Dear Alibaba Cloud users,
Starting August 1, 2024, Alibaba Cloud Security Center upgrades its V1.0 log dictionaries to V2.0 to provide a consistent data analysis experience across Alibaba Cloud security services. A log dictionary defines the structure, meaning, and naming standard of the fields that the log analysis feature collects and stores. With V2.0 log dictionaries, the same field names are used by multiple Alibaba Cloud security services such as Security Center and Cloud Firewall, so you can query and correlate data across these services without mapping field names by hand. This makes log queries more efficient.
Differences between V1.0 and V2.0 log dictionaries
Before August 1, 2024, the log analysis feature of Security Center collects log data by using V1.0 log dictionaries. For more information, see Log types and log fields of the V1.0 log dictionaries.
On August 1, 2024, Security Center releases V2.0 log dictionaries, upgraded from V1.0, to collect log data. V2.0 adds log fields and renames specific existing fields; the meanings of renamed fields are unchanged. V2.0 log dictionaries also let you collect more log data across multiple Alibaba Cloud security services. For the fields and descriptions supported by V2.0 log dictionaries, see Log types and log fields of V2.0 log dictionaries.
The following are the differences between the V1.0 and V2.0 log dictionaries. Fields not listed below are the same in both versions.
Network logs
Differences between V1.0 and V2.0 log dictionaries
| Log type | Change type | Field name V1.0 | Field name V2.0 |
| --- | --- | --- | --- |
| Web Access Log | Field name change | content_length | response_content_length |
| Web Access Log | Field name change | method | request_method |
| Web Access Log | Field name change | referer | http_referer |
| Web Access Log | Field name change | ret_code | status |
| Web Access Log | Field name change | rqs_content_type | content_type |
| Web Access Log | Field name change | rsp_content_type | response_content_type |
| Web Access Log | Field name change | uri | request_uri |
| Web Access Log | Field name change | user_agent | http_user_agent |
| Web Access Log | Field name change | x_forward_for | http_x_forward_for |
| DNS Log | Field name change | in_out | net_connect_dir |
| DNS Log | Field name change | qname | query_name |
| DNS Log | Field name change | qtype | query_type |
| Network Session Log | Field name change | in_out | net_connect_dir |
| Network Session Log | Field name change | proto | l4_proto |
| Local DNS Log | Field name change | dest_ip | dst_ip |
| Local DNS Log | Field name change | dest_port | dst_port |
| Local DNS Log | Field name change | hostname | host |
| Local DNS Log | Field name change | time | start_time |
Host logs
Differences between V1.0 and V2.0 log dictionaries
| Log type | Change type | Field name V1.0 | Field name V2.0 |
| --- | --- | --- | --- |
| Logon Log | Field name change | ip | host_ip |
| Logon Log | Field name change | warn_ip | src_ip |
| Logon Log | Field name change | warn_port | dst_port |
| Logon Log | Field name change | warn_type | login_type |
| Logon Log | Field name change | warn_user | username |
| Logon Log | Field name change | warn_count | login_count |
| Logon Log | New field | None | start_time |
| Network Connection Log | Field name change | dir | net_connect_dir |
| Network Connection Log | Field name change | ip | host_ip |
| Network Connection Log | Field name change | parent_proc_file_name | parent_proc_name |
| Network Connection Log | Field name change | proc_stime | proc_start_time |
| Network Connection Log | Field name change | proto | connection_type |
| Network Connection Log | New field | None | start_time |
| Process Startup Log | Field name change | containerhostname | container_hostname |
| Process Startup Log | Field name change | containerid | container_id |
| Process Startup Log | Field name change | containerimageid | container_image_id |
| Process Startup Log | Field name change | containerimagename | container_image_name |
| Process Startup Log | Field name change | containername | container_name |
| Process Startup Log | Field name change | containerpid | container_pid |
| Process Startup Log | Field name change | filename | proc_name |
| Process Startup Log | Field name change | filepath | proc_path |
| Process Startup Log | Field name change | ip | host_ip |
| Process Startup Log | Field name change | pfilename | parent_proc_name |
| Process Startup Log | Field name change | pfilepath | parent_proc_path |
| Process Startup Log | Field name change | stime | proc_start_time |
| Process Startup Log | Field name change | pstime | parent_proc_start_time |
| Process Startup Log | New field | None | start_time |
| Brute-force Attack Log | Field name change | ip | host_ip |
| Brute-force Attack Log | Field name change | warn_count | login_count |
| Brute-force Attack Log | Field name change | warn_ip | src_ip |
| Brute-force Attack Log | Field name change | warn_type | login_type |
| Brute-force Attack Log | Field name change | warn_port | dst_port |
| Brute-force Attack Log | Field name change | warn_user | username |
| Brute-force Attack Log | New field | None | start_time |
| Account Snapshot Log | Field name change | ip | host_ip |
| Account Snapshot Log | Field name change | user | username |
| Account Snapshot Log | New field | None | start_time |
| Network Snapshot Log | Field name change | dir | net_connect_dir |
| Network Snapshot Log | Field name change | ip | host_ip |
| Network Snapshot Log | Field name change | proto | connection_type |
| Network Snapshot Log | New field | None | start_time |
| Process Snapshot Log | Field name change | ip | host_ip |
| Process Snapshot Log | Field name change | name | proc_name |
| Process Snapshot Log | Field name change | path | proc_path |
| Process Snapshot Log | Field name change | start_time | proc_start_time |
| Process Snapshot Log | New field | None | start_time |
| DNS Query Log | Field name change | ip | host_ip |
| DNS Query Log | Field name change | proc_cmdline | cmdline |
| DNS Query Log | Field name change | proc_cmd_chain | cmd_chain |
| DNS Query Log | New field | None | start_time |
| Client Event Log | Field name change | client_ip | host_ip |
| Client Event Log | New field | None | start_time |
Note that for Process Snapshot Log the field name start_time exists in both versions with different meanings: the V1.0 start_time (the process start time) becomes proc_start_time in V2.0, and V2.0 reuses the name start_time for the newly added field. A query, alert rule, or shipping mapping for this log type that references start_time therefore must be updated explicitly rather than left as-is.
Security logs
Differences between V1.0 and V2.0 log dictionaries
| Log type | Change type | Field name V1.0 | Field name V2.0 |
| --- | --- | --- | --- |
| Vulnerability Log | Field name change | alias_name | vul_alias_name |
| Vulnerability Log | Field name change | necessity | risk_level |
| Vulnerability Log | Field name change | machine_name | instance_name |
| Vulnerability Log | Field name change | name | vul_name |
| Vulnerability Log | Field name change | op | operation |
| Vulnerability Log | New field | None | start_time |
| Baseline Log | Field name change | check_item | check_item_name |
| Baseline Log | Field name change | check_level | check_item_level |
| Baseline Log | Field name change | level | risk_level |
| Baseline Log | Field name change | op | operation |
| Baseline Log | Field name change | sub_type_alias | sub_type_alias_name |
| Baseline Log | Field name change | type_alias | type_alias_name |
| Baseline Log | New field | None | start_time |
| Alert Log | Field name change | op | operation |
| Alert Log | New field | None | start_time |
| Configuration Assessment Log | Field name change | check_show_name | check_item_name |
| Configuration Assessment Log | New field | None | start_time |
| Network Defense Log | Field name change | dest_ip | dst_ip |
| Network Defense Log | Field name change | dest_port | dst_port |
| Network Defense Log | Field name change | model | final_action |
| Network Defense Log | New field | None | start_time |
| Application Protection Log | Field name change | confidence | confidence_level |
| Application Protection Log | Field name change | content | request_body |
| Application Protection Log | Field name change | content_length | request_content_length |
| Application Protection Log | Field name change | ip | host_ip |
| Application Protection Log | Field name change | jdk | jdk_version |
| Application Protection Log | Field name change | method | request_method |
| Application Protection Log | Field name change | os | platform |
| Application Protection Log | Field name change | os_arch | arch |
| Application Protection Log | Field name change | os_version | kernel_version |
| Application Protection Log | Field name change | remote | src_ip |
| Application Protection Log | Field name change | result | final_action |
| Application Protection Log | Field name change | rule_result | rule_action |
| Application Protection Log | Field name change | severity | risk_level |
| Application Protection Log | New field | None | start_time |
Automatic upgrade time
Starting August 1, 2024, V2.0 log dictionaries are applied automatically to Logstores that are created when you purchase the Security Center log analysis feature.
For Logstores created before August 1, 2024, Security Center plans to switch automatically to V2.0 log dictionaries for logs delivered after October 30, 2024. Until then, you can continue to use V1.0 log dictionaries or manually upgrade to V2.0. The upgrade does not rewrite data that is already in storage, so historical data remains complete and available under the field names it was written with; queries that span the upgrade date must account for both sets of names.
If you encounter issues or require assistance during the upgrade, submit a ticket.
Upgrade impacts
If you did not purchase the log analysis feature of Security Center, you are not affected by the upgrade.
If you purchased the log analysis feature of Security Center before August 1, 2024, and you consume logs or have configured custom alerts in the following scenarios, pay attention to this change. After you have adapted the applications that consume log analysis data to the V2.0 field names, manually upgrade the log dictionaries to V2.0.
Note If you cannot complete the secondary development before October 30, 2024, go to the Security Center console to request a 3-month extension. The automatic upgrade is then postponed to January 30, 2025, and you must complete the secondary development before that date. You can still manually upgrade log dictionaries to V2.0 at any time before the automatic upgrade.
| Scenario | Solution |
| --- | --- |
| Query data by using Simple Log Service | After the upgrade, query data by using the field names of the V2.0 log dictionaries. |
| Deliver data stored in Simple Log Service to other databases for association analysis | (1) Modify the field mappings between the data stored in Simple Log Service (SLS) and the other databases. For more information, see Manage a data shipping job. We recommend that you add mappings for both the old and the new names of renamed fields, and for the newly added fields, so that logs that use V2.0 dictionaries can be delivered while data already delivered with V1.0 field names remains unaffected. (2) Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0. (3) Check that the log delivery jobs complete normally and that the data delivered to the database meets expectations. |
| Configure custom alert rules based on the log fields of Simple Log Service | (1) Modify the custom alert rules before October 30, 2024 so that they reference V2.0 field names and keep taking effect after V2.0 log dictionaries are applied. For more information, see Manage an alert monitoring rule. (2) Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0. |
| Deliver data stored in Simple Log Service to other databases to perform secondary development and generate statistical reports | (1) Complete the secondary development based on V2.0 log dictionaries before October 30, 2024. (2) Manually upgrade log dictionaries to V2.0. For more information, see Manually upgrade log dictionaries to V2.0. (3) Check that the logs are delivered and that the data delivered to the database meets expectations. |
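The three scenarios above all come down to applying the rename tables from this page in code: translating stored records between versions, rewriting the field identifiers in a saved query or alert rule, and building a shipping mapping that accepts both versions during the transition window. The following is an added example, not Alibaba Cloud code or any Security Center API. FIELD_RENAMES copies a subset of the rename tables on this page (Web Access Log, Logon Log, Process Snapshot Log); the function names, the V2_ONLY table and the sample records are this example's own assumptions and constructed data. It also handles the Process Snapshot Log case where V1.0 start_time becomes proc_start_time while V2.0 adds a different start_time.

```python
"""Field-name translation between Security Center V1.0 and V2.0 log dictionaries.

Added example, not Alibaba Cloud code. FIELD_RENAMES copies a subset of the
rename tables on this page; the function names, V2_ONLY and the sample
records are this example's own construction.
"""
import re

# V1.0 -> V2.0 renames, copied from the page's tables for three log types.
FIELD_RENAMES = {
    "web_access": {
        "content_length": "response_content_length", "method": "request_method",
        "referer": "http_referer", "ret_code": "status",
        "rqs_content_type": "content_type", "rsp_content_type": "response_content_type",
        "uri": "request_uri", "user_agent": "http_user_agent",
        "x_forward_for": "http_x_forward_for",
    },
    "logon": {
        "ip": "host_ip", "warn_ip": "src_ip", "warn_port": "dst_port",
        "warn_type": "login_type", "warn_user": "username", "warn_count": "login_count",
    },
    "process_snapshot": {
        "ip": "host_ip", "name": "proc_name", "path": "proc_path",
        "start_time": "proc_start_time",
    },
}
# Fields the page lists as "New field" in V2.0; they have no V1.0 counterpart.
V2_ONLY = {"web_access": set(), "logon": {"start_time"}, "process_snapshot": {"start_time"}}


def _mapping(log_type, to):
    renames = FIELD_RENAMES[log_type]
    if to == "v2":
        return renames
    if to == "v1":
        return {v2: v1 for v1, v2 in renames.items()}
    raise ValueError(f"unknown target dictionary version {to!r}")


def translate_record(record, log_type, to="v2"):
    """Copy of `record` with field names converted to the target version.
    Keys are renamed in one pass into a fresh dict, so the Process Snapshot Log
    chain (V1 start_time -> V2 proc_start_time, while V2 adds its own start_time)
    cannot overwrite a field. Going back to V1.0 drops the V2-only fields first."""
    mapping = _mapping(log_type, to)
    drop = V2_ONLY[log_type] if to == "v1" else set()
    out = {}
    for key, value in record.items():
        if key in drop:
            continue
        new_key = mapping.get(key, key)
        if new_key in out:
            raise ValueError(f"field collision on {new_key!r} in {log_type} record")
        out[new_key] = value
    return out


# Tokens of an SLS search/SQL statement: quoted strings are kept verbatim,
# bare identifiers are candidates for renaming.
_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[A-Za-z_][A-Za-z0-9_]*')


def rewrite_query(query, log_type, to="v2"):
    """Rename field identifiers in a saved query or alert-rule expression.
    Caveat: an unquoted value that equals a field name (e.g. a bare `ip`) would
    be renamed too; quote such values before running this over a rule."""
    mapping = _mapping(log_type, to)
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0)[0] in "\"'" else mapping.get(m.group(0), m.group(0)),
        query,
    )


def shipping_field_mapping(log_type):
    """Source field -> destination column for a data shipping job that must
    accept both versions while some Logstores are still on V1.0: the old and
    the new name of each renamed field land in the same (V2.0-named) column.
    Raises when a V2-only field reuses a name V1.0 used for something else,
    because one source name would then carry two meanings."""
    mapping = {}
    for v1, v2 in FIELD_RENAMES[log_type].items():
        mapping[v1] = v2
        mapping[v2] = v2
    for field in V2_ONLY[log_type]:
        if field in mapping and mapping[field] != field:
            raise ValueError(
                f"{field!r} means {mapping[field]!r} in V1.0 but is a new field in V2.0 "
                f"for {log_type}; ship the two versions with separate mappings")
        mapping[field] = field
    return mapping


# Constructed sample records and rule (not real Security Center output).
V1_LOGON = {"ip": "10.0.0.5", "warn_ip": "203.0.113.7", "warn_port": 22,
            "warn_type": "SSH", "warn_user": "root", "warn_count": 3}
V2_PROC_SNAPSHOT = {"host_ip": "10.0.0.5", "proc_name": "sshd", "proc_path": "/usr/sbin/sshd",
                    "proc_start_time": "2024-08-01 10:00:00", "start_time": "2024-08-02 00:00:00"}
V1_ALERT_RULE = "warn_type: SSH and warn_count > 10 | select warn_ip, count(*) as c group by warn_ip"

if __name__ == "__main__":
    print(translate_record(V1_LOGON, "logon"))
    print(translate_record(V2_PROC_SNAPSHOT, "process_snapshot", to="v1"))
    print(rewrite_query(V1_ALERT_RULE, "logon"))
    print(shipping_field_mapping("logon"))
```

Extend FIELD_RENAMES and V2_ONLY with the remaining rows of the tables above to cover every log type you consume. The shipping mapping deliberately refuses to produce a version-agnostic mapping for Process Snapshot Log, since start_time would otherwise be written to one column in V1.0 records and a different column in V2.0 records; that log type needs one mapping per dictionary version, or the upgrade must be done on a cut-over date rather than during a mixed period.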
Manually upgrade log dictionaries to V2.0
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
In the upper-right corner of the Log Analysis page, move the pointer over Dictionary Version: V1.0 and click Upgrade Now.
In the Upgrade Notes message, click Upgrade Now.