Handling errors

If a trail cannot send audit logs to the destination object, the trail status will change to Error. This guide contains recommendations on how to recover the trail.

Destination objects:

• Object Storage bucket
• Data Streams stream
• Cloud Logging log group

Object Storage bucketObject Storage bucket

ACCESS_DENIEDACCESS_DENIED

• Make sure the service account used by the trail to upload audit logs to the bucket has the storage.uploader role or higher.
• If the bucket is encrypted with the Yandex Key Management Service key, make sure the service account used by the trail to upload audit logs to the bucket has the kms.keys.decrypter role for the key.
• If the trail delivers events to the encrypted bucket, check that the Key Management Service key for this bucket exists.
• Check the bucket access control list (ACL) and bucket policy and make sure they contain no rules that disable the service account to write data to the bucket.

BUCKET_QUOTA_EXCEEDEDBUCKET_QUOTA_EXCEEDED

Increase the bucket size and delete the objects you do not need.

BUCKET_CLOUD_QUOTA_EXCEEDEDBUCKET_CLOUD_QUOTA_EXCEEDED

Contact support to have the Object Storage quota for the cloud increased.

BUCKET_NOT_FOUNDBUCKET_NOT_FOUND

Check the bucket specified in the trail settings. If the bucket was deleted:

1. Create a new bucket with the same name as that specified in the trail settings.

   You can also change the trail settings by specifying a different bucket under Destination.

2. If the bucket is encrypted with the Yandex Key Management Service key, grant the kms.keys.decrypter role for the key to the service account used by the trail to upload audit logs to the bucket.

BUCKET_INVALID_ENCRYPTIONBUCKET_INVALID_ENCRYPTION

Check whether the Yandex Key Management Service key used to encrypt the bucket has the Active status.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

Data Streams streamData Streams stream

ACCESS_DENIEDACCESS_DENIED

Make sure the service account used by the trail to upload audit logs to the stream is assigned the yds.writer or a higher role.

STREAM_NOT_FOUNDSTREAM_NOT_FOUND

Check the stream specified in the trail settings. If the stream or its YDB database was deleted:

1. Create a new stream.
2. Change the trail settings by specifying the new stream under Destination.

DATABASE_INACTIVEDATABASE_INACTIVE

Make sure the YDB database status is Running. Start the database, if required. You can do this via the management console:

1. In the list of services, select Managed Service for YDB.
2. Click to the right of the database name and select Start.

DATABASE_NOT_FOUNDDATABASE_NOT_FOUND

Make sure the YDB database status is Running and the linked stream status is Active. If the stream or its YDB database were deleted, create a new stream or database.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

Cloud Logging log groupCloud Logging log group

ACCESS_DENIEDACCESS_DENIED

Make sure the service account used by the trail to upload audit logs to the log group has the logging.writer role or higher.

LOG_GROUP_NOT_FOUNDLOG_GROUP_NOT_FOUND

Check the log group specified in the trail settings. If the log group was deleted:

1. Create a new log group.
2. Change the trail settings by specifying the new log group under Destination.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

See alsoSee also

• Assigning roles to a service account