Uploading logs from Yandex Audit Trails to OpenSearch
Audit Trails is a service for collecting and exporting audit logs that allows you to use analytical tools and rapidly respond to events occurring to Yandex Cloud resources. OpenSearch is used as a SIEM system for analyzing logs and responding to security events.
You will learn how to set up the export of logs from Audit Trails with just a few steps, while using Yandex Data Streams and Yandex Data Transfer and selecting Yandex Managed Service for OpenSearch as a SIEM system to analyze logs and respond to security events.
Create a trail to upload audit logs for Yandex Cloud resources to a Yandex Data Streams data stream. Once done, configure continuous log delivery to a Yandex Managed Service for OpenSearch cluster using Yandex Data Transfer.
You can export organization, cloud, or folder logs.
To export audit logs:
- Prepare your cloud.
- Create a trail to send logs to a Data Streams data stream.
- Create a Managed Service for OpenSearch cluster.
- Set up a transfer to deliver logs to the Managed Service for OpenSearch cluster.
- Check the result.
- Upload additional content.
If you no longer need the resources you created, delete them.
Getting started
Sign up for Yandex Cloud and create a billing account:
- Go to the management console
and log in to Yandex Cloud or create an account if you do not have one yet. - On the Yandex Cloud Billing
page, make sure you have a billing account linked and it has theACTIVE
orTRIAL_ACTIVE
status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for the OpenSearch cluster computing resources and storage (see Yandex Managed Service for OpenSearch pricing).
- Using a data stream (see Data Streams pricing).
- Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).
Create a trail to send logs to a Data Streams data stream
Prepare the environment and create a trail depending on the Yandex Cloud resources:
Make sure to give your stream the audit‑trails
name to make it easier to upload the Security Content library objects.
Create a Managed Service for OpenSearch cluster
Create a Managed Service for OpenSearch cluster with any suitable configuration.
-
If you do not have Terraform yet, install it.
-
Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.
-
Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it
. -
Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.
-
Download the trails-to-opensearch.tf
configuration file to the same working directory.This file describes:
- Network.
- Subnet.
- Security group and rules required to connect to a Managed Service for OpenSearch cluster.
- Managed Service for OpenSearch target cluster.
- Transfer.
-
In the
trails-to-opensearch.tf
file, specify the following variables:os_version
: OpenSearch version in the target cluster.os_admin_password
:admin
user password.transfer_enabled
: Set to0
to ensure that no transfer is created until you create endpoints manually.
-
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console
. -
Set up a transfer to deliver logs to the Managed Service for OpenSearch cluster
-
-
Database type:
Yandex Data Streams
. -
Endpoint parameters:
-
Connection settings:
- Database: Select the Managed Service for YDB database from the list.
- Stream: Specify the name of the Data Streams data stream.
- Service account: Select or create a service account with the
yds.editor
role.
-
Advanced settings:
- Conversion rules:
AuditTrails.v1 parser
.
- Conversion rules:
-
-
-
-
Database type:
OpenSearch
. -
Endpoint parameters:
-
Connection:
-
Connection type:
Managed Service for OpenSearch cluster
.- Managed Service for OpenSearch cluster: Select the source cluster from the list.
-
User and Password: Enter the name and password of the user who has access to the database, e.g.,
admin
.
-
-
-
-
Create and activate the transfer:
ManuallyUsing Terraform- Create a transfer of the Replication type that will use the created endpoints.
- Activate the transfer and wait for its status to change to Replicating.
-
In the
trails-to-opensearch.tf
file, specify the following variables:source_endpoint_id
: Source endpoint ID.target_endpoint_id
: Target endpoint ID.transfer_enabled
: Set to1
to enable transfer creation.
-
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Create the required infrastructure:
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
-
-
The transfer will be activated automatically. Wait for its status to change to Replicating.
Check the result
Make sure the data from Audit Trails is successfully uploaded to OpenSearch:
-
Wait for the transfer status to change to Replicating.
-
Connect to the target cluster using OpenSearch Dashboards.
-
Select the
Global
tenant. -
Create a new index template named
audit-trails*
:- Open the control panel by clicking
. - Under Management, select Stack Management.
- Go to Index Patterns and click create an index pattern at the bottom of the page.
- In the Index pattern name field, specify
audit-trails*
and click Next step. - In Time field, select
application_usage_daily.timestamp
and click Create index pattern.
- Open the control panel by clicking
-
Open the control panel by clicking
. -
Under OpenSearch Dashboards, select Discover.
-
The dashboard that opens should contain data from Audit Trails in Elastic Common Schema
format.
Warning
Data delivery to Managed Service for OpenSearch target adheres to the at least once
mode: if the tables being transferred do not have a primary key, duplicate entries can be created in the audit logs.
Upload additional content
For your convenience, the Yandex Cloud security team created Solution Library with examples and recommendations for building a secure infrastructure in Yandex Cloud. The library is available in this public GitHub repository
- Dashboard with use cases and statistics.
- Set of ready-to-use queries to search for security events.
- Sample events with preset alerts (the client should specify the alert destination on their own).
All required event fields are converted to Elastic Common Schema (ECS)
To use Security Content:
-
Clone the Yandex Cloud Security Solution Library repository:
git clone https://github.com/yandex-cloud-examples/yc-export-auditlogs-to-opensearch.git
-
Connect to the target cluster using OpenSearch Dashboards.
-
Open the control panel by clicking
. -
Under Management, select Stack Management.
-
Go to Saved Objects and import files from the
yc-export-auditlogs-to-opensearch/update-opensearch-scheme/content-for-transfer/
folder:dashboard.ndjson
filters.ndjson
search.ndjson
Dashboard
Use the ready-made Audit-trails-dashboard
:
- Open the control panel by clicking
. - Under OpenSearch Dashboards, select Dashboard.
- Select
Audit-trails-dashboard
in the dashboard list.
Security events
Run a ready-to-use query to view security events that can be selected using filters.
- Open the control panel by clicking
. - Under OpenSearch Dashboards, select Discover.
- In the Open tab, select the
Search:Yandexcloud: Yandexcloud: Interesting fields
query.
Alert settings
Use code samples for the monitor
and trigger
entities when setting up alerts
-
Open the control panel by clicking
. -
Under OpenSearch Plugins, select Alerting.
-
Copy the sample file contents and paste them into the creation window:
Delete the resources you created
Note
Before deleting the created resources, deactivate the transfer.
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:
- Delete the transfer.
- Delete endpoints for both the source and target.
- Delete the Managed Service for YDB database.
- Delete the created service accounts.
- Delete the Audit Trails trail.
Delete the other resources depending on how they were created:
-
In the terminal window, go to the directory containing the infrastructure plan.
-
Delete the
trails-to-opensearch.tf
configuration file. -
Make sure the Terraform configuration files are correct using this command:
terraform validate
If there are any errors in the configuration files, Terraform will point them out.
-
Confirm updating the resources.
-
Run the command to view planned changes:
terraform plan
If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
-
If you are happy with the planned changes, apply them:
-
Run the command:
terraform apply
-
Confirm the update of resources.
-
Wait for the operation to complete.
-
All the resources described in the
trails-to-opensearch.tf
configuration file will be deleted. -