Handling errors

If a trail is unable to send audit logs to the destination object, its status will change to Error. This guide contains recommendations on how get the trail back to normal.

Destination objects:

• Object Storage bucket.
• Data Streams stream.
• log group Cloud Logging.

Object Storage bucketObject Storage bucket

ACCESS_DENIEDACCESS_DENIED

• Make sure the service account used by the trail to upload audit logs to the bucket has the storage.uploader role or higher.
• If the bucket is encrypted with the Yandex Key Management Service key, make sure the service account used by the trail to upload audit logs to the bucket has the kms.keys.decrypter role for the key.
• If the trail delivers events to the encrypted bucket, check that the Key Management Service key for this bucket exists.
• Check the bucket access control list (ACL) and bucket policy and make sure they contain no rules that disable the service account to write data to the bucket.

BUCKET_QUOTA_EXCEEDEDBUCKET_QUOTA_EXCEEDED

Increase the bucket size and delete the objects you do not need.

BUCKET_CLOUD_QUOTA_EXCEEDEDBUCKET_CLOUD_QUOTA_EXCEEDED

Contact support to have your Object Storage quota for the cloud increased.

BUCKET_NOT_FOUNDBUCKET_NOT_FOUND

Check the bucket specified in the trail settings. If the bucket was deleted:

1. Create a new bucket with the same name as that specified in the trail settings.

   You can also change the trail settings by specifying a different bucket under Destination.

2. If the bucket is encrypted with a Yandex Key Management Service key, assign the kms.keys.decrypter role for the key to the service account used by the trail to upload audit logs to the bucket.

BUCKET_INVALID_ENCRYPTIONBUCKET_INVALID_ENCRYPTION

Make sure the Yandex Key Management Service key used to encrypt the bucket has the Active status.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

Data Streams data streamData Streams data stream

ACCESS_DENIEDACCESS_DENIED

Make sure the service account used by the trail to upload audit logs to the stream has the yds.writer role or higher.

STREAM_NOT_FOUNDSTREAM_NOT_FOUND

Check the stream specified in the trail settings. If the stream or its YDB database was deleted:

1. Create a new stream.
2. Change the trail settings by specifying the new stream under Destination.

DATABASE_INACTIVEDATABASE_INACTIVE

Make sure the YDB database has the Running status. Start the database if you need to, e.g., via the management console:

1. From the list of services, select Managed Service for YDB.
2. Click to the right of the database name and select Start.

DATABASE_NOT_FOUNDDATABASE_NOT_FOUND

Make sure the YDB database has the Running status, and the linked stream is Active. If the stream or its YDB database were deleted, create a new stream or database.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

Cloud Logging log groupCloud Logging log group

ACCESS_DENIEDACCESS_DENIED

Make sure the service account used by the trail to upload audit logs to the log group has the logging.writer role or higher.

LOG_GROUP_NOT_FOUNDLOG_GROUP_NOT_FOUND

Check the log group specified in the trail settings. If the log group was deleted:

1. Create a new log group.
2. Change the trail settings by specifying the new log group under Destination.

UNKNOWN or INTERNAL_ERRORUNKNOWN or INTERNAL_ERROR

Contact support for additional information and recommendations.

See alsoSee also

• Assigning roles to a service account