Data event audit log

Written by

Updated at August 29, 2024

Data schema
Audit log format
- Audit log file in a bucket
- Log group entry

Keep track of data events to make sure only authorized users can access and update your data. This will help you ensure your cloud infrastructure's compliance with legal regulations and industry standards. For example, you can keep track of your employees' access permissions to sensitive data stored in buckets.

You can analyze data event logs to optimize the use of resources in your infrastructure. Thus, you can determine what resources are used most often and enhance their performance, or identify rarely used resources that can be grouped or removed to cut costs.

Warning

When setting up collection of data events for an Object Storage bucket, we do not recommend using the same bucket as a destination object for uploading logs. This may cause automatic recursive generation of audit logs and, consequently, an increase in the size of generated logs (by about 16 MB per month for all events per trail saved to the bucket).

A data event audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.

The log entry format is universal for any event. The values of some fields are determined both by the source resource and the event type.

An event object is the service resource on which the operation is performed. An event subject is the account under which the operation is performed.

Sample data audit log created when requesting the contents of a secret

If a federated user requests the contents of a secret in Yandex Lockbox, the following entry is written in the audit log:

{
    "event_id": "<event_ID>",
    "event_source": "lockbox",
    "event_type": "yandex.cloud.audit.lockbox.GetPayload",
    "event_time": "<event_date>",
    "authentication": {
        "authenticated": true,
        "subject_type": "FEDERATED_USER_ACCOUNT",
        "subject_id": "<user_ID>",
        "subject_name": "<username>",
        "federation_id": "<federation_ID>",
        "federation_name": "<federation_name>",
        "federation_type": "<federation_type>"
    },
    "authorization": {
        "authorized": true
    },
    "resource_metadata": {
        "path": [
            {
                "resource_type": "organization-manager.organization",
                "resource_id": "<organization_ID>",
                "resource_name": "<organization_name>"
            },
            {
                "resource_type": "resource-manager.cloud",
                "resource_id": "<cloud_ID>",
                "resource_name": "<cloud_name>"
            },
            {
                "resource_type": "resource-manager.folder",
                "resource_id": "<folder_ID>",
                "resource_name": "<folder_name>"
            }
        ]
    },
    "request_metadata": {
        "remote_address": "cloud.yandex",
        "user_agent": "Yandex Cloud",
        "request_id": "<request_ID>"
    },
    "event_status": "DONE",
    "details": {
        "secret_id": "<secret_ID>",
        "secret_name": "<secret_name>",
        "secret_version_id": "<secret_version_ID>",
        "secret_kms_key_id": "<ID_of_secret_encryption_key_in_KMS>",
        "secret_status": "<secret_status>",
        "secret_version_status": "<secret_version_status>",
        "secret_version_payload_entry_keys": [
            "<secret_version_entry_keys>"
        ]
    },
    "request_parameters": {
        "secret_id": "<secret_ID>",
        "version_id": "<secret_version_ID>"
    },
    "response": {
        "version_id": "<version_ID>",
        "entry_keys": [
            "<entry_keys>"
        ]
    }
}

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string,
    "token_info": {
      "masked_iam_token": string,
      "iam_token_id": string,
      "impersonator_id": string,
      "impersonator_type": string,
      "impersonator_name": string,
      "impersonator_federation_id": string,
      "impersonator_federation_name": string,
      "impersonator_federation_type": string
    }
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}

Field	Description
`event_id`	string Event ID
`event_source`	string Name of the event source service
`event_type`	string Event type, which is determined by the event source service. For more information, see Data event reference.
`event_time`	string Time when the event occurred
`authentication` ¹	object Authentication data of the event subject
`authentication.authenticated`	boolean Authentication result. The possible values include: `true`: Authentication is successful. `false`: Authentication failed.
`authentication.subject_type`	string Subject type. The possible values include: `YANDEX_PASSPORT_USER_ACCOUNT`: Yandex account `SERVICE_ACCOUNT`: Service account `FEDERATED_USER_ACCOUNT`: Federated account
`authentication.subject_id`	string Subject ID
`authentication.subject_name`	string Subject name
`authentication.federation_id` ²	string ID of the federation the federated user belongs to
`authentication.federation_name` ²	string Name of the federation the federated user belongs to
`authentication.federation_type` ²	string Federation type. The possible value is: `PRIVATE_FEDERATION`: Federation managed by Yandex Cloud clients.
`authentication.token_info` ¹	object Authentication data of the event subject
`authentication.token_info.masked_iam_token`	string Encrypted value of the IAM token the subject used to execute the request
`authentication.token_info.iam_token_id`	string ID of the encrypted IAM token
`authentication.token_info.impersonator_id`	string Subject ID when using impersonation
`authentication.token_info.impersonator_type`	string Impersonator subject type. The possible values include: `YANDEX_PASSPORT_USER_ACCOUNT`: Yandex account `SERVICE_ACCOUNT`: Service account `FEDERATED_USER_ACCOUNT`: Federated account
`authentication.token_info.impersonator_name`	string Impersonator subject name
`authentication.token_info.impersonator_federation_id` ²	string ID of the federation the impersonated federated user belongs to
`authentication.token_info.impersonator_federation_name` ²	string Name of the federation the impersonated federated user belongs to
`authentication.token_info.impersonator_federation_type` ²	string Federation type. The possible value is: `PRIVATE_FEDERATION`: Federation managed by Yandex Cloud clients.
`authorization` ¹	object Authorization data of the event subject
`authorization.authorized`	boolean Authorization result. The possible values include: `true`: Authorization is successful. `false`: Authorization failed.
`resource_metadata` ¹	object Metadata of the event object
`resource_metadata.path[]`	array Path to the resource where the event occurred
`resource_metadata.path[].resource_type`	string Resource type
`resource_metadata.path[].resource_id`	string Resource ID
`resource_metadata.path[].resource_name`	string Resource name
`request_metadata`	object Details of a query triggering the event
`request_metadata.remote_address`	string IP address of an event subject
`request_metadata.user_agent`	string User-agent of an event subject
`request_metadata.request_id`	string Query ID
`event_status`	string Event status, which is determined by the source service and the event type. The possible values include: `STARTED`: Operation started. `ERROR`: Operation failed. `DONE`: Operation completed successfully. `CANCELLED`: Operation canceled.
`error`	object Status error. google.rpc.Status object: `code`: Error code `message`: Error description `details`: Error details to fill out only in case of an error
`details`	object Event details, which are determined by the source service and the event type
`request_parameters` ¹	object Request parameters
`response` ¹	object Obtained data

¹ The field section is used for certain types of events.
² This field is available when subject_type = FEDERATED_USER_ACCOUNT.

Note

If the action was run by a Yandex Cloud infrastructure service or a support team member, the remote address field will be set to cloud.yandex and the user agent field, to Yandex Cloud.

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
If the destination object is a log group, the message includes a single JSON object of the audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object_prefix>/<trail_ID>/<year>/<month>/<file_name.json>

Log group entry

Log group entries have the following values:

Time: Event_time field value of the event.
JSON: JSON object of the event.
Level: Calculated depending on the event_status value:
- ERROR: For the ERROR value
- WARN: For the CANCELLED value
- INFO: For all other cases
Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name fields.

When uploading to Cloud Logging, you may get duplicate events in a log group. To find out whether an event in a log group is a duplicate, use the unique ID of the json_payload.event_id record.

Data event audit log

Data schemaData schema

Audit log formatAudit log format

Audit log file in a bucketAudit log file in a bucket

Log group entryLog group entry

Was the article helpful?

Data schema

Audit log format

Audit log file in a bucket

Log group entry