© 2026 Direct Cursus Technology L.L.C.

In this article:

  • Getting started
  • Creating a trail
  • Viewing audit logs
  • Exporting audit logs to SIEM
  • What's next

Getting started with Audit Trails

Written by
Yandex Cloud
Updated at June 29, 2026

Audit Trails collects audit logs of Yandex Cloud resources so that you can monitor actions on resources and access events. You can upload logs to a Yandex Object Storage bucket, Yandex Cloud Logging log group, or Yandex Data Streams data stream.

Audit logs are collected and delivered to Audit Trails using trails. You need a separate trail for each storage type.

Follow this guide to create a trail to upload the audit logs of your organization’s resources. Select the destination object, depending on your goal:

  • Object Storage bucket for long-term storage of audit logs and their future analysis.
  • Cloud Logging log group to quickly view and search logs in real time. A good option for your first introduction to the service.

Getting started

This guide assumes that you already have Yandex Cloud resources, so first make sure that:

  • You have a cloud.
  • Your cloud has a linked billing account with the ACTIVE or TRIAL_ACTIVE status.

To create a trail, you will need the following roles:

  • iam.serviceAccounts.user for the service account to collect audit logs. You can create this service account when creating the trail.
  • audit-trails.editor for the folder to host the trail.
  • audit-trails.viewer for the organization whose audit logs will be collected.
  • If using a bucket:
    • kms.editor for the folder the bucket encryption key will be created in.
    • storage.viewer for the bucket or folder.
  • If using a log group: logging.viewer for the log group or folder.

Note

If you cannot manage roles, contact your cloud or organization administrator.

Creating a trail

Bucket
  1. In the management console, select the folder to host the trail.

  2. Navigate to Audit Trails.

  3. Click Create trail.

  4. In the Name field, enter a name for the trail.

  5. Under Destination, configure the destination object:

    • Destination: Object Storage.
    • Bucket: Select the bucket to upload audit logs to. If you do not have a bucket yet, click Create and create a new bucket with restricted access.
    • Object prefix: Optional parameter used in the full name of the audit log file.

    Note

    Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

    • Encryption key: If the bucket you selected is encrypted, specify the encryption key.
  6. Under Service account, select an existing service account or create a new one. The trail will use this account to upload audit log files to the bucket.
    If you are creating a new account, click Create, name the account, and assign the following roles to it:

    • storage.uploader for the bucket.
    • audit-trails.viewer for the folder if planning to collect events from the folder.
    • kms.keys.encrypter for the encryption key if the bucket is encrypted.
  7. Under Collecting management events, set up the following:

    • Collecting events: Enabled.
    • Resource: Select the event collection level: Organization, Cloud, or Folder.
    • Depending on the event collection level you select:
      • Assign relevant roles to the service account. For example, if you select the Folder level, it will need the audit-trails.viewer role for this folder.
      • Specify an organization, cloud, or folder to collect audit logs from.
  8. Check Collecting data events and adjust the settings if required:

    Warning

    In the management console, collection of some data events is on by default. Their delivery is billed as per the pricing policy. If you do not need data events, disable their collection.

    • Collecting events: Enabled.

    • Select the services to collect audit logs for.

    • For each service you select, specify the audit log collection scope and event filter type:

      • Receive all: To receive all events within the service.
      • Selected: To receive only the selected events. Then proceed to select the events.
      • Exclude: To receive all events except for the selected ones. Then proceed to select the events.
  9. Click Create.

Log group

  1. In the management console, select the folder to host the trail.

  2. Navigate to Audit Trails.

  3. Click Create trail.

  4. In the Name field, enter a name for the trail.

  5. Under Destination, configure the destination object:

    • Destination: Cloud Logging.
    • Log group: Select a log group to upload audit logs to. If you do not have a log group yet, click Create and create a new log group.
  6. Under Service account, select an existing service account or create a new one. The trail will use this account to upload audit log files to the log group.
    If you are creating a new account, click Create, name the account, and assign the following roles to it:

    • logging.writer for the log group.
    • audit-trails.viewer for the folder if planning to collect events from the folder.
  7. Under Collecting management events, configure the collection of management event audit logs:

    • Collecting events: Select Enabled.
    • Resource: Select the event collection level: Organization, Cloud, or Folder.
    • Depending on the event collection level you select:
      • Assign relevant roles to the service account. For example, if you select the Folder level, it will need the audit-trails.viewer role for this folder.
      • Specify an organization, cloud, or folder to collect audit logs from.
  8. Check Collecting data events and adjust the settings if required:

    Warning

    In the management console, collection of some data events is on by default. Their delivery is billed as per the pricing policy. If you do not need data events, disable their collection.

    • Collecting events: Enabled.

    • Select the services to collect audit logs for.

    • For each service you select, specify the audit log collection scope and event filter type:

      • Receive all: To receive all events within the service.
      • Selected: To receive only the selected events. Then proceed to select the events.
      • Exclude: To receive all events except for the selected ones. Then proceed to select the events.
  9. Click Create.

You can also create a trail using the CLI, Terraform, or API.

Note

Changing the destination object of an existing trail may result in the loss of some events. To prevent data loss, create a dedicated trail for each destination object.

Viewing audit logs

Bucket

Audit Trails generates audit log files approximately once every 5 minutes. Audit Trails creates log files in JSON format.

Access the contents of the audit log file using one of the following methods:

  • Download the object.
  • Get a public link to the object.
  • Mount the bucket using FUSE: s3fs or goofys.

Log group

In the Cloud Logging UI, you can view audit logs in real time.

  1. In the management console, select the folder with the log group.
  2. Select Cloud Logging.
  3. Click the row with the log group.
  4. Navigate to the Logs tab.
  5. Configure event search filters.

Exporting audit logs to SIEM

You can export audit log files to your SIEM solution.
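As an added illustration of the bucket viewing and SIEM export steps above (example code, not part of the Yandex Cloud documentation), the following Python sketch reads one downloaded JSON log file, flattens each event to the fields a SIEM typically indexes, and emits time-ordered newline-delimited JSON. The field names (`event_time`, `event_type`, `event_status`, `authentication`, `authorization`, `request_metadata`), the `ERROR` status value, and the sample events are assumptions to check against the management event reference.

```python
import json

# Constructed sample of one downloaded log file (not real data). Field names
# and values are assumptions; verify them against the management event reference.
SAMPLE_FILE = json.dumps([
    {"event_time": "2026-06-29T10:05:12Z", "event_type": "example.storage.BucketUpdate",
     "event_status": "ERROR",
     "authentication": {"subject_id": "sa-0002", "subject_name": "ci-deployer"},
     "authorization": {"authorized": False},
     "request_metadata": {"remote_address": "198.51.100.7"}},
    {"event_time": "2026-06-29T10:01:40Z", "event_type": "example.iam.CreateServiceAccount",
     "event_status": "DONE",
     "authentication": {"subject_id": "user-0001", "subject_name": "alice"},
     "authorization": {"authorized": True},
     "request_metadata": {"remote_address": "192.0.2.10"}},
    {"event_time": "2026-06-29T10:03:00Z", "event_type": "example.kms.SymmetricKeyUpdate",
     "event_status": "DONE",
     "authentication": {"subject_id": "sa-0003"}},  # no authorization/request block
])

def load_events(text):
    """Accept a JSON array, a single JSON object, or one JSON object per line."""
    text = text.strip()
    if not text:
        return []
    try:
        data = json.loads(text)
    except json.JSONDecodeError:  # several documents in one file: parse line by line
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    return data if isinstance(data, list) else [data]

def flatten(event):
    """Reduce one event to flat fields; missing blocks become None, not errors."""
    auth = event.get("authentication") or {}
    authz = event.get("authorization") or {}
    req = event.get("request_metadata") or {}
    rec = {"time": event.get("event_time"), "type": event.get("event_type"),
           "status": event.get("event_status"),
           "subject": auth.get("subject_name") or auth.get("subject_id"),
           "source_ip": req.get("remote_address"),
           "authorized": authz.get("authorized")}
    # Flag denied or failed actions so the SIEM can route them to triage.
    rec["review"] = rec["authorized"] is False or rec["status"] == "ERROR"
    return rec

def to_ndjson(text):
    """Return time-ordered NDJSON, one flattened event per line."""
    records = sorted((flatten(e) for e in load_events(text)), key=lambda r: r["time"] or "")
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)
```

Run `to_ndjson` over each object downloaded from the bucket and hand the output to your SIEM's file or HTTP collector.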

What's next

  • Learn more about the service.
  • Learn more about the types of audit logs.
  • Read about audit log requirements in the security standard.
