Management event audit log
A management event audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.
The log entry format is the same for every event; the values of some fields depend on both the source resource and the event type.
An event object is the service resource on which the operation is performed. An event subject is the account under which the operation is performed.
Sample management audit log generated when creating a VM
If a federated user creates a VM in Yandex Compute Cloud, the following entry is written in the audit log:
```json
{
  "event_id": "<event_ID>",
  "event_source": "compute",
  "event_type": "yandex.cloud.audit.compute.CreateInstance",
  "event_time": "<event_date>",
  "authentication": {
    "authenticated": true,
    "subject_type": "FEDERATED_USER_ACCOUNT",
    "subject_id": "<user_ID>",
    "subject_name": "<username>",
    "federation_id": "<federation_ID>",
    "federation_name": "<federation_name>",
    "federation_type": "<federation_type>"
  },
  "authorization": {
    "authorized": true
  },
  "resource_metadata": {
    "path": [
      {
        "resource_type": "organization-manager.organization",
        "resource_id": "<organization_ID>",
        "resource_name": "<organization_name>"
      },
      {
        "resource_type": "resource-manager.cloud",
        "resource_id": "<cloud_ID>",
        "resource_name": "<cloud_name>"
      },
      {
        "resource_type": "resource-manager.folder",
        "resource_id": "<folder_ID>",
        "resource_name": "<folder_name>"
      }
    ]
  },
  "request_metadata": {
    "remote_address": "cloud.yandex",
    "user_agent": "Yandex Cloud",
    "request_id": "<request_ID>"
  },
  "event_status": "DONE",
  "details": {
    "instance_id": "<VM_ID>",
    "instance_name": "<VM_name>",
    "zone_id": "<VM_availability_zone>",
    "platform_id": "standard-v3",
    "metadata_keys": [
      "ssh-keys",
      "user-data",
      "install-unified-agent"
    ],
    "network_settings": {
      "type": "STANDARD"
    },
    "placement_policy": {},
    "os": {
      "type": "LINUX"
    },
    "product_ids": [
      "<image_ID>"
    ],
    "resources": {
      "memory": "2147483648",
      "cores": "2",
      "core_fraction": "100"
    },
    "boot_disk": {
      "mode": "READ_WRITE",
      "device_name": "<disk_name>",
      "auto_delete": true,
      "disk_id": "<disk_ID>"
    },
    "network_interfaces": [
      {
        "index": "0",
        "mac_address": "<VM_MAC_address>",
        "subnet_id": "<subnet_ID>",
        "primary_v4_address": {
          "address": "<VM_internal_address>",
          "one_to_one_nat": {
            "address": "<VM_external_address>",
            "ip_version": "IPV4"
          }
        }
      }
    ],
    "fqdn": "<VM_internal_FQDN>"
  }
}
```
Data schema
```
{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string,
    "token_info": {
      "masked_iam_token": string,
      "iam_token_id": string,
      "impersonator_id": string,
      "impersonator_type": string,
      "impersonator_name": string,
      "impersonator_federation_id": string,
      "impersonator_federation_name": string,
      "impersonator_federation_type": string
    }
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}
```
| Field | Description |
|---|---|
| `event_id` | string. Event ID. |
| `event_source` | string. Name of the event source service. |
| `event_type` | string. Event type, determined by the event source service. For more information, see Data event reference. |
| `event_time` | string. Event time. |
| `authentication` ¹ | object. Event subject's authentication data. |
| `authentication.authenticated` | boolean. Authentication result. The possible values are `true` and `false`. |
| `authentication.subject_type` | string. Type of the subject (for a federated user, `FEDERATED_USER_ACCOUNT`). |
| `authentication.subject_id` | string. ID of the subject. |
| `authentication.subject_name` | string. Subject name. |
| `authentication.federation_id` ² | string. ID of the federation the federated user belongs to. |
| `authentication.federation_name` ² | string. Name of the federation the federated user belongs to. |
| `authentication.federation_type` ² | string. Federation type. |
| `authentication.token_info` ¹ | object. Details of the IAM token used for the event subject's authentication. |
| `authentication.token_info.masked_iam_token` | string. Encrypted value of the IAM token the subject used to execute the request. |
| `authentication.token_info.iam_token_id` | string. ID of the encrypted IAM token. |
| `authentication.token_info.impersonator_id` | string. ID of the impersonating subject when impersonation is used. |
| `authentication.token_info.impersonator_type` | string. Impersonator subject type. |
| `authentication.token_info.impersonator_name` | string. Impersonator subject name. |
| `authentication.token_info.impersonator_federation_id` ² | string. ID of the federation the federated impersonator user belongs to. |
| `authentication.token_info.impersonator_federation_name` ² | string. Name of the federation the federated impersonator user belongs to. |
| `authentication.token_info.impersonator_federation_type` ² | string. Type of the federation the federated impersonator user belongs to. |
| `authorization` ¹ | object. Event subject's authorization data. |
| `authorization.authorized` | boolean. Authorization result. The possible values are `true` and `false`. |
| `resource_metadata` ¹ | object. Event object's metadata. |
| `resource_metadata.path[]` | array. Path to the resource the event occurred in, from the outermost container to the innermost. |
| `resource_metadata.path[].resource_type` | string. Resource type. |
| `resource_metadata.path[].resource_id` | string. Resource ID. |
| `resource_metadata.path[].resource_name` | string. Resource name. |
| `request_metadata` | object. Details of the request that triggered the event. |
| `request_metadata.remote_address` | string. IP address of the event subject. |
| `request_metadata.user_agent` | string. User agent of the event subject. |
| `request_metadata.request_id` | string. Request ID. |
| `event_status` | string. Event status, determined by the source service and the event type. The possible values include `DONE`, `ERROR`, and `CANCELLED`. |
| `error` | object. Error status, a `google.rpc.Status` object. |
| `details` | object. Event details, determined by the source service and the event type. |
| `request_parameters` ¹ | object. Request parameters. |
| `response` ¹ | object. Data returned in the response. |

¹ This field or section is not present for all event types.
² This field is available when `subject_type` = `FEDERATED_USER_ACCOUNT`.
Note
If the action was performed by one of the Yandex Cloud infrastructure services or by a support employee, the `remote_address` field is set to `cloud.yandex` and the `user_agent` field to `Yandex Cloud`.
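The following Python snippet is an added example, not code from the Yandex Cloud documentation or from Audit Trails. It parses one management event JSON object against the always-present fields of the data schema above, then pulls out what a reviewer of the log usually wants first: who acted (including an impersonator recorded in `token_info`), on which resource path, with what outcome, and whether the `cloud.yandex` / `Yandex Cloud` marker from the Note identifies a platform-initiated action. The sample entry, and every ID, name and address in it, is constructed for the example; the `AuditSummary` dataclass and all function names are this example's own.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Top-level fields the data schema defines for every management event
# (error, details, request_parameters and response are per-event-type and optional).
REQUIRED_FIELDS = ("event_id", "event_source", "event_type", "event_time",
                   "authentication", "authorization", "resource_metadata",
                   "request_metadata", "event_status")

# Constructed sample entry shaped like the page's CreateInstance template.
# Every ID, name and address below is invented for this example.
SAMPLE_ENTRY = json.dumps({
    "event_id": "evt-0001",
    "event_source": "compute",
    "event_type": "yandex.cloud.audit.compute.CreateInstance",
    "event_time": "2024-01-01T12:00:00Z",
    "authentication": {
        "authenticated": True,
        "subject_type": "FEDERATED_USER_ACCOUNT",
        "subject_id": "user-0001",
        "subject_name": "alice@example.com",
        "federation_id": "fed-0001",
        "federation_name": "example-federation",
        "token_info": {
            "masked_iam_token": "t1.****",
            "iam_token_id": "tok-0001",
            "impersonator_id": "sa-0001",       # token obtained by impersonation
            "impersonator_name": "deploy-robot",
        },
    },
    "authorization": {"authorized": True},
    "resource_metadata": {"path": [
        {"resource_type": "organization-manager.organization", "resource_id": "org-0001", "resource_name": "example-org"},
        {"resource_type": "resource-manager.cloud", "resource_id": "cloud-0001", "resource_name": "prod-cloud"},
        {"resource_type": "resource-manager.folder", "resource_id": "folder-0001", "resource_name": "web"},
    ]},
    "request_metadata": {"remote_address": "198.51.100.7", "user_agent": "yc-cli", "request_id": "req-0001"},
    "event_status": "DONE",
    "details": {"instance_id": "vm-0001", "instance_name": "web-1"},
})


@dataclass
class AuditSummary:
    event_id: str
    event_type: str
    event_status: str
    subject: str                  # "<subject_type>:<subject_name>"
    impersonator: Optional[str]   # set when token_info records impersonation
    resource_path: list           # "<resource_type>:<resource_name>", outermost first
    platform_initiated: bool      # the cloud.yandex / Yandex Cloud marker from the Note
    authorized: bool
    error_message: Optional[str]  # error.message when the event carries an error object


def parse_entry(raw: str) -> dict:
    """Parse one audit log JSON object and check the schema's always-present fields."""
    entry = json.loads(raw)
    if not isinstance(entry, dict):
        raise ValueError("audit log entry must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in entry]
    if missing:
        raise ValueError(f"entry {entry.get('event_id', '?')} lacks fields: {missing}")
    return entry


def is_platform_initiated(entry: dict) -> bool:
    """True when both request_metadata markers described in the Note are present."""
    rm = entry["request_metadata"]
    return rm.get("remote_address") == "cloud.yandex" and rm.get("user_agent") == "Yandex Cloud"


def impersonator_of(entry: dict) -> Optional[str]:
    """Impersonator name (or ID) if the IAM token was obtained by impersonation, else None."""
    token = entry["authentication"].get("token_info") or {}
    return token.get("impersonator_name") or token.get("impersonator_id")


def summarize(entry: dict) -> AuditSummary:
    """Reduce a full entry to the fields reviewed first during triage."""
    auth = entry["authentication"]
    path = entry["resource_metadata"].get("path", [])
    err = entry.get("error")
    return AuditSummary(
        event_id=entry["event_id"],
        event_type=entry["event_type"],
        event_status=entry["event_status"],
        subject=f"{auth.get('subject_type', 'UNKNOWN')}:{auth.get('subject_name', auth.get('subject_id', '?'))}",
        impersonator=impersonator_of(entry),
        resource_path=[f"{p['resource_type']}:{p.get('resource_name', p['resource_id'])}" for p in path],
        platform_initiated=is_platform_initiated(entry),
        authorized=bool(entry["authorization"].get("authorized", False)),
        error_message=err.get("message") if isinstance(err, dict) else None,
    )


if __name__ == "__main__":
    print(summarize(parse_entry(SAMPLE_ENTRY)))
```

`summarize` keeps the impersonator separate from the subject on purpose: the subject fields name the account the operation ran under, while `token_info.impersonator_*` names who obtained that token, and both belong in any review of a privileged change.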
Audit log format
Depending on the destination object (a bucket or a log group), the message Audit Trails uses to transmit audit logs differs in structure and content:
- If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
- If the destination object is a log group, the message includes a single JSON object of the audit log.
Audit log file in a bucket
Below is the template for the full name of an audit log file in a bucket:
<object_prefix>/<trail_ID>/<year>/<month>/<file_name>.json
Log group entry
Log group entries have the following values:
- Time: the `event_time` value.
- JSON: the JSON object of the event.
- Level: calculated from the `event_status` value: `ERROR` for the `ERROR` value, `WARN` for the `CANCELLED` value, and `INFO` in all other cases.
- Message: contains the values of the `event_status`, `event_type`, `subject_name`, `cloud_name`, and `resource_name` fields.
When uploading to Cloud Logging, you may get duplicate events in a log group. To find duplicates, refer to the unique record ID, `json_payload.event_id`.
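The following Python snippet is an added example, not code from the Yandex Cloud documentation or from Audit Trails. It reads a bucket-style file (a JSON array of audit log objects), derives the Level for each object with the `event_status` mapping given above, assembles the Message from the listed fields, and then drops duplicate deliveries by `json_payload.event_id`. The record key names `timestamp`, `level`, `message` and `json_payload`, the space separator in the message, and the choice of the innermost path element as `resource_name` are this example's assumptions; the sample bucket file and all IDs and names in it are constructed.

```python
import json
from typing import Iterable, List, Tuple


def level_for(event_status: str) -> str:
    """Level derivation stated for log group entries."""
    if event_status == "ERROR":
        return "ERROR"
    if event_status == "CANCELLED":
        return "WARN"
    return "INFO"


def _path_name(entry: dict, resource_type: str) -> str:
    """resource_name of the first path element with the given type, or '' if absent."""
    for p in entry.get("resource_metadata", {}).get("path", []):
        if p.get("resource_type") == resource_type:
            return p.get("resource_name", "")
    return ""


def message_for(entry: dict) -> str:
    """Join the fields listed for Message. The separator and the use of the innermost
    path element as resource_name are assumptions of this example."""
    path = entry.get("resource_metadata", {}).get("path", [])
    resource_name = path[-1].get("resource_name", "") if path else ""
    return " ".join([
        entry.get("event_status", ""),
        entry.get("event_type", ""),
        entry.get("authentication", {}).get("subject_name", ""),
        _path_name(entry, "resource-manager.cloud"),   # cloud_name
        resource_name,
    ])


def to_log_group_record(entry: dict) -> dict:
    """Shape one audit log object the way a log group entry is described (key names assumed)."""
    return {
        "timestamp": entry["event_time"],
        "level": level_for(entry["event_status"]),
        "message": message_for(entry),
        "json_payload": entry,
    }


def load_bucket_file(text: str) -> list:
    """A bucket file holds an array of audit log objects; reject anything else."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("bucket file must contain a JSON array of audit log objects")
    return data


def dedupe_records(records: Iterable[dict]) -> Tuple[List[dict], int]:
    """Keep the first record per json_payload.event_id; return (unique, duplicates_dropped)."""
    seen, unique, dropped = set(), [], 0
    for r in records:
        eid = r["json_payload"]["event_id"]
        if eid in seen:
            dropped += 1
            continue
        seen.add(eid)
        unique.append(r)
    return unique, dropped


def _make_entry(event_id: str, status: str) -> dict:
    # Constructed minimal entry; all IDs and names are invented for this example.
    return {
        "event_id": event_id,
        "event_source": "compute",
        "event_type": "yandex.cloud.audit.compute.CreateInstance",
        "event_time": "2024-01-01T12:00:00Z",
        "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                           "subject_id": "user-0001", "subject_name": "alice@example.com"},
        "authorization": {"authorized": True},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.cloud", "resource_id": "cloud-0001", "resource_name": "prod-cloud"},
            {"resource_type": "resource-manager.folder", "resource_id": "folder-0001", "resource_name": "web"},
        ]},
        "request_metadata": {"remote_address": "198.51.100.7", "user_agent": "yc-cli", "request_id": "req-" + event_id},
        "event_status": status,
    }


# Constructed bucket file: evt-2 is delivered twice, as the page warns can happen.
SAMPLE_BUCKET_FILE = json.dumps([
    _make_entry("evt-1", "DONE"),
    _make_entry("evt-2", "ERROR"),
    _make_entry("evt-2", "ERROR"),
    _make_entry("evt-3", "CANCELLED"),
])


def process_bucket_file(text: str) -> Tuple[List[dict], int]:
    """Convert every object in a bucket file to a log group record and drop duplicates."""
    records = [to_log_group_record(e) for e in load_bucket_file(text)]
    return dedupe_records(records)


if __name__ == "__main__":
    unique, dropped = process_bucket_file(SAMPLE_BUCKET_FILE)
    print(f"{len(unique)} unique records, {dropped} duplicate(s) dropped")
    for r in unique:
        print(r["level"], r["message"])
```

Deduplicating on `event_id` before alerting matters for the same reason the page raises it: an `ERROR` or `CANCELLED` event delivered twice would otherwise produce two `ERROR`/`WARN` records for one underlying operation.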