Exporting audit logs to MaxPatrol SIEM
To configure audit log export:
- Prepare your cloud.
- Prepare the environment.
- Create a trail to send logs to a Data Streams data stream.
- In MaxPatrol SIEM, set up a job to collect data from a Data Streams data stream.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Using a data stream (see Data Streams pricing).
- Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).
Prepare the environment
Create a service account and assign roles
On behalf of a service account, the trail will gather logs from all the organization's resources and upload them to a Data Streams data stream.
Create a service account in the same folder as the trail, e.g., `example-folder`:
- In the management console, select `example-folder`.
- At the top of the screen, go to the Service accounts tab.
- Click Create service account.
- Enter `maxpatrol-sa` as your service account name.
- Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the `--folder-name` or `--folder-id` parameter.
- Create a service account:
  ```
  yc iam service-account create --name maxpatrol-sa
  ```
  Result:
  ```
  id: aje*****ckg
  folder_id: b1g*****rnj
  created_at: "2022-09-18..."
  name: maxpatrol-sa
  ```
  For more information about the `yc iam service-account create` command, see the CLI reference.
Assign your `maxpatrol-sa` service account the `audit-trails.viewer` and `yds.editor` roles:
- The `audit-trails.viewer` role to the organization:
  ```
  yc organization-manager organization add-access-binding \
    --role audit-trails.viewer \
    --id <organization_ID> \
    --service-account-id <service_account_ID>
  ```
  Where:
  - `--role`: Role being assigned.
  - `--id`: ID of the organization the service account belongs to.
  - `--service-account-id`: ID of the `maxpatrol-sa` service account.
  Result:
  ```
  done (1s)
  ```
  For more information about the `yc organization-manager organization add-access-binding` command, see the CLI reference.
- The `yds.editor` role to `example-folder`:
  ```
  yc resource-manager folder add-access-binding example-folder \
    --role yds.editor \
    --subject serviceAccount:<service_account_ID>
  ```
  Where:
  - `--role`: Role being assigned.
  - `--subject`: Subject the role is assigned to, in the form `serviceAccount:<service_account_ID>`, where the ID is that of the `maxpatrol-sa` service account.
  Result:
  ```
  done (1s)
  ```
  For more information about the `yc resource-manager folder add-access-binding` command, see the CLI reference.
Create static access keys
MaxPatrol SIEM uses static access keys to authorize Data Streams data stream queries.
- In the management console, select `example-folder`.
- At the top of the screen, go to the Service accounts tab.
- Select the `maxpatrol-sa` service account and click the row with its name.
- Click Create new key on the top panel.
- Select Create static access key.
- Enter a description for the key and click Create.
Alert
Save the ID and private key. After you close the dialog, the private key value will become unavailable.
Create a static access key for the `maxpatrol-sa` service account:
```
yc iam access-key create --service-account-name maxpatrol-sa
```
Result:
```
access_key:
  id: YCd*****W7t
  service_account_id: aje*****ckg
  created_at: "2022-09-18..."
  key_id: YCA*****5Ws4
secret: YCM76*******I3fk
```
Alert
Save the key ID (`key_id`) and the secret key (`secret`). You cannot retrieve the key value a second time.
For more information about the `yc iam access-key create` command, see the CLI reference.
Create a serverless YDB database
The database is required for the Data Streams data stream.
- In the management console, select `example-folder`.
- Click Create resource and select YDB database.
- Enter `maxpatrol-db` as the Name.
- Under Database type, select `Serverless`.
- Leave the other parameters at their default settings.
- Click Create a database.
Wait for the database status to change to `Running`.
- Create a database:
  ```
  yc ydb database create --name maxpatrol-db --serverless --folder-name example-folder
  ```
  Where:
  - `--name`: Database name.
  - `--serverless`: Serverless type.
  - `--folder-name`: Folder name.
  Result:
  ```
  done (7s)
  id: etn*****r5t
  folder_id: b1g*****rnj
  created_at: "2022-09-18..."
  name: maxpatrol-db
  status: PROVISIONING
  ...
  ```
  For more information about the `yc ydb database create` command, see the CLI reference.
- Check the status of the created database:
  ```
  yc ydb database get maxpatrol-db
  ```
  Wait for the database status to change to `Running`.
Create a data stream
This is the data stream the trail will upload organization resource logs to.
- In the management console, select `example-folder`.
- Click Create resource and select Data Streams.
- In the Database field, select `maxpatrol-db`.
- Enter `maxpatrol-stream` as the Name.
- Leave the other parameters at their default settings.
- Click Create.
Wait for the data stream status to change to `Running`.
Create a trail
The trail will collect management event audit logs for all your organization's resources and upload them to the `maxpatrol-stream` data stream.
- In the management console, select `example-folder`.
- Click Create resource and select the Audit trail option.
- Enter the new trail's Name: `maxpatrol-trail`.
- Under Destination, configure the destination object:
  - Destination: `Data Streams`.
  - Data stream: Select the `maxpatrol-stream` data stream.
- Under Service account, select the `maxpatrol-sa` service account.
- Under Collecting management events, configure the collection of management event audit logs:
  - Collecting events: Select `Enabled`.
  - Resource: Select `Organization`.
  - Organization: Automatically populated field (shows the name of the organization with the trail).
  - Cloud: Keep the default value, `All`.
- Under Collecting data events, select `Disabled` in the Collecting events field.
- Click Create.
Configure MaxPatrol SIEM
Create accounts
You can use accounts to store secrets. Create accounts named `static-key-id` and `static-key-private` for the ID and the private access key:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Accounts.
- Click Add account → Password and specify the following parameters:
  - Name: `static-key-id`.
  - Password: Static key ID.
  - Confirm password: Reenter static key ID.
- Click Save.
Similarly, create an account named `static-key-private` containing the private key.
Create a data collection job
Create and run a data collection job with the Yandex Data Streams profile:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Tasks.
- On the Data collection tasks page:
  - On the toolbar, click Create task.
  - Click Data collection.
- On the Create data collection task page, specify the parameters below:
  - Name: `YDS-logs-task`.
  - Profile: `Yandex Data Streams`.
  - In the hierarchy list, select Run script.
  - Under Connection, specify:
    - Account: `static-key-id`
    - Access upgrade account: `static-key-private`
  - Script runtime parameters:
    - database: `<maxpatrol-db_database_ID>`
    - folder: `<cloud_ID_for_example-folder>`
    - region_name: `ru-central1`
    - stream_name: `<maxpatrol-stream_name>`
  - On the Data collection objectives panel:
    - Select the Enable tab.
    - In the Network addresses field, enter `yandex-cloud`.
  - Click Save and run.
To view the logs, go to the event review page:
- Go to the Data collection tasks page.
- Click the `YDS-logs-task` task.
- Click Events collected → Select.
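The four script runtime parameters of the job (database, folder, region_name, stream_name) are the pieces from which the stream is addressed through the Kinesis-compatible Data Streams API, and what arrives through that stream is the Audit Trails event JSON. The Python snippet below is an added example, not part of this tutorial and not MaxPatrol SIEM's collection script: it assembles the stream path from the job parameters and runs a small triage over constructed sample records of the kind the job collects, so you can check what the SIEM will actually see before writing correlation rules. The path format `/<region>/<folder>/<database>/<stream_name>`, the event field names (`event_type`, `event_status`, `authentication`, `authorization`, `resource_metadata`) and the event type names in the sample data are assumptions modelled on the Audit Trails management-event schema; verify them against the current service documentation.

```python
import json
from collections import Counter
from dataclasses import dataclass

# Script runtime parameters as entered in the MaxPatrol task. The angle-bracket
# values are the tutorial's placeholders, not real IDs.
JOB_PARAMS = {
    "database": "<maxpatrol-db_database_ID>",
    "folder": "<cloud_ID_for_example-folder>",
    "region_name": "ru-central1",
    "stream_name": "maxpatrol-stream",
}

REQUIRED_PARAMS = ("database", "folder", "region_name", "stream_name")


def kinesis_stream_path(params: dict) -> str:
    """Build the stream identifier for the Kinesis-compatible Data Streams API.

    Assumed format: /<region>/<folder>/<database>/<stream_name>. A missing or
    empty parameter is reported explicitly instead of producing a path that the
    collector would silently fail to read from.
    """
    missing = [k for k in REQUIRED_PARAMS if not params.get(k)]
    if missing:
        raise ValueError(f"missing job parameters: {', '.join(missing)}")
    return "/{region_name}/{folder}/{database}/{stream_name}".format(**params)


def make_record(event_id, source, action, status, subject, authorized, resource):
    """Constructed sample record shaped like an Audit Trails management event (assumed schema)."""
    return json.dumps({
        "event_id": event_id,
        "event_source": source,
        "event_type": f"yandex.cloud.audit.{source}.{action}",
        "event_status": status,
        "authentication": {"authenticated": True, "subject_name": subject},
        "authorization": {"authorized": authorized},
        "resource_metadata": {"path": [resource]},
    })


# Constructed sample batch: the two changes this tutorial itself performs
# (a role binding on the folder, a static key for the service account) and a
# denied attempt to delete the database. Names and IDs are invented.
SAMPLE_RECORDS = [
    make_record("evt-0001", "resourcemanager", "UpdateFolderAccessBindings", "DONE",
                "admin@example.com", True,
                {"resource_type": "resource-manager.folder", "resource_name": "example-folder"}),
    make_record("evt-0002", "iam", "CreateAccessKey", "DONE",
                "admin@example.com", True,
                {"resource_type": "iam.serviceAccount", "resource_name": "maxpatrol-sa"}),
    make_record("evt-0003", "ydb", "DeleteDatabase", "ERROR",
                "ci-runner", False,
                {"resource_type": "ydb.database", "resource_name": "maxpatrol-db"}),
]


@dataclass
class AuditEvent:
    event_id: str
    event_type: str
    event_status: str
    subject: str
    authorized: bool
    resource: str


def parse_event(raw: str) -> AuditEvent:
    """Extract the fields a SIEM rule usually keys on from one stream record."""
    obj = json.loads(raw)
    path = obj.get("resource_metadata", {}).get("path") or [{}]
    leaf = path[-1]  # the most specific resource in the path
    return AuditEvent(
        event_id=obj["event_id"],
        event_type=obj["event_type"],
        event_status=obj.get("event_status", "UNKNOWN"),
        subject=obj.get("authentication", {}).get("subject_name", "<unknown>"),
        authorized=bool(obj.get("authorization", {}).get("authorized", False)),
        resource=f"{leaf.get('resource_type', '?')}:{leaf.get('resource_name', '?')}",
    )


# Heuristic: completed events with these suffixes change who can act in the
# cloud (role bindings, new credentials) and deserve review first.
PRIVILEGE_SUFFIXES = ("AccessBindings", "CreateAccessKey", "CreateKey", "CreateApiKey")


def summarize(records):
    """Triage a batch: counts per status, completed privilege changes, denied calls."""
    events = [parse_event(r) for r in records]
    by_status = Counter(e.event_status for e in events)
    privilege_changes = [e.event_id for e in events
                         if e.event_status == "DONE" and e.event_type.endswith(PRIVILEGE_SUFFIXES)]
    denied = [e.event_id for e in events if not e.authorized]
    return {"total": len(events), "by_status": dict(by_status),
            "privilege_changes": privilege_changes, "denied": denied}


if __name__ == "__main__":
    print("stream path:", kinesis_stream_path(JOB_PARAMS))
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
```

Run it as a script to see the assembled path and the triage summary for the sample batch. The `privilege_changes` list is the one to wire into an alert in the SIEM: the role binding and the static key this tutorial creates both show up there, which is also a quick way to confirm that the trail is delivering your own management events end to end.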
How to delete the resources you created
Delete the resources you no longer need to avoid paying for them: