Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Exporting audit logs to SIEM Splunk systems

Written by
Updated at October 29, 2024

Create a trail to upload management event audit logs of resources in an individual folder to an Yandex Object Storage bucket with encryption enabled. Then configure continuous log delivery to SIEM Splunk.

The solution described in the tutorial follows the steps below:

  1. A trail uploads logs to an Object Storage bucket.
  2. The bucket is mounted as part of an intermediate VM's filesystem.
  3. The intermediate VM runs a script that pulls logs from the bucket on a schedule and pushes them to Splunk.

To configure delivery of audit log files from a bucket to Splunk:

  1. Prepare your cloud.
  2. Prepare the environment.
  3. Assign roles to the service account.
  4. Create a trail.
  5. Set up Splunk for import.
  6. Enable egress NAT for the subnet with the intermediate VM.
  7. Create an intermediate VM.
  8. Visualize data in Splunk.

Some steps are completed in Terraform.

If you no longer need the resources you created, delete them.

Getting started

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

To complete the tutorial, a Splunk instance must be available to the intermediate VM on port 8080.

The infrastructure support cost includes:

Prepare the environment

Create a new bucket to use for uploading audit logs

  1. In the management console, select the folder where you want to create a bucket.
  2. Select Object Storage.
  3. Click Create bucket.
  4. On the bucket creation page:

    1. Enter a name for the bucket according to the naming requirements.

      By default, a bucket with a dot in the name is only available over HTTP. To provide HTTPS support for your bucket, upload your own security certificate to Object Storage.

    2. Limit the maximum bucket size, if required.

      If the value is 0, the maximum size is not limited and is similar to the enabled No limit option.

    3. In the Object read access, Object listing access, and Read access to settings fields, select Restricted.

    4. Select the default storage class.

    5. Click Create bucket to complete the operation.

Create an encryption key in Key Management Service

  1. In the management console, select the folder containing your bucket.

  2. Select Key Management Service.

  3. Click Create key and set the key attributes:

    • Any name and optional description.
    • Encryption algorithm, e.g., AES-256.
    • Rotation period (how often to change key versions).
    • Click Create.

The key is created together with its first version: click the key in the list to open a page with its attributes.

Enable bucket encryption

  1. In the management console, select the bucket you want to configure encryption for.

  2. In the left-hand panel, select Security.

  3. Open the Encryption tab.

  4. In the KMS Key field, select an existing key or create a new one:

    1. If the folder does not contain any keys yet, click Create key. If there are keys but they are not suitable, click Create new key.
    2. Enter a name for the key.
    3. Select an encryption algorithm and a rotation period.
    4. Click Create.

  5. Click Save.

Create a service account

  1. In the management console, select the folder where you want to create a service account.

  2. At the top of the screen, go to the Service accounts tab.

  3. Click Create service account.

  4. Enter a name for the service account. The naming requirements are as follows:

    • The name must be from 3 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • The first character must be a letter and the last character cannot be a hyphen.

  5. Click Create.

Assign roles to the service account

  1. Assign the audit-trails.viewer role to the folder whose resources will be polled for audit logs:

    yc resource-manager folder add-access-binding \
--role audit-trails.viewer \
--id <folder_ID> \
--service-account-id <service_account_ID>

    Where:

    • --role: Role you want to assign.
    • --id: ID of the folder from which audit logs will be collected.
    • --service-account-id: Service account ID.

  2. Assign the storage.uploader role to the folder to host the trail:

    yc resource-manager folder add-access-binding \
--role storage.uploader \
--id <folder_ID> \
--service-account-id <service_account_ID>

    Where:

    • --role: Role you want to assign.
    • --id: ID of the folder to host the trail.
    • --service-account-id: Service account ID.

  3. Assign the kms.keys.encrypterDecrypter role to the encryption key:

    yc kms symmetric-key add-access-binding \
--role kms.keys.encrypterDecrypter \
--id <KMS_key_ID> \
--service-account-id <service_account_ID>

    Where:

    • --role: Role you want to assign.
    • --id: KMS key ID.
    • --service-account-id: Service account ID.

Create a trail

To create the trail, make sure you have the following roles:

  • iam.serviceAccounts.user for the service account.
  • audit-trails.editor for the folder to host the trail.
  • audit-trails.viewer for the folder to collect audit logs from.
  • storage.viewer for the bucket or folder.

  1. In the management console, select the folder where you want to create the trail.

  2. Select Audit Trails.

  3. Click Create trail and specify:

    • Name: Name of the new trail.
    • Description: Trail description (optional).

  4. Under Destination, configure the destination object:

    • Destination: Object Storage.
    • Bucket: Name of the bucket to which you want to upload audit logs.
    • Object prefix: Optional parameter used in the full name of the audit log file.

    Note

    Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.

    • Encryption key: Specify the encryption key the bucket is encrypted with.

  5. Under Service account, select the service account that the trail will use to upload audit log files to the bucket.

  6. Under Collecting management events, configure the collection of management event audit logs:

    • Collecting events: Select Enabled.
    • Resource: Select Folder.
    • Folder: Automatically populated field containing the name of the current folder.

  7. Under Collecting data events, select Disabled in the Collecting events field.

  8. Click Create.

Warning

The solution will delete the logs from the bucket after they are exported to Splunk. If you need to keep the logs in the bucket, create a separate bucket and trail.

Set up Splunk for import

Enable HTTPEventCollector and follow this guide to get the Event Collector token.

Set up a NAT gateway for the subnet with the intermediate VM

  1. Create a NAT gateway:

    1. In the management console, select the folder containing the subnet for the intermediate VM.

    2. In the list of services, select Virtual Private Cloud.

    3. In the left-hand panel, select Gateways.

    4. Click Create.

    5. Enter a name for the gateway. The naming requirements are as follows:

      • The name must be from 3 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • The first character must be a letter and the last character cannot be a hyphen.

    6. The default gateway type is Egress NAT.

    7. Click Save.

  2. Create a route table:
    1. In the left-hand panel, select Routing tables.
    2. Click Create to add a new table, or select an existing one.
    3. Click Add a route.
    4. In the window that opens, select Gateway in the Next hop field.
    5. In the Gateway field, select the NAT gateway you created. The destination prefix will be propagated automatically.
    6. Click Add.
    7. Click Save.
  3. Link the route table to the subnet where you want to deploy the intermediate VM, to forward its traffic via the NAT gateway:
    1. In the left-hand panel, select Subnets.
    2. In the row with the subnet you need, click .
    3. In the menu that opens, select Link routing table.
    4. In the window that opens, select the created table from the list.
    5. Click Link.

Create a VM for continuous log delivery to Splunk

  1. If you don't have Terraform, install it and configure the Yandex Cloud provider.

  2. Clone a repository from Yandex Cloud Security Solution Library:

    git clone https://github.com/yandex-cloud-examples/yc-export-auditlogs-to-splunk.git

  3. Create a subfolder in /yc-export-auditlogs-to-splunk/terraform/ and go there.

  4. Create a configuration file to invoke the yc-splunk-trail module:

    module "yc-splunk-trail" {
   source = "../modules/yc-splunk-trail/"
   folder_id = <folder_ID>
   splunk_token = <Event_Collector_token>
   splunk_server = <your_Splunk_server_address>:8088
   bucket_name = <bucket_name>
   bucket_folder = <name_of_root_folder_in_bucket>
   sa_id = <service_account_ID>
   coi_subnet_id = <subnet_ID>
}

    Where:

    • folder_id: Folder ID.
    • splunk_token: Event Collector token retrieved from Splunk.
    • splunk_server: Address of your Splunk server as https://<host_name_or_address>.
    • bucket_name: Bucket name.
    • bucket_folder: Name of the root folder in the bucket.
    • sa_id: Service account ID.
    • coi_subnet_id: ID of the subnet where you set up the NAT gateway.

  5. Make sure that the configuration files are correct:

    terraform plan

    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.

  6. Deploy cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply

    2. Confirm resource creation: enter yes in the terminal and press Enter.

Visualize data in Splunk

  1. Go to Splunk and search for the events created by the service account:

    index="main" authentication.subject_type="SERVICE_ACCOUNT" | stats count by event_type

  2. To visualize the results, go to the Visualization tab and select a suitable format (LineChart, PieChart, etc.):

    Data visualization example:

    image

How to delete the resources you created

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. To delete the resources created with Terraform:

    1. Run this command:

      terraform destroy

      Warning

      Terraform will delete all the resources that you created in the current configuration, such as networks, subnets, virtual machines, and so on.

      After the command is executed, the terminal will display a list of resources to be deleted.

    2. To confirm deletion, type yes and press Enter.

  2. Delete the Object Storage bucket.

  3. Delete the Key Management Service key.

  4. Delete the route table.

  5. Delete the NAT gateway.

Previous
Exporting audit logs to MaxPatrol SIEM
Next
Uploading audit logs to ArcSight SIEM