Contact UsGet started

Managing a trail

Written by
Improved by
Updated at April 14, 2025

You can update the destination object, event types to collect, audit log collection scopes, and other trail settings, as well as delete the trail.

Updating a trail

To update a trail:

  1. In the management console, select the folder containing the trail.
  2. From the list of services, select Audit Trails.
  3. In the row with the trail you need, click and select Edit.
  4. Edit the trail settings. For a list of trail settings you can edit, see Trail settings.
  5. Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameters.

See the description of the CLI trail editing command for details about the arguments you can use:

yc audit-trails trail update --help

You can update a trail by specifying its parameters in one of these two ways:

In the YAML specification

Create a YAML specification containing the updated trail parameters and specify this file in the command for creating the trail.

This method simplifies working with trail parameters and reduces error probability. In addition, you can only customize the registration of data events using the YAML specification.

  1. Create a YAML file with the updated trail configuration:

    name: <trail_name>
folder_id: <folder_ID>
destination:
  # Only one destination must be specified:
  # object_storage, cloud_logging, data_stream
  # Settings for all destinations are provided for illustration purposes.
  object_storage:
    bucket_id: <bucket_name>
    object_prefix: <prefix_for_objects>
  cloud_logging:
    log_group_id: <log_group_ID>
  data_stream:
    stream_name: <YDS_name>
    database_id: <YDS_database_ID>
service_account_id: <service_account_ID>
filtering_policy:
  management_events_filter:
    resource_scopes:
      - id: <cloud_or_folder_organization_ID>
        type: <type>
  data_events_filters:
    - service: <service_name>
      resource_scopes:
        - id: <cloud_or_folder_organization_ID>
          type: <type>
      # You can specify either `included_events` or `excluded_events`, or skip both parameters to collect all service events.
      # 
      # Both parameters are provided for illustration purposes.
      included_events:
        event_types:
          - <these_events_will_be_collected>
      excluded_events:
        event_types:
          - <these_events_will_not_be_collected>

    Where:

    • name: Trail name. It must be unique within the folder.

    • folder_id: ID of the folder the trail will reside in.

    • destination: Settings of the selected destination the audit logs will be uploaded to.

      Warning

      Destination settings are mutually exclusive. Using some settings makes it impossible to use others.

      • object_storage: Uploading logs to a Yandex Object Storage bucket:

        • bucket_id: Bucket name.

          You can request the name of the bucket with the list of buckets in the folder (the default folder is used):

          yc storage bucket list

        • object_prefix: Prefix that will be assigned to the objects with audit logs in the bucket. It is an optional parameter used in the full name of the audit log file.

          Note

          Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

      • cloud_logging: Uploading logs to a Yandex Cloud Logging group.

        Specify the log group ID in the log_group_id parameter. You can request the ID with the list of log groups in the folder.

      • data_stream: Uploading logs to a data stream in Yandex Data Streams:

    • service_account_id: Service account ID.

    • filtering_policy: Settings of the filtering policy that determines which events to collect and include in the audit logs. The policy consists of filters pertaining to different levels of events.

      Warning

      You must configure at least one filter for the policy; otherwise, you will not be able to create a trail.

      Available filters:

      • management_events_filter: Management event filter.

        Specify the log collection scope in the resource_scopes parameter:

        • id: Organization, cloud, or folder ID.

        • type: Scope type according to the specified ID:

        You can combine several scopes belonging to the same organization in one resource_scopes parameter. For example, you can collect logs from one entire cloud and only from particular folders in another cloud:

        resource_scopes:
# Collecting logs from all of cloud 1
- id: <ID_of_cloud_1>
    type: resource-manager.cloud
# Collecting logs from folder 1 of cloud 2
- id: <folder_1_ID>
    type: resource-manager.folder
# Collecting logs from folder 2 of cloud 2
- id: <folder_2_ID>
    type: resource-manager.folder

        Service account permissions must allow collecting logs from the specified scopes.

      • data_events_filters: Data event filters. You can configure several filters of this type, one filter per service.

        A filter for one service has the following structure:

        • service: Service name. You can get it from the data event reference.

        • resource_scopes: Places to collect data events from. You can configure this parameter the same way as the management event filter.

        • *_events: Data event filters.

          • included_events.event_types: Collect only specified events.
          • excluded_events.event_types: Collect all events other than the specified ones.

          You can get a list of events from the data event reference.

          Warning

          The included_events and excluded_events filters are mutually exclusive, so only one of them should be set up. If neither filter is set up, all events will be collected.

  2. To update a trail, run this command:

    yc audit-trails trail update --file <file_path>
In the command arguments:

Use this method if your trail configuration is simple and contains few parameters.

Note

You can only customize the registration of data events using the YAML specification.

To update a trail, run this command:

yc audit-trails trail update \
  --name <trail_name> \
  --new-name <new_trail_name> \
  --description <trail_description> \
  --labels <label_list> \
  --service-account-id <service_account_ID> \
  --destination-bucket <bucket_name> \
  --destination-bucket-object-prefix <prefix_for_objects> \
  --destination-log-group-id <log_group_ID> \
  --destination-yds-stream <YDS_name> \
  --destination-yds-database-id <YDS_database_ID> \
  --filter-all-folder-id <folder_ID> \
  --filter-all-cloud-id <cloud_ID> \
  --filter-all-organisation-id <organization_ID> \
  --filter-some-folder-ids <cloud_folder_list> \
  --filter-from-cloud-id <cloud_ID_with_selected_folders> \
  --filter-some-cloud-ids <list_of_clouds_in_organization> \
  --filter-from-organisation-id <organization_ID_with_selected_clouds>

Where:

  • --name: Name of the trail you need to update. Instead of a name, you can provide the trail ID in the --id parameter.
  • --new-name: New trail name. The name must be unique within the folder. This is an optional parameter.

  • --description: Trail description. This is an optional parameter.

  • --labels: List of labels. This is an optional parameter. You can specify one or more labels separated by commas in <key1>=<value1>,<key2>=<value2> format.

  • --service-account-id: Service account ID.

  • --destination-bucket: Name of the Yandex Object Storage bucket you want to upload audit logs to.

    You cannot use this parameter together with --destination-log-group-id or --destination-yds-stream.

  • --destination-bucket-object-prefix: Prefix that will be assigned to the objects with audit logs in the bucket. It is an optional parameter used in the full name of the audit log file.

    Note

    Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

  • --destination-log-group-id: ID of the Yandex Cloud Logging log group the audit logs will be uploaded to.

    You cannot use this parameter together with --destination-bucket or --destination-yds-stream.

  • --destination-yds-stream: Name of the Yandex Data Streams data stream the audit logs will be uploaded to.

    You cannot use this parameter together with --destination-bucket or --destination-log-group-id.

  • --destination-yds-database-id: ID of the YDB database used by Data Streams.

  • --filter-all-folder-id: Folder ID. The system will be logging management events for all resources in this folder.

  • --filter-all-cloud-id: Cloud ID. The system will be logging management events for all resources in this cloud.

  • --filter-all-organisation-id: Organization ID. The system will be logging management events for all resources in this organization.

  • --filter-some-folder-ids: List of folder IDs. The system will be logging management events for all resources in those folders, in the cloud specified in --filter-from-cloud-id.

    This parameter can only be used together with --filter-from-cloud-id.

  • --filter-from-cloud-id: ID of the cloud housing the folders specified in the --filter-some-folder-ids parameter.

    This parameter can only be used together with --filter-some-folder-ids.

  • --filter-some-cloud-ids: List of cloud IDs. The system will be logging management events for all resources in those clouds, in the organization specified in --filter-from-organisation-id.

    This parameter can only be used together with --filter-from-organisation-id.

  • --filter-from-organisation-id: ID of the organization housing the clouds specified under --filter-some-folder-ids.

    This parameter can only be used together with --filter-some-cloud-ids.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. To update a trail created with Terraform, open the Terraform configuration file and update the trail description fragment:

    resource "yandex_audit_trails_trail" "basic_trail" {
  name        = "<trail_name>"
  folder_id   = "<folder_ID>"
  description = "<trail_description>"
  labels = {
    key = "value"
  }
  service_account_id = "<service_account_ID>"


  # Only one destination must be specified:
  # storage_destination , logging_destination, data_stream_destination
  # Settings for all destinations are provided for illustration purposes.

  logging_destination {
    log_group_id = "<log_group_ID>"
  }
  storage_destination {
    bucket_name   = "<bucket_ID>"
    object_prefix = "<prefix>"
  }
  data_stream_destination {
    database_id = "<YDS_database_ID>"
    stream_name = "<YDS_name>"
  }

  # Filtering policy settings

  filtering_policy {
    management_events_filter {
      resource_scope {
        resource_id   = "<organization_ID>"
        resource_type = "resource-manager.organization"
      }
    }  
    data_events_filter {
      service = "<service>"
      included_events = ["<service_event_type>","<service_2_event_type>"]
      resource_scope {
        resource_id   = "<cloud_ID>"
        resource_type = "resource-manager.cloud"
      }
      resource_scope {
        resource_id   = "<folder_ID>"
        resource_type = "resource-manager.folder"
      }
    }
    data_events_filter {
      service = "<service_2>"
      resource_scope {
        resource_id   = "<ID_of_cloud_2>"
        resource_type = "resource-manager.cloud"
      }
      resource_scope {
        resource_id   = "<cloud_3_ID>"
        resource_type = "resource-manager.cloud"
      }
    }
    data_events_filter {
      service = "<service_3>"
      resource_scope {
        resource_id   = "<folder_2_ID>"
        resource_type = "resource-manager.folder"
      }
      resource_scope {
        resource_id   = "<folder_3_ID>"
        resource_type = "resource-manager.folder"
      }
    }
  }
}

    Where:

    • name: Name of the new trail. The naming requirements are as follows:

      • It must be 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • folder_id: ID of the folder to create the trail in.

    • description: Description of the trail to distinguish it from other trails, e.g., My very first trail. This is an optional parameter.

    • labels: List of labels in key=value format. This is an optional parameter.

    • service_account_id: ID of the service account the trail will use to upload audit log files to the bucket.

      Based on the audit log collection scope, the service account must have the audit-trails.viewer role for the organization, cloud, or folder whose audit logs the trail will collect.

    Warning

    Only one destination must be specified: storage_destination, logging_destination, or data_stream_destination.

    • logging_destination: Uploading logs to a Yandex Cloud Logging group.

    • storage_destination: Uploading logs to a Yandex Object Storage bucket:

      • log_group_id: Name of the bucket for the trail to save audit logs to.

      • object_prefix: Prefix that will be assigned to the objects with audit logs in the bucket. It is an optional parameter used in the full name of the audit log file.

        Note

        Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

    • data_stream_destination: Uploading logs to a data stream in Yandex Data Streams:

      • stream_name: Name of the data stream for the trail to save audit logs to.
      • database_id: ID of the Yandex Managed Service for YDB database used by Data Streams.

    • filtering_policy: Settings of the filtering policy that determines which events to collect and include in the audit logs. The policy consists of filters pertaining to different levels of events. It contains the management_events_filter and data_events_filters objects.

      • management_events_filter: Management event filter.

      • resource_scopes: Log collection scope. You can combine several scopes belonging to the same organization in one resource_scopes parameter. For example, you can collect logs from one entire cloud and only from particular folders in another cloud. Service account permissions must allow collecting logs from the specified scopes.

        • resource_id: ID of the resource for whose resources audit logs will be collected. Based on the audit log collection scope, specify the organization ID or the cloud ID in this parameter.

        • resource_type: Scope type according to the specified ID:

      • data_events_filters: Data event filters. You can configure several filters of this type, one filter per service. A filter for one service has the following structure:

        • service: Name of the service in which the trail will process events. You can get it from the data event reference.
        • resource_scopes: Places to collect data events from. You can configure this parameter the same way as the management event filter.
        • included_events: Collect only specified events. This is an optional parameter. If not specified, all events will be collected. To collect all events except the specified ones, replace included_events with excluded_events. These parameters are mutually exclusive.
          You can get a full list of events from the data event reference.

    For more information about the yandex_audit_trails_trail resource parameters in Terraform, see the provider documentation.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources and their settings using the management console or this CLI command:

    yc audit-trails trail get <trail_name>

To update a trail, use the update REST API method for the Trail resource or the TrailService/Update gRPC API call.

Deleting a trail

To delete a trail:

  1. In the management console, select the folder containing the trail.
  2. From the list of services, select Audit Trails.
  3. In the row with the trail you need, click and select Delete.
  4. In the window that opens, confirm the deletion.

To delete a trail, run this command:

yc audit-trails trail delete <trail_name_or_ID>

To find out the names and IDs of available trails, use this tutorial.

To delete a trail created using Terraform:

  1. Open the Terraform configuration file and delete the trail description section.

    Example of a trail description in a Terraform configuration:

    resource "yandex_audit_trails_trail" "basic_trail" {
  name        = "<trail_name>"
  folder_id   = "<folder_ID>"
  description = "<trail_description>"
  labels = {
    key = "value"
  }
  service_account_id = "<service_account_ID>"


  # Only one destination must be specified:
  # storage_destination , logging_destination, data_stream_destination
  # Settings for all destinations are provided for illustration purposes.

  logging_destination {
    log_group_id = "<log_group_ID>"
  }
  storage_destination {
    bucket_name   = "<bucket_ID>"
    object_prefix = "<prefix>"
  }
  data_stream_destination {
    database_id = "<YDS_database_ID>"
    stream_name = "<YDS_name>"
  }

  # Filtering policy settings

  filtering_policy {
    management_events_filter {
      resource_scope {
        resource_id   = "<organization_ID>"
        resource_type = "resource-manager.organization"
      }
    }  
    data_events_filter {
      service = "<service>"
      included_events = ["<service_event_type>","<service_2_event_type>"]
      resource_scope {
        resource_id   = "<cloud_ID>"
        resource_type = "resource-manager.cloud"
      }
      resource_scope {
        resource_id   = "<folder_ID>"
        resource_type = "resource-manager.folder"
      }
    }
    data_events_filter {
      service = "<service_2>"
      resource_scope {
        resource_id   = "<ID_of_cloud_2>"
        resource_type = "resource-manager.cloud"
      }
      resource_scope {
        resource_id   = "<cloud_3_ID>"
        resource_type = "resource-manager.cloud"
      }
    }
    data_events_filter {
      service = "<service_3>"
      resource_scope {
        resource_id   = "<folder_2_ID>"
        resource_type = "resource-manager.folder"
      }
      resource_scope {
        resource_id   = "<folder_3_ID>"
        resource_type = "resource-manager.folder"
      }
    }
  }
}

  2. In the command line, go to the directory with the Terraform configuration file.

  3. Check the configuration using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

  7. To make sure the trail has been deleted, use this tutorial.

To delete a trail, use the delete REST API method for the Trail resource or the TrailService/Delete gRPC API call.

Previous
Creating a trail
Next
Viewing roles assigned for a trail