Trail

A trail is an Audit Trails resource that collects audit logs of Yandex Cloud resources and writes them to an Object Storage bucket, Cloud Logging log group, or Data Streams data flow.

Audit log collection scopeAudit log collection scope

In the trail settings, you can choose where to collect audit logs from:

• Organization: Audit logs of resources of the services in selected clouds of the organization.
• Cloud: Audit logs of resources of the services residing in selected folders of the cloud.
• Folder: Audit logs of the folder.

The trail will collect logs of all the resources within the specified scope, including those added to the scope after the trail was created.

For resources added to the audit log collection scope after the trail was created, collecting audit logs will start automatically.

For management events, the collection scope includes all supported Yandex Cloud services.

For data events, the collection scope is configured on a per-service basis.

You can disable collecting all management or data events for any single service or multiple services whenever you need to.

Destination objectDestination object

Each trail uploads audit logs only to a single destination object: a bucket, a log group, or a data stream.

When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail will write all the events that occurred to the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.

Audit Trails loads audit logs to log groups in near real time.

The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:

• If the destination object is a bucket, the message is a file containing a JSON object array of the audit log.
• If the destination object is a log group, the message includes a single JSON object of the audit log.
• If the destination object is a data stream, the messages containing JSON objects of the audit log are sent to the stream.

Each trail runs independently of one another. Using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.

Trail settingsTrail settings

The trail contains all the audit log settings:

• Name: Required parameter.
• Description: Optional parameter.
• Destination section:
  • Destination: Object Storage, Cloud Logging, or Data Streams.
  • For the Object Storage value:
    • Bucket: Bucket name.
    • Object prefix: Optional parameter used in the full name of the audit log file.
    • Encryption key: Yandex Key Management Service symmetric encryption key for the bucket.
  • For the Cloud Logging value:
    • Log group: Log group name.
  • For the Data Streams value:
    • Data stream: Stream name.
• Service account section: Service account to use for uploading audit logs to a bucket, a log group, or a data stream. If the account needs more roles, a warning with a list of roles will show up.
• Collecting management events section:
  • Status: Toggles the collection of management event audit logs.
  • Resource: Organization, Cloud, or Folder.
  • For the Organization value:
    • Organization: Name of the current organization. The value is populated automatically.
  • For the Cloud value:
    • Cloud: Name of the cloud hosting the current trail. The value is populated automatically.
    • Folder: Folders for whose resources the trail will collect management event audit logs. If you do not specify any folder, the trail will collect audit logs from all resources in the cloud.
  • For the Folder parameter:
    • Folder: Name of the folder hosting the trail. The value is populated automatically.
• Collecting data events section:
  • Status: Toggles the collection of data event audit logs.
  • List of services, each configured individually for:
    • Data event audit log collection scope.
    • Event filter type:
      • Receive all: To receive all events within the service.
      • Selected: To only receive the selected events.
      • Exclude: To receive all events except for the selected ones.
    • List of events is Selected or Exclude filter type is selected.

Use casesUse cases

• Event search in audit logs
• Alert settings in Yandex Monitoring
• Configuring responses in Yandex Cloud Logging and Yandex Cloud Functions
• Processing Yandex Audit Trails events
• Exporting audit logs to MaxPatrol SIEM
• Exporting audit logs to SIEM Splunk systems
• Uploading audit logs to ArcSight SIEM
• Uploading audit logs to KUMA SIEM using the management console, CLI, or API

What's nextWhat's next

• Learn more about the audit log format.
• See trail diagnostic logs.
• Learn about events.