© 2025 Direct Cursus Technology L.L.C.

Trail

Written by
Yandex Cloud
Updated at May 5, 2025

A trail is an Audit Trails resource that collects audit logs of Yandex Cloud resources and writes them to an Object Storage bucket, Cloud Logging log group, or Data Streams data flow.

Audit log collection scope

In the trail settings, you can choose where to collect audit logs from:

  • Organization: Audit logs of resources of the services in selected clouds of the organization.
  • Cloud: Audit logs of resources of the services residing in selected folders of the cloud.
  • Folder: Audit logs of the folder.

The trail collects logs of all resources within the specified scope. For resources added to the scope after the trail was created, audit log collection starts automatically.

For management events, the collection scope includes all supported Yandex Cloud services.

For data events, the collection scope is configured on a per-service basis.

You can disable collecting all management or data events for any single service or multiple services whenever you need to.

Destination object

Each trail uploads audit logs only to a single destination object: a bucket, a log group, or a data stream.

Note

Changing a destination object in an existing trail may result in a loss of events. Create a new trail if you need to change the destination object safely.

When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail writes all events that occurred on the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.

Audit Trails loads audit logs to log groups in near real time.

The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:

  • If the destination object is a bucket, the message is a file containing a JSON object array of the audit log.
  • If the destination object is a log group, the message includes a single JSON object of the audit log.
  • If the destination object is a data stream, the messages containing JSON objects of the audit log are sent to the stream.
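An added example (not from the Yandex Cloud documentation): a consumer-side normalizer that accepts a message from any of the three destination types and yields individual audit events, so downstream detection logic sees one shape. The `event_id` and `event_type` keys, the sample values, and the handling of several JSON objects in one stream message are assumptions made for illustration.

```python
import json

# Constructed sample messages; keys and values are placeholders, not real audit data.
BUCKET_FILE = (b'[{"event_id": "e1", "event_type": "example.Create"},'
               b' {"event_id": "e2", "event_type": "example.Delete"}]')
LOG_GROUP_MESSAGE = '{"event_id": "e2", "event_type": "example.Delete"}'
STREAM_MESSAGE = ('{"event_id": "e3", "event_type": "example.Update"}\n'
                  '{"event_id": "e4", "event_type": "example.Get"}')


def iter_audit_events(payload):
    """Yield event dicts from one message: a JSON array (bucket file),
    a single JSON object (log group), or one or more objects (stream)."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8")
    decoder = json.JSONDecoder()
    pos, end = 0, len(payload)
    while pos < end:
        if payload[pos].isspace():  # raw_decode does not skip leading whitespace
            pos += 1
            continue
        value, pos = decoder.raw_decode(payload, pos)
        for item in (value if isinstance(value, list) else [value]):
            if not isinstance(item, dict):
                # Fail closed: anything that is not an object is not an audit event.
                raise ValueError(f"expected JSON object, got {type(item).__name__}")
            yield item


def collect_events(messages, id_key="event_id"):
    """Merge messages from several trails, dropping events already seen.
    id_key is an assumed name for the unique event identifier."""
    seen, events = set(), []
    for message in messages:
        for event in iter_audit_events(message):
            event_id = event.get(id_key)
            if event_id is not None:
                if event_id in seen:
                    continue  # same event delivered by an overlapping trail
                seen.add(event_id)
            events.append(event)
    return events


if __name__ == "__main__":
    for event in collect_events([BUCKET_FILE, LOG_GROUP_MESSAGE, STREAM_MESSAGE]):
        print(event["event_id"], event["event_type"])
```
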

Trails run independently of one another. Using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.

Trail settings

The trail contains all the audit log settings:

  • Name: Required parameter.
  • Description: Optional parameter.
  • Destination section:
    • Destination: Object Storage, Cloud Logging, or Data Streams.
    • For the Object Storage value:
      • Bucket: Bucket name.
      • Object prefix: Optional parameter used in the full name of the audit log file.
      • Encryption key: Yandex Key Management Service symmetric encryption key for the bucket.
    • For the Cloud Logging value:
      • Log group: Log group name.
    • For the Data Streams value:
      • Data stream: Stream name.
  • Service account section: Service account to use for uploading audit logs to a bucket, a log group, or a data stream. If the account needs more roles, a warning with a list of roles will show up.
  • Collecting management events section:
    • Status: Toggles the collection of management event audit logs.
    • Resource: Organization, Cloud, or Folder.
    • For the Organization value:
      • Organization: Name of the current organization. The value is populated automatically.
    • For the Cloud value:
      • Cloud: Name of the cloud hosting the current trail. The value is populated automatically.
      • Folder: Folders for whose resources the trail will collect management event audit logs. If you do not specify any folder, the trail will collect audit logs from all resources in the cloud.
    • For the Folder value:
      • Folder: Name of the folder hosting the trail. The value is populated automatically.
  • Collecting data events section:
    • Status: Toggles the collection of data event audit logs.
    • List of services, each configured individually for:
      • Data event audit log collection scope.
      • Event filter type:
        • Receive all: To receive all events within the service.
        • Selected: To only receive the selected events.
        • Exclude: To receive all events except for the selected ones.
      • List of events: If the Selected or Exclude filter type is selected.

Use cases

  • Event search in audit logs
  • Alert settings in Yandex Monitoring
  • Configuring responses in Yandex Cloud Logging and Yandex Cloud Functions
  • Processing Yandex Audit Trails events
  • Exporting audit logs to MaxPatrol SIEM
  • Exporting audit logs to SIEM Splunk systems
  • Uploading audit logs to ArcSight SIEM
  • Uploading audit logs to KUMA SIEM using the management console, CLI, or API

What's next

  • Learn more about the audit log format.
  • See trail diagnostic logs.
  • Learn about events.
