Log type | __topic__ | Description | Collection cycle |
--- | --- | --- | --- |
Logon logs | aegis-log-login | Logs of user logons to servers, including the logon time, logon user, logon method, and source IP address. Logon logs let you monitor user activity and identify and respond to abnormal logon behavior as early as possible. Note: Security Center does not collect logon logs from servers that run Windows Server 2008. | Logs are collected in real time. |
Network connection logs | aegis-log-network | Logs of network connections, including the 5-tuples of connections to servers, connection time, and connection status. Network connection logs can help you detect suspicious connections, identify potential network attacks, and optimize network performance. | Logs are collected in real time. |
Process startup logs | aegis-log-process | Logs of server process startups, including the startup time, startup command, and parameters. You can obtain the startup status and configurations of server processes, and identify issues such as abnormal processes, malware intrusion, and threats based on process startup logs. | Logs are collected in real time. When a process starts, the logs are immediately collected. |
Brute-force attack logs | aegis-log-crack | Logs of brute-force attacks, including repeated logon attempts and password-guessing attempts against systems, applications, or accounts. You can use these logs to see which systems or applications are being brute-forced and to identify unusual logon attempts, weak passwords, and leaked credentials. You can also use them to trace the attacking source and collect evidence for incident response and investigation. | Logs are collected in real time. |
Account snapshot logs | aegis-snapshot-host | Snapshots of the accounts in systems or applications, including basic account information such as the username, password policy, and logon history. By comparing account snapshot logs taken at different points in time, you can detect account changes and identify risks such as access from unauthorized accounts and abnormal account status at the earliest opportunity. | If you configure an automatic collection task for asset fingerprints, asset fingerprints are collected at the frequency that you specify. For more information about how to configure an automatic collection task for asset fingerprints, see Use the asset fingerprints feature. If you do not configure an automatic collection task, the fingerprints of each server are collected once a day at a random time. |
Network snapshot logs | aegis-snapshot-port | Snapshots of network connections, including the 5-tuples of connections, connection status, and the associated processes. You can use network snapshot logs to see which sockets are open on a server, identify abnormal connections and potential network attacks, and optimize network performance. | Same as account snapshot logs (collected with asset fingerprints). |
Process snapshot logs | aegis-snapshot-process | Snapshots of the processes on a server, including the process ID, process name, and process start time. You can use process snapshot logs to review the processes on a server and their resource usage, and to identify issues such as abnormal processes, excessive CPU utilization, and memory leaks. | Same as account snapshot logs (collected with asset fingerprints). |
DNS request logs | aegis-log-dns-query | Logs of DNS requests sent by servers, including the requested domain name, query type, and query source. You can obtain the information about DNS queries in the network, and identify issues such as abnormal queries, domain hijacking, and DNS poisoning based on DNS request logs. | Logs are collected in real time. |
Agent event logs | aegis-log-client | Logs of online and offline events of the Security Center agent. | Logs are collected in real time. |
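The table says account changes are found by comparing account snapshot logs taken at different points in time. The script below is an added example of that comparison, not code from Security Center or its documentation: it buckets Simple Log Service records by `__topic__`, diffs the two most recent `aegis-snapshot-host` snapshots to find accounts that were added, removed, or changed, and then pulls the `aegis-log-login` records for any newly created account so the analyst can see where it was first used. Only the `__topic__` values come from the table; the other field names (`snapshot_time`, `user`, `sudo`, `shell`, `login_time`, `login_ip`, and so on) and the sample records are constructed assumptions for this example, not Security Center's real schema.

```python
import json
from collections import defaultdict

# Constructed sample records shaped like Simple Log Service entries. Only the
# __topic__ values (aegis-snapshot-host, aegis-log-login) come from the log-type
# table; every other field name is an assumption made for this example.
SAMPLE_LOGS = [
    # account snapshot, day 1
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-01T03:10:00Z",
     "user": "root", "sudo": "yes", "shell": "/bin/bash"},
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-01T03:10:00Z",
     "user": "alice", "sudo": "no", "shell": "/bin/bash"},
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-01T03:10:00Z",
     "user": "olduser", "sudo": "no", "shell": "/bin/bash"},
    # account snapshot, day 2: olduser removed, svc_backup added, alice gained sudo
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-02T11:42:00Z",
     "user": "root", "sudo": "yes", "shell": "/bin/bash"},
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-02T11:42:00Z",
     "user": "alice", "sudo": "yes", "shell": "/bin/bash"},
    {"__topic__": "aegis-snapshot-host", "snapshot_time": "2024-05-02T11:42:00Z",
     "user": "svc_backup", "sudo": "yes", "shell": "/bin/bash"},
    # logon logs collected between the two snapshots
    {"__topic__": "aegis-log-login", "login_time": "2024-05-01T09:00:00Z",
     "user": "alice", "login_type": "ssh", "login_ip": "10.0.0.5"},
    {"__topic__": "aegis-log-login", "login_time": "2024-05-02T02:13:00Z",
     "user": "svc_backup", "login_type": "ssh", "login_ip": "198.51.100.23"},
]


def group_by_topic(records):
    """Bucket SLS records by __topic__ so each log type is handled separately."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[rec["__topic__"]].append(rec)
    return buckets


def snapshots_by_time(account_records):
    """Return {snapshot_time: {user: record}} for aegis-snapshot-host records."""
    snaps = defaultdict(dict)
    for rec in account_records:
        snaps[rec["snapshot_time"]][rec["user"]] = rec
    return snaps


def diff_account_snapshots(old, new, watched=("sudo", "shell")):
    """Compare two {user: record} snapshots.

    Returns (added, removed, changed); changed maps user -> {field: (old, new)}
    for the watched attributes, so a privilege change is reported even when
    the account itself already existed.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for user in set(old) & set(new):
        delta = {f: (old[user].get(f), new[user].get(f))
                 for f in watched if old[user].get(f) != new[user].get(f)}
        if delta:
            changed[user] = delta
    return added, removed, changed


def first_logons(login_records, users):
    """Logon records for the given users, oldest first, so a newly created
    account can be tied to the session that first used it."""
    hits = [r for r in login_records if r["user"] in users]
    return sorted(hits, key=lambda r: r["login_time"])


def review(records):
    """Diff the two most recent account snapshots and attach logons by new accounts."""
    by_topic = group_by_topic(records)
    snaps = snapshots_by_time(by_topic["aegis-snapshot-host"])
    times = sorted(snaps)
    if len(times) < 2:
        # A single snapshot gives nothing to compare against.
        return {"error": "need at least two account snapshots"}
    added, removed, changed = diff_account_snapshots(snaps[times[-2]], snaps[times[-1]])
    return {
        "window": (times[-2], times[-1]),
        "added": added,
        "removed": removed,
        "changed": changed,
        "logons_by_new_accounts": first_logons(by_topic["aegis-log-login"], set(added)),
    }


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOGS), indent=2))
```

On the constructed sample this reports `svc_backup` as added, `olduser` as removed, `alice` as changed (sudo `no` to `yes`), and attaches the one logon by `svc_backup` from 198.51.100.23. Against real exported logs, replace `SAMPLE_LOGS` with records read from the Logstore and adjust the assumed field names to the ones actually present in the `aegis-snapshot-host` and `aegis-log-login` records.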