This topic describes the fields of the 14 subtypes of Security Center logs.

Network logs

  • DNS logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-log-dns.
    additional The fields in the additional section. Multiple values are separated by vertical bars (|).
    additional_num The number of fields in the additional section.
    answer The DNS responses. Multiple values are separated by vertical bars (|).
    answer_num The number of DNS responses.
    authority The fields in the authority section. Multiple values are separated by vertical bars (|).
    authority_num The number of fields in the authority section.
    client_subnet The subnet where a client resides.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    in_out The direction of data flows. Valid values:
    • in: inbound
    • out: outbound
    qid The ID of a query.
    qname The domain name that is queried.
    qtype The type of a resource that is queried.
    query_datetime The timestamp of a query. Unit: milliseconds.
    rcode The code of a response.
    region The ID of a source region. Valid values:
    • 1: China (Beijing)
    • 2: China (Qingdao)
    • 3: China (Hangzhou)
    • 4: China (Shanghai)
    • 5: China (Shenzhen)
    • 6: Others
    response_datetime The time when a response is returned, for example, 2018-09-25 09:59:16.
    src_ip The IP address of a source server.
    src_port The source port.
  • Local DNS logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: local-dns.
    answer_rda The DNS responses. Multiple values are separated by vertical bars (|).
    answer_ttl The time-to-live (TTL) of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    answer_type The types of resource records in DNS responses. Multiple values are separated by vertical bars (|).
    anwser_name The domain names in DNS responses. Multiple values are separated by vertical bars (|).
    dest_ip The IP address of a destination server.
    dest_port The destination port.
    group_id The ID of the group to which a host belongs.
    hostname The hostname.
    id The IP address of a host.
    instance_id The ID of an instance.
    internet_ip The public IP address of a host.
    ip_ttl The TTL of the data packets that are sent by a host.
    query_name The domain name that is queried.
    query_type The type of a resource that is queried.
    src_ip The IP address of a source server.
    src_port The source port.
    time The timestamp of a query. Unit: seconds.
    time_usecond The response time. Unit: microseconds.
    tunnel_id The ID of a DNS tunnel.
  • Network session logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-log-session.
    asset_type The type of an associated Alibaba Cloud service, for example, ECS.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    proto The type of a transport layer protocol, for example, TCP or UDP.
    session_time The session time, for example, 2018-09-25 09:59:49.
    src_ip The IP address of a source server.
    src_port The source port.
  • Web access logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-log-http.
    content_length The content length of an HTTP request message.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    host The hostname of a web server.
    jump_location The IP address of an HTTP redirect.
    method The HTTP request method, for example, GET.
    referer The Referer HTTP header. This field includes the address of the web page that sends a request.
    request_datetime The time when a request is sent.
    ret_code The HTTP status code.
    rqs_content_type The content type of an HTTP request message.
    rsp_content_type The content type of an HTTP response message.
    src_ip The IP address of a source server.
    src_port The source port.
    uri The URI of a request.
    user_agent The user agent of a client that sends a request.
    x_forward_for The X-Forwarded-For (XFF) HTTP header.
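The `answer` field of the DNS logs and the `answer_rda`, `answer_ttl`, `answer_type` and `anwser_name` fields of the local DNS logs above are pipe-separated lists; the four local-dns lists are parallel and only make sense when read position by position. The following Python is an added example, not code from the Security Center documentation: it assumes each log entry is delivered as a dict keyed by the field names listed above, and the entries at the bottom are constructed samples using documentation addresses and names.

```python
"""Parse the '|'-separated multi-value fields of Security Center DNS logs.

Added example, not code from the Security Center documentation. Assumes each
log entry is a dict keyed by the field names of the sas-log-dns and local-dns
topics; the sample entries at the bottom are constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set


def split_multi(value: str) -> List[str]:
    """Split a '|'-separated field. An empty field yields [] rather than ['']."""
    if not value:
        return []
    return value.split("|")


def parse_sas_dns_answers(entry: Dict[str, str]) -> List[str]:
    """Return the answers of a sas-log-dns entry after checking answer_num agrees.

    A mismatch means the entry was truncated or an answer contained '|', so it
    is reported instead of being silently mis-parsed.
    """
    answers = split_multi(entry.get("answer", ""))
    declared = int(entry.get("answer_num", len(answers)))
    if declared != len(answers):
        raise ValueError(
            f"qid={entry.get('qid')}: answer_num={declared} but {len(answers)} answers"
        )
    return answers


def parse_local_dns_answers(entry: Dict[str, str]) -> List[Dict[str, object]]:
    """Zip the parallel answer fields of a local-dns entry into one record per RR.

    The schema spells the owner-name field 'anwser_name'; it is read as-is.
    """
    names = split_multi(entry.get("anwser_name", ""))
    types = split_multi(entry.get("answer_type", ""))
    ttls = split_multi(entry.get("answer_ttl", ""))
    rdata = split_multi(entry.get("answer_rda", ""))
    if not len(names) == len(types) == len(ttls) == len(rdata):
        raise ValueError(
            f"query_name={entry.get('query_name')}: parallel answer fields differ in length"
        )
    return [
        {"name": n, "type": t, "ttl": int(ttl), "rdata": r}
        for n, t, ttl, r in zip(names, types, ttls, rdata)
    ]


def addresses_by_name(entries: Iterable[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Collect the A/AAAA addresses each owner name resolved to across local-dns
    entries: the view needed to notice a name that starts resolving to new
    infrastructure."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for entry in entries:
        if entry.get("__topic__") != "local-dns":
            continue
        for rr in parse_local_dns_answers(entry):
            if rr["type"] in ("A", "AAAA"):
                seen[str(rr["name"])].add(str(rr["rdata"]))
    return dict(seen)


# Constructed sample entries (documentation addresses and names).
SAS_DNS_ENTRY = {
    "__topic__": "sas-log-dns", "qid": "4711", "qname": "www.example.com", "qtype": "A",
    "answer": "192.0.2.10|2001:db8::1", "answer_num": "2",
}
LOCAL_DNS_ENTRY = {
    "__topic__": "local-dns", "query_name": "www.example.com", "query_type": "A",
    "anwser_name": "www.example.com|cdn.example.net",
    "answer_type": "CNAME|A", "answer_ttl": "300|60",
    "answer_rda": "cdn.example.net|192.0.2.10",
}
# Constructed: answer_num claims two answers but only one survived.
TRUNCATED_ENTRY = {"__topic__": "sas-log-dns", "qid": "4712",
                   "answer": "192.0.2.10", "answer_num": "2"}

if __name__ == "__main__":
    print(parse_sas_dns_answers(SAS_DNS_ENTRY))
    print(parse_local_dns_answers(LOCAL_DNS_ENTRY))
    print(addresses_by_name([LOCAL_DNS_ENTRY]))
```

The length checks matter because the multi-value fields carry no escaping: a count that disagrees with the split is the only signal that an entry was cut off or that a value contained the separator.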

Security logs

  • Vulnerability logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-vul-log.
    name The name of a vulnerability.
    alias_name The alias of a vulnerability.
    op The action that is performed on a vulnerability. Valid values:
    • new: detects a new vulnerability.
    • verify: verifies a vulnerability.
    • fix: fixes a vulnerability.
    status The status of a vulnerability. For more information, see Table 2.
    tag The tag of a vulnerability, for example, oval, system, or cms.
    type The type of a vulnerability. Valid values:
    • sys: Windows vulnerability
    • cve: Linux vulnerability
    • cms: Web CMS vulnerability
    • EMG: emergency vulnerability
    uuid The universally unique identifier (UUID) of a client.
  • Baseline logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-hc-log.
    level The level of a baseline. Valid values: low, medium, and high.
    op The action that is performed on a baseline. Valid values:
    • new: detects a new baseline.
    • verify: verifies a baseline.
    • fix: fixes a baseline.
    risk_name The name of a baseline risk.
    status The status of a baseline. For more information, see Table 2.
    sub_type_alias The subtype alias of a baseline.
    sub_type_name The subtype of a baseline.
    type_name The type of a baseline.
    type_alias The type alias of a baseline.
    uuid The UUID of a client.
    Table 1. Types and subtypes of baselines
    type_name sub_type_name
    system baseline
    weak_password postsql_weak_password
    database redis_check
    account system_account_security
    account system_account_security
    weak_password mysq_weak_password
    weak_password ftp_anonymous
    weak_password rdp_weak_password
    system group_policy
    system register
    account system_account_security
    weak_password sqlserver_weak_password
    system register
    weak_password ssh_weak_password
    weak_password ftp_weak_password
    cis centos7
    cis tomcat7
    cis memcached-check
    cis mongodb-check
    cis ubuntu14
    cis win2008_r2
    system file_integrity_mon
    cis linux-httpd-2.2-cis
    cis linux-docker-1.6-cis
    cis SUSE11
    cis redhat6
    cis bind9.9
    cis centos6
    cis debain8
    cis redhat7
    cis SUSE12
    cis ubuntu16
    Table 2. Status codes of security logs
    Status code Description
    1 Unfixed.
    2 Fix failed.
    3 Rollback failed.
    4 Fixing.
    5 Rolling back.
    6 Verifying.
    7 Fixed.
    8 Fixed. Waiting for a restart.
    9 Rollback succeeded.
    10 Ignored.
    11 Rollback succeeded. Waiting for a restart.
    12 No longer exists.
    20 Expired.
  • Security alert logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: sas-security-log.
    data_source The data source. Valid values:
    • aegis_suspicious_event: server exceptions
    • aegis_suspicious_file_v2: Webshell
    • aegis_login_log: suspicious logons
    • security_event: Security Center exceptions
    level The severity level of an alert, for example, suspicious, serious, or remind.
    name The name of an alert.
    op The action that is performed on an alert. Valid values:
    • new: An alert is triggered.
    • dealing: An alert is being processed.
    status The status of an alert. For more information, see Table 2.
    uuid The UUID of a client.

Host logs

  • Process startup logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-log-process.
    uuid The UUID of a client.
    ip The IP address of a client.
    cmdline The full command line that starts a process.
    username The username.
    uid The ID of a user.
    pid The ID of a process.
    filename The name of a process file.
    filepath The full path of a process file.
    groupname The name of a user group.
    ppid The ID of a parent process.
    pfilename The name of a parent process file.
    pfilepath The full path of a parent process file.
    containerhostname The hostname of a container.
    containerpid The process ID of a container.
    containerimageid The ID of an image.
    containerimagename The name of an image.
    containername The name of a container.
    containerid The ID of a container.
    cwd The current working directory (CWD) of a running process.
  • Process snapshot logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-process.
    uuid The UUID of a client.
    ip The IP address of a client.
    cmdline The full command line that starts a process.
    pid The ID of a process.
    name The name of a process file.
    path The full path of a process file.
    md5 The MD5 hash of a process file. If the process file exceeds 1 MB, the MD5 hash is not calculated.
    pname The name of a parent process file.
    start_time The time when a process starts.
    user The username.
    uid The ID of a user.
  • Logon logs
    Note The logon attempts within 1 minute are recorded in one log entry. The warn_count field indicates the number of logon attempts.
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-log-login.
    uuid The UUID of a client.
    ip The IP address of a client.
    warn_ip The IP address of a source server.
    warn_port The logon port.
    warn_type The type of a logon. Valid values:
    • SSHLOGIN: Secure Shell (SSH) logon
    • RDPLOGIN: remote desktop logon
    • IPCLOGIN: IPC logon
    warn_user The logon username.
    warn_count The number of logon attempts. For example, the value 3 indicates that two other logon requests were sent within 1 minute before the current logon.
  • Brute-force cracking logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-log-crack.
    uuid The UUID of a client.
    ip The IP address of a client.
    warn_ip The IP address of a source server.
    warn_port The logon port.
    warn_type The type of a logon. Valid values:
    • SSHLOGIN: SSH logon
    • RDPLOGIN: remote desktop logon
    • IPCLOGIN: IPC logon
    warn_user The logon username.
    warn_count The number of failed logon attempts.
  • Network connection logs
    Note Changes in network connections are collected from the host every 10 seconds to 1 minute. Only network connections in certain states are logged.
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-log-network.
    uuid The UUID of a client.
    ip The IP address of a client.
    src_ip The IP address of a source server.
    src_port The source port.
    dst_ip The IP address of a destination server.
    dst_port The destination port.
    proc_name The name of a process.
    proc_path The path of a process file.
    proto The protocol that is used to establish a network connection, for example, UDP or raw (raw socket).
    status The connection status. For more information, see Table 3.
    Table 3. Status codes of network connections
    Status code Description
    1 closed
    2 listen
    3 syn send
    4 syn recv
    5 established
    6 close wait
    7 closing
    8 fin_wait1
    9 fin_wait2
    10 time_wait
    11 delete_tcb
  • Port snapshot logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-port.
    uuid The UUID of a client.
    ip The IP address of a client.
    proto The protocol that is used to establish a network connection, for example, TCP, UDP or raw (raw socket).
    src_ip The IP address that is listened on.
    src_port The port that is listened on.
    pid The ID of a process.
    proc_name The name of a process.
  • Account snapshot logs
    Log field Description
    __time__ The log time.
    __topic__ The topic of a log entry. Valid value: aegis-snapshot-host.
    uuid The UUID of a client.
    ip The IP address of a client.
    user The username of an account.
    perm Indicates whether a user has root permissions. Valid values:
    • 0: The user does not have root permissions.
    • 1: The user has root permissions.
    home_dir The home directory of a user.
    groups The group to which a user belongs.
    last_chg The date when a password is last modified.
    shell The shell commands.
    domain The Windows domain.
    tty The logon terminal.
    warn_time The notification date for password expiration.
    account_expire The date when an account expires.
    passwd_expire The date when a password expires.
    login_ip The IP address of the last remote logon client.
    last_logon The date and time of the last logon.
    status The status of a user. Valid values:
    • 0: disabled
    • 1: normal
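The process startup logs above record both the process (`filename`, `cmdline`) and its parent (`ppid`, `pfilename`), which is what a detection needs to spot a server process that suddenly launches a shell. The following Python is an added example, not code from the Security Center documentation: it assumes `aegis-log-process` entries arrive as dicts keyed by the field names listed above, the sets of server parents and shell names are assumptions to tune per workload, and the entries at the bottom are constructed.

```python
"""Find shells spawned by server processes in aegis-log-process entries.

Added example, not code from the Security Center documentation. SERVER_PARENTS
and SHELLS are assumptions for the example; the sample entries are constructed.
"""
from typing import Dict, Iterable, List, Optional

SERVER_PARENTS = {"java", "httpd", "nginx", "php-fpm", "tomcat", "w3wp.exe"}  # assumed
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}          # assumed

Entry = Dict[str, str]
REPORT_FIELDS = ("uuid", "ip", "pid", "ppid", "pfilename", "filename",
                 "cmdline", "username", "containername")


def is_server_spawned_shell(entry: Entry) -> bool:
    """True when a shell's parent (pfilename) is a server process that has no
    business launching shells."""
    return entry.get("filename") in SHELLS and entry.get("pfilename") in SERVER_PARENTS


def find_server_spawned_shells(entries: Iterable[Entry]) -> List[Dict[str, str]]:
    """Return a trimmed record for every process-start entry that matches."""
    return [
        {field: entry.get(field, "") for field in REPORT_FIELDS}
        for entry in entries
        if entry.get("__topic__") == "aegis-log-process" and is_server_spawned_shell(entry)
    ]


def process_chain(entries: Iterable[Entry], uuid: str, pid: str) -> List[str]:
    """Follow ppid links inside one client's start entries and return the
    file names root-first. PIDs are reused, so the latest start entry for a
    pid wins (entries are assumed to be in time order); a ppid that never
    appears in the entries ends the walk."""
    latest: Dict[str, Entry] = {}
    for entry in entries:
        if entry.get("__topic__") == "aegis-log-process" and entry.get("uuid") == uuid:
            latest[entry["pid"]] = entry
    chain: List[str] = []
    visited = set()
    current: Optional[str] = pid
    while current in latest and current not in visited:
        visited.add(current)
        chain.append(latest[current]["filename"])
        current = latest[current]["ppid"]
    chain.reverse()
    return chain


def _proc(pid: str, ppid: str, filename: str, pfilename: str,
          cmdline: str, username: str) -> Entry:
    """Build a constructed aegis-log-process entry for one host."""
    return {"__topic__": "aegis-log-process", "uuid": "uuid-host-a", "ip": "10.0.0.5",
            "pid": pid, "ppid": ppid, "filename": filename, "filepath": "/usr/bin/" + filename,
            "pfilename": pfilename, "cmdline": cmdline, "username": username,
            "containername": ""}


# Constructed sample: an application server spawning a shell, plus routine activity.
SAMPLE_ENTRIES = [
    _proc("1200", "1", "java", "systemd", "java -jar /opt/app/app.jar", "app"),
    _proc("900", "880", "bash", "sshd", "-bash", "admin"),          # interactive admin session
    _proc("1350", "1200", "sh", "java", "sh -c id", "app"),          # shell under the app server
    _proc("1351", "1350", "id", "sh", "id", "app"),
]

if __name__ == "__main__":
    for finding in find_server_spawned_shells(SAMPLE_ENTRIES):
        print(finding)
    print(process_chain(SAMPLE_ENTRIES, "uuid-host-a", "1351"))
```

Keying the chain on `uuid` as well as `pid` is deliberate: `pid` values are only unique per host, and the snapshot logs for two clients routinely contain the same numbers.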
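The logon logs and brute-force cracking logs above share the same `uuid`, `warn_ip`, `warn_user` and `warn_type` fields, and the note on logon logs explains that `warn_count` aggregates attempts within one minute. That shared key lets a defender join the two topics and flag a successful logon that follows a burst of failures from the same source. The following Python is an added example, not code from the Security Center documentation: it assumes both topics arrive as dicts keyed by the field names listed above with an epoch-second `__time__`; the threshold, the window and the sample entries are constructed for the example.

```python
"""Correlate aegis-log-crack entries with a later aegis-log-login entry.

Added example, not code from the Security Center documentation. FAILED_THRESHOLD,
WINDOW_SECONDS and the sample entries are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FAILED_THRESHOLD = 10   # assumed: failed attempts that count as a brute-force burst
WINDOW_SECONDS = 600    # assumed: a logon within 10 minutes of the burst is suspicious

Entry = Dict[str, str]
Key = Tuple[str, str, str]   # (uuid, warn_ip, warn_user): same host, source and account


def _key(entry: Entry) -> Key:
    return (entry["uuid"], entry["warn_ip"], entry["warn_user"])


def find_logon_after_bruteforce(entries: Iterable[Entry]) -> List[Dict[str, object]]:
    """Return one finding per successful logon preceded, within WINDOW_SECONDS,
    by at least FAILED_THRESHOLD failed attempts from the same source against
    the same account on the same host.

    aegis-log-crack entries carry failed attempts (warn_count = failures);
    aegis-log-login entries carry logons that went through (warn_count =
    attempts in the minute before). Both use the same key, so they join.
    """
    failures: Dict[Key, List[Tuple[int, int]]] = defaultdict(list)
    logons: Dict[Key, List[Entry]] = defaultdict(list)
    for entry in entries:
        topic = entry.get("__topic__")
        if topic == "aegis-log-crack":
            failures[_key(entry)].append((int(entry["__time__"]), int(entry["warn_count"])))
        elif topic == "aegis-log-login":
            logons[_key(entry)].append(entry)

    findings: List[Dict[str, object]] = []
    for key, logon_entries in logons.items():
        for logon in logon_entries:
            t_ok = int(logon["__time__"])
            failed = sum(
                count for t_fail, count in failures.get(key, [])
                if 0 <= t_ok - t_fail <= WINDOW_SECONDS
            )
            if failed >= FAILED_THRESHOLD:
                findings.append({
                    "uuid": logon["uuid"], "ip": logon["ip"],
                    "warn_ip": logon["warn_ip"], "warn_user": logon["warn_user"],
                    "warn_type": logon["warn_type"], "logon_time": t_ok,
                    "failed_before": failed,
                })
    return findings


def _entry(time: int, topic: str, uuid: str, warn_ip: str, user: str, count: int) -> Entry:
    """Build a constructed logon or cracking entry for an SSH port."""
    return {"__time__": str(time), "__topic__": topic, "uuid": uuid, "ip": "10.0.0.5",
            "warn_ip": warn_ip, "warn_port": "22", "warn_type": "SSHLOGIN",
            "warn_user": user, "warn_count": str(count)}


# Constructed sample: a burst of failures followed by a success on host a,
# a routine admin logon, and a burst on host b whose success lands hours later.
SAMPLE_ENTRIES = [
    _entry(1700000000, "aegis-log-crack", "uuid-host-a", "198.51.100.7", "root", 8),
    _entry(1700000060, "aegis-log-crack", "uuid-host-a", "198.51.100.7", "root", 6),
    _entry(1700000150, "aegis-log-login", "uuid-host-a", "198.51.100.7", "root", 1),
    _entry(1700000200, "aegis-log-login", "uuid-host-a", "10.0.0.9", "admin", 2),
    _entry(1700000300, "aegis-log-crack", "uuid-host-b", "198.51.100.7", "root", 30),
    _entry(1700009000, "aegis-log-login", "uuid-host-b", "198.51.100.7", "root", 1),
]

if __name__ == "__main__":
    for finding in find_logon_after_bruteforce(SAMPLE_ENTRIES):
        print(finding)
```

The window is measured from each cracking entry to the logon, so a burst that ends long before the success (host b in the sample) does not match; lower `FAILED_THRESHOLD` or widen `WINDOW_SECONDS` if slow, spread-out guessing is a concern in the environment.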