    The alert ID.

    event_name

    The alert name.

    md5

    The MD5 hash of the file.

    sha256

    The SHA-256 hash of the file.

    result

    The detection result.

    • 0: The file is secure.

    • 1: A malicious file is detected.

    file_path

    The file path.

    etag

    The ETag of the OSS object.

    risk_level

    The risk level.

    • Serious: An urgent issue.

    • Suspicious: A medium-level issue.

    • Reminder

    source

    The detection scenario.

    • OSS: Files in an Alibaba Cloud OSS bucket are scanned from the Security Center console.

    • API: Files are scanned for malware by using an SDK. A Java or Python SDK is available.

    parent_md5

    The MD5 hash of the parent file or compressed file.

    parent_sha256

    The SHA-256 hash of the parent file or compressed file.

    parent_file_path

    The name of the parent file or compressed file.

    owner_id

    The Alibaba Cloud account ID.

    start_time

    The timestamp when the detection started. Unit: seconds.

Host logs

  • Process startup logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-process.

    uuid

    The client ID.

    host_ip

    The IP address of the client host.

    cmdline

    The command line that the user ran to launch the process.

    username

    The username.

    uid

    The user ID.

    pid

    The process ID.

    proc_name

    The filename of the process.

    proc_path

    The full path of the process file.

    proc_start_time

    The startup time of the process.

    parent_proc_start_time

    The startup time of the parent process.

    groupname

    The user group.

    ppid

    The parent process ID.

    parent_proc_name

    The filename of the parent process.

    parent_proc_path

    The full path of the parent process file.

    cmd_chain

    The process chain.

    container_hostname

    The hostname of the container.

    container_pid

    The container PID.

    container_image_id

    The image ID.

    container_image_name

    The image name.

    container_name

    The container name.

    container_id

    The container ID.

    cwd

    The running directory of the process.

    owner_id

    The Alibaba Cloud account ID.

    start_time

    The start timestamp. Unit: seconds.

    cmd_chain_index

    The index of the process chain. Use the index to find the corresponding process chain.

    cmd_index

    The indexes of each parameter in the command line. Every two indexes form a group that identifies the start and end of a parameter.

    comm

    The command name associated with the process.

    gid

    The ID of the process group.

    instance_id

    The instance ID.

    parent_cmd_line

    The command line of the parent process.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    srv_cmd

    The command line of the ancestor process.

    tty

    The logon terminal. N/A indicates that the account has never logged on to a terminal.


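The cmdline and cmd_index fields above describe the command line and the start/end index pairs that delimit each of its parameters. The following Python is an added example, not code from the page or from Security Center: it slices the command line into its argument list with those pairs (so a quoted argument containing spaces stays one argument, which plain whitespace splitting gets wrong), validates the pairs against the string, and compares argv[0] with proc_path as a triage check. The sample record is constructed, and the cmd_index encoding (comma-separated offsets, end index exclusive) is an assumption, since the page does not give its exact format.

```python
"""Recover the argument list of a process startup log (topic aegis-log-process)."""
import os

# Constructed sample record (not a captured log). The cmd_index format is an
# assumption: a comma-separated list of character offsets into cmdline, where
# each (start, end) pair delimits one argument with end exclusive.
SAMPLE_RECORD = {
    "__topic__": "aegis-log-process",
    "proc_name": "tar",
    "proc_path": "/usr/bin/tar",
    "cmdline": '/usr/bin/tar -czf "/var/backups/etc backup.tgz" /etc',
    "cmd_index": "0,12,13,17,18,47,48,52",
    "pid": "4321",
    "ppid": "4300",
    "username": "root",
}


def parse_cmd_index(cmd_index):
    """Turn the cmd_index field into a list of (start, end) pairs."""
    parts = [p for p in str(cmd_index).replace(" ", "").split(",") if p]
    if len(parts) % 2:
        raise ValueError("cmd_index must hold an even number of indexes, got %d"
                         % len(parts))
    nums = [int(p) for p in parts]
    return list(zip(nums[0::2], nums[1::2]))


def split_cmdline(cmdline, cmd_index):
    """Slice cmdline into its arguments using the (start, end) pairs.

    Unlike str.split(), this keeps a quoted argument that contains spaces as one
    item. Pairs must be in order and inside the string; anything else means the
    record and its index disagree (for example because the log was truncated).
    """
    args = []
    prev_end = 0
    for start, end in parse_cmd_index(cmd_index):
        if not (prev_end <= start <= end <= len(cmdline)):
            raise ValueError("span (%d, %d) is out of order or outside a %d-char command line"
                             % (start, end, len(cmdline)))
        args.append(cmdline[start:end])
        prev_end = end
    return args


def unquote(arg):
    """Strip one layer of matching surrounding quotes from an argument."""
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in ("'", '"'):
        return arg[1:-1]
    return arg


def argv_of(record):
    """Argument list of the record with surrounding quotes removed."""
    return [unquote(a) for a in split_cmdline(record["cmdline"], record["cmd_index"])]


def argv0_matches_proc_path(record):
    """True when the program named in argv[0] is the executable that actually ran.

    A mismatch (argv[0] names one program, proc_path another) is worth a second
    look in triage; it is not proof of anything on its own, since some launchers
    legitimately rewrite argv[0].
    """
    argv = argv_of(record)
    if not argv:
        return False
    return os.path.basename(argv[0]) == os.path.basename(record["proc_path"])


if __name__ == "__main__":
    print(argv_of(SAMPLE_RECORD))
    print("argv[0] matches proc_path:", argv0_matches_proc_path(SAMPLE_RECORD))
```
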
  • Process snapshot logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-snapshot-process.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The IP address of the client host.

    cmdline

    The command line that the user ran to launch the process.

    pid

    The process ID.

    proc_name

    The filename of the process.

    proc_path

    The full path of the process file.

    md5

    The MD5 hash of the process file. MD5 hashes are not calculated for process files that are larger than 1 MB.

    parent_proc_name

    The filename of the parent process.

    proc_start_time

    The startup time of the process. This is a built-in field.

    user

    The username.

    uid

    The user ID.

    start_time

    The start timestamp. Unit: seconds.

    instance_id

    The instance ID.

    pname

    The filename of the parent process.

    sas_group_name

    The asset group in Security Center to which the server belongs.

  • Logon logs

    Repeated logons that occur within one minute are merged into a single log entry.

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-login.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The IP address of the client host.

    src_ip

    The source IP address of the logon.

    dst_port

    The logon port.

    login_type

    The logon type, such as SSHLOGIN, RDPLOGIN, and IPCLOGIN.

    username

    The logon username.

    login_count

    The number of logon attempts. For example, a value of 3 indicates that two other logon attempts were made within one minute before this logon.

    instance_id

    The instance ID.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    start_time

    The start timestamp. Unit: seconds.

  • Brute-force attack logs

    Field name

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-crack.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The IP address of the client host.

    src_ip

    The source IP address of the logon.

    dst_port

    The logon port.

    login_type

    The logon type, such as SSHLOGIN, RDPLOGIN, and IPCLOGIN.

    username

    The logon username.

    login_count

    The number of failed logon attempts.

    instance_id

    The instance ID.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    start_time

    The start timestamp. Unit: seconds.

  • Host network connection logs

    Changes in network connections on the host are collected every 10 seconds to 1 minute.

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-network.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The IP address of the client host.

    src_ip

    The source IP address.

    src_port

    The source port.

    dst_ip

    The destination IP address.

    dst_port

    The destination port.

    proc_name

    The process name.

    proc_path

    The process path.

    connection_type

    The connection protocol.

    status

    The connection status. For more information, see List of network connection status descriptions.

    net_connect_dir

    The direction of the network connection.

    parent_proc_name

    The executable filename of the parent process.

    cmd_chain

    The process chain.

    cmd_chain_index

    The index of the process chain. Use the index to find the corresponding process chain.

    container_hostname

    The server name in the container.

    container_id

    The container ID.

    container_image_id

    The image ID.

    container_image_name

    The image name.

    container_name

    The container name.

    container_pid

    The process ID in the container.

    instance_id

    The instance ID.

    pid

    The process ID.

    ppid

    The parent process ID.

    proc_start_time

    The startup time of the process.


    srv_comm

    The command name of the grandparent process (the parent of the parent process).

    type

    The type of the real-time network connection. Valid values:

    • connect: A TCP connection is initiated.

    • accept: A TCP connection is received.

    • listen: The port is listening.

    uid

    The ID of the user who runs the process.

    username

    The username of the user who runs the process.

    start_time

    The start timestamp. Unit: seconds.

    Table 4. Network connection status descriptions (status value: description)

    • 1: CLOSED

    • 2: LISTEN

    • 3: SYN_SENT

    • 4: SYN_RECV

    • 5: ESTABLISHED

    • 6: CLOSE_WAIT

    • 7: CLOSING

    • 8: FIN_WAIT_1

    • 9: FIN_WAIT_2

    • 10: TIME_WAIT

    • 11: DELETE_TCB

  • Listening port snapshots

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-snapshot-port.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The client IP address.

    connection_type

    The listener protocol.

    src_ip

    The listener IP address.

    src_port

    The listening port.

    pid

    The process ID.

    proc_name

    The process name.

    net_connect_dir

    The direction of the network connection.

    dst_ip

    The IP address of the recipient of the network connection.

    • If the direction (net_connect_dir) is out, this field is the peer host.

    • If the direction (net_connect_dir) is in, this field is the local host.

    dst_port

    The port of the recipient of the network connection.

    instance_id

    The instance ID.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    status

    The network connection status. Valid values:

    • 1: The connection is closed (CLOSED).

    • 2: The port is waiting for a connection request (LISTEN).

    • 3: A SYN request is sent (SYN_SENT).

    • 4: A SYN request is received (SYN_RECV).

    • 5: The connection is established (ESTABLISHED).

    • 6: The port is waiting to close the connection (CLOSE_WAIT).

    • 7: The connection is being closed (CLOSING).

    • 8: The port is waiting for the peer to send a close request (FIN_WAIT_1).

    • 9: The port is waiting for the peer to send a close request and an acknowledgement (FIN_WAIT_2).

    • 10: The port is waiting for a sufficient period of time to ensure that the peer receives the acknowledgement of the close request (TIME_WAIT).

    • 11: The transmission control block (TCB) is deleted (DELETE_TCB).

    start_time

    The start timestamp. Unit: seconds.

  • Account snapshots

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-snapshot-host.

    owner_id

    The Alibaba Cloud account ID.

    name

    The vulnerability name.

    alias_name

    The alias of the vulnerability.

    op

    The operation. Valid values:

    • Add

    • Verification

    • Bug fix

    status

    The connection status. For more information, see List of network connection status descriptions.

    tag

    The tag of the vulnerability, such as oval, system, and cms. The tag is used primarily to identify emergency (EMG) vulnerabilities.

    type

    The vulnerability type. Valid values include the following:

    • sys: Windows vulnerabilities

    • cve: Linux vulnerabilities

    • cms: Web CMS vulnerabilities

    • EMG: Urgent vulnerabilities

    uuid

    The client ID.

    username

    The logon username.

    host_ip

    The IP address of the server.

    account_expire

    The expiration time of the account. The value never indicates that the account never expires.

    domain

    The domain or directory service to which the account belongs. N/A indicates that the account does not belong to any domain.

    groups

    The group to which the account belongs. N/A indicates that the account does not belong to any group.

    home_dir

    The home directory. This is the default location for storing and managing files in the system.

    instance_id

    The instance ID.

    last_chg

    The date when the password was last changed.

    last_logon

    The date and time of the last logon. N/A indicates that the account has never been used to log on.

    login_ip

    The remote IP address that was used for the last logon. N/A indicates that the account has never been used to log on.

    passwd_expire

    The expiration date of the password. The value never indicates that the password never expires.

    perm

    Indicates whether the account has root permissions. Valid values:

    • 0: The account does not have root permissions.

    • 1: The account has root permissions.

    sas_group_name

    The asset group in Security Center to which the server belongs.

    shell

    The logon shell of the account on Linux.

    tty

    The logon terminal. N/A indicates that the account has never logged on to a terminal.

    warn_time

    The date when a password expiration reminder is sent. The value never indicates that a reminder is never sent.

    start_time

    The start timestamp. Unit: seconds.

  • DNS query logs

    Log field

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-dns-query.

    owner_id

    The Alibaba Cloud account ID.

    uuid

    The client ID.

    host_ip

    The IP address of the client machine.

    pid

    The ID of the process that initiated the DNS query.

    ppid

    The ID of the parent process of the process that initiated the DNS query.

    time

    The time when the DNS query was initiated.

    domain

    The domain name in the DNS query.

    proc_path

    The path of the process that initiated the DNS query.

    cmdline

    The command line of the process that initiated the DNS query.

    cmd_chain

    The process chain of the process that initiated the DNS query.

    sas_group_name

    The name of the group in Security Center.

    instance_id

    The instance ID.

    start_time

    The start timestamp. Unit: seconds.

  • Client event logs

    Field name

    Description

    __topic__

    The topic of the log. The value is fixed to aegis-log-client.

    uuid

    The UUID of the server.

    host_ip

    The IP address of the server.

    agent_version

    The version of the client.

    last_login

    The timestamp of the last logon. Unit: milliseconds.

    platform

    The operating system type. Valid values:

    • windows

    • linux

    region_id

    The ID of the region where the server resides.

    status

    The client status. Valid values:

    • online

    • offline

    owner_id

    The Alibaba Cloud account ID.

    start_time

    The start timestamp. Unit: seconds.