Exporting audit logs to MaxPatrol SIEM
MaxPatrol SIEM can read Yandex Cloud audit logs from a Yandex Data Streams data stream. To complete the tutorial, you must have access to an instance of MaxPatrol SIEM.
To configure audit log export:
- Prepare your cloud.
- Prepare the environment.
- Create a trail to send logs to a Data Streams data stream.
- In MaxPatrol SIEM, set up a job to collect data from a Data Streams data stream.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Using a data stream (see Data Streams pricing).
- Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).
Prepare the environment
Create a service account and assign roles
On behalf of a service account, the trail will gather logs from all the organization's resources and upload them to a Data Streams data stream.
Create a service account in the same folder where you create the trail, e.g., in example-folder:
- In the management console, select
example-folder. - In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account:
maxpatrol-sa. - Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Create a service account:
yc iam service-account create --name maxpatrol-saResult:
id: aje*****ckg folder_id: b1g*****rnj created_at: "2022-09-18..." name: maxpatrol-saFor more information about the
yc iam service-account createcommand, see the CLI reference.
Assign the audit-trails.viewer and yds.editor roles to the maxpatrol-sa service account:
-
The
audit-trails.viewerrole for an organization:yc organization-manager organization add-access-binding \ --role audit-trails.viewer \ --id <organization_ID> \ --service-account-id <service_account_ID>Where:
--role: Role you want to assign.--id: ID of the organization the service account belongs to.--service-account-id:maxpatrol-saservice account ID.
Result:
done (1s)For more information about the
yc organization-manager organization add-access-bindingcommand, see the CLI reference. -
The
yds.editorrole for a folder:yc resource-manager folder add-access-binding example-folder \ --role yds.editor \ --subject serviceAccount:<service_account_ID>Where:
--role: Role you want to assign.--subject:maxpatrol-saservice account ID.
Result:
done (1s)For more information about the
yc resource-manager folder add-access-bindingcommand, see the CLI reference.
Create static access keys
MaxPatrol SIEM uses static access keys to authorize Data Streams data stream queries.
- In the management console, select
example-folder. - In the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts.
- Select the
maxpatrol-saservice account from the list that opens. - Click Create new key on the top panel.
- Select Create static access key.
- Enter a description for the key and click Create.
Alert
Save the ID and private key. After you close the dialog, the private key value will become unavailable.
Create a static access key for the maxpatrol-sa service account:
yc iam access-key create --service-account-name maxpatrol-sa
Result:
access_key:
id: YCd*****W7t
service_account_id: aje*****ckg
created_at: "2022-09-18..."
key_id: YCA*****5Ws4
secret: YCM76*******I3fk
Alert
Save the ID (key_id) and secret key (secret). You cannot retrieve the key value a second time.
For more information about the yc iam access-key create command, see the CLI reference.
Create a serverless database YDB
The database is required for the Data Streams data stream.
- In the management console, select
example-folder. - Click Create resource and select YDB database.
- Specify Name:
maxpatrol-db. - Under Database type, select
Serverless. - Leave the other parameters at their default settings.
- Click Create a database.
Wait for the database status to change to Running.
-
Create a database:
yc ydb database create --name maxpatrol-db --serverless --folder-name example-folderWhere:
--name: Database name.--serverless: Serverless type.--folder-name: Folder name.
Result:
done (7s) id: etn*****r5t folder_id: b1g*****rnj created_at: "2022-09-18..." name: maxpatrol-db status: PROVISIONING ...For more information about the
yc ydb database createcommand, see the CLI reference. -
Check the status of the created database:
yc ydb database get maxpatrol-dbWait for the database status to change to
RUNNING.
Create a data stream
This is the data stream the trail will upload organization resource logs to.
- In the management console, select
example-folder. - Click Create resource and select Data Streams.
- In the Database field, select
maxpatrol-db. - Specify Name
maxpatrol-stream. - Leave the other parameters at their default settings.
- Click Create.
Wait for the data stream status to change to Running.
Create a trail
The trail will collect management audit logs for all your organization's resources and upload them to the maxpatrol-stream data stream.
- In the management console, select
example-folder. - Click Create resource and select the Audit trail option.
- Specify the Name of the
maxpatrol-trailyou are creating. - Under Destination, configure the destination object:
- Destination:
Data Streams. - Data stream: Select the
maxpatrol-streamdata stream.
- Destination:
- Under Service account, select the
maxpatrol-saservice account. - Under Collecting management events, configure the collection of management event audit logs:
- Collecting events: Select
Enabled. - Resource: Select
Organization. - Organization: Automatically populated field (shows the name of the organization with the trail).
- Cloud: Keep the default value,
All.
- Collecting events: Select
- Under Collecting data events, select
Disabledin the Collecting events field. - Click Create.
Configure MaxPatrol SIEM
Create accounts
You can use accounts to store secrets. Create accounts named static-key-id and static-key-private to store your ID and private access key:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Accounts.
- Click Add account → Password and specify the following parameters:
- Name:
static-key-id. - Password: Static key ID.
- Confirm password: Reenter static key ID.
- Name:
- Click Save.
Similarly, create an account named static-key-private containing the private key.
Create a data collection job
Create and run a data collection job with the Yandex Data Streams profile:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Tasks.
- On the Data collection tasks page:
- On the toolbar, click Create task.
- Click Data collection.
- On the Create data collection task page, specify the parameters below:
- Name:
YDS-logs-task. - Profile:
Yandex Data Streams. - In the hierarchy list, select Run script.
- Under Connection, specify:
- Account:
static-key-id. - Access upgrade account:
static-key-private.
- Account:
- Script runtime parameters:
- database:
<maxpatrol-db_ID> - folder:
<cloud_ID_for_example-folder> - region_name:
ru-central1. - stream_name:
<maxpatrol-stream_name>.
- database:
- On the Data collection objectives panel:
- Select the Enable tab.
- In the Network addresses field, enter
yandex-cloud.
- Click Save and run.
- Name:
To view the logs, go to the event review page:
- Go the to the Data collection tasks page.
- Click
YDS-logs-task. - Click Events collected → Select.
How to delete the resources you created
Delete the resources you no longer need to avoid paying for them: