Data event audit log
Keep track of data events to make sure only authorized users can access and update your data. This will help you ensure your cloud infrastructure's compliance with legal regulations and industry standards. For example, you can keep track of your employees' access permissions to sensitive data stored in buckets.
You can analyze data event logs to optimize the use of resources in your infrastructure. Thus, you can determine what resources are used most often and enhance their performance, or identify rarely used resources that can be grouped or removed to cut costs.
Warning
When setting up collection of data events for an Object Storage bucket, we do not recommend using the same bucket as a destination object for uploading logs. This may cause automatic recursive generation of audit logs and, consequently, an increase in the size of generated logs (by about 16 MB per month for all events per trail saved to the bucket).
A data event audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.
The log entry format is the same for every event; the values of some fields depend on both the source resource and the event type.
An event object is the service resource on which the operation is performed. An event subject is the account under which the operation is performed.
Sample data audit log created when requesting the contents of a secret
If a federated user requests the contents of a secret in Yandex Lockbox, the following entry is written in the audit log:
```json
{
  "event_id": "<event_ID>",
  "event_source": "lockbox",
  "event_type": "yandex.cloud.audit.lockbox.GetPayload",
  "event_time": "<event_date>",
  "authentication": {
    "authenticated": true,
    "subject_type": "FEDERATED_USER_ACCOUNT",
    "subject_id": "<user_ID>",
    "subject_name": "<username>",
    "federation_id": "<federation_ID>",
    "federation_name": "<federation_name>",
    "federation_type": "<federation_type>"
  },
  "authorization": {
    "authorized": true
  },
  "resource_metadata": {
    "path": [
      {
        "resource_type": "organization-manager.organization",
        "resource_id": "<organization_ID>",
        "resource_name": "<organization_name>"
      },
      {
        "resource_type": "resource-manager.cloud",
        "resource_id": "<cloud_ID>",
        "resource_name": "<cloud_name>"
      },
      {
        "resource_type": "resource-manager.folder",
        "resource_id": "<folder_ID>",
        "resource_name": "<folder_name>"
      }
    ]
  },
  "request_metadata": {
    "remote_address": "cloud.yandex",
    "user_agent": "Yandex Cloud",
    "request_id": "<request_ID>"
  },
  "event_status": "DONE",
  "details": {
    "secret_id": "<secret_ID>",
    "secret_name": "<secret_name>",
    "secret_version_id": "<secret_version_ID>",
    "secret_kms_key_id": "<ID_of_secret_encryption_key_in_KMS>",
    "secret_status": "<secret_status>",
    "secret_version_status": "<secret_version_status>",
    "secret_version_payload_entry_keys": [
      "<secret_version_entry_keys>"
    ]
  },
  "request_parameters": {
    "secret_id": "<secret_ID>",
    "version_id": "<secret_version_ID>"
  },
  "response": {
    "version_id": "<version_ID>",
    "entry_keys": [
      "<entry_keys>"
    ]
  }
}
```
Data schema
```json
{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string,
    "token_info": {
      "masked_iam_token": string,
      "iam_token_id": string,
      "impersonator_id": string,
      "impersonator_type": string,
      "impersonator_name": string,
      "impersonator_federation_id": string,
      "impersonator_federation_name": string,
      "impersonator_federation_type": string
    }
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}
```
| Field | Description |
|---|---|
| `event_id` | `string` Event ID. |
| `event_source` | `string` Name of the event source service. |
| `event_type` | `string` Event type, which is determined by the event source service. For more information, see Data event reference. |
| `event_time` | `string` Event time. |
| `authentication` ¹ | `object` Event subject's authentication data. |
| `authentication.authenticated` | `boolean` Authentication result. The possible values are: |
| `authentication.subject_type` | `string` Type of the subject. The possible values are: |
| `authentication.subject_id` | `string` ID of the subject. |
| `authentication.subject_name` | `string` Subject name. |
| `authentication.federation_id` ² | `string` ID of the federation the federated user belongs to. |
| `authentication.federation_name` ² | `string` Name of the federation the federated user belongs to. |
| `authentication.federation_type` ² | `string` Federation type. The possible value is: |
| `authentication.token_info` ¹ | `object` Event subject's authentication data. |
| `authentication.token_info.masked_iam_token` | `string` Encrypted value of the IAM token the subject used to execute the request. |
| `authentication.token_info.iam_token_id` | `string` ID of the encrypted IAM token. |
| `authentication.token_info.impersonator_id` | `string` Subject ID when using impersonation. |
| `authentication.token_info.impersonator_type` | `string` Impersonator subject type. The possible values are: |
| `authentication.token_info.impersonator_name` | `string` Impersonator subject name. |
| `authentication.token_info.impersonator_federation_id` ² | `string` ID of the federation the federated impersonator user belongs to. |
| `authentication.token_info.impersonator_federation_name` ² | `string` Name of the federation the federated impersonator user belongs to. |
| `authentication.token_info.impersonator_federation_type` ² | `string` Federation type. The possible value is: |
| `authorization` ¹ | `object` Event subject's authorization data. |
| `authorization.authorized` | `boolean` Authorization result. The possible values are: |
| `resource_metadata` ¹ | `object` Event object's metadata. |
| `resource_metadata.path[]` | `array` Path to the resource the event occurred in. |
| `resource_metadata.path[].resource_type` | `string` Resource type. |
| `resource_metadata.path[].resource_id` | `string` Resource ID. |
| `resource_metadata.path[].resource_name` | `string` Resource name. |
| `request_metadata` | `object` Details of the request that triggered the event. |
| `request_metadata.remote_address` | `string` IP address of the event subject. |
| `request_metadata.user_agent` | `string` User agent of the event subject. |
| `request_metadata.request_id` | `string` Request ID. |
| `event_status` | `string` Event status, which is determined by the source service and the event type. The possible values are: |
| `error` | `object` Status error (`google.rpc.Status`). |
| `details` | `object` Event details, which are determined by the source service and the event type. |
| `request_parameters` ¹ | `object` Request parameters. |
| `response` ¹ | `object` Obtained data. |

¹ This field or section is not present for all event types.
² This field is available when `subject_type` = `FEDERATED_USER_ACCOUNT`.
Note
If the action was performed by one of the Yandex Cloud infrastructure services or a support employee, the `remote_address` field will be set to `cloud.yandex`, and the `user_agent` field to `Yandex Cloud`.
Audit log format
Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:
- If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
- If the destination object is a log group, the message includes a single JSON object of the audit log.
Audit log file in a bucket
Below is the template for the full name of an audit log file in a bucket:
<object_prefix>/<trail_ID>/<year>/<month>/<file_name>.json
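The following is an added example, not Yandex Cloud's own code, showing how a defender would consume a bucket file in the format documented above: it splits the object key into the template's components, loads the JSON array of events, and reports the conditions worth reviewing (failed authentication, denied authorization, impersonation, and successful reads of secret payloads). The object key, the events, and the `db-password` secret are constructed for this example; optional sections such as `authorization` and `token_info` are treated as absent when missing, since not every event type carries them.

```python
"""Review an Audit Trails bucket file for data events worth a second look.

Added example, not Yandex Cloud's own code. Assumes the object key follows the
<object_prefix>/<trail_ID>/<year>/<month>/<file_name>.json template and that the
file body is a JSON array of audit log objects in the documented format.
The sample key and events below are constructed for this example.
"""
import json
from typing import Any

SECRET_READ = "yandex.cloud.audit.lockbox.GetPayload"


def parse_object_key(key: str) -> dict[str, str]:
    """Split a bucket object key into the components of the file name template."""
    parts = key.rsplit("/", 4)
    if len(parts) == 4:          # no object prefix configured for the trail
        parts.insert(0, "")
    if len(parts) != 5 or not parts[4].endswith(".json"):
        raise ValueError(f"key does not match the audit log template: {key!r}")
    prefix, trail_id, year, month, file_name = parts
    if not (year.isdigit() and len(year) == 4 and month.isdigit() and len(month) == 2):
        raise ValueError(f"unexpected year/month segment in key: {key!r}")
    return {"object_prefix": prefix, "trail_id": trail_id, "year": year,
            "month": month, "file_name": file_name[:-len(".json")]}


def load_bucket_file(body: str) -> list[dict[str, Any]]:
    """A bucket file is a JSON array of audit log objects; reject anything else."""
    events = json.loads(body)
    if not isinstance(events, list):
        raise ValueError("bucket audit log file must contain a JSON array")
    return events


def review_events(events: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per condition a defender would want to see.

    authorization and token_info are absent for some event types, so every
    access goes through .get() instead of assuming the section is present.
    """
    findings: list[dict[str, str]] = []
    for ev in events:
        auth = ev.get("authentication", {})
        authz = ev.get("authorization")
        token = auth.get("token_info", {})
        base = {
            "event_id": ev.get("event_id", ""),
            "event_type": ev.get("event_type", ""),
            "subject": auth.get("subject_name") or auth.get("subject_id", ""),
            "remote_address": ev.get("request_metadata", {}).get("remote_address", ""),
        }
        if not auth.get("authenticated", False):
            findings.append({**base, "reason": "authentication failed"})
        if authz is not None and not authz.get("authorized", False):
            findings.append({**base, "reason": "authorization denied"})
        if token.get("impersonator_id"):
            who = token.get("impersonator_name") or token["impersonator_id"]
            findings.append({**base, "reason": f"impersonation by {who}"})
        if base["event_type"] == SECRET_READ and ev.get("event_status") == "DONE":
            secret = ev.get("details", {}).get("secret_name", "")
            findings.append({**base, "reason": f"secret payload read: {secret}"})
    return findings


def review_bucket_file(key: str, body: str) -> dict[str, Any]:
    """Combine the key's metadata with the findings from the file's events."""
    report: dict[str, Any] = parse_object_key(key)
    events = load_bucket_file(body)
    report["event_count"] = len(events)
    report["findings"] = review_events(events)
    return report


# Constructed sample: one bucket file with three events (all values made up).
SAMPLE_KEY = "audit/prod/trail-example/2024/05/events.json"
SAMPLE_FILE = json.dumps([
    {   # routine, authorized read of a secret by a federated user
        "event_id": "evt-1", "event_source": "lockbox", "event_type": SECRET_READ,
        "event_time": "2024-05-01T08:00:00Z",
        "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                           "subject_id": "u-1", "subject_name": "alice@example.com"},
        "authorization": {"authorized": True},
        "request_metadata": {"remote_address": "198.51.100.10", "user_agent": "yc-cli"},
        "event_status": "DONE",
        "details": {"secret_id": "s-1", "secret_name": "db-password"},
    },
    {   # the same request rejected by authorization
        "event_id": "evt-2", "event_source": "lockbox", "event_type": SECRET_READ,
        "event_time": "2024-05-01T08:05:00Z",
        "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                           "subject_id": "u-2", "subject_name": "bob@example.com"},
        "authorization": {"authorized": False},
        "request_metadata": {"remote_address": "198.51.100.11", "user_agent": "yc-cli"},
        "event_status": "ERROR",
        "error": {"code": 7, "message": "permission denied"},
    },
    {   # a successful read performed under impersonation
        "event_id": "evt-3", "event_source": "lockbox", "event_type": SECRET_READ,
        "event_time": "2024-05-01T08:10:00Z",
        "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                           "subject_id": "u-1", "subject_name": "alice@example.com",
                           "token_info": {"impersonator_id": "sa-9", "impersonator_name": "deploy-sa"}},
        "authorization": {"authorized": True},
        "request_metadata": {"remote_address": "198.51.100.12", "user_agent": "yc-cli"},
        "event_status": "DONE",
        "details": {"secret_id": "s-1", "secret_name": "db-password"},
    },
])

if __name__ == "__main__":
    for f in review_bucket_file(SAMPLE_KEY, SAMPLE_FILE)["findings"]:
        print(f"{f['event_id']}: {f['reason']} ({f['subject']} from {f['remote_address']})")
```

Run as a script it prints four findings for the three sample events: the authorized secret read, the denied read, and both the impersonation and the secret read for the third event. The `event_status` check keeps a denied `GetPayload` from being counted as a payload read, which is the distinction the `event_status` and `authorization` fields exist to make.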
Log group entry
Log group entries have the following values:
- Time: `event_time` value.
- JSON: JSON object of the event.
- Level: Calculated depending on the `event_status` value:
  - `ERROR`: for the `ERROR` value.
  - `WARN`: for the `CANCELLED` value.
  - `INFO`: in all other cases.
- Message: Contains the values of the `event_status`, `event_type`, `subject_name`, `cloud_name`, and `resource_name` fields.
When uploading to Cloud Logging, you may get duplicate events in a log group. To find duplicates, refer to the unique record ID, `json_payload.event_id`.
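As an added example (not Yandex Cloud's own code), the following applies the log group entry rules listed above to raw audit log objects: the level is derived from `event_status`, the message is assembled from `event_status`, `event_type`, `subject_name`, `cloud_name`, and `resource_name`, and redelivered events are dropped by comparing `json_payload.event_id`. The message layout (field order, separator) and the choice of the innermost `resource_metadata.path` element as `resource_name` are assumptions; the events are constructed for the example.

```python
"""Map audit log events onto log group entries and drop duplicate deliveries.

Added example, not Yandex Cloud's own code. Level, message fields and the
dedup key follow the documentation; the message layout and the use of the
innermost path element as resource_name are assumptions. Events constructed.
"""
from typing import Any


def level_for(event_status: str) -> str:
    """ERROR -> ERROR, CANCELLED -> WARN, anything else -> INFO."""
    if event_status == "ERROR":
        return "ERROR"
    if event_status == "CANCELLED":
        return "WARN"
    return "INFO"


def _path(event: dict[str, Any]) -> list[dict[str, Any]]:
    return event.get("resource_metadata", {}).get("path", [])


def cloud_name(event: dict[str, Any]) -> str:
    """Name of the resource-manager.cloud element of the resource path."""
    for node in _path(event):
        if node.get("resource_type") == "resource-manager.cloud":
            return node.get("resource_name", "")
    return ""


def resource_name(event: dict[str, Any]) -> str:
    # Assumption: the innermost path element names the resource the event occurred in.
    path = _path(event)
    return path[-1].get("resource_name", "") if path else ""


def build_message(event: dict[str, Any]) -> str:
    """Space-separated message from the five documented fields (layout assumed)."""
    fields = [
        event.get("event_status", ""),
        event.get("event_type", ""),
        event.get("authentication", {}).get("subject_name", ""),
        cloud_name(event),
        resource_name(event),
    ]
    return " ".join(fields)


def to_log_entry(event: dict[str, Any]) -> dict[str, Any]:
    """Build the Time / Level / Message / JSON values of a log group entry."""
    return {
        "timestamp": event.get("event_time", ""),
        "level": level_for(event.get("event_status", "")),
        "message": build_message(event),
        "json_payload": event,
    }


def dedupe_entries(entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Keep the first entry per event_id; a redelivered event carries the same ID."""
    seen: set[str] = set()
    unique: list[dict[str, Any]] = []
    for entry in entries:
        event_id = entry["json_payload"].get("event_id")
        if event_id in seen:
            continue
        seen.add(event_id)
        unique.append(entry)
    return unique


def process(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    return dedupe_entries([to_log_entry(e) for e in events])


def _event(event_id: str, status: str) -> dict[str, Any]:
    # Constructed sample event with just the fields the mapping reads.
    return {
        "event_id": event_id,
        "event_type": "yandex.cloud.audit.lockbox.GetPayload",
        "event_time": "2024-05-01T08:00:00Z",
        "event_status": status,
        "authentication": {"subject_name": "alice@example.com"},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.cloud", "resource_id": "c-1", "resource_name": "prod-cloud"},
            {"resource_type": "resource-manager.folder", "resource_id": "f-1", "resource_name": "secrets-folder"},
        ]},
    }


# evt-1 appears twice to simulate a duplicate delivery to the log group.
SAMPLE_EVENTS = [_event("evt-1", "DONE"), _event("evt-2", "ERROR"),
                 _event("evt-3", "CANCELLED"), _event("evt-1", "DONE")]

if __name__ == "__main__":
    for entry in process(SAMPLE_EVENTS):
        print(entry["timestamp"], entry["level"], entry["message"])
```

The dedup step keys on `event_id` alone because that is the identifier the documentation designates as unique; comparing whole payloads would be slower and would not catch a redelivery whose `event_time` formatting differs.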