Exporting audit logs to MaxPatrol SIEM using the management console or Yandex Cloud CLI

Written by
Yandex Cloud
Updated at April 14, 2026

MaxPatrol SIEM allows reading Yandex Cloud audit logs from a data stream in Yandex Data Streams. To complete this tutorial, you need access to a MaxPatrol SIEM instance.

To set up audit log export using the management console or Yandex Cloud CLI:

  1. Get your cloud ready.
  2. Set up your environment.
  3. Create a trail to send logs to the stream in Data Streams.
  4. In MaxPatrol SIEM, set up a task to collect data from the stream in Data Streams.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.

Learn more about clouds and folders here.

Required paid resources

The cost of maintaining the new infrastructure includes:

  • Using a data stream (see Data Streams pricing).
  • Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).

Set up your environment

Create service accounts

The trail will use the maxpatrol-sa service account to collect logs for all your organization's resources and upload them to the specified data stream in Data Streams. MaxPatrol SIEM will use the maxpatrol-reader-sa service account to load audit logs from the data stream.

Create a service account in the same folder where you will be creating the trail, e.g., in example-folder:

Management console

  1. In the management console, select example-folder.
  2. Go to Identity and Access Management.
  3. Click Create service account.
  4. In the Name field, specify maxpatrol-sa.
  5. In the Roles in the folder field, click Add role and select the yds.writer role for the folder.
  6. Click Create.

Repeat these steps to create the maxpatrol-reader-sa service account and assign it the yds.viewer role for the folder.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. Create a service account named maxpatrol-sa:

    yc iam service-account create \
      --name maxpatrol-sa
    

    Result:

    done (2s)
    id: ajecq2artiv5********
    folder_id: b1g5bhjofg7o********
    created_at: "2026-03-18T18:29:53Z"
    name: maxpatrol-sa
    
  2. Repeat these steps to create the maxpatrol-reader-sa service account.

For more information about the yc iam service-account create command, see the CLI reference.

Assign roles to the service accounts

Assign the roles the service accounts still lack. If you created them in the management console, the folder-level yds.writer and yds.viewer roles are already in place and only audit-trails.viewer on the organization remains; the CLI path assigns all three. Keep the split as described: maxpatrol-sa reads audit logs and writes to the stream, maxpatrol-reader-sa only reads the stream.

Cloud Center UI

  1. Log in to Yandex Identity Hub using an administrator or organization owner account.
  2. In the left-hand panel, select Access bindings.
  3. Click Assign roles in the top-right corner of the page. In the window that opens, select the maxpatrol-sa service account. If required, use the search bar.
  4. Click Add role and select audit-trails.viewer.
  5. Click Save.

CLI

  1. Assign the yds.writer role for example-folder to the maxpatrol-sa service account:

    yc resource-manager folder add-access-binding example-folder \
      --role yds.writer \
      --subject serviceAccount:<service_account_ID>
    

    Where:

    • --role: Role to assign.
    • --subject: maxpatrol-sa service account ID.
  2. Repeat these steps to assign the yds.viewer role to the maxpatrol-reader-sa service account for example-folder.

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

  3. Assign the maxpatrol-sa service account the audit-trails.viewer role for the organization:

    yc organization-manager organization add-access-binding \
      --role audit-trails.viewer \
      --id <organization_ID> \
      --service-account-id <service_account_ID>
    

    Where:

    • --role: Role being assigned.
    • --id: ID of the organization the service account belongs to.
    • --service-account-id: maxpatrol-sa service account ID.

    For more information about the yc organization-manager organization add-access-binding command, see the CLI reference.
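A check worth running once the bindings are in place: confirm that each service account holds exactly the roles this tutorial needs and nothing more, so the static key you are about to issue for maxpatrol-reader-sa cannot be used for anything beyond reading the stream. The script below is an added example, not part of this page or of the yc CLI. It consumes the JSON printed by yc resource-manager folder list-access-bindings --format json and yc organization-manager organization list-access-bindings --format json (a list of objects with role_id and subject.id / subject.type), compares it with the expected set per scope, and reports missing and excess roles. The service account IDs and the binding lists in it are constructed sample data; in the sample, the reader account has been given editor by mistake and the organization-level binding has not been made yet.

```python
"""Least-privilege check for the two service accounts this tutorial creates.

Added example, not part of the Yandex Cloud documentation. Input is the JSON
that `yc ... list-access-bindings --format json` prints: a list of
{"role_id": ..., "subject": {"id": ..., "type": ...}} objects.
"""
from __future__ import annotations

import json

# Service account IDs as returned by `yc iam service-account create`
# (placeholders for this example).
MAXPATROL_SA = "ajecq2artiv500000000"
MAXPATROL_READER_SA = "ajegtlf2q28a00000000"

# What the tutorial requires, per scope: the trail writer gets yds.writer on
# the folder and audit-trails.viewer on the organization; the SIEM reader
# gets yds.viewer on the folder and nothing else anywhere.
EXPECTED: dict[str, dict[str, set[str]]] = {
    "folder": {
        MAXPATROL_SA: {"yds.writer"},
        MAXPATROL_READER_SA: {"yds.viewer"},
    },
    "organization": {
        MAXPATROL_SA: {"audit-trails.viewer"},
        MAXPATROL_READER_SA: set(),
    },
}

# Constructed sample output of the two list-access-bindings commands.
FOLDER_BINDINGS_JSON = json.dumps([
    {"role_id": "yds.writer", "subject": {"id": MAXPATROL_SA, "type": "serviceAccount"}},
    {"role_id": "yds.viewer", "subject": {"id": MAXPATROL_READER_SA, "type": "serviceAccount"}},
    {"role_id": "editor", "subject": {"id": MAXPATROL_READER_SA, "type": "serviceAccount"}},
    {"role_id": "viewer", "subject": {"id": "ajeuser000000000000a", "type": "userAccount"}},
])
ORG_BINDINGS_JSON = json.dumps([
    {"role_id": "organization-manager.admin",
     "subject": {"id": "ajeuser000000000000a", "type": "userAccount"}},
])


def roles_by_service_account(bindings_json: str) -> dict[str, set[str]]:
    """Group role_ids by service-account ID; user and group subjects are ignored."""
    roles: dict[str, set[str]] = {}
    for binding in json.loads(bindings_json):
        subject = binding["subject"]
        if subject["type"] != "serviceAccount":
            continue
        roles.setdefault(subject["id"], set()).add(binding["role_id"])
    return roles


def audit_bindings(scope: str, bindings_json: str) -> dict[str, dict[str, set[str]]]:
    """Return {sa_id: {"missing": roles, "excess": roles}} for the tutorial's accounts.

    Excess roles matter most: any role beyond the expected set widens what a
    leaked static key of that account can do.
    """
    actual = roles_by_service_account(bindings_json)
    report = {}
    for sa_id, wanted in EXPECTED[scope].items():
        have = actual.get(sa_id, set())
        report[sa_id] = {"missing": wanted - have, "excess": have - wanted}
    return report


def is_least_privilege(scope: str, bindings_json: str) -> bool:
    """True only when every tutorial account has exactly its expected roles."""
    return all(not r["missing"] and not r["excess"]
               for r in audit_bindings(scope, bindings_json).values())


if __name__ == "__main__":
    for scope, data in (("folder", FOLDER_BINDINGS_JSON), ("organization", ORG_BINDINGS_JSON)):
        for sa_id, r in audit_bindings(scope, data).items():
            if r["missing"] or r["excess"]:
                print(f"{scope} {sa_id}: missing={sorted(r['missing'])} "
                      f"excess={sorted(r['excess'])}")
```

Run it against the real command output by replacing the two JSON constants with the files you save from yc; anything reported under excess for maxpatrol-reader-sa should be removed before the key is created.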

Create a static access key for MaxPatrol SIEM

MaxPatrol SIEM authenticates its Data Streams requests with a static access key (a key ID and a secret). The key carries the permissions of the service account it belongs to, so issue it for maxpatrol-reader-sa, which holds only yds.viewer for the folder, and not for maxpatrol-sa.

Create a static access key for the maxpatrol-reader-sa service account:

Management console

  1. In the management console, select example-folder.
  2. Go to Identity and Access Management.
  3. In the left-hand panel, select Service accounts and select the maxpatrol-reader-sa service account from the list that opens.
  4. In the top panel, click Create new key and select Create static access key.
  5. Enter a description for the key and click Create.

Alert

Save the ID and secret key. After you close this dialog, the key value will no longer be available.

CLI

Run this command:

yc iam access-key create \
  --service-account-name maxpatrol-reader-sa

Result:

access_key:
  id: aje38c5mjq11********
  service_account_id: ajegtlf2q28a********
  created_at: "2026-03-18T17:39:41.851532824Z"
  key_id: YCAJEnmnfsV8GpAMk********
secret: YCMVxx-n0t8Y6s48zJDdKw9lWMB1iGU-********

Alert

Save the ID (key_id) and secret key (secret). You cannot get the secret key again.

For more information about the yc iam access-key create command, see the CLI reference.

Create a YDB serverless database

A stream in Data Streams is hosted by a YDB database, so create the database first.

Management console

  1. In the management console, select example-folder.
  2. Click Create resource and select YDB database.
  3. Specify Name: maxpatrol-db.
  4. Under Database type, select Serverless.
  5. Keep the default values for all other parameters.
  6. Click Create a database.

Wait for the database status to change to Running.

CLI

  1. Create a database:

    yc ydb database create \
      --name maxpatrol-db \
      --serverless \
      --folder-name example-folder
    

    Where:

    • --name: Database name.
    • --serverless: Create the database in serverless mode.
    • --folder-name: Folder name.

    Result:

    done (36s)
    id: etnubo9ude8e********
    folder_id: b1g5bhjofg7o********
    created_at: "2026-03-18T18:34:31Z"
    name: maxpatrol-db
    status: PROVISIONING
    ...
    

    For more information about the yc ydb database create command, see the CLI reference.

  2. Check the status of the new database:

    yc ydb database get maxpatrol-db
    

    Wait for the database status to change to RUNNING.

Create a data stream

The trail will upload organization resource logs to this data stream.

Management console
  1. In the management console, select example-folder.
  2. Click Create resource and select Data stream.
  3. In the Database field, select maxpatrol-db.
  4. Specify the Name: maxpatrol-stream.
  5. Leave the other settings at their defaults.
  6. Click Create.

Wait for the data stream status to change to Running.

Create a trail

The trail will collect management event audit logs for all your organization's resources and upload them to the maxpatrol-stream data stream.

Management console

  1. In the management console, select example-folder.
  2. Click Create resource and select Trail.
  3. Specify the Name for the new trail: maxpatrol-trail.
  4. Under Destination, configure the destination object:
    • Destination: Data Streams.
    • Data stream: Select maxpatrol-stream.
  5. Under Service account, select maxpatrol-sa.
  6. Under Collecting management events, configure the collection of management event audit logs:
    • Collecting events: Select Enabled.
    • Resource: Select Organization.
    • Organization: Automatically populated field displaying the name of the organization to host the trail.
    • Cloud: Keep the default value, All.
  7. Under Collecting data events, select Disabled in the Collecting events field.
  8. Click Create.

CLI

Create the maxpatrol-trail trail:

yc audit-trails trail create \
  --name maxpatrol-trail \
  --service-account-id <service_account_ID> \
  --destination-yds-stream maxpatrol-stream \
  --destination-yds-database-id <YDS_database_ID> \
  --filter-all-organisation-id <organization_ID>

Where:

  • --name: Name of the new trail.
  • --service-account-id: maxpatrol-sa service account ID.
  • --destination-yds-stream: Stream name.
  • --destination-yds-database-id: maxpatrol-db database ID.
  • --filter-all-organisation-id: ID of the organization whose resources' management events the trail will collect (all clouds in the organization).

Result:

done (1s)
id: cnpvbmk64136********
folder_id: b1g5bhjofg7o********
created_at: "2026-03-18T10:57:33.322Z"
updated_at: "2026-03-18T10:57:33.322Z"
name: maxpatrol-trail
destination:
  data_stream:
    database_id: etn5bfdglcn8********
    stream_name: maxpatrol-stream
    codec: RAW
service_account_id: aje1jot7q7eh********
status: ACTIVE
cloud_id: b1gj9ja2h4ct********
filtering_policy:
  management_events_filter:
    resource_scopes:
      - id: bpfaidqca8vd********
        type: organization-manager.organization

For more information about the yc audit-trails trail create command, see the CLI reference.

For more information about creating a trail, see Creating a trail to upload audit logs.

Configure MaxPatrol SIEM

Create credentials

MaxPatrol SIEM stores secrets as credentials, so the key never has to appear in a task definition. Create credentials named static-key-id and static-key-private to store the ID and the secret key of the maxpatrol-reader-sa service account:

  1. Log in to the MaxPatrol SIEM web interface.
  2. Under Data collection, click Credentials.
  3. Click Add credential → Password and specify the following:
    • Name: static-key-id.
    • Password: Static key ID.
    • Confirm password: Reenter static key ID.
  4. Click Save.

Similarly, create a credential named static-key-private containing the secret key.

Create a data collection task

Create and run a data collection task with the Yandex Data Streams profile:

  1. Log in to the MaxPatrol SIEM web interface.
  2. Under Data collection, click Tasks.
  3. On the Data collection tasks page:
    1. In the toolbar, click Create task.
    2. Click Data collection.
  4. On the Create data collection task page, specify the following parameters:
    1. Name: YDS-logs-task.
    2. Profile: Yandex Data Streams.
    3. In the hierarchy list, select Run script.
    4. Under Connection, specify:
      • Credentials: static-key-id.
      • Credentials for privilege elevation: static-key-private.
    5. Script settings:
      • database: <maxpatrol-db_ID>.
      • folder: <cloud_ID_for_example-folder>.
      • region_name: ru-central1.
      • stream_name: maxpatrol-stream.
    6. In the Data collection targets panel:
      1. Select the Include tab.
      2. In the Network addresses field, enter yandex-cloud.
    7. Click Save and run.

To view logs, go to the events page:

  1. Go to the Data collection tasks page.
  2. Click YDS-logs-task.
  3. Click Collected events → Select.
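What lands in MaxPatrol SIEM through YDS-logs-task is the series of management events the trail selected, each a JSON document in the format described in the Management event reference. The script below is an added example, not part of this page or of MaxPatrol SIEM; it shows what a consumer of the stream, or a correlation rule over the collected events, would look for in this feed: operations that change logging coverage or credentials (trail deleted or reconfigured, static access key created, folder access bindings changed) and requests that IAM denied. It assumes each stream record holds either one JSON event or a JSON array of events, and that the fields event_metadata.event_type, authentication.subject_*, authorization.authorized, request_metadata.remote_address and event_status are present as in the reference. The event type strings are assumed to match the names the reference uses; the records themselves are constructed sample data.

```python
"""Triage of Audit Trails management events read from the data stream.

Added example, not part of the Yandex Cloud documentation or of MaxPatrol SIEM.
Event type names are assumptions to be checked against the Management event
reference; all records below are constructed sample data.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Iterable

# Operations that change who can read audit logs, who holds credentials, or
# whether logging continues at all, mapped to the finding text a rule emits.
WATCHED_EVENT_TYPES = {
    "yandex.cloud.audit.audittrails.DeleteTrail": "audit trail deleted",
    "yandex.cloud.audit.audittrails.UpdateTrail": "audit trail reconfigured",
    "yandex.cloud.audit.iam.CreateAccessKey": "static access key created",
    "yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings": "folder access bindings changed",
}


def _event(event_type, subject_id, subject_name, subject_type="YANDEX_PASSPORT_USER_ACCOUNT",
           authorized=True, status="DONE", details=None, addr="203.0.113.10"):
    """Build one constructed event carrying the fields the reference lists."""
    return {
        "event_metadata": {
            "event_id": f"{event_type}:{subject_id}",
            "event_type": event_type,
            "created_at": "2026-03-18T10:57:33Z",
            "cloud_id": "b1gj9ja2h4ct00000000",
            "folder_id": "b1g5bhjofg7o00000000",
        },
        "authentication": {"authenticated": True, "subject_type": subject_type,
                           "subject_id": subject_id, "subject_name": subject_name},
        "authorization": {"authorized": authorized},
        "request_metadata": {"remote_address": addr, "user_agent": "yc", "request_id": "req-1"},
        "event_status": status,
        "details": details or {},
    }


# Constructed stream records: a single-event record, a batch, and a denied request.
SAMPLE_RECORDS = [
    json.dumps(_event("yandex.cloud.audit.audittrails.CreateTrail", "ajeuser0000000000001",
                      "admin@example.com", details={"trail_name": "maxpatrol-trail"})),
    json.dumps([
        _event("yandex.cloud.audit.iam.CreateAccessKey", "ajeuser0000000000002", "dev@example.com",
               details={"service_account_id": "ajegtlf2q28a00000000"}),
        _event("yandex.cloud.audit.audittrails.DeleteTrail", "ajeuser0000000000002", "dev@example.com",
               details={"trail_name": "maxpatrol-trail"}, addr="198.51.100.7"),
    ]),
    json.dumps(_event("yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings",
                      "ajesa00000000000001", "ci-deployer", subject_type="SERVICE_ACCOUNT",
                      authorized=False, status="ERROR")),
]


def parse_records(records: Iterable[str]) -> list[dict]:
    """Decode stream records into a flat list of events (a record may be one event or a batch)."""
    events: list[dict] = []
    for raw in records:
        body = json.loads(raw)
        events.extend(body if isinstance(body, list) else [body])
    return events


def triage(events: Iterable[dict]) -> list[dict]:
    """Return findings for watched operations and for requests that IAM denied."""
    findings = []
    for ev in events:
        meta, auth = ev["event_metadata"], ev["authentication"]
        who = f'{auth.get("subject_name")} ({auth.get("subject_type")})'
        src = ev.get("request_metadata", {}).get("remote_address")
        etype = meta["event_type"]
        base = {"event_type": etype, "subject": who, "source": src,
                "status": ev.get("event_status"), "details": ev.get("details", {})}
        if etype in WATCHED_EVENT_TYPES:
            findings.append({**base, "severity": "high", "reason": WATCHED_EVENT_TYPES[etype]})
        # A denied call is still worth a finding: it shows who tried what from where.
        if not ev.get("authorization", {}).get("authorized", True):
            findings.append({**base, "severity": "medium", "reason": "request denied by IAM"})
    return findings


def events_per_subject(events: Iterable[dict]) -> Counter:
    """Count events per subject_id; a burst from one principal is worth a look."""
    return Counter(ev["authentication"]["subject_id"] for ev in events)


if __name__ == "__main__":
    evs = parse_records(SAMPLE_RECORDS)
    for f in triage(evs):
        print(f'[{f["severity"]}] {f["reason"]}: {f["event_type"]} '
              f'by {f["subject"]} from {f["source"]} ({f["status"]})')
    print(events_per_subject(evs))
```

The same event types are the first ones to alert on in MaxPatrol SIEM itself: a DeleteTrail or UpdateTrail against maxpatrol-trail means the feed you are looking at may already be incomplete.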

How to delete the resources you created

Delete the resources you no longer need to avoid paying for them, and revoke the credentials that no longer have a consumer:

  • Delete maxpatrol-trail.
  • Delete maxpatrol-stream.
  • Delete maxpatrol-db.
  • Delete the static access key of maxpatrol-reader-sa, and the maxpatrol-sa and maxpatrol-reader-sa service accounts if nothing else uses them: a key that outlives the SIEM task is a standing credential for reading your audit logs.

See also

  • Exporting audit logs to MaxPatrol SIEM using Terraform

© 2026 Direct Cursus Technology L.L.C.