Log Analysis is an essential part of the Cloud Workload Protection Platform (CWPP) solution. It provides host-related security event logs, supports SQL-based retrieval and query, and offers visual reports and statistics, helping users quickly identify intrusions, trace their sources, and perform other security operations. This document describes how to use the Log Analysis feature.
Note:
Which log data can be collected depends on the host protection edition, as listed below (log category, log type, log description, supported editions).

Host Asset Logs
  CVM instance information: includes the host instance ID, IP, operating system, region, VPC, instance status, and whether the host security client is installed.
  Note: If only the host's "synchronization time" changes and all other information stays the same, no log entry is generated.
  Supported editions: all hosts.
  Asset fingerprint: includes resource monitoring, accounts, ports, software applications, processes, databases, web applications, web services, web frameworks, websites, JAR archive files, startup services, scheduled tasks, environment variables, kernel modules, and system installation packages.
  Note: If only the asset fingerprint's "data update time" changes and all other information stays the same, no log entry is generated.
  Supported editions: Professional and Flagship editions.

Client-Reported Logs
  Reported by the client: host raw logs (including system authentication and authorization information, system security information, system messages, system audit information, etc.); DNS logs, process snapshot logs, network five-tuple logs, file monitoring logs, and login transaction logs.
  Supported editions: Basic edition and above.

Alarm Logs
  Intrusion detection: malicious file detection (malicious files), malicious file detection (abnormal processes), abnormal login, password cracking, malicious request, high-risk command, local privilege escalation, reverse shell.
  Supported editions: Professional and Flagship editions.
  Vulnerability management: emergency vulnerabilities, Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, application vulnerabilities.
The log shipping feature supports only a single CKafka account for shipping.
According to the Cybersecurity Law, logs must be retained for at least six months. It is recommended to allocate 20-40 GB of storage capacity per server to collect and retain log data.
2. In the left sidebar, select Log Analysis to set up log storage, query logs, and configure log delivery.
Log Storage
Click Log Storage Settings to open the settings popup. Under Storage Settings, you can view the current log storage status and configure what is stored and for how long. Under Storage Records, you can view the log storage status recorded at midnight on the last day of each month, displayed in reverse chronological order by default.
View Logs
On the log analysis page, you can filter logs in the following ways.
Filter by time or type: select the time range or log type and click Confirm.
Filter by field value: enter field values in the search box, or select field matches.
Filter by entering field values in the search box: as in the example below, enter the desired field and field value in the search box and click the search button to filter.
Filter by selecting field matches: click the field-match button, select the appropriate field and operator from the drop-down list, enter the corresponding field value, and click Confirm to filter.
Note:
For frequently used searches, click Save to save the search. Next time, click Quick Retrieval and select the previously saved search to filter.
On the log analysis page, click on the histogram or click and drag to quickly select the time range for drill-down viewing.
On the log analysis page, in the field navigation on the left side of the list, you can customize display fields and hidden fields.
Click Export to export logs that meet the search criteria as a file and download it locally through the browser.
Note:
A maximum of 60,000 log entries can be exported at a time, with at most 10,000 entries per log type.
Log Delivery
Shipping to CKafka
On the log analysis page, you can configure different CWPP log types to be shipped to different topics of a specified CKafka instance.
1. Click Log Delivery in the upper left corner to open the log delivery configuration popup. If the CKafka service has not yet been authorized, click Authorize Now and agree to the service authorization before continuing with the log delivery configuration.
2. After agreeing to the service authorization, select the message queue instance and the network access method, enter the username and password of the selected message queue instance, and run a connectivity test.
3. Select the network access method (method, description, optional route):
Public Domain Name Access: logs are shipped over the public network. Route: the access route specified in the message queue instance.
Support Environment Access: logs are shipped over the Tencent Cloud private network, which improves performance. Route: the access route specified in the message queue instance; only SASL_PLAINTEXT is supported.
Private Network Delivery: logs are shipped over the Tencent Cloud private network, and no routing needs to be configured in CKafka; an invisible internal route is created automatically to support access. Route: none.
Note:
If you choose Public Domain Name Access or Support Environment Access, you also need to select an access route. The routing policy corresponds to the access method shown in the details of the CKafka instance list.
If you choose Public Domain Name Access or Support Environment Access, you also need to fill in the username and password of the CKafka instance. Users are added under ACL Policy Management > User Management in the details of the CKafka instance list. (When configuring log delivery, fill in only the part of the username after #, omitting the CKafka instance ID before #.)
4. After completing the CKafka configuration above, run the connectivity test. Once it passes, configure the topic for each log type to be delivered (for log types that should not be delivered, leave the Topic ID unselected).
5. After completing the log delivery configuration, click Log Delivery again to view the log delivery details.
Basic info: shows the basic information of CKafka instances.
Note:
Pay attention to the "status" field. When an alarm or exception is shown, click View Monitoring to check whether the CKafka service is abnormal or short of quota.
Delivery switch: Toggles the log shipping on/off to control a specified log type. You can control the log shipping task through the switch button in the Delivery switch column.
Delivery status: normal, abnormal (this status will suspend delivery), not enabled.
Edit: Click Edit to edit the log type and Topic ID to be delivered again.
View monitoring: Click View monitoring to go to the monitoring page of the CKafka console, where you can view network traffic, peak bandwidth, message count, disk usage, etc.
Reconfigure: At the top of the log delivery list, click Reconfigure to return to the state after agreeing to the CKafka authorization service, where you can reconfigure the message queue instance, network access method, log type, Topic ID, etc.
Note:
Reconfiguration will interrupt the current delivery process.
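As an added example (not Tencent Cloud's own code or API), the following pre-submission check encodes the CKafka delivery rules from steps 2-4 above: route and credentials are required for public domain and support environment access, support environment access allows only SASL_PLAINTEXT, the username keeps only the part after "#", and log types without a Topic ID are skipped. The `DeliveryConfig` fields and the `sasl_mechanism` name are assumptions for illustration, and the sample instance ID is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Access methods named on the page; the identifiers themselves are assumed.
ACCESS_METHODS = {"public_domain", "support_environment", "private_network"}

@dataclass
class DeliveryConfig:
    access_method: str
    route: Optional[str] = None            # required for public_domain / support_environment
    sasl_mechanism: Optional[str] = None   # hypothetical field, e.g. "SASL_PLAINTEXT"
    username: Optional[str] = None         # may be pasted as "<instance-id>#<user>"
    password: Optional[str] = None
    topics: Dict[str, Optional[str]] = field(default_factory=dict)  # log type -> Topic ID or None

def normalize_username(raw: str) -> str:
    """Keep only the part after '#': the console expects the username without the instance ID."""
    return raw.split("#", 1)[1] if "#" in raw else raw

def validate_delivery(cfg: DeliveryConfig) -> dict:
    """Return the effective delivery settings, or raise ValueError describing the misconfiguration."""
    if cfg.access_method not in ACCESS_METHODS:
        raise ValueError(f"unknown access method: {cfg.access_method}")
    result = {"access_method": cfg.access_method}
    if cfg.access_method in ("public_domain", "support_environment"):
        if not cfg.route:
            raise ValueError("an access route must be selected for this access method")
        if not (cfg.username and cfg.password):
            raise ValueError("CKafka username and password are required")
        if cfg.access_method == "support_environment" and cfg.sasl_mechanism != "SASL_PLAINTEXT":
            raise ValueError("support environment access only supports SASL_PLAINTEXT")
        result["route"] = cfg.route
        result["username"] = normalize_username(cfg.username)
    # private_network: the internal route is created automatically, so nothing else is needed.
    delivered = {t: topic for t, topic in cfg.topics.items() if topic}
    if not delivered:
        raise ValueError("no log type has a Topic ID; nothing would be delivered")
    result["topics"] = delivered
    result["skipped"] = sorted(t for t, topic in cfg.topics.items() if not topic)
    return result

if __name__ == "__main__":
    # Constructed sample: username pasted with the instance ID prefix, one type left undelivered.
    sample = DeliveryConfig("support_environment", route="route-1", sasl_mechanism="SASL_PLAINTEXT",
                            username="ckafka-EXAMPLEID#cwpp-shipper", password="[redacted]",
                            topics={"intrusion_detection": "topic-alarm", "vulnerability": None})
    print(validate_delivery(sample))
```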
Shipping to CLS
On the log analysis page, you can configure different CWPP log types to be shipped to different log topics of the specified CLS.
1. Click Log Delivery in the upper left corner to open the log delivery configuration popup. If the CLS service has not yet been authorized, click Authorize Now, agree to the service authorization, and create a service role before continuing with the log delivery configuration.
Note:
Shipping logs to CLS (Cloud Log Service) for centralized management requires authorization for access to CLS and enabling the log shipping switch.
After the current account is authorized to access CLS and log shipping to CLS is enabled, pay-as-you-go storage space is created automatically in CLS and billed on a pay-as-you-go basis. For details, see CLS Billing Overview.
2. After completing the above authorization, you can configure different log topics for the logs to be delivered (for log types not to be delivered, you can skip the configuration).
3. Click Configure Now to select the log types to be delivered, target region, logset, and log topic in the delivery settings popup, then click Yes.
4. After configuration, click to enable the delivery switch. The log type will be delivered to the CLS logset and log topic you configured.
Delivery switch: Toggles the log shipping on/off to control a specified log type. You can control the log shipping task through the switch button in the Delivery switch column.
Delivery status: normal, abnormal (this status will suspend delivery), not configured.
Edit: Click Edit to edit the log set and log topic to be delivered again.
Reset: Click Reset in the action column to clear the configured log delivery content, including log type, delivery log set, and delivery log topic. Please proceed with caution.