© 2025 Direct Cursus Technology L.L.C.
Management event audit log

Written by
Yandex Cloud
Updated at March 3, 2025

A management event audit log is a JSON object that records events involving Yandex Cloud resources.

The log entry format is universal for any event. The values of some fields are determined both by the source resource and the event type.

An event object is the service resource on which the operation is performed. An event subject is the account under which the operation is performed.

Sample management audit log generated when creating a VM

If a federated user creates a VM in Yandex Compute Cloud, the following entry is written in the audit log:

{
    "event_id": "<event_ID>",
    "event_source": "compute",
    "event_type": "yandex.cloud.audit.compute.CreateInstance",
    "event_time": "<event_date>",
    "authentication": {
        "authenticated": true,
        "subject_type": "FEDERATED_USER_ACCOUNT",
        "subject_id": "<user_ID>",
        "subject_name": "<username>",
        "federation_id": "<federation_ID>",
        "federation_name": "<federation_name>",
        "federation_type": "<federation_type>"
    },
    "authorization": {
        "authorized": true
    },
    "resource_metadata": {
        "path": [
            {
                "resource_type": "organization-manager.organization",
                "resource_id": "<organization_ID>",
                "resource_name": "<organization_name>"
            },
            {
                "resource_type": "resource-manager.cloud",
                "resource_id": "<cloud_ID>",
                "resource_name": "<cloud_name>"
            },
            {
                "resource_type": "resource-manager.folder",
                "resource_id": "<folder_ID>",
                "resource_name": "<folder_name>"
            }
        ]
    },
    "request_metadata": {
        "remote_address": "cloud.yandex",
        "user_agent": "Yandex Cloud",
        "request_id": "<request_ID>"
    },
    "event_status": "DONE",
    "details": {
        "instance_id": "<VM_ID>",
        "instance_name": "<VM_name>",
        "zone_id": "<VM_availability_zone>",
        "platform_id": "standard-v3",
        "metadata_keys": [
            "ssh-keys",
            "user-data",
            "install-unified-agent"
        ],
        "network_settings": {
            "type": "STANDARD"
        },
        "placement_policy": {
        },
        "os": {
            "type": "LINUX"
        },
        "product_ids": [
            "<image_ID>"
        ],
        "resources": {
            "memory": "2147483648",
            "cores": "2",
            "core_fraction": "100"
        },
        "boot_disk": {
            "mode": "READ_WRITE",
            "device_name": "<disk_name>",
            "auto_delete": true,
            "disk_id": "<disk_ID>"
        },
        "network_interfaces": [
            {
                "index": "0",
                "mac_address": "<VM_MAC_address>",
                "subnet_id": "<subnet_ID>",
                "primary_v4_address": {
                    "address": "<VM_internal_address>",
                    "one_to_one_nat": {
                        "address": "<VM_external_address>",
                        "ip_version": "IPV4"
                    }
                }
            }
        ],
        "fqdn": "<VM_internal_FQDN>"
    }
}

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string,
    "token_info": {
      "masked_iam_token": string,
      "iam_token_id": string,
      "impersonator_id": string,
      "impersonator_type": string,
      "impersonator_name": string,
      "impersonator_federation_id": string,
      "impersonator_federation_name": string,
      "impersonator_federation_type": string
    }
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}
| Field | Type | Description |
|---|---|---|
| event_id | string | Event ID |
| event_source | string | Name of the event source service |
| event_type | string | Event type, which is determined by the event source service. For more information, see Data event reference. |
| event_time | string | Time when the event occurred |
| authentication ¹ | object | Authentication data of the event subject |
| authentication.authenticated | boolean | Authentication result. The possible values include: true (authentication is successful); false (authentication failed). |
| authentication.subject_type | string | Subject type. The possible values include: YANDEX_PASSPORT_USER_ACCOUNT (Yandex account); SERVICE_ACCOUNT (service account); FEDERATED_USER_ACCOUNT (federated account). |
| authentication.subject_id | string | Subject ID |
| authentication.subject_name | string | Subject name |
| authentication.federation_id ² | string | ID of the federation the federated user belongs to |
| authentication.federation_name ² | string | Name of the federation the federated user belongs to |
| authentication.federation_type ² | string | Federation type. The possible value is PRIVATE_FEDERATION (federation managed by Yandex Cloud clients). |
| authentication.token_info ¹ | object | Authentication data of the event subject |
| authentication.token_info.masked_iam_token | string | Encrypted value of the IAM token the subject used to execute the request |
| authentication.token_info.iam_token_id | string | ID of the encrypted IAM token |
| authentication.token_info.impersonator_id | string | Subject ID when using impersonation |
| authentication.token_info.impersonator_type | string | Impersonator subject type. The possible values include: YANDEX_PASSPORT_USER_ACCOUNT (Yandex account); SERVICE_ACCOUNT (service account); FEDERATED_USER_ACCOUNT (federated account). |
| authentication.token_info.impersonator_name | string | Impersonator subject name |
| authentication.token_info.impersonator_federation_id ² | string | ID of the federation the impersonated federated user belongs to |
| authentication.token_info.impersonator_federation_name ² | string | Name of the federation the impersonated federated user belongs to |
| authentication.token_info.impersonator_federation_type ² | string | Federation type. The possible value is PRIVATE_FEDERATION (federation managed by Yandex Cloud clients). |
| authorization ¹ | object | Authorization data of the event subject |
| authorization.authorized | boolean | Authorization result. The possible values include: true (authorization is successful); false (authorization failed). |
| resource_metadata ¹ | object | Metadata of the event object |
| resource_metadata.path[] | array | Path to the resource where the event occurred |
| resource_metadata.path[].resource_type | string | Resource type |
| resource_metadata.path[].resource_id | string | Resource ID |
| resource_metadata.path[].resource_name | string | Resource name |
| request_metadata | object | Details of a query triggering the event |
| request_metadata.remote_address | string | IP address of an event subject |
| request_metadata.user_agent | string | User-agent of an event subject |
| request_metadata.request_id | string | Query ID |
| event_status | string | Event status, which is determined by the source service and the event type. The possible values include: STARTED (operation started); ERROR (operation failed); DONE (operation completed successfully); CANCELLED (operation canceled). |
| error | object | Status error. A google.rpc.Status object with the fields code (error code), message (error description), and details (error details). Filled in only in case of an error. |
| details | object | Event details, which are determined by the source service and the event type |
| request_parameters ¹ | object | Request parameters |
| response ¹ | object | Obtained data |

¹ The field section is used for certain types of events.
² This field is available when subject_type = FEDERATED_USER_ACCOUNT.

Note

If the action was run by a Yandex Cloud infrastructure service or a support team member, the remote address field will be set to cloud.yandex and the user agent field, to Yandex Cloud.
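
As an added example (not Yandex Cloud code), the sketch below triages management events using the schema fields described above: failed authentication or authorization, impersonation indicated by token_info.impersonator_id, and the cloud.yandex / Yandex Cloud pair from the note. The sample events, the flag strings and the helper names scope and triage are constructed for illustration.

```python
# Constructed sample events (not real log data); field names follow the schema above.
CREATE = "yandex.cloud.audit.compute.CreateInstance"
CLIENT = {"remote_address": "203.0.113.10", "user_agent": "example-cli"}
SAMPLES = [
    {"event_id": "evt-a", "event_type": CREATE, "event_status": "DONE",
     "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                        "subject_id": "user-1"},
     "authorization": {"authorized": True}, "request_metadata": CLIENT,
     "resource_metadata": {"path": [
         {"resource_type": "resource-manager.cloud", "resource_id": "cloud-1"},
         {"resource_type": "resource-manager.folder", "resource_id": "folder-1"}]}},
    {"event_id": "evt-b", "event_type": CREATE, "event_status": "ERROR",
     "authentication": {"authenticated": True, "subject_type": "SERVICE_ACCOUNT",
                        "subject_id": "sa-1"},
     "authorization": {"authorized": False}, "request_metadata": CLIENT,
     "error": {"code": 7, "message": "Permission denied"}},
    {"event_id": "evt-c", "event_type": CREATE, "event_status": "DONE",
     "authentication": {"authenticated": True, "subject_type": "SERVICE_ACCOUNT",
                        "subject_id": "sa-2",
                        "token_info": {"impersonator_id": "user-1"}},
     "request_metadata": CLIENT},
    {"event_id": "evt-d", "event_type": CREATE, "event_status": "DONE",
     "request_metadata": {"remote_address": "cloud.yandex", "user_agent": "Yandex Cloud"}},
]

def scope(event):
    """Map resource_type -> resource_id for each element of resource_metadata.path."""
    path = (event.get("resource_metadata") or {}).get("path") or []
    return {p.get("resource_type"): p.get("resource_id") for p in path}

def triage(event):
    """Return review flags; sections the schema marks as optional may be absent."""
    authn = event.get("authentication") or {}
    authz = event.get("authorization") or {}
    token = authn.get("token_info") or {}
    req = event.get("request_metadata") or {}
    flags = []
    if authn.get("authenticated") is False:
        flags.append("unauthenticated")
    if authz.get("authorized") is False:
        flags.append("unauthorized")
    if token.get("impersonator_id"):
        flags.append("impersonation")
    if (req.get("remote_address"), req.get("user_agent")) == ("cloud.yandex", "Yandex Cloud"):
        flags.append("provider_initiated")
    if event.get("event_status") == "ERROR":
        flags.append("error:%s" % (event.get("error") or {}).get("code"))
    return flags
```

The explicit `is False` comparisons keep an absent authentication or authorization section from being reported as a failure.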

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

  • If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
  • If the destination object is a log group, the message includes a single JSON object of the audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object_prefix>/<trail_ID>/<year>/<month>/<file_name.json>

Log group entry

Log group entries have the following values:

  • Time: event_time field value of the event.
  • JSON: JSON object of the event.
  • Level: Calculated depending on the event_status value:
    • ERROR: For the ERROR value
    • WARN: For the CANCELLED value
    • INFO: For all other cases
  • Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name fields.

When uploading to Cloud Logging, you may get duplicate events in a log group. To find duplicates, refer to the unique record ID, json_payload.event_id.
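
As an added example (not Yandex Cloud code), the sketch below reads either delivery shape described under "Audit log format", applies the level rule listed above, and drops duplicates by event_id. The sample data and function names are constructed, and it assumes a log group entry carries the event under a json_payload key, as the json_payload.event_id reference suggests.

```python
import json

# Constructed bucket-file content: an array of audit log objects, with evt-1 delivered twice.
BUCKET_FILE = json.dumps([
    {"event_id": "evt-1", "event_status": "DONE"},
    {"event_id": "evt-2", "event_status": "ERROR"},
    {"event_id": "evt-1", "event_status": "DONE"},
    {"event_id": "evt-3", "event_status": "CANCELLED"},
    {"event_id": "evt-4", "event_status": "STARTED"},
])
# Constructed log group entry; assumption: the event sits under "json_payload".
LOG_ENTRY = json.dumps({"json_payload": {"event_id": "evt-2", "event_status": "ERROR"}})

def load_events(message):
    """Return event dicts from a bucket file (array) or a log group entry (object)."""
    data = json.loads(message)
    items = data if isinstance(data, list) else [data]
    events = []
    for item in items:
        if not isinstance(item, dict):
            raise ValueError("audit log record is not a JSON object")
        events.append(item.get("json_payload", item))
    return events

def log_level(event):
    """Level rule from this page: ERROR -> ERROR, CANCELLED -> WARN, anything else -> INFO."""
    return {"ERROR": "ERROR", "CANCELLED": "WARN"}.get(event.get("event_status"), "INFO")

def deduplicate(events):
    """Keep the first record per event_id; records lacking an ID are kept, never merged."""
    seen, unique, dropped = set(), [], []
    for event in events:
        event_id = event.get("event_id")
        if event_id is not None and event_id in seen:
            dropped.append(event_id)
            continue
        seen.add(event_id)
        unique.append(event)
    return unique, dropped
```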
