Available in VPC
List of Security Monitoring logs collected in Cloud Log Analytics
Note
- Log collection start time
  - Log collection in Cloud Log Analytics begins when you enable the Save security logs feature in the Security Monitoring dashboard.
  - Note that you cannot view logs created before enabling the feature.
- Security logs available in CLA
  - You can currently view IDS, IPS, WAF, and Anti-Virus security logs provided by Security Monitoring.
  - Other security logs will be supported in the future.
- Unsaved logs
  - If you disable the Save security logs feature, IDS, IPS, WAF, and Anti-Virus security logs provided by Security Monitoring will not be available.
- Log retention period
  - Once saved, logs are retained for up to 30 days, and data older than 30 days is automatically deleted in order from the oldest.
IDS
| Name of CLA column | Type | Meaning |
|---|---|---|
| rule_name | String | Detection event name |
| severity | String | Severity of risk |
| @timestamp | String | Detection time |
| protocol | String | Protocol |
| source_ip | String | Source IP |
| source_port | Integer | Source Port |
| source_ip_country | String | Source country information |
| destination_ip | String | Destination IP |
| destination_port | Integer | Destination Port |
| destination_ip_country | String | Destination country information |
| direction | String | Network traffic direction |
| detect_type | String | Type of attack |
| region_name | String | Region name |
| product | String | Product code |
| platform | String | Platform |
| zone | String | Zone name |
| vpc | String | VPC name |
| subnet | String | Subnet name |
| lb_name | String | Load Balancer name |
| lb_instance_no | Integer | Load Balancer number |
| lb_domain_name | String | Access information of Load Balancer |
| server_name | String | Server name |
| server_instance_no | Integer | Server number |
WAF
| Name of CLA column | Type | Meaning |
|---|---|---|
| @timestamp | String | Detection time |
| action | String | Action status: Detect, Block, or Cloaking |
| destination_ip | String | Destination IP |
| destination_port | Integer | Destination port |
| detect_basis | String | Grounds for detection |
| detect_type | String | Detection type |
| domain | String | Service domain |
| lb_name | String | Load Balancer name |
| lb_instance_no | Integer | Load Balancer number |
| lb_domain_name | String | Access information of Load Balancer |
| platform | String | Platform |
| product | String | Product code |
| protocol | String | Protocol |
| region_name | String | Region name |
| rule_name | String | Detection event |
| severity | String | Severity of risk |
| server_name | String | Server name |
| server_instance_no | Integer | Server number |
| source_ip | String | Source IP |
| source_ip_country | String | Source country information |
| source_port | Integer | Source port |
| subnet | String | Subnet name |
| url | String | Path |
| vpc | String | VPC name |
| xff_ip | String | Source IP (X-Forwarded-For IP) |
| xff_ip_country | String | Source country information (X-Forwarded-For) |
| zone | String | Zone name |
IPS
| Name of CLA column | Type | Meaning |
|---|---|---|
| @timestamp | String | Detection time |
| action | String | Action status: Reset: Block; IDS: Reset: Detect |
| agent_version | String | Agent version |
| count | Integer | Number of detections |
| destination_ip | String | Destination IP |
| destination_port | Integer | Destination port |
| host | String | Detection server IP |
| platform | String | Platform |
| product | String | Product code |
| protocol | String | Protocol |
| region_name | String | Region name |
| rule_id | Long | Detection event ID |
| rule_name | String | Detection event |
| server_name | String | Server name |
| server_instance_no | Integer | Server number |
| severity | String | Severity of risk |
| source_ip | String | Source IP |
| source_port | Integer | Source port |
| subnet | String | Subnet name |
| vpc | String | VPC name |
| xff_ip | String | Source IP (X-Forwarded-For IP) |
| zone | String | Zone name |
Anti-DDoS
| Name of CLA column | Type | Meaning |
|---|---|---|
| @timestamp | String | Detection time |
| action | String | Action status: Auto defense start (automatic defense against DDoS attacks has started), Auto defense end (automatic defense against DDoS attacks has finished), or Detect |
| attack_rate | Integer | Attack traffic |
| destination_ip | String | Destination IP |
| destination_port | Integer | Destination Port |
| lb_name | String | Load Balancer name |
| lb_instance_no | Integer | Load Balancer number |
| lb_domain_name | String | Access information of Load Balancer |
| platform | String | Platform |
| product | String | Product code |
| protocol | String | Protocol |
| region_name | String | Region name |
| rule_name | String | Detection event name |
| server_name | String | Server name |
| server_instance_no | Integer | Server number |
| slice_seconds | Integer | Detection standard time |
| source_ip | String | Source IP |
| source_port | String | Source Port |
| subnet | String | Subnet name |
| threshold_packets | Integer | Detection standard packet |
| threshold_bytes | Integer | Detection standard bytes |
| vpc | String | VPC name |
| zone | String | Zone name |
Note
- Currently, Anti-DDoS logs available through Cloud Log Analytics include attack detection logs and auto defense start/end logs. Attack blocking logs will be provided later.
Anti-Virus
| Name of CLA column | Type | Meaning |
|---|---|---|
| @timestamp | String | Detection time |
| action | String | Action status |
| agent_version | String | Agent version |
| file_path | String | Detection path |
| host | String | Detection server IP |
| platform | String | Platform |
| product | String | Product code |
| region_name | String | Region name |
| rule_id | Long | Detection event ID |
| rule_name | String | Detection event |
| scan_type | String | Scan type |
| server_name | String | Server name |
| server_instance_no | Integer | Server number |
| vpc | String | VPC name |
| subnet | String | Subnet name |
| zone | String | Zone name |
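As an added example (not code from this page or from the provider), the following Python checker applies the Integer/Long versus String column types from all five tables above to exported rows and shows how xff_ip and source_ip relate for WAF/IPS rows behind a Load Balancer. The sample rows, the "KR"/"VPC"/"KR-1" values, and the assumption that source_ip holds the Load Balancer address when xff_ip is populated are constructed for illustration.

```python
"""Check Security Monitoring rows from Cloud Log Analytics (CLA) against the column types
documented above and resolve the client IP of WAF/IPS rows. Added example, not code from
the page or the provider; all sample rows are constructed."""
from collections import Counter

# Columns documented as Integer or Long, per product; every other documented column is a String.
NON_STRING = {
    "IDS": {"source_port", "destination_port", "lb_instance_no", "server_instance_no"},
    "WAF": {"source_port", "destination_port", "lb_instance_no", "server_instance_no"},
    "IPS": {"source_port", "destination_port", "count", "rule_id", "server_instance_no"},
    # Anti-DDoS documents source_port as a String, so it is deliberately not listed here.
    "Anti-DDoS": {"destination_port", "attack_rate", "lb_instance_no", "server_instance_no",
                  "slice_seconds", "threshold_packets", "threshold_bytes"},
    "Anti-Virus": {"rule_id", "server_instance_no"},
}
# Columns present in all five tables; a row missing one cannot be correlated across products.
REQUIRED = {"@timestamp", "rule_name", "product", "region_name", "platform", "zone", "vpc", "subnet"}

def validate_record(product: str, record: dict) -> list[str]:
    """Return schema problems for one row (empty list when it matches the documented types)."""
    problems = [f"missing {col}" for col in sorted(REQUIRED - record.keys())]
    numeric = NON_STRING[product]
    for col, value in record.items():
        # bool is a subclass of int in Python, so it must be rejected explicitly.
        if col in numeric and (isinstance(value, bool) or not isinstance(value, int)):
            problems.append(f"{col} should be Integer, got {type(value).__name__}")
        elif col not in numeric and not isinstance(value, str):
            problems.append(f"{col} should be String, got {type(value).__name__}")
    return problems

def client_ip(record: dict) -> str:
    """Assumption: behind a Load Balancer, xff_ip (X-Forwarded-For) holds the client, source_ip the LB."""
    return record.get("xff_ip") or record["source_ip"]

def actions_by_client(records: list) -> Counter:
    """Count (client IP, action) pairs to see which sources are only detected, never blocked."""
    return Counter((client_ip(r), r["action"]) for r in records)

# Constructed sample rows (illustrative values, not real log data).
_COMMON = {"@timestamp": "2024-01-01T00:00:00Z", "product": "WAF", "region_name": "KR",
           "platform": "VPC", "zone": "KR-1", "vpc": "vpc-a", "subnet": "sn-a"}
WAF_ROWS = [
    {**_COMMON, "rule_name": "SQL Injection", "severity": "High", "action": "Block", "url": "/login",
     "source_ip": "10.0.0.5", "source_port": 51000, "xff_ip": "203.0.113.9", "destination_port": 443},
    {**_COMMON, "rule_name": "Path Traversal", "severity": "Medium", "action": "Detect", "url": "/files",
     "source_ip": "10.0.0.5", "source_port": 51001, "xff_ip": "", "destination_port": 443},
]
# An IDS row with source_port exported as text and zone missing: both should be reported.
BAD_IDS_ROW = {**{k: v for k, v in _COMMON.items() if k != "zone"}, "product": "IDS",
               "rule_name": "Port Scan", "source_ip": "198.51.100.4", "source_port": "443"}
```

Rows whose Integer columns arrive as text are a common sign of a lossy CSV export, and the empty xff_ip on the second row shows why a dashboard keyed only on xff_ip would silently drop direct-to-server traffic.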