Security Center logs

Alibaba Cloud Simple Log Service and Security Center jointly launch the log analysis feature that allows you to collect, query, analyze, transform, and consume risk data in real time. You can use the log analysis feature to monitor and handle potential risks of servers and implement centralized management of cloud resources. This topic describes the assets, billing, and limits of the log analysis feature.

Limits

You can write only Security Center logs to the dedicated Logstore. You cannot modify the attributes of the Logstore, such as the log retention period.
Security Center logs must be retained for at least 180 days to comply with the Cybersecurity Law of the People's Republic of China. We recommend that you allocate a log storage capacity of 40 GB for each server.
Security Center Basic Edition does not support the log analysis feature. Security Center Ultimate Edition and Enterprise Edition support query for network logs, security logs, and host logs. Security Center Advanced Edition and Anti-virus Edition support query for security logs and host logs. For more information about the billing of these editions, see Billing overview.

Assets

Dedicated project and Logstore
After you enable the log analysis feature, Simple Log Service creates a project named sas-log-Alibaba Cloud account ID-Region ID and a dedicated Logstore named sas-log by default. The following table describes the regions.
Region of Security Center
Region of the Simple Log Service project
Region of Security Center
Region of the Simple Log Service project
China
China (Hangzhou)
Outside China
Singapore
Important
- Do not delete the project or Logstore that is related to Security Center logs. Otherwise, Security Center logs cannot be sent to Simple Log Service.
  If you accidentally delete the dedicated Logstore, you are prompted that the sas-log Logstore does not exist, and all log data in the Logstore is deleted. In this case, submit a ticket to restore the Logstore. If you re-enable the log analysis feature after the Logstore is restored, the lost logs cannot be restored.
- If you have enabled the pay-by-ingested-data billing mode, Simple Log Service creates a dedicated Logstore that uses the pay-by-ingested-data billing mode by default. If you want to switch the billing mode from pay-by-ingested-data to pay-by-feature, you can modify the configuration of the Logstore. For more information, see Modify the configurations of a Logstore.
Dedicated dashboards
Security Center logs are classified into three types. After you enable the log analysis feature of Security Center, Simple Log Service generates nine dashboards by default.
Important
We recommend that you do not make changes to the dedicated dashboards because the dashboards may be upgraded or updated at any time. You can create a custom dashboard to display query results. For more information, see Create a dashboard.

Supported log types

Security Center Enterprise Edition and Ultimate Edition support 16 subtypes of logs that belong to the host, security, and network log types. Security Center Anti-virus Edition and Advanced Edition support 12 subtypes of logs that belong to the host and security log types.

Network log types

Log type	__topic__	Description	Collection cycle

Log type	__topic__	Description	Collection cycle
Web access logs	sas-log-http	Logs of user requests to web servers and responses from the web servers, including the IP address of the user, request time, request method, request URL, HTTP status code, and response size. Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance.	In most cases, logs are collected 1 to 12 hours after the logs are generated.
Domain Name System (DNS) logs	sas-log-dns	Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value. You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs.
Internal DNS logs	local-dns	Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value. You can obtain the information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs.
Network session logs	sas-log-session	Logs of network connections and data transmission, including the details of network sessions. The details include the session start time, source IP address, destination IP address, protocol, and ports. Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance.

Host log types

Log type	__topic__	Description	Collection cycle

Log type	__topic__	Description	Collection cycle
Logon logs	aegis-log-login	Logs of user logons to servers, including the logon time, logon user, logon method, and logon IP address. Logon logs can help you monitor user activities, and identify and respond to abnormal behavior at the earliest opportunity. This helps ensure system security. Note Security Center does not collect the logs of logons to servers that run Windows Server 2008.	Logs are collected in real time.
Network connection logs	aegis-log-network	Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status. Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance. Note A server collects only some states of network connections from establishment to termination. Incoming traffic is not logged.	Logs are collected in real time.
Process startup logs	aegis-log-process	Logs of server process startups, including the startup time, startup command, and parameters. You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs.	Logs are collected in real time. When a process starts, the logs are immediately collected.
Brute-force attack logs	aegis-log-crack	Logs of brute-force attacks, including information about logon attempts, and attempts to crack systems, applications, or accounts. You can obtain the information about brute-force attacks on systems or applications, and identify unusual logon attempts, weak passwords, and credential leaks based on brute-force attack logs. You can also use brute-force attack logs to trace malicious users and collect evidence to assist the security team in incident response and investigation.	Logs are collected in real time.
Account snapshot logs	aegis-snapshot-host	Logs of accounts in systems or applications, including the basic information about accounts. The basic information includes the username, password policy, and logon history of an account. You can obtain the changes of accounts and identify potential risks at the earliest opportunity by comparing the account snapshot logs at different points in time. The risks include access from unauthorized accounts and abnormal account status.	If you configure an automatic collection task for asset fingerprints, asset fingerprints are automatically collected based on the specified frequency. For more information about how to configure an automatic collection task for asset fingerprints, see Use the asset fingerprints feature. If you do not configure an automatic collection task, fingerprints of each server are collected once a day at random time.
Network snapshot logs	aegis-snapshot-port	Logs of network connections, including the 5-tuples of connections, connection status, and associated processes. You can obtain the information about network sockets in the system, identify abnormal connections and potential network attacks, and optimize network performance based on network snapshot logs.
Process snapshot logs	aegis-snapshot-process	Logs of processes in the system, including the process ID, process name, and process start time. You can obtain the information about processes in the system and resource usage of the processes, and identify issues such as abnormal processes, excessive CPU utilization, and memory leaks based on process snapshot logs.
DNS request logs	aegis-log-dns-query	Logs of DNS requests sent by servers, including the requested domain name, query type, and query source. You can obtain the information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs.	Logs are collected in real time.
Agent event logs	aegis-log-client	Logs of online and offline events of the Security Center agent.	Logs are collected in real time.

Security log types

Log type	__topic__	Description	Collection cycle

Log type	__topic__	Description	Collection cycle
Vulnerability logs	sas-vul-log	Logs of vulnerabilities that are detected in the systems or applications, including the vulnerability name, vulnerability status, and handling action. You can obtain the information about the vulnerabilities, security risks, and attack trends in the system, and take proper measures at the earliest opportunity based on vulnerability logs.	Logs are collected in real time.
Baseline logs	sas-hc-log	Logs of baseline check results, including the baseline severity, baseline type, and risk level. You can obtain the baseline security status and potential risks in the system based on baseline logs. Note The logs record only the data of check items that fail the check the first time and the data of the check items that have passed the previous checks but failed a new check.
Alert logs	sas-security-log	Logs of security events and alerts generated in the system and applications, including the alert data source, alert detail, and alert level. You can obtain the security events and threats in the system and take proper measures at the earliest opportunity based on alert logs.
CSPM logs	sas-cspm-log	Logs related to CSPM, including the check results of CSPM and the operations that add risk items to the whitelist. You can obtain the information about the errors and potential risks in the configurations of cloud services based on CSPM logs.
Network defense logs	sas-net-block	Logs of network attack events, including key information such as the attack type, source IP address, and destination IP address. You can obtain network security events and implement proper response and defense measures to improve network security and reliability based on network defense logs.
Application protection logs	sas-rasp-log	Logs of attacks on applications, including key information such as the attack type, attack pattern, and attacker IP address. You can obtain the information about the security events that occur in applications and implement proper response and defense measures to improve application security and reliability based on application protection logs.
Malicious file detection logs	sas-filedetect-log	Logs of malicious file detection, including the file information, detection scenario, and detection result. You can identify common viruses such as ransomware and mining programs in offline files and Object Storage Service (OSS) objects, and handle the viruses at the earliest opportunity to prevent the spread and execution of malicious files based on the logs.

Billing

If the pay-by-feature billing mode is used for the dedicated Logstore, you are not charged for the read and write traffic, index traffic, storage, number of shards, or number of read and write operations in the dedicated Logstore. You are charged for Internet traffic, data transformation, and data shipping. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-feature.
If the dedicated Logstore uses the pay-by-ingested-data billing mode, you are not charged for the read and write traffic, index traffic, storage, number of shards, number of read and write operations, data transformation, or data shipping in the dedicated Logstore. You are charged only for read traffic over the Internet. The fees are included in the bills of Simple Log Service. For more information, see Billable items of pay-by-ingested-data.
The fees that are generated for the log analysis feature are included in the bills of Security Center. For more information, see Billing overview.

References

For more information about how to enable the log analysis feature of Security Center, see Enable the log analysis feature.
For more information about fields in Security Center logs, see Log fields.

Limits

Assets

Supported log types

Network log types

Host log types

Security log types

Billing

References

Sales Support

Technical Support

Connect & Report Abuse

Region of Security Center	Region of the Simple Log Service project
China	China (Hangzhou)
Outside China	Singapore

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)