Management event audit log
Written by
Updated at March 3, 2025
A management event audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.
The log entry format is universal for any event. The values of some fields are determined both by the source resource and the event type.
An event object is the service resource on which the operation is performed. An event subject is the account under which the operation is performed.
Sample management audit log generated when creating a VM
If a federated user creates a VM in Yandex Compute Cloud, the following entry is written in the audit log:
{
"event_id": "<event_ID>",
"event_source": "compute",
"event_type": "yandex.cloud.audit.compute.CreateInstance",
"event_time": "<event_date>",
"authentication": {
"authenticated": true,
"subject_type": "FEDERATED_USER_ACCOUNT",
"subject_id": "<user_ID>",
"subject_name": "<username>",
"federation_id": "<federation_ID>",
"federation_name": "<federation_name>",
"federation_type": "<federation_type>"
},
"authorization": {
"authorized": true
},
"resource_metadata": {
"path": [
{
"resource_type": "organization-manager.organization",
"resource_id": "<organization_ID>",
"resource_name": "<organization_name>"
},
{
"resource_type": "resource-manager.cloud",
"resource_id": "<cloud_ID>",
"resource_name": "<cloud_name>"
},
{
"resource_type": "resource-manager.folder",
"resource_id": "<folder_ID>",
"resource_name": "<folder_name>"
}
]
},
"request_metadata": {
"remote_address": "cloud.yandex",
"user_agent": "Yandex Cloud",
"request_id": "<request_ID>"
},
"event_status": "DONE",
"details": {
"instance_id": "<VM_ID>",
"instance_name": "<VM_name>",
"zone_id": "<VM_availability_zone>",
"platform_id": "standard-v3",
"metadata_keys": [
"ssh-keys",
"user-data",
"install-unified-agent"
],
"network_settings": {
"type": "STANDARD"
},
"placement_policy": {
},
"os": {
"type": "LINUX"
},
"product_ids": [
"<image_ID>"
],
"resources": {
"memory": "2147483648",
"cores": "2",
"core_fraction": "100"
},
"boot_disk": {
"mode": "READ_WRITE",
"device_name": "<disk_name>",
"auto_delete": true,
"disk_id": "<disk_ID>"
},
"network_interfaces": [
{
"index": "0",
"mac_address": "<VM_MAC_address>",
"subnet_id": "<subnet_ID>",
"primary_v4_address": {
"address": "<VM_internal_address>",
"one_to_one_nat": {
"address": "<VM_external_address>",
"ip_version": "IPV4"
}
}
}
],
"fqdn": "VM_internal_FQDN"
}
}
Data schema
{
"event_id": string,
"event_source": string,
"event_type": string,
"event_time": string,
"authentication": {
"authenticated": boolean,
"subject_type": string,
"subject_id": string,
"subject_name": string,
"federation_id": string,
"federation_name": string,
"federation_type": string,
"token_info": {
"masked_iam_token": string,
"iam_token_id": string,
"impersonator_id": string,
"impersonator_type": string,
"impersonator_name": string,
"impersonator_federation_id": string,
"impersonator_federation_name": string,
"impersonator_federation_type": string
}
},
"authorization": {
"authorized": boolean
},
"resource_metadata": {
"path": [{
"resource_type": string,
"resource_id": string,
"resource_name": string
}]
},
"request_metadata": {
"remote_address": string,
"user_agent": string,
"request_id": string
},
"event_status": string,
"error": {
"code": number,
"message": string,
"details": {
object
}
},
"details": {
object
},
"request_parameters": {
object
},
"response": {
object
}
}
| Field | Description |
|---|---|
event_id |
string Event ID |
event_source |
string Name of the event source service |
event_type |
string Event type, which is determined by the event source service. For more information, see Data event reference. |
event_time |
string Time when the event occurred |
authentication 1 |
object Authentication data of the event subject |
authentication.authenticated |
boolean Authentication result. The possible values include:
|
authentication.subject_type |
string Subject type. The possible values include:
|
authentication.subject_id |
string Subject ID |
authentication.subject_name |
string Subject name |
authentication.federation_id 2 |
string ID of the federation the federated user belongs to |
authentication.federation_name 2 |
string Name of the federation the federated user belongs to |
authentication.federation_type 2 |
string Federation type. The possible value is:
|
authentication.token_info 1 |
object Authentication data of the event subject |
authentication.token_info.masked_iam_token |
string Encrypted value of the IAM token the subject used to execute the request |
authentication.token_info.iam_token_id |
string ID of the encrypted IAM token |
authentication.token_info.impersonator_id |
string Subject ID when using impersonation |
authentication.token_info.impersonator_type |
string Impersonator subject type. The possible values include:
|
authentication.token_info.impersonator_name |
string Impersonator subject name |
authentication.token_info.impersonator_federation_id 2 |
string ID of the federation the impersonated federated user belongs to |
authentication.token_info.impersonator_federation_name 2 |
string Name of the federation the impersonated federated user belongs to |
authentication.token_info.impersonator_federation_type 2 |
string Federation type. The possible value is:
|
authorization 1 |
object Authorization data of the event subject |
authorization.authorized |
boolean Authorization result. The possible values include:
|
resource_metadata 1 |
object Metadata of the event object |
resource_metadata.path[] |
array Path to the resource where the event occurred |
resource_metadata.path[].resource_type |
string Resource type |
resource_metadata.path[].resource_id |
string Resource ID |
resource_metadata.path[].resource_name |
string Resource name |
request_metadata |
object Details of a query triggering the event |
request_metadata.remote_address |
string IP address of an event subject |
request_metadata.user_agent |
string User-agent of an event subject |
request_metadata.request_id |
string Query ID |
event_status |
string Event status, which is determined by the source service and the event type. The possible values include:
|
error |
object Status error. google.rpc.Status object:
|
details |
object Event details, which are determined by the source service and the event type |
request_parameters 1 |
object Request parameters |
response 1 |
object Obtained data |
1 The field section is used for certain types of events.
2 This field is available when subject_type = FEDERATED_USER_ACCOUNT.
Note
If the action was run by a Yandex Cloud infrastructure service or a support team member, the remote address field will be set to cloud.yandex and the user agent field, to Yandex Cloud.
Audit log format
Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:
- If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
- If the destination object is a log group, the message includes a single JSON object of the audit log.
Audit log file in a bucket
Below is the template for the full name of an audit log file in a bucket:
<object_prefix>/<trail_ID>/<year>/<month>/<file_name.json>
Log group entry
Log group entries have the following values:
- Time:
Event_timefield value of the event. - JSON: JSON object of the event.
- Level: Calculated depending on the
event_statusvalue:ERROR: For theERRORvalueWARN: For theCANCELLEDvalueINFO: For all other cases
- Message: Includes the values of the
event_status,event_type,subject_name,cloud_name, andresource_namefields.
When uploading to Cloud Logging, you may get duplicate events in a log group. To find duplicates, refer to the unique record ID, json_payload.event_id.