Handling errors
If a trail cannot send audit logs to the destination object, the trail status will change to Error. This guide contains recommendations on how to recover the trail.
Note
A few minutes after the error cause is removed, the trail status will change to Active. All audit logs will be uploaded to the destination object.
Destination objects:
Object Storage bucket
ACCESS_DENIED
- Make sure the service account used by the trail to upload audit logs to the bucket has the storage.uploader role or higher.
- If the bucket is encrypted with a Yandex Key Management Service key, make sure the service account used by the trail to upload audit logs to the bucket has the kms.keys.decrypter role for the key.
- If the trail delivers events to an encrypted bucket, check that the Key Management Service key for this bucket exists.
- Check the bucket access control list (ACL) and bucket policy and make sure they contain no rules that prevent the service account from writing data to the bucket.
BUCKET_QUOTA_EXCEEDED
Increase the bucket size and delete the objects you do not need.
BUCKET_CLOUD_QUOTA_EXCEEDED
Contact support
BUCKET_NOT_FOUND
Check the bucket specified in the trail settings. If the bucket was deleted:
- Create a new bucket with the same name as that specified in the trail settings. You can also change the trail settings by specifying a different bucket under Destination.
- If the bucket is encrypted with a Yandex Key Management Service key, grant the kms.keys.decrypter role for the key to the service account used by the trail to upload audit logs to the bucket.
BUCKET_INVALID_ENCRYPTION
Check whether the Yandex Key Management Service key used to encrypt the bucket has the Active status.
UNKNOWN or INTERNAL_ERROR
Contact support
Data Streams stream
ACCESS_DENIED
Make sure the service account used by the trail to upload audit logs to the stream is assigned the yds.writer or a higher role.
STREAM_NOT_FOUND
Check the stream specified in the trail settings. If the stream or its YDB database was deleted:
- Create a new stream.
- Change the trail settings by specifying the new stream under Destination.
DATABASE_INACTIVE
Make sure the YDB database status is Running. Start the database, if required. You can do this via the management console:
- In the list of services, select Managed Service for YDB.
- Click the icon to the right of the database name and select Start.
DATABASE_NOT_FOUND
Make sure the YDB database status is Running and the linked stream status is Active. If the stream or its YDB database was deleted, create a new stream or database.
UNKNOWN or INTERNAL_ERROR
Contact support
Cloud Logging log group
ACCESS_DENIED
Make sure the service account used by the trail to upload audit logs to the log group has the logging.writer role or higher.
LOG_GROUP_NOT_FOUND
Check the log group specified in the trail settings. If the log group was deleted:
- Create a new log group.
- Change the trail settings by specifying the new log group under Destination.
UNKNOWN or INTERNAL_ERROR
Contact support
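The role checks listed under ACCESS_DENIED for all three destination types can be run as a pre-flight check before a trail is pointed at a destination. The following is an added example, not code from this guide or from the service: the binding shape (`role_id`, `subject.id`, `subject.type`), the set of roles treated as "or higher", and all IDs are assumptions or constructed sample data.

```python
# Added example: pre-flight check for the ACCESS_DENIED causes in this guide.
# Minimum role per destination type, as stated above.
REQUIRED = {"bucket": "storage.uploader", "stream": "yds.writer",
            "log_group": "logging.writer"}
KMS_ROLE = "kms.keys.decrypter"

# ASSUMPTION: which roles count as "or higher". Verify against the current
# role reference before relying on this mapping.
HIGHER = {
    "storage.uploader": {"storage.editor", "storage.admin"},
    "yds.writer": {"yds.editor", "yds.admin"},
    "logging.writer": {"logging.editor", "logging.admin"},
    "kms.keys.decrypter": {"kms.keys.encrypterDecrypter", "kms.editor", "kms.admin"},
}

def roles_of(bindings, sa_id):
    """Role IDs bound directly to one service account (group bindings ignored)."""
    return {b["role_id"] for b in bindings
            if b.get("subject", {}).get("type") == "serviceAccount"
            and b["subject"].get("id") == sa_id}

def satisfies(held, required):
    """True if any held role is the required one or an assumed higher one."""
    return bool(held & ({required} | HIGHER[required]))

def missing_roles(dest_type, sa_id, dest_bindings, kms_bindings=None):
    """Roles the trail's service account lacks for this destination.

    dest_bindings: bindings effective on the destination (merged by the caller).
    kms_bindings: bindings on the KMS key, or None when the bucket is not encrypted.
    """
    missing = []
    if not satisfies(roles_of(dest_bindings, sa_id), REQUIRED[dest_type]):
        missing.append(REQUIRED[dest_type])
    if dest_type == "bucket" and kms_bindings is not None \
            and not satisfies(roles_of(kms_bindings, sa_id), KMS_ROLE):
        missing.append(KMS_ROLE)
    return missing

# Constructed sample data (IDs are placeholders, not real resources).
SA = "sa-trail-example"
def _b(role, sid=SA, typ="serviceAccount"):
    return {"role_id": role, "subject": {"id": sid, "type": typ}}
BUCKET = [_b("storage.editor"), _b("storage.admin", "user-1", "userAccount")]
KMS_KEY = [_b("kms.keys.decrypter", "sa-other")]  # bound to a different account
STREAM = [_b("yds.viewer")]

if __name__ == "__main__":
    print(missing_roles("bucket", SA, BUCKET, KMS_KEY))
    print(missing_roles("stream", SA, STREAM))
```

An empty result only rules out the role-related causes; a bucket ACL or bucket policy rule can still block writes and has to be reviewed separately.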