Yandex project
© 2025 Yandex.Cloud LLC
Tools for working with audit logs

Written by
Yandex Cloud
Updated at March 31, 2025

You can upload audit logs to a Yandex Object Storage bucket, Yandex Cloud Logging log group, or Yandex Data Streams data stream.

Depending on the log location, you need to use different tools to view them and search for events:

  • Yandex Query
  • Cloud Logging
  • jq

Yandex Query

Use Query to work with logs uploaded to a bucket or a data stream:

  • If logs reside in a bucket, you can use analytical YQL queries to analyze Yandex Cloud resource events.
  • If logs reside in a data stream, use streaming YQL queries to analyze Yandex Cloud resource events.

To use Yandex Query, set up a data binding based on the target object:

Object Storage bucket

  1. Create a service account named bucket-yq-sa.

  2. Assign the bucket-yq-sa service account the storage.viewer role for the folder containing the bucket with logs.

  3. Create a connection.

    1. In the management console, select the folder housing the trail that delivers logs to the bucket.
    2. Select Audit Trails.
    3. Select the trail that delivers logs to the bucket.
    4. Click Process in YQ.
    5. Select Service account bucket-yq-sa.
    6. Leave other attributes as default.
    7. Click Create.
  4. In the window with data binding options, click Create.

  5. Send the appropriate query.

Data Streams data stream

  1. Create a service account named bucket-yq-sa.
  2. Assign the yds.editor role to the bucket-yq-sa service account.
  3. Create a connection. When creating it, specify the settings for the Data Streams connection type.
  4. Create federated credentials.
  5. Send the appropriate query.

Cloud Logging

Use Cloud Logging to work with logs uploaded to a log group.

You can filter records using the filter expression language to analyze Yandex Cloud resource events.

To use Cloud Logging:

  1. Read logs in the log group.
  2. Filter the logs as you need.

jq

Use jq to work with logs uploaded to a bucket.

Buckets store logs as JSON files. This means you can analyze Yandex Cloud resource events by getting the required events from the files using jq filters.

To use jq:

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.

  2. Mount a bucket with audit logs to your file system using s3fs or goofys.

  3. Install the jq utility.

  4. Run the command with the relevant jq filter.

Note

Example commands for log operations use jq together with find, where find provides all log files from the bucket for processing.
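The find-plus-jq workflow described above, as an added example that is not part of the original documentation: it searches a mounted bucket for one event type and prints a sorted summary, skipping files that fail to parse. It assumes each log file holds a JSON array of events with the fields event_type, event_time, event_status and authentication.subject_name; the directory layout, function names and sample events are constructed for illustration.

```shell
#!/bin/sh
# Added example. Field names and file layout are assumptions, not from the page.

# Write constructed sample log files under "$1" (stand-in for the mounted bucket).
make_sample_logs() {
    mkdir -p "$1/2025/03/30" "$1/2025/03/31"
    cat > "$1/2025/03/31/b.json" <<'EOF'
[
  {"event_type": "yandex.cloud.audit.iam.CreateServiceAccount",
   "event_time": "2025-03-31T08:00:00Z", "event_status": "DONE",
   "authentication": {"subject_name": "bob@example.com"}}
]
EOF
    cat > "$1/2025/03/30/a.json" <<'EOF'
[
  {"event_type": "yandex.cloud.audit.iam.CreateServiceAccount",
   "event_time": "2025-03-30T10:15:00Z", "event_status": "DONE",
   "authentication": {"subject_name": "alice@example.com"}},
  {"event_type": "yandex.cloud.audit.iam.DeleteServiceAccount",
   "event_time": "2025-03-30T11:00:00Z", "event_status": "DONE",
   "authentication": {"subject_name": "alice@example.com"}}
]
EOF
    # Truncated file, as if it were read while still being written.
    printf '[{"event_type": "yandex.cloud.audit.iam.Create' \
        > "$1/2025/03/31/c.json"
}

# Print time, type, subject and status (tab-separated, oldest first) for every
# event of type "$2" found in the files under "$1".
# jq runs once per file (-exec ... \;), so a file that fails to parse only
# produces a message on stderr and does not stop the rest of the search.
find_events() {
    find "$1" -type f -exec jq -r --arg t "$2" '
        (if type == "array" then .[] else . end)   # accept array or single event
        | objects                                  # ignore non-object entries
        | select(.event_type == $t)
        | [.event_time, .event_type,
           .authentication.subject_name, .event_status]
        | @tsv
    ' {} \; | sort
}
```

Call it as `find_events <mount_point> <event_type>`; parse errors for unreadable files stay on stderr so that gaps in coverage are visible.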
