Contact UsGet started

Searching for Yandex Cloud events in Object Storage

Written by
Updated at December 15, 2023

Getting started

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.
  2. Mount a bucket with audit logs to your file system using s3fs or goofys.
  3. Install the jq utility to search through data in JSON format.

  1. To search through multiple files, use the find command. As a command-line argument, enter the path to the mount directory of the audit log bucket or to its subdirectory with logs for a certain month or day.

    Example command to search events by type:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select( .event_type == "yandex.cloud.audit.iam.CreateServiceAccount")'

  2. To find out who deleted a folder from the cloud, search by the eventType (event type) field across all files for the period, filtering by the folder ID:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select( .event_type == "yandex.cloud.audit.resourcemanager.DeleteFolder" and .details.folder_id == "<folder_ID>") | .authentication'

  3. To find out who created, stopped, restarted, or deleted a VM instance, search by the eventType field across all files for the period with filtering by VM instance ID:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select((.event_type | test("yandex\\.cloud\\.audit\\.compute\\..*Instance")) and .details.instance_id == "<VM_instance_ID>") | .authentication'

  4. To find out what actions a user performed over a period of time, search by the subject ID:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select(.authentication.subject_id == "<user_ID>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'

    You can also search by the subject name:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select(.authentication.subject_name == "<username>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'

  5. To find out which events occurred to objects in a certain folder, search by the folder ID:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_id == "<folder_ID>")'

    You can also search by the folder name:

    find <directory_path> -type f -exec cat {} \; | jq  '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_name == "<folder_name>")'

See also

Previous
Searching for Yandex Cloud events in Yandex Query
Next
Searching for Yandex Cloud events in Cloud Logging