Cloud Workload Protection Platform
Log Field Data Parsing
Last updated: 2024-08-16 17:34:08

Global Specification

Log contents are in JSON format.
Log character encoding is UTF-8.
Logs contain common fields and type-specific fields. Refer to the field descriptions below for details.
Currently, logs are divided into three types: event logs, asset logs, and client logs.

Log Type

The log type is determined by the common field cls_event_type. The values currently defined are listed below; the second column names the field table on this page that applies to each value.

Event Logs

| cls_event_type | Log Type |
|---|---|
| malware | Malicious File Scan |
| risk_process | Abnormal Process |
| hostlogin | Abnormal Log-in |
| bruteattack | Password Cracking |
| risk_dns | Malicious Request |
| bash | High-risk Command |
| privilege_escalation | Local Privilege Escalation |
| reverse_shell | Reverse Shell |
| emergency_vul | Vulnerability (emergency) |
| linux_app_vul | Vulnerability (Linux software) |
| windows_sys_vul | Vulnerability (Windows system) |
| Web-CMS_vul | Vulnerability (Web-CMS) |
| application_vul | Vulnerability (application) |
| baseline | Baseline |
| attack_logs | Network Attack |
| java_shell | Java Webshell |
| file_tamper | Kernel File Monitoring |
| tamper_protect_logs | Web Tamper Protection Event |
| tamper_protect_exceptions | Web Tamper Protection Anomaly |
| client_uninstall | Client Uninstallation |
| client_offline | Offline Client |

Asset Logs

| cls_event_type | Log Type |
|---|---|
| machines | Host List |
| asset_system | Resource Monitoring |
| asset_account | Account |
| asset_netstat | Port |
| asset_process | Process |
| asset_app | Software Application |
| asset_database | Database |
| asset_web_app | Web Application |
| asset_web_service | Web Service |
| asset_web_frame | Web Framework |
| asset_web_location | Web Site |
| asset_jar | jar File |
| asset_init_service | Startup Service |
| asset_scheduled_task | Scheduled Task |
| asset_env | Environment Variable |
| asset_core_module | Kernel Module |
| asset_package | System Installation Package |

Client Report Logs

| cls_event_type | Log Type |
|---|---|
| client_log | Original Log |
| dns_log | DNS Logs |
| process_snapshot | Process Snapshot |
| net_log | Network Quintuple Log |
| file_log | File Monitoring Log |
| login_log | Log-in Activity Log |
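The three tables above are what a log consumer dispatches on, and the field tables that follow show that the same concept is typed differently across categories (count is a string in event logs and an int in client logs; create_time is a string in event logs and a unix timestamp in asset logs; event_status is "Create" in event logs and "create" in asset logs). The following parser is an added example, not code from Tencent Cloud or this page: it decodes UTF-8 JSON lines, routes each record by cls_event_type into event/asset/client, rejects unknown types instead of silently dropping them, and normalises the mixed types into `_`-prefixed fields. The "YYYY-MM-DD HH:MM:SS" layout of the string times and their timezone are assumptions (the page does not state them), and the sample lines are constructed, not real CWPP output.

```python
import json
from datetime import datetime, timezone

# Log type -> category, taken from the three cls_event_type tables on this page.
EVENT_TYPES = {
    "malware", "risk_process", "hostlogin", "bruteattack", "risk_dns", "bash",
    "privilege_escalation", "reverse_shell", "emergency_vul", "linux_app_vul",
    "windows_sys_vul", "Web-CMS_vul", "application_vul", "baseline", "attack_logs",
    "java_shell", "file_tamper", "tamper_protect_logs", "tamper_protect_exceptions",
    "client_uninstall", "client_offline",
}
ASSET_TYPES = {
    "machines", "asset_system", "asset_account", "asset_netstat", "asset_process",
    "asset_app", "asset_database", "asset_web_app", "asset_web_service",
    "asset_web_frame", "asset_web_location", "asset_jar", "asset_init_service",
    "asset_scheduled_task", "asset_env", "asset_core_module", "asset_package",
}
CLIENT_TYPES = {"client_log", "dns_log", "process_snapshot", "net_log", "file_log", "login_log"}

TIME_FIELDS = ("create_time", "modify_time", "update_time", "time", "insert_time", "recv_time")
INT_FIELDS = ("count", "pid", "ppid", "dst_port", "src_port", "appid")


class LogFormatError(ValueError):
    """Raised for a line that does not follow the specification on this page."""


def classify(cls_event_type):
    """Map cls_event_type to 'event', 'asset' or 'client'. Unknown values raise,
    so a newly introduced log type lands in the error queue rather than vanishing."""
    if cls_event_type in EVENT_TYPES:
        return "event"
    if cls_event_type in ASSET_TYPES:
        return "asset"
    if cls_event_type in CLIENT_TYPES:
        return "client"
    raise LogFormatError(f"unknown cls_event_type: {cls_event_type!r}")


def as_int(value):
    """count, pid, ports and appid are int in some tables and string in others."""
    if value is None or value == "":
        return None
    return int(value)


def to_utc(value, tz=timezone.utc):
    """Event logs carry 'YYYY-MM-DD HH:MM:SS' strings; asset and client logs carry unix
    timestamps. The string layout and its timezone (tz) are assumptions, not stated on
    the page: pass the timezone your console reports in."""
    if isinstance(value, int) and not isinstance(value, bool):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        if value.isdigit():
            return datetime.fromtimestamp(int(value), tz=timezone.utc)
        try:
            naive = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            raise LogFormatError(f"unrecognised time: {value!r}") from None
        return naive.replace(tzinfo=tz).astimezone(timezone.utc)
    raise LogFormatError(f"unrecognised time: {value!r}")


def parse_line(raw, tz=timezone.utc):
    """Decode one UTF-8 JSON log line and add normalised '_'-prefixed fields."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")  # the page specifies UTF-8
    try:
        rec = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise LogFormatError(f"not JSON: {exc}") from None
    if not isinstance(rec, dict) or "cls_event_type" not in rec:
        raise LogFormatError("missing cls_event_type")
    rec["_category"] = classify(rec["cls_event_type"])
    status = rec.get("event_status")  # 'Create' in event logs, 'create' in asset logs
    rec["_event_status"] = status.lower() if isinstance(status, str) else None
    for key in TIME_FIELDS:
        if key in rec:
            rec["_" + key] = to_utc(rec[key], tz)
    for key in INT_FIELDS:
        if key in rec:
            rec["_" + key] = as_int(rec[key])
    return rec


def parse_all(lines, tz=timezone.utc):
    """Parse a batch; malformed lines go to an error list instead of aborting the batch."""
    parsed, errors = [], []
    for lineno, line in enumerate(lines, 1):
        try:
            parsed.append(parse_line(line, tz))
        except LogFormatError as exc:
            errors.append((lineno, str(exc)))
    return parsed, errors


# Constructed sample lines (not real CWPP output): one per category plus two bad lines.
SAMPLE_LINES = [
    '{"id":"1","appid":"1250000000","create_time":"2024-08-16 17:34:08","modify_time":"2024-08-16 17:34:08",'
    '"cls_event_type":"bruteattack","event_status":"Create","uuid":"u-1","hostip":"10.0.0.5","username":"root",'
    '"count":"120","event_type":"Brute Force Success","src_ip":"203.0.113.9","dst_port":"22","banned":"Not Blocked"}',
    '{"id":"2","appid":"1250000000","cls_event_type":"asset_netstat","event_status":"modify","host_name":"web-1",'
    '"host_ip":"10.0.0.5","create_time":1723800848,"update_time":1723800848,"name":"sshd","pid":"812","port":"22","proto":"tcp"}',
    '{"appid":1250000000,"cls_event_type":"net_log","event_name":"net","uuid":"u-1","pid":4242,"proc_path":"/usr/bin/curl",'
    '"src_ip":"10.0.0.5","src_port":51234,"dst_ip":"203.0.113.9","dst_port":4444,"count":3,"time":1723800850}',
    '{"id":"9","cls_event_type":"not_a_real_type"}',
    'this is not json',
]
```

Downstream code should read the `_`-prefixed copies and keep the originals untouched, so a record can always be re-emitted exactly as received.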

Event Log Fields Description

Common Fields Description

| Field | Type | Description |
|---|---|---|
| id | string | Database Record ID |
| appid | string | User appid |
| create_time | string | Event Creation Time |
| modify_time | string | Event Modification Time |
| cls_event_type | string | Event Type |
| event_status | string | Event Status (Create, Modify, and Delete) |

Malicious File Scan Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| file_path | string | File Path |
| md5 | string | File md5 |
| filesize | string | File Size |
| file_create_time | string | File Creation Time |
| file_modify_time | string | File Modification Time |
| file_access_time | string | File Access Time |
| status | string | Status (Pending, Trusted, Isolated, Allowlisted File, File Deleted, In Quarantine, In Restoration, and Event Record Deleted) |
| virus_name | string | Virus Name |
| bwtype | string | Sample Attributes (10: Allowlisted; 20~29: Blocklisted) |
| path_md5 | string | File Path md5 |

Abnormal Process Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| pid | int | Process ID |
| exe_path | string | Process Path |
| exe_md5 | string | Process md5 |
| exe_desc | string | Process Details |
| exe_argv | string | Process Parameters |
| exe_create_time | string | Process Creation Time |
| exe_modify_time | string | Process Modification Time |
| exe_access_time | string | Process Access Time |
| status | string | Status (Pending, Trusted, Cleaned Up, and Exited) |
| start_time | string | Process Start Time |
| virus_name | string | Virus Name |
| latest_scan_time | string | Latest Scan Time |
| pstree | string | Process Tree Details (json Format) |
| risk_level | string | Risk Level (Advisory, Low, Medium, High, and Critical) |
| pay_version | string | Machine Version (Basic Edition, Professional Edition, Ultimate Edition, and Universal Edition) |
| rss | int | Process Memory |
| permission | string | Process Permissions |

Abnormal Log-in Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| username | string | Log-in Username |
| count | string | Log-in Attempts (Aggregated Once per Minute) |
| src_ip | string | Log-in Source IP |
| dst_port | string | Log-in Port |
| src_machine_name | string | Log-in Source Machine Name |
| login_time | string | Log-in Time |
| status | string | Status (Normal Log-in, Abnormal Log-in, Allowlisted, Deleted, Confirmed Intrusion Log-in, Processed, and Ignored) |
| location | string | Location |

Password Cracking Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| username | string | Username |
| count | string | Attempt Count |
| event_type | string | Event Type (Brute Force Failure, Brute Force Success, and Brute Force on Non-existent Account) |
| src_ip | string | Source IP |
| dst_port | string | Destination Port (the port being attacked on the host) |
| src_machine_name | string | Source Machine Name |
| status | string | Status (Pending, Ignored, False Positive, Deleted, Hit Allowlist, Processed, and Allowlisted) |
| location | string | Location |
| banned | string | Blocking Status (Not Blocked, Blocked, Not Blocked (Blocking Not Enabled), Not Blocked (Non-Professional Edition), Not Blocked (Allowlisted), Not Blocked (No Public IP Bound), Blocking Failed (Interface Anomaly), Blocking Failed (Private Network Not Supported), and Blocking Failed (Available Zone Not Supported)) |
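The two tables above (Abnormal Log-in and Password Cracking) are the ones an analyst joins first: a bruteattack event whose event_type is "Brute Force Success", or an "Abnormal Log-in" from the same source that was brute forcing the host, is a credential compromise, and the banned field tells you whether the platform already blocked the source. Only the exact value "Blocked" means it did; every "Not Blocked (...)" and "Blocking Failed (...)" value means it did not. The triage below is an added example, not code from Tencent Cloud or this page. It groups events by (uuid, src_ip), sums count (a string in these tables), ranks the findings and marks which sources still need a manual block. The fail_threshold of 50 is an assumption to tune; the sample events are constructed.

```python
from collections import defaultdict

BRUTE_SUCCESS = "Brute Force Success"
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def is_blocked(event):
    """Only the exact value 'Blocked' means the source was blocked; 'Not Blocked (...)'
    and 'Blocking Failed (...)' both mean the attacker can still reach the host."""
    return event.get("banned") == "Blocked"


def triage_logins(events, fail_threshold=50):
    """Correlate bruteattack and hostlogin events per (uuid, src_ip) and rank them."""
    groups = defaultdict(list)
    for e in events:
        if e.get("cls_event_type") in ("bruteattack", "hostlogin"):
            groups[(e["uuid"], e["src_ip"])].append(e)

    findings = []
    for (uuid, src_ip), evs in groups.items():
        brute = [e for e in evs if e["cls_event_type"] == "bruteattack"]
        logins = [e for e in evs if e["cls_event_type"] == "hostlogin"]
        attempts = sum(int(e.get("count") or 0) for e in brute)  # count arrives as a string
        success = any(e.get("event_type") == BRUTE_SUCCESS for e in brute)
        abnormal = any(e.get("status") == "Abnormal Log-in" for e in logins)

        if success:
            severity, reason = "critical", "platform reported a successful brute force"
        elif brute and abnormal:
            severity, reason = "high", "abnormal log-in from a source that was brute forcing this host"
        elif attempts >= fail_threshold:
            severity, reason = "medium", f"{attempts} attempts without a reported success"
        else:
            continue  # low-volume failures or normal log-ins: nothing to raise

        findings.append({
            "uuid": uuid,
            "hostip": evs[0].get("hostip"),
            "src_ip": src_ip,
            "severity": severity,
            "reason": reason,
            "attempts": attempts,
            "usernames": sorted({e.get("username") for e in evs if e.get("username")}),
            "ports": sorted({int(e["dst_port"]) for e in evs if e.get("dst_port")}),
            # a block is still needed when no bruteattack event for this source says 'Blocked'
            "needs_block": bool(brute) and not any(is_blocked(e) for e in brute),
        })

    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["attempts"]))
    return findings


# Constructed sample events (not real CWPP output); only the fields the triage reads.
SAMPLE_EVENTS = [
    {"cls_event_type": "bruteattack", "uuid": "u-1", "hostip": "10.0.0.5", "username": "root",
     "count": "120", "event_type": "Brute Force Failure", "src_ip": "203.0.113.9", "dst_port": "22",
     "status": "Pending", "banned": "Not Blocked (Blocking Not Enabled)"},
    {"cls_event_type": "bruteattack", "uuid": "u-1", "hostip": "10.0.0.5", "username": "root",
     "count": "1", "event_type": "Brute Force Success", "src_ip": "203.0.113.9", "dst_port": "22",
     "status": "Pending", "banned": "Not Blocked (Blocking Not Enabled)"},
    {"cls_event_type": "hostlogin", "uuid": "u-1", "hostip": "10.0.0.5", "username": "root",
     "count": "1", "src_ip": "203.0.113.9", "dst_port": "22", "login_time": "2024-08-16 17:35:02",
     "status": "Abnormal Log-in"},
    {"cls_event_type": "bruteattack", "uuid": "u-2", "hostip": "10.0.0.6", "username": "admin",
     "count": "30", "event_type": "Brute Force Failure", "src_ip": "198.51.100.7", "dst_port": "3389",
     "status": "Pending", "banned": "Blocked"},
    {"cls_event_type": "bruteattack", "uuid": "u-3", "hostip": "10.0.0.7", "username": "ubuntu",
     "count": "75", "event_type": "Brute Force on Non-existent Account", "src_ip": "198.51.100.8",
     "dst_port": "22", "status": "Pending", "banned": "Blocking Failed (Interface Anomaly)"},
    {"cls_event_type": "hostlogin", "uuid": "u-4", "hostip": "10.0.0.8", "username": "deploy",
     "count": "1", "src_ip": "192.0.2.10", "dst_port": "22", "login_time": "2024-08-16 17:36:00",
     "status": "Normal Log-in"},
]
```

An "Abnormal Log-in" with no matching bruteattack event is deliberately not raised here; it is a different signal (new location or new terminal for a known account) and deserves its own rule rather than a brute-force label.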

Malicious Request Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| url | string | Domain Name |
| pid | string | Process ID |
| process_name | string | Process Name |
| cmd_line | string | Command Line |
| status | string | Status (Pending, Deleted, Allowlisted, Trust Revoked by User, Processed, and Ignored) |
| access_count | string | Request Count |
| query_time | string | First Request Time |
| merge_time | string | Most Recent Request Time |

High-risk Command Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| user | string | Executing User |
| platform | string | Platform |
| exec_time | string | Command Execution Time |
| bash_cmd | string | Executed Command |
| status | string | Status (Pending, Hazardous Command, Normal Command, Ignored, and Deleted) |
| rule_name | string | Hit Rule Name |
| rule_level | string | Command Hazard Level (High, Medium, and Low) |

Local Privilege Escalation Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| process_name | string | Process Name |
| full_path | string | File Path |
| pid | string | Process ID |
| cmd_line | string | Command Line |
| user_name | string | Executing User |
| user_group | string | Group to Which the Executing User Belongs |
| proc_file_privilege | string | Process File Permission Information |
| ppid | string | Parent Process ID |
| parent_proc_name | string | Parent Process Name |
| parent_proc_user | string | User Executing the Parent Process |
| parent_proc_group | string | Group to Which the Parent Process's Executing User Belongs |
| parent_proc_path | string | Parent Process Path |
| find_time | string | Execution Time |
| proc_tree | string | Process Tree |
| sid | string | User Session ID (Currently Defaults to 0) |
| uid | string | User ID |
| gid | string | User Group ID |
| euid | string | Effective User ID |
| egid | string | Effective User Group ID |
| status | string | Status (Pending, Privilege Escalation Event, Allowlisted, Processed, Ignored, and Deleted) |

Reverse Shell Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| dst_ip | string | Destination IP |
| dst_port | string | Destination Port |
| process_name | string | Executed Process |
| full_path | string | Process Path |
| pid | string | Process ID |
| cmd_line | string | Executed Command |
| user_name | string | Executing User |
| user_group | string | Group to Which the Executing User Belongs |
| ppid | string | Parent Process ID |
| parent_proc_name | string | Parent Process Name |
| parent_proc_user | string | User Executing the Parent Process |
| parent_proc_group | string | Group to Which the Parent Process's Executing User Belongs |
| parent_proc_path | string | Parent Process Path |
| find_time | string | Execution Time |
| proc_tree | string | Process Tree |
| status | string | Status (Pending, Reverse Shell Event, Allowlisted, Processed, Ignored, and Deleted) |

Vulnerability Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| status | string | Vulnerability Status (Pending, Ignored, Fixed, Under Detection, Fix In Progress, Rolling Back, Fix Failed, Expired, and Offline) |
| vul_category | string | Vulnerability Classification (Web Application Vulnerability, System Component Vulnerability, Linux System Vulnerability, and Windows System Vulnerability) |
| descript | string | Vulnerability Event Details |
| path | string | File Path of the Vulnerable Component |
| remark | string | Vulnerability Remarks |
| name | string | Vulnerability Name |
| fix | string | Remediation Description |
| cve_id | string | CVE Number |
| reference | string | Reference Description |
| level | string | Vulnerability Severity Level (Low, Medium, High, and Advisory) |
| is_emergency | string | Urgent or Not |

Baseline Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Baseline Name |
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| status | string | Status (Failed, Ignored, Passed, Deleted, and Under Detection) |
| level | string | Severity Level (Low, Medium, High, and Critical) |
| descript | string | Description |
| remark | string | Remarks |
| rule_id | string | Baseline Category ID |
| category_name | string | Baseline Category Name |
| item_id | string | Baseline Rule ID |
| fix | string | Suggested Fix |

Network Attack Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| dst_port | int | Destination Port |
| src_ip | string | Source IP |
| type | string | Type (Attack Attempt/Successful Attack) |
| status | string | Event Status (Pending, Processed, Allowlisted, Ignored, Deleted, and Defense Enabled) |
| count | int | Event Merge Count |
| svc_ps | string | Service Process Details (json Format) |
| net_payload | string | Attack Packet (Plaintext Format) |
| merge_time | string | Event Merge Time (Latest Detection Time) |
| host_op_type | string | Abnormal Behavior Type (No Compromised Behavior/rce (Command Execution)/dnslog/writefile) |
| host_op_pstree | string | Abnormal Behavior Process Tree (json Format) |
| host_op | string | Abnormal Behavior Content |
| hostip | string | Host IP |
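Two things in the Network Attack table trip up naive consumers: svc_ps and host_op_pstree are JSON documents serialised as strings inside the JSON record (they must be decoded a second time, and must never be trusted to decode cleanly, since net_payload and the process tree are derived from attacker-supplied traffic), and the signal that matters for triage is not type alone but host_op_type, which tells you whether the attempt produced command execution, a DNS callback or a file write on the host. The code below is an added example, not code from Tencent Cloud or this page. It decodes the nested JSON defensively, produces a printable one-line summary of net_payload without ever interpreting it, and orders events so confirmed compromises come first. The inner layout of svc_ps (an "exe" key) and host_op_pstree (a root-first list of nodes with an "exe" key) is an assumption; the page only says these fields are JSON. The sample records are constructed.

```python
import json

BENIGN_HOST_OP = "No Compromised Behavior"


def load_json_field(value):
    """svc_ps and host_op_pstree are JSON encoded as strings inside the record.
    Return the decoded object, or None if the field is absent or undecodable;
    never raise, because this data is derived from attacker-controlled traffic."""
    if value in (None, ""):
        return None
    if isinstance(value, (dict, list)):
        return value
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return None


def payload_summary(net_payload, limit=120):
    """First line of the plaintext attack packet (the request line for HTTP), with
    non-printable bytes replaced and the result truncated. Summarised only, never parsed
    as a request or fed to a shell."""
    if not net_payload:
        return ""
    first = net_payload.splitlines()[0]
    printable = "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in first)
    return printable[:limit]


def process_chain(pstree):
    """Render host_op_pstree as 'root > ... > leaf'. Assumes a root-first list of
    nodes each carrying an 'exe' key (assumption; the page only says 'json Format')."""
    if not isinstance(pstree, list):
        return None
    names = [n.get("exe") for n in pstree if isinstance(n, dict) and n.get("exe")]
    return " > ".join(names) if names else None


def assess_attack(rec):
    """Flatten one attack_logs record into a triage row."""
    if rec.get("cls_event_type") != "attack_logs":
        raise ValueError("not an attack_logs record")
    host_op_type = rec.get("host_op_type") or BENIGN_HOST_OP
    # Either the platform marked the attack successful, or it observed post-exploitation
    # behaviour (rce / dnslog / writefile) on the host; both mean compromise.
    compromised = rec.get("type") == "Successful Attack" or host_op_type != BENIGN_HOST_OP
    svc = load_json_field(rec.get("svc_ps"))
    return {
        "uuid": rec.get("uuid"),
        "hostip": rec.get("hostip"),
        "src_ip": rec.get("src_ip"),
        "dst_port": int(rec.get("dst_port") or 0),
        "compromised": compromised,
        "host_op_type": host_op_type,
        "host_op": rec.get("host_op"),
        "count": int(rec.get("count") or 0),
        "last_seen": rec.get("merge_time"),
        "service": svc.get("exe") if isinstance(svc, dict) else None,  # 'exe' key assumed
        "chain": process_chain(load_json_field(rec.get("host_op_pstree"))),
        "payload": payload_summary(rec.get("net_payload")),
    }


def triage_attacks(records):
    """Assess every attack_logs record; compromises first, then by merge count."""
    rows = [assess_attack(r) for r in records if r.get("cls_event_type") == "attack_logs"]
    rows.sort(key=lambda a: (not a["compromised"], -a["count"]))
    return rows


# Constructed sample records (not real CWPP output): a blocked attempt and a confirmed RCE.
SAMPLE_ATTACKS = [
    {"cls_event_type": "attack_logs", "uuid": "u-1", "hostip": "10.0.0.5", "src_ip": "203.0.113.9",
     "dst_port": 8080, "type": "Attack Attempt", "status": "Defense Enabled", "count": 40,
     "svc_ps": '{"exe": "/usr/bin/java", "pid": 2200}',
     "net_payload": "GET /actuator HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n",
     "merge_time": "2024-08-16 17:34:08", "host_op_type": "No Compromised Behavior",
     "host_op_pstree": "", "host_op": ""},
    {"cls_event_type": "attack_logs", "uuid": "u-1", "hostip": "10.0.0.5", "src_ip": "198.51.100.7",
     "dst_port": 8080, "type": "Successful Attack", "status": "Pending", "count": 1,
     "svc_ps": '{"exe": "/usr/bin/java", "pid": 2200}',
     "net_payload": "POST /upload HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\ncmd=id\x00",
     "merge_time": "2024-08-16 17:40:00", "host_op_type": "rce (Command Execution)",
     "host_op_pstree": '[{"exe": "/usr/bin/java", "pid": 2200}, {"exe": "/bin/sh", "pid": 2300}, '
                       '{"exe": "/usr/bin/id", "pid": 2301}]',
     "host_op": "/bin/sh -c id"},
]
```

Sorting by count only within the non-compromised group is deliberate: a single successful request outranks thousands of merged, blocked attempts from a scanner.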

Java Webshell Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| type | string | Trojan Type (Filter, Listener, Servlet, Interceptors, Client, etc.) |
| exe | string | Java Process Path |
| argv | string | Java Process Command Line |
| pid | string | Java Process ID |
| class_name | string | In-memory Webshell Class Name (class_name) |
| loader_class_name | string | In-memory Webshell Loader Class Name (loader_class_name) |
| super_class_name | string | In-memory Webshell Parent Class Name (super_class_name) |
| interfaces | string | Interfaces Implemented by the In-memory Webshell |
| recent_found_time | string | Last Detection Time |
| status | string | Status (Pending, Allowlisted, Deleted, Ignored, and Manually Processed) |
| file_exist | string | Whether the Class File Exists on Disk (File Does Not Exist, File Exists) |
| class_file | string | File Path of the class |

Kernel File Monitoring Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| hostip | string | Host IP |
| hostname | string | Host Name |
| process_exe | string | Process Path |
| process_argv | string | Process Command Line Parameters |
| target | string | Destination File Path |
| status | string | Status (Pending, Allowlisted, Deleted, Ignored, and Manually Processed) |
| event_count | string | Event Occurrence Count |
| rule_name | string | Rule Name |
| event_detail | string | Event Details (json Format) |
| pstree | string | Process Tree |
| rule | string | Rule Group Details (json Format) |
| level | string | Severity Level (None, High, Medium, and Low) |

Web Tamper Protection Event Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| path | string | File Path |
| recover_type | string | Recovery Type (Recovery for Content Modification, Recovery for Permission Modification, Recovery for Ownership Modification, Recovery for Deletion, and Deletion for Addition) |
| has_recovered | string | Restored or Not (Not Restored, Restored) |
| recover_time | string | Restoration Time |
| is_manual_recover | string | Whether Manually Restored by User (No, Yes) |
| is_deleted | string | Deleted or Not (Not Deleted, Deleted) |
| status | string | Status (Pending, Confirm Malicious, and Confirm False Positive) |
| file_type | string | File Type (Regular File, Directory, and Symbolic Link) |

Web Tamper Protection Anomaly Fields Description

| Field | Type | Description |
|---|---|---|
| quuid | string | Machine quuid |
| exception | string | Exception Type (No Exception, Beyond Limit, Client Offline, Timed Out, Insufficient Disk Space, Machine Destroyed, File Changed During Backup, File Not Found During Backup, Beyond Limit (Monitoring Path is not a Directory), Beyond Limit (File Type not Supported), Beyond Limit (Number of Files Exceeded the Limit), Beyond Limit (Path Too Long), Beyond Limit (File Too Large), Beyond Limit (Failed to Read File), Beyond Limit (Too Many Protected Directories/Subdirectories), etc.) |
| exception_message | string | Exception Message |

Client Uninstallation Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| pstree | string | Process Tree |
| uninstall_time | string | Uninstallation Time |

Offline Client Fields Description

| Field | Type | Description |
|---|---|---|
| uuid | string | Machine uuid |
| offline_time | string | Machine Offline Time |

Asset Log Fields Description

Common Fields Description

| Field | Type | Description |
|---|---|---|
| id | string | Database Record ID |
| appid | string | User appid |
| host_name | string | Host Name |
| host_ip | string | Host Private IP |
| wan_ip | string | Host Public IP |
| instance_id | string | Instance ID |
| os_name | string | Operating System Name |
| os_type | string | Operating System Type (Unknow, CentOS, Debian, Gentoo, RedHat, Ubuntu, WindowsServer, TencentOS, CoreOS, FreeBSD, and SUSE) |
| create_time | int | Creation Time (Timestamp Format) |
| update_time | int | Asset Update Time (Timestamp Format) |
| cls_event_type | string | Event Type |
| event_status | string | Event Status (create, modify, and delete) |

Host List Fields Description

| Field | Type | Description |
|---|---|---|
| quuid | string | Machine quuid |
| machine_type | string | Machine Type (CVM, LH, Other, and ECM) |
| region | string | Region |
| project_id | int | Instance Project ID |
| instance_id | string | Instance ID |
| instance_state | string | Instance Status (PENDING, LAUNCH_FAILED, RUNNING, STOPPED, STARTING, STOPPING, REBOOTING, SHUTDOWN, TERMINATING, and TERMINATED) |
| restrict_state | string | Business Status (NORMAL, EXPIRED, PROTECTIVELY_ISOLATED, and TERMINATED_PRO_VERSION) |
| instance_name | string | Instance Name |
| private_ip_addresses | string | Instance Private IP Address |
| public_ip_addresses | string | Instance Public IP Address |
| ipv6_addresses | string | Instance IPv6 Address |
| vpc_id | string | VPC ID |
| os_name | string | Operating System Name |
| os_type | string | Operating System Type (Unknow, CentOS, Debian, Gentoo, RedHat, Ubuntu, WindowsServer, TencentOS, CoreOS, FreeBSD, and SUSE) |
| installed_cwp | int | Whether the CWPP Client Is Installed (0: Not Installed; 1: Installed) |
| latest_sync_time | string | Last Synchronization Time |

Resource Monitoring Fields Description

| Field | Type | Description |
|---|---|---|
| core_version | string | Kernel Version |
| boot_time | int | System Boot Time (unix Timestamp) |
| cpu_info | string | CPU Information |
| cpu_size | int | Number of CPUs |
| cpu_load | float | CPU Utilization |
| memory_size | int | Memory Size (MB) |
| memory_load | float | Memory Utilization |
| disk_size | int | Disk Size (MB) |
| disk_load | float | Disk Utilization |

Account Fields Description

| Field | Type | Description |
|---|---|---|
| group_name | string | Account Group Name |
| status | string | Account Status (Disabled, Enabled) |
| is_root | string | Whether the Account Has Root Privileges |
| name | string | Account Name |
| type | string | Account Type (Guest User, Standard User, and Administrator User) |
| home_path | string | Home Directory |
| shell | string | Shell Path |
| password_change_time | string | Password Change Time |
| password_due_days | int | Password Due Days (-1 means that it never expires.) |
| password_lock_days | int | Password Lockout Duration in Days (-1 means that it is infinite.) |
| password_warn_days | int | Password Expiration Reminder in Days |
| password_change_type | string | Password Change Settings (Not Modifiable, Modifiable) |
| password_status | string | Password Status (Normal, Expiring Soon, Expired, and Locked) |
| login_type | string | Log-in Method (No Log-in Allowed, Key-only Log-in, Password-only Log-in, and Key and Password Allowed) |
| last_login_time | int | Last Log-in Time |
| last_login_terminal | string | Last Log-in Terminal |
| last_login_ip | string | Last Log-in IP |
| disable_time | string | Account Expiration Time |

Port Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Process Name |
| version | string | Process Version |
| path | string | Process Path |
| parent_process_name | string | Parent Process Name |
| pid | string | Process ID |
| user | string | Running User |
| group_name | string | User Group of the Running User |
| start_time | int | Start Time (unix Timestamp) |
| param | string | Startup Parameters |
| tty | string | Process TTY |
| port | string | Port |
| ppid | string | Parent Process ID |
| proto | string | Port Protocol |

Software Application Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Application Name |
| type | string | Application Type (Ops Tool, Database, Secure Application, Suspicious Application, System Architecture, System Application, WEB Ops, etc.) |
| bin_path | string | Binary Path |
| config_path | string | Configuration File Path |
| process_count | int | Associated Process Count |
| version | string | Version Number |

Process Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Process Name |
| group_name | string | Process User Group |
| desc | string | Process Description |
| path | string | Process Path |
| pid | string | Process ID |
| ppid | string | Parent Process ID |
| parent_process_name | string | Parent Process Name |
| user | string | Running User |
| start_time | int | Start Time |
| param | string | Startup Parameters |
| tty | string | Process TTY |
| version | string | Process Version |
| status | string | Process Status (None, Executable, Interruptible, Not Interruptible, Paused or Traced, Zombie, To Be Destroyed, Idle, and Waiting for Memory Allocation) |
| package_name | string | Software Package Name |

Database Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Database Name |
| version | string | Version |
| port | string | Port |
| proto | string | Protocol |
| user | string | Running User |
| ip | string | Bound IP |
| config_path | string | Configuration File Path |
| log_path | string | Log File Path |
| data_path | string | Data Path |
| permission | string | Running Permission |
| error_log_path | string | Error Log Path |
| plugin_path | string | Plugin Path |
| bin_path | string | Binary Path |
| param | string | Startup Parameters |

Web Application Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Application Name |
| desc | string | Application Description |
| version | string | Version |
| root_path | string | Root Path |
| service_type | string | Service Type |
| domain | string | Site Domain Name |
| virtual_path | string | Virtual Path |
| plugin_count | int | Plugin Count |

Web Service Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Web Service Name |
| version | string | Version |
| bin_path | string | Binary Path |
| service_type | string | Service Type |
| user | string | Starting User |
| install_path | string | Installation Path |
| config_path | string | Configuration Path |
| process_count | int | Associated Process Count |

Web Framework Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Framework Name |
| version | string | Version |
| lang | string | Language |
| service_type | string | Service Type |
| path | string | Application Path |

Web Site Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Domain Name |
| port | string | Site Port |
| proto | string | Site Protocol |
| service_type | string | Service Type |
| path_count | int | Site Path Count |
| user | string | Running User |
| ip | string | Bound IP |
| command | string | Startup Command |

jar File Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Name |
| type | string | Type (Application, System Class Library, Web Service Built-in Library, and Other) |
| status | string | Executable or Not |
| version | string | Version |
| path | string | Path |

Startup Service Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Name |
| type | string | Type |
| status | string | Default Enablement Status (Enabled, Not Enabled) |
| user | string | Starting User |
| path | string | Path |

Scheduled Task Fields Description

| Field | Type | Description |
|---|---|---|
| status | string | Default Enablement Status (Enabled, Not Enabled) |
| cycle | string | Execution Cycle |
| command | string | Executed Command or Script |
| user | string | Starting User |
| config_path | string | Configuration File Path |
| os_info | string | Operating System |

Environment Variable Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Name |
| type | string | Type (User, System) |
| user | string | Starting User |
| value | string | Environment Variable Value |

Kernel Module Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Name |
| desc | string | Description |
| path | string | Path |
| version | string | Version |
| size | int | Size |

System Installation Package Fields Description

| Field | Type | Description |
|---|---|---|
| name | string | Installation Package Name |
| desc | string | Description |
| version | string | Version |
| install_time | int | Installation Time (unix Timestamp) |
| type | string | Type |

Client Reporting Log Fields Description

Original Log Fields Description

| Field | Type | Description |
|---|---|---|
| appid | int | User appid |
| uuid | string | Machine uuid |
| path | string | Log File Path |
| tag | string | Tag (Defined by the User) |
| time | string | Log Time |
| log | string | Log Content |

DNS Log Fields Description

| Field | Type | Description |
|---|---|---|
| appid | int | User appid |
| quuid | string | Machine quuid |
| uuid | string | Machine uuid |
| recv_time | int | Timestamp |
| domain | string | Domain Name |
| hostip | string | Host IP |
| platform | string | Platform (Linux, Windows) |
| pid | int | Process ID |
| process_path | string | Process Path |
| cmdline | string | Process Command Line Parameters |
| count | int | Number of Accesses during the Reporting Period |

Process Snapshot Fields Description

| Field | Type | Description |
|---|---|---|
| appid | string | Account appid |
| quuid | string | Host quuid (the corresponding CVM uuid) |
| uuid | string | Host uuid |
| hostip | string | Host IP (the IP that connects to the backend) |
| instance_id | string | Instance ID |
| event_name | string | Event Type: process (Process Event) |
| pid | int | Process ID |
| ppid | int | Parent Process ID |
| sid | int | Process Session ID (Linux Only) |
| uid | int | Process uid (Linux Only) |
| gid | int | Process gid (Linux Only) |
| euid | int | Process euid (Linux Only) |
| egid | int | Process egid (Linux Only) |
| report_type | int | Report Type (0: Real-time Process; 1: Process Snapshot) |
| parent_proc_name | string | Parent Process Name |
| process_name | string | Process Name |
| process_path | string | Process Path |
| cmdline | string | Process Command Line |
| user_name | string | Process Starting User |
| process_md5 | string | Process md5 |
| platform | string | Platform (Linux, Windows) |
| time | int | Event Collection Timestamp |
| timestamp | string | Event Storage Date and Time |
| insert_time | int | Event Storage Timestamp |

Network Quintuple Log Fields Description

| Field | Type | Description |
|---|---|---|
| appid | string | Account appid |
| quuid | string | Host quuid (the corresponding CVM uuid) |
| uuid | string | Host uuid |
| hostip | string | Host IP (the IP that connects to the backend) |
| instance_id | string | Instance ID |
| event_name | string | Event Type: net (Network Quintuple Log) |
| pid | int | Process pid |
| proc_path | string | Process Path |
| argv | string | Process Execution Parameters |
| username | string | User and Group the Process Belongs To (user:group) |
| src_ip | string | Source IP |
| src_port | int | Source Port |
| dst_ip | string | Destination IP |
| dst_port | int | Destination Port |
| first_time | int | First Trigger Time during the Reporting Period |
| last_time | int | Last Trigger Time during the Reporting Period |
| count | int | Number of Triggers during the Reporting Period |
| time | int | Event Collection Timestamp |
| timestamp | string | Event Storage Date and Time |
| insert_time | int | Event Storage Timestamp |
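A net_log record identifies the connecting process only by pid, proc_path and argv; the process_md5, ppid and parent_proc_name that tell you whether a connection is a web worker spawning a shell live in the process_snapshot table above. The two join on (uuid, pid), but pids are reused, so the join must pick the snapshot collected at or before the connection's first_time and confirm process_path matches before trusting its metadata. The code below is an added example, not code from Tencent Cloud or this page; it builds that index, enriches each quintuple record, and flags outbound connections whose parent is a web server process. The WEB_PARENTS list is an assumption to adapt to your fleet, and the sample records are constructed.

```python
from bisect import bisect_right
from collections import defaultdict

# Parent process names that should not normally spawn children making outbound
# connections. Assumption for this example; adjust to the services you run.
WEB_PARENTS = {"nginx", "httpd", "apache2", "php-fpm", "java", "tomcat"}


def index_snapshots(snapshots):
    """Group process_snapshot records by (uuid, pid), sorted by collection time."""
    idx = defaultdict(list)
    for s in snapshots:
        if s.get("event_name") != "process":
            continue
        idx[(s["uuid"], int(s["pid"]))].append((int(s["time"]), s))
    for entries in idx.values():
        entries.sort(key=lambda t: t[0])
    return idx


def find_process(idx, uuid, pid, at_time, proc_path):
    """Latest snapshot for (uuid, pid) collected at or before at_time whose process_path
    equals the connection's proc_path. The path check guards against pid reuse: without
    it a dead process's md5 and parent would be attached to a new connection."""
    entries = idx.get((uuid, int(pid)), [])
    i = bisect_right([t for t, _ in entries], at_time)
    while i > 0:
        i -= 1
        snap = entries[i][1]
        if snap.get("process_path") == proc_path:
            return snap
    return None


def enrich_connections(net_logs, snapshots):
    """Attach process identity from the snapshot table to each net_log record."""
    idx = index_snapshots(snapshots)
    out = []
    for n in net_logs:
        if n.get("event_name") != "net":
            continue
        snap = find_process(idx, n["uuid"], n["pid"], int(n["first_time"]), n.get("proc_path"))
        parent = snap.get("parent_proc_name") if snap else None
        out.append({
            "uuid": n["uuid"],
            "pid": int(n["pid"]),
            "proc_path": n.get("proc_path"),
            "argv": n.get("argv"),
            "username": n.get("username"),
            "dst": f"{n.get('dst_ip')}:{n.get('dst_port')}",
            "count": int(n.get("count") or 0),
            "process_md5": snap.get("process_md5") if snap else None,
            "ppid": snap.get("ppid") if snap else None,
            "parent_proc_name": parent,
            "snapshot_matched": snap is not None,
            "web_spawned_outbound": parent in WEB_PARENTS,
        })
    return out


# Constructed sample records (not real CWPP output). pid 4242 was first nginx, then,
# after reuse, a curl launched by php-fpm; a third snapshot postdates the connection.
SNAPSHOTS = [
    {"event_name": "process", "uuid": "u-1", "pid": 4242, "time": 1723800000,
     "process_path": "/usr/sbin/nginx", "process_md5": "aaaa", "ppid": 1, "parent_proc_name": "systemd"},
    {"event_name": "process", "uuid": "u-1", "pid": 4242, "time": 1723800700, "report_type": 0,
     "process_path": "/usr/bin/curl", "process_md5": "bbbb", "ppid": 3100, "parent_proc_name": "php-fpm"},
    {"event_name": "process", "uuid": "u-1", "pid": 4242, "time": 1723801000, "report_type": 1,
     "process_path": "/usr/bin/curl", "process_md5": "cccc", "ppid": 3100, "parent_proc_name": "php-fpm"},
]
NET_LOGS = [
    {"event_name": "net", "uuid": "u-1", "pid": 4242, "proc_path": "/usr/bin/curl",
     "argv": "curl http://203.0.113.9:4444/", "username": "www-data:www-data",
     "src_ip": "10.0.0.5", "src_port": 51234, "dst_ip": "203.0.113.9", "dst_port": 4444,
     "first_time": 1723800850, "last_time": 1723800860, "count": 3, "time": 1723800900},
    {"event_name": "net", "uuid": "u-1", "pid": 5000, "proc_path": "/usr/bin/ssh",
     "argv": "ssh bastion", "username": "deploy:deploy",
     "src_ip": "10.0.0.5", "src_port": 51300, "dst_ip": "10.0.0.1", "dst_port": 22,
     "first_time": 1723800900, "last_time": 1723800900, "count": 1, "time": 1723800900},
]
```

Records with snapshot_matched false are worth keeping rather than dropping: report_type 0 snapshots are real-time, but a short-lived process can still connect and exit between collections, and a connection with no identifiable process is itself a signal.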

File Monitoring Log Fields Description

| Field | Type | Description |
|---|---|---|
| appid | string | Account appid |
| quuid | string | Host quuid (the corresponding CVM uuid) |
| uuid | string | Host uuid |
| hostip | string | Host IP (the IP that connects to the backend) |
| instance_id | string | Instance ID |
| event_name | string | Event Type: file (File Operation Event) |
| pid | int | Process ID |
| ppid | int | Parent Process ID |
| session_id | int | Process Session ID (Linux Only) |
| uid | int | Process uid (Linux Only) |
| gid | int | Process gid (Linux Only) |
| file_path | string | Path of the File Operated On |
| cwd | string | Current Working Directory of the Process |
| proc_path | string | Process Path |
| argv | string | Process Command Line |
| username | string | User Performing the File Operation |
| parent_proc_name | string | Parent Process Name |
| proc_name | string | Process Name |
| proc_md5 | string | Process md5 |
| proc_perm | string | Process File Execution Permissions |
| proc_mtime | int | Process File Modify Time |
| proc_ctime | int | Process File Change Time |
| proc_atime | int | Process File Access Time |
| operation | string | File Operation Type (write, rename) |
| file_size | int | File Size |
| file_mtime | int | Operated File Modify Time |
| file_ctime | int | Operated File Change Time |
| file_atime | int | Operated File Access Time |
| file_perm | string | Operated File Permissions |
| file_owner | string | Operated File Owner |
| time | int | Event Collection Timestamp |
| timestamp | string | Event Storage Date and Time |
| insert_time | int | Event Storage Timestamp |

Log-in Activity Log Fields Description

| Field | Type | Description |
|---|---|---|
| appid | string | Account appid |
| quuid | string | Host quuid (the corresponding CVM uuid) |
| uuid | string | Host uuid |
| hostip | string | Host IP (the IP that connects to the backend) |
| instance_id | string | Instance ID |
| event_name | string | Event Type: login (Log-in Event) |
| src_ip | string | Log-in Source IP |
| dst_port | int | Log-in Target Port |
| protocol | string | Log-in Protocol |
| count | int | Log-in Count |
| event_type | string | Event Status (success: Log-in succeeded; fail: Log-in failed) |
| time | int | Event Collection Timestamp |
| insert_time | int | Event Storage Timestamp |