Trail
A trail is an Audit Trails resource for collecting and delivering audit logs of Yandex Cloud resources to an Object Storage bucket, a Cloud Logging log group, or a Data Streams data stream.
Audit log collection scope
In the trail settings, you can choose where to collect audit logs from:
- Organization: Audit logs of service resources in selected clouds of the organization hosting the trail.
- Cloud: Audit logs of service resources that are located in selected folders of the cloud hosting the trail.
- Folder: Audit logs from the folder hosting the trail.
The trail collects audit logs of all the resources within the specified scope and uploads them to a bucket, a log group, or a data stream.
If resources are added to the audit log collection scope after the trail was created, the trail automatically starts collecting audit logs for them.
Destination object
Each trail uploads audit logs only to a single destination object: a bucket, a log group, or a data stream.
Note
Changing a destination object in an existing trail may result in a loss of events. Create a new trail if you need to change the destination object safely.
When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail will write all the events that occurred to the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.
Audit Trails loads audit logs to log groups in near real time.
The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:
- If the destination object is a bucket, the message is a file containing an array of audit log JSON objects.
- If the destination object is a log group, the message contains a single audit log JSON object.
- If the destination object is a data stream, messages containing audit log JSON objects are sent to the stream.
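The three message shapes listed above, read by one function so a downstream consumer (for example, a SIEM forwarder) sees a uniform stream of events. This is an added example, not code from the Audit Trails documentation or SDK; the field names and sample payloads are constructed, and whitespace-separated objects within one data stream message are an assumption.

```python
import json
from typing import Iterator, List, Union


def iter_audit_events(payload: Union[str, bytes]) -> Iterator[dict]:
    """Yield audit log events from one delivered message.

    Bucket file: a JSON array of event objects.
    Log group message: a single JSON object.
    Data stream message: JSON objects; several per message are assumed
    to be separated by whitespace (assumption, not stated on the page).
    """
    text = payload.decode("utf-8") if isinstance(payload, bytes) else payload
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        # raw_decode() does not skip leading whitespace, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            return
        # Malformed or truncated input raises json.JSONDecodeError instead
        # of silently dropping events.
        value, pos = decoder.raw_decode(text, pos)
        for event in value if isinstance(value, list) else [value]:
            if not isinstance(event, dict):
                raise ValueError(f"expected a JSON object, got {type(event).__name__}")
            yield event


def event_ids(payload: Union[str, bytes]) -> List[str]:
    """Return the (constructed) event_id of every event in the payload."""
    return [e["event_id"] for e in iter_audit_events(payload)]


# Constructed sample payloads; field names and values are placeholders.
BUCKET_FILE = (b'[{"event_id": "a1", "event_type": "sample.Create"},\n'
               b' {"event_id": "a2", "event_type": "sample.Delete"}]\n')
LOG_GROUP_MESSAGE = '{"event_id": "b1", "event_type": "sample.Update"}'
DATA_STREAM_MESSAGE = '{"event_id": "c1"}\n{"event_id": "c2"}\n'

if __name__ == "__main__":
    for name, data in [("bucket", BUCKET_FILE), ("log group", LOG_GROUP_MESSAGE),
                       ("data stream", DATA_STREAM_MESSAGE)]:
        print(name, event_ids(data))
```

A truncated bucket file raises an error rather than returning a partial list, so an incomplete download is not mistaken for a complete audit record.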
Trails run independently of one another. By using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.
Trail settings
The trail contains all the audit log settings:
- Name: Required parameter.
- Description: Optional parameter.
- Destination section:
  - Destination: Values are Object Storage, Cloud Logging, or Data Streams.
  - For the Object Storage value:
    - Bucket: Bucket name.
    - Object prefix: Optional parameter used in the full name of the audit log file.
  - For the Cloud Logging value:
    - Log group: Log group name.
  - For the Data Streams value:
    - Data stream: Stream name.
- Service account section: Service account to use for uploading audit logs to a bucket, a log group, or a data stream. If the account needs more roles, a warning with a list of roles will show up.
- Collecting management events section:
  - Status: Toggles the collection of management event audit logs.
  - Resource: Organization, Cloud, or Folder values.
  - For the Organization value:
    - Organization: Name of the current organization. The value is populated automatically.
  - For the Cloud value:
    - Cloud: Name of the cloud hosting the current trail. The value is populated automatically.
    - Folder: Folders for whose resources the trail will collect management event audit logs. If you do not specify any folder, the trail will collect audit logs from all resources in the cloud.
  - For the Folder value:
    - Folder: Name of the folder hosting the trail. The value is populated automatically.
- Collecting data events section:
  - Status: Toggles the collection of data event audit logs.
  - List of services, each configured individually for:
What's next
- Learn more about the audit log format.
- See trail diagnostic logs.
- Learn about events.