Contact UsGet started

Uploading Yandex Audit Trails audit logs to KUMA SIEM through the management console, CLI, or API

Written by
Updated at May 13, 2025

To configure delivery of audit log files to KUMA:

  1. Prepare your cloud environment.
  2. Prepare your environment.
  3. Create a bucket.
  4. Create a trail.
  5. Create a server.
  6. Mount the bucket on a server.
  7. Configure the KUMA collector.

If you no longer need the resources you created, delete them.

Prepare your cloud environment

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of support for a new Yandex Cloud infrastructure includes:

In addition, to complete the tutorial, you will need a KUMA user license (not supplied by Yandex Cloud).

Prepare your environment

Create service accounts

For your new infrastructure to run properly, create two service accounts as follows:

  • kuma-bucket-sa: For the Object Storage bucket.
  • kuma-trail-sa: For the Audit Trails trail.
  1. In the management console, go to the folder you want to create an infrastructure in.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Enter a name of the service account for the bucket: kuma-bucket-sa.
  5. Click Create.
  6. Repeat steps 3-5 to create the kuma-trail-sa service account for the trail.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Run the following commands:

    yc iam service-account create --name kuma-bucket-sa
yc iam service-account create --name kuma-trail-sa

    Where --name represents the names of the service accounts.

    Result:

    id: ajecikmc374i********
folder_id: b1g681qpemb4********
created_at: "2024-11-28T14:11:42.593107676Z"
name: kuma-bucket-sa

id: ajedc6uq5o7m********
folder_id: b1g681qpemb4********
created_at: "2024-11-28T14:11:45.856807266Z"
name: kuma-trail-sa

  2. Save the new service accounts' IDs (id): you will need them in the next steps.

For more information about the yc iam service-account create command, see the CLI reference.

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.

Create a static access key

To mount a bucket on a server with a KUMA collector installed, create a static access key for the kuma-bucket-sa service account.

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Identity and Access Management.

  3. In the left-hand panel, select Service accounts.

  4. Select the kuma-bucket-sa service account.

  5. In the top panel, click Create new key and select Create static access key.

  6. Enter a description for the key and click Create.

  7. Save the ID and secret key: you will need them later when mounting the bucket on the server.

    Alert

    After you close this dialog, the key value will not be shown again.

  1. Run this command:

    yc iam access-key create --service-account-name kuma-bucket-sa

    Where --service-account-name is the name of the service account you are creating the key for.

    Result:

    access_key:
  id: aje726ab18go********
  service_account_id: ajecikmc374i********
  created_at: "2024-11-28T14:16:44.936656476Z"
  key_id: YCAJEOmgIxyYa54LY********
secret: YCMiEYFqczmjJQ2XCHMOenrp1s1-yva1********

  2. Save the ID (key_id) and secret key (secret): you will need them later when mounting the bucket on the server.

For more information about the yc iam access-key create command, see the CLI reference.

To create a static access key, use the create REST API method for the AccessKey resource or the AccessKeyService/Create gRPC API call.

Create an encryption key

Create a symmetric encryption key for encryption of audit logs in the bucket.

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Key Management Service.

  3. In the left-hand panel, select Symmetric keys.

  4. Click Create key and specify the key attributes:

    • Name: kuma-key.
    • Encryption algorithm: AES-256.

  5. Click Create.

  1. Run this command:

    yc kms symmetric-key create \
  --name kuma-key \
  --default-algorithm aes-256

    Where:

    Result:

    id: abje8mf3ala0********
folder_id: b1g681qpemb4********
created_at: "2024-11-28T14:22:06Z"
name: kuma-key
status: ACTIVE
primary_version:
  id: abjuqbth02kf********
  key_id: abje8mf3ala0********
  status: ACTIVE
  algorithm: AES_256
  created_at: "2024-11-28T14:22:06Z"
  primary: true
default_algorithm: AES_256

  2. Save the symmetric key ID (id): you will need it later when creating the bucket.

For more information about the yc kms symmetric-key create command, see the CLI reference.

To create a symmetric encryption key, use the create REST API method for the SymmetricKey resource or the SymmetricKeyService/Create gRPC API call.

Assign roles to the service accounts

Assign to the service accounts the following roles for the folder and the encryption key created earlier:

  • To kuma-trail-sa:

    • audit-trails.viewer for the folder.
    • storage.uploader for the folder.
    • kms.keys.encrypterDecrypter for the encryption key.

  • To kuma-bucket-sa:

    • storage.viewer for the folder.
    • kms.keys.encrypterDecrypter for the encryption key.

  1. Assign roles for the folder:

    1. In the management console, go to the folder you want to create an infrastructure in.

    2. Go to the Access bindings tab.

    3. Click Configure access.

    4. In the window that opens, select Service accounts.

    5. Select the kuma-trail-sa service account from the list, use the search if required.

    6. Click Add role; in the window that opens, select the audit-trails.viewer role.

      Repeat this step and add the storage.uploader role.

    7. Click Save.

    In the same way, assign the storage.viewer role for the folder to the kuma-bucket-sa service account.

  2. Assign roles for the encryption key:

    1. In the list of services, select Key Management Service.
    2. In the left-hand panel, select Symmetric keys and click on the line with kuma-key.
    3. Go to Access bindings and click Assign roles.
    4. Select the kuma-trail-sa service account.
    5. Click Add role and select the kms.keys.encrypterDecrypter role.
    6. Click Save.

    In the same way, assign the kms.keys.encrypterDecrypter role for the encryption key to the kuma-bucket-sa service account.

  1. Assign the storage.viewer role for the folder to kuma-bucket-sa:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role storage.viewer \
  --subject serviceAccount:<kuma-bucket-sa_ID>

    Where:

    • <folder_name_or_ID>: Name or ID of the folder the role is assigned for.
    • --role: Role ID.
    • --subject: Subject type and ID of the service account you are assigning the role to.

    Result:

    effective_deltas:
  - action: ADD
    access_binding:
      role_id: storage.viewer
      subject:
        id: ajecikmc374i********
        type: serviceAccount

    In the same way, assign the audit-trails.viewer and storage.uploader roles for the folder to kuma-trail-sa.

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

  2. Assign the kms.keys.encrypterDecrypter role for the encryption key to kuma-bucket-sa.

    yc kms symmetric-key add-access-binding kuma-key \
  --role kms.keys.encrypterDecrypter \
  --subject serviceAccount:<kuma-bucket-sa_ID>

    Where:

    • --role: Role ID.
    • --subject: Subject type and ID of the service account you are assigning the role to.

    Result:

    ...1s...done (4s)

    In the same way, assign the kms.keys.encrypterDecrypter role for the encryption key to kuma-trail-sa.

    For more information about the yc kms symmetric-key add-access-binding command, see the CLI reference.

To assign a service account a role, use the setAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create a bucket

Create a bucket for the trail to save audit logs to and enable encryption.

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. In the list of services, select Object Storage.

  3. At the top right, click Create bucket.

  4. In the ** Name** field, enter a name for the bucket, e.g., my-audit-logs-for-kuma.

    Note

    The bucket name must be unique across Object Storage. You cannot create two buckets with the same name – even in different folders of different clouds.

  5. In the Max size field, set the size of the bucket you are creating or enable No limit.

  6. Leave all other parameters as they are and click Create bucket.

  7. On the page with a list of buckets that opens, select the new bucket.

  8. In the left-hand menu, select Securityand go to the Encryption tab.

  9. In the KMS Key field, select the previously created kuma-key.

  10. Click Save.

  1. Create a bucket:

    yc storage bucket create --name <bucket_name>

    Where --name is the bucket name, e.g., my-audit-logs-for-kuma.

    Note

    The bucket name must be unique across Object Storage. You cannot create two buckets with the same name – even in different folders of different clouds.

    Result:

    name: my-audit-logs-for-kuma
folder_id: b1g681qpemb4********
anonymous_access_flags:
  read: false
  list: false
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
acl: {}
created_at: "2024-11-28T15:01:20.816656Z"

    For more information about the yc storage bucket create command, see the CLI reference.

  2. Enable encryption for the new bucket:

    yc storage bucket update \
  --name <bucket_name> \
  --encryption key-id=<symmetric_key_ID>

    Where:

    • --name: Bucket name.
    • --encryption: Symmetric key ID you got when creating the key.

    Result:

    name: my-audit-logs-for-kuma
folder_id: b1g681qpemb4********
default_storage_class: STANDARD
versioning: VERSIONING_DISABLED
acl: {}
created_at: "2024-11-28T15:01:20.816656Z"

    For more information about the yc storage bucket update command, see the CLI reference.

To create a bucket, use the create REST API method for the Bucket resource, the BucketService/Create gRPC API call, or the create S3 API method.

Create a trail

Create a trail to collect and deliver audit logs.

  1. In the management console, go to the folder you want to create an infrastructure in.

  2. Select Audit Trails.

  3. Click Create trail and do the following in the window that opens:

    1. In the Name field, enter a name for the trail: kuma-trail.

    2. Under Destination, configure the destination object:

      • Destination: Object Storage.
      • Bucket: Bucket you created earlier, e.g., my-audit-logs-for-kuma.
      • Object prefix: Optional parameter used in the full name of the audit log file.

      Note

      Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

    3. Make sure the Encryption key field contains the encryption key named kuma-key. If the encryption key is not set, click Add and select this key.

    4. Under Collecting management events, configure the collection of management event audit logs:

      • Collecting events: Select Enabled.
      • Resource: Select Folder.
      • Folder: Automatically populated field containing the name of the current folder.

    5. Under Service account above, select the kuma-trail-sa service account.

    6. Under Collecting data events, keep the Disabled value.

    7. Click Create.

Run this command:

yc audit-trails trail create \
  --name kuma-trail \
  --destination-bucket <bucket_name> \
  --destination-bucket-object-prefix <prefix> \
  --service-account-id <kuma-trail-sa_ID> \
  --filter-from-cloud-id <cloud_ID> \
  --filter-some-folder-ids <folder_ID>

Where:

  • --name: Trail name.
  • --destination-bucket: Name of the bucket you created earlier to upload audit logs to.
  • --destination-bucket-object-prefix: Prefix that will be added to the names of the audit log objects in the bucket. It is an optional parameter used in the full name of the audit log file.
  • --service-account-id: The kuma-trail-sa service account's ID you got earlier. Your trail will use this account to upload audit log files to the bucket.
  • --filter-from-cloud-id: ID of the cloud whose resources the trail will collect audit logs for.
  • --filter-some-folder-ids: ID of the folder whose resources the trail will collect audit logs for.

Result:

id: cnpabi372eer********
folder_id: b1g681qpemb4********
created_at: "2024-11-28T15:33:28.057Z"
updated_at: "2024-11-28T15:33:28.057Z"
name: kuma-trail
destination:
  object_storage:
    bucket_id: my-audit-logs-for-kuma
    object_prefix: kuma
service_account_id: ajedc6uq5o7m********
status: ACTIVE
cloud_id: b1gia87mbaom********
filtering_policy:
  management_events_filter:
    resource_scopes:
      - id: b1g681qpemb4********
        type: resource-manager.folder

For more information about the yc audit-trails trail create command, see the CLI reference.

To create a trail, use the create REST API method for the Trail resource or the TrailService/Create gRPC API call.

Creating a server

As a server to install the KUMA collector on, you can use a Compute Cloud VM or your own hardware. In this tutorial, we are using a Compute Cloud VM residing in a Yandex Virtual Private Cloud cloud network.

Create a network and subnet

  1. In the management console, go to the folder you want to create an infrastructure in.
  2. In the list of services, select Virtual Private Cloud.
  3. Click Create network.
  4. Specify the network name, e.g., kuma-network.
  5. Make sure the Create subnets option is enabled.
  6. Click Create network.

  1. Create a cloud network:

    yc vpc network create --name kuma-network

    Where --name is the network name.

    Result:

    id: enpnmb4jvubr********
folder_id: b1g681qpemb4********
created_at: "2024-11-27T22:55:55Z"
name: kuma-network
default_security_group_id: enpjgspepn8k********

    For more information about the yc vpc network create command, see the CLI reference.

  2. Create a subnet:

    yc vpc subnet create \
  --name kuma-network-ru-central1-b \
  --network-name kuma-network \
  --zone ru-central1-b \
  --range 10.1.0.0/24

    Where:

    • --name: Subnet name.
    • --network-name: Name of the network the subnet is created in.
    • --zone: The subnet's availability zone.
    • --range: Subnet CIDR.

    Result:

    id: e2l7b3gpnhqn********
folder_id: b1g681qpemb4********
created_at: "2024-11-27T22:57:48Z"
name: kuma-network-ru-central1-b
network_id: enpnmb4jvubr********
zone_id: ru-central1-b
v4_cidr_blocks:
  - 10.1.0.0/24

    For more information about the yc vpc subnet create command, see the CLI reference.

  1. To create a cloud network, use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. To create a subnet, use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a VM

  1. In the management console, select the folder to create the infrastructure in.

  2. In the list of services, select Compute Cloud.

  3. In the left-hand panel, select Virtual machines.

  4. Click Create virtual machine.

  5. Under Boot disk image, select the Ubuntu 22.04 LTS image.

  6. Under Location, select the ru-central1-b availability zone.

  7. Under Network settings:

    • In the Subnet field, select kuma-network-ru-central1-b.
    • In the Public IP address field, select Auto to give the VM a random external IP address from the Yandex Cloud pool or select a static IP address from the list if you reserved one in advance.

  8. Under Access, select the SSH key option and specify the information required to access the VM:

    • In the Login field, enter a username for the user you are going to create on the VM, e.g., yc-user.

      • The name must be from 3 to 63 characters long.
      • It may contain uppercase and lowercase Latin and Cyrillic letters, numbers, hyphens, underscores, and spaces.
      • The first character must be a letter. The last character cannot be a hyphen, underscore, or space.

      Alert

      Do not use root or other reserved usernames. To perform operations requiring root privileges, use the sudo command.

    • In the SSH key field, select the SSH key saved in your organization user profile.

      If there are no saved SSH keys in your profile, or you want to add a new key:

      • Click Add key.
      • Enter a name for the SSH key.
      • Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
      • Click Add.

      The SSH key will be added to your organization user profile.

      If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.

  9. Under General information, specify the VM name: kuma-server.

  10. Click Create VM.

Run this command:

yc compute instance create \
  --name kuma-server \
  --zone ru-central1-b \
  --network-interface subnet-name=kuma-network-ru-central1-b,nat-ip-version=ipv4 \
  --create-boot-disk image-folder-id=standard-images,image-id=fd8ulbhv5dpakf3io1mf \
  --ssh-key <SSH_key>

Where:

  • --name: VM name.

  • --zone: Availability zone corresponding to the kuma-network-ru-central1-b subnet.

  • --network-interface: Network settings:

  • --create-boot-disk: Boot disk settings, where image-id is the Ubuntu 22.04 LTS public image ID.

  • --ssh-key: Path to the public SSH key file and its name, e.g., ~/.ssh/id_ed25519.pub. You need to create](../../compute/operations/vm-connect/ssh.md#creating-ssh-keys) a key pair for the SSH connection to a VM yourself.

    When the VM is created, a user named yc-user will be created in its operating system; use this username to connect to the VM over SSH.

Result:

id: epd4vr5ra728********
folder_id: b1g681qpemb4********
created_at: "2024-11-27T23:00:38Z"
name: kuma-server
zone_id: ru-central1-b
platform_id: standard-v2
resources:
  memory: "2147483648"
  cores: "2"
  core_fraction: "100"
status: RUNNING
metadata_options:
  gce_http_endpoint: ENABLED
  aws_v1_http_endpoint: ENABLED
  gce_http_token: ENABLED
  aws_v1_http_token: DISABLED
boot_disk:
  mode: READ_WRITE
  device_name: epdk5emph7a4********
  auto_delete: true
  disk_id: epdk5emph7a4********
network_interfaces:
  - index: "0"
    mac_address: d0:0d:4f:ec:bb:51
    subnet_id: e2l7b3gpnhqn********
    primary_v4_address:
      address: 10.1.0.4
      one_to_one_nat:
        address: 84.2**.***.***
        ip_version: IPV4
serial_port_settings:
  ssh_authorization: OS_LOGIN
gpu_settings: {}
fqdn: epd4vr5ra728********.auto.internal
scheduling_policy: {}
network_settings:
  type: STANDARD
placement_policy: {}
hardware_generation:
  legacy_features:
    pci_topology: PCI_TOPOLOGY_V1

For more information about the yc compute instance create command, see the CLI reference.

To create a VM, use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

Mount the bucket on a server

  1. Connect to the server over SSH.

  2. Create a new user named kuma:

    sudo useradd kuma

  3. Create the kuma user's home directory:

    sudo mkdir /home/kuma

  4. Create a file with a static access key and grant permissions for it to the kuma user:

    sudo bash -c 'echo <access_key_ID>:<secret_access_key> > /home/kuma/.passwd-s3fs'
sudo chmod 600 /home/kuma/.passwd-s3fs
sudo chown -R kuma:kuma /home/kuma

    Where <access_key_ID> and <secret_access_key> are the previously saved values ​​of the static access key of the kuma-bucket-sa service account.

  5. Install the s3fs package:

    sudo apt install s3fs

  6. Create a directory that will serve as a mount point for the bucket and grant permissions for it to the kuma user:

    sudo mkdir /var/log/yandex-cloud/
sudo chown kuma:kuma /var/log/yandex-cloud/

  7. Mount the bucket you created earlier by specifying its name:

    sudo s3fs <bucket_name> /var/log/yandex-cloud \
  -o passwd_file=/home/kuma/.passwd-s3fs \
  -o url=https://storage.yandexcloud.net \
  -o use_path_request_style \
  -o uid=$(id -u kuma) \
  -o gid=$(id -g kuma)

    You can configure automatic mounting of the bucket at operating system start-up by opening the /etc/fstab file (sudo nano /etc/fstab command) and adding the following line to it:

    s3fs#<bucket_name> /var/log/yandex-cloud fuse _netdev,uid=<kuma_uid>,gid=<kuma_gid>,use_path_request_style,url=https://storage.yandexcloud.net,passwd_file=/home/kuma/.passwd-s3fs 0 0

    Where:

    • <bucket_name>: Name of the bucket you created earlier, e.g., my-audit-logs-for-kuma.

    • <kuma_uid>: kuma user ID in the VM operating system.

    • <kuma_gid>: kuma user group ID in the VM operating system.

      To learn <kuma_uid> and <kuma_gid>, run the id kuma command in the terminal.

  8. Make certain that the bucket is mounted:

    sudo ls /var/log/yandex-cloud/

    If everything is configured correctly, the command will return the current contents of the audit event bucket.

The Yandex Cloud event transfer setup is complete. The events will reside in JSON files located at:

/var/log/yandex-cloud/{audit_trail_id}/{year}/{month}/{day}/*.json

Configure the KUMA collector

For this step, you will need the distribution and license files included with KUMA. Use them to install and configure the collector in the KUMA network infrastructure. For more information, see this guide.

Once the setup is successfully completed, audit events will start being delivered to KUMA. The KUMA web interface allows you to search for related events.

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the VM.
  2. Delete the static public IP if you reserved one.
  3. Delete the subnet.
  4. Delete the network.
  5. Delete the trail.
  6. Delete all objects in the bucket, then delete the bucket itself.
  7. Delete the KMS encryption key.

See also

Previous
Overview
Next
Terraform