Exporting audit logs to MaxPatrol SIEM using Terraform
MaxPatrol SIEM enables reading Yandex Cloud audit logs from a data stream in Yandex Data Streams. To complete this tutorial, you need access to a MaxPatrol SIEM instance.
To set up audit log export using Terraform:
- Get your cloud ready.
- Deploy the infrastructure for audit log export to MaxPatrol SIEM.
- In MaxPatrol SIEM, set up a task to collect data from the stream in Data Streams.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the
ACTIVEorTRIAL_ACTIVEstatus. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.
Learn more about clouds and folders here.
Required paid resources
The cost of support for the new infrastructure includes:
- Using a data stream (see Data Streams pricing).
- Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).
Deploy the infrastructure for audit log export to MaxPatrol SIEM
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.
To create an infrastructure using Terraform:
-
Install Terraform, get the credentials, and specify the source for installing Yandex Cloud (see Configure your provider, step 1).
-
Set up your infrastructure description files:
Ready-made configurationManually-
Clone the repository with configuration files:
git clone https://github.com/yandex-cloud-examples/yc-export-audit-logs-maxpatrol -
Navigate to the repository directory. It should now contain the following files:
audit-trails-maxpatrol-export.tf: New infrastructure configuration file.audit-trails-maxpatrol-export.auto.tfvars: File with the values of user-defined variables.
-
Create a folder for configuration files. In this folder:
-
Create a configuration file named
audit-trails-maxpatrol-export.tf:audit-trails-maxpatrol-export.tf
# Declaring variables variable "folder_id" { type = string } variable "organization_id" { type = string } locals { sa_name = "maxpatrol-sa" sa_reader_name = "maxpatrol-reader-sa" db_name = "maxpatrol-db" yds_name = "maxpatrol-stream" trail_name = "maxpatrol-trail" } # Configuring the provider terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } required_version = ">= 0.13" } provider "yandex" { folder_id = var.folder_id } # Creating service accounts resource "yandex_iam_service_account" "maxpatrol-sa" { name = local.sa_name } resource "yandex_iam_service_account" "maxpatrol-reader-sa" { name = local.sa_reader_name } # Assigning roles to service accounts resource "yandex_resourcemanager_folder_iam_member" "yds-writer" { folder_id = var.folder_id role = "yds.writer" member = "serviceAccount:${yandex_iam_service_account.maxpatrol-sa.id}" } resource "yandex_resourcemanager_folder_iam_member" "yds-viewer" { folder_id = var.folder_id role = "yds.viewer" member = "serviceAccount:${yandex_iam_service_account.maxpatrol-reader-sa.id}" } resource "yandex_organizationmanager_organization_iam_binding" "audit-trails-viewer" { organization_id = var.organization_id role = "audit-trails.viewer" members = [ "serviceAccount:${yandex_iam_service_account.maxpatrol-sa.id}", ] } # Creating a static access key for the service account resource "yandex_iam_service_account_static_access_key" "sa-static-key" { service_account_id = yandex_iam_service_account.maxpatrol-reader-sa.id } # Creating a serverless YDB resource "yandex_ydb_database_serverless" "maxpatrol-db" { name = local.db_name folder_id = var.folder_id sleep_after = 90 } # Creating a YDB topic: Data Streams resource "yandex_ydb_topic" "data-streams" { database_endpoint = yandex_ydb_database_serverless.maxpatrol-db.ydb_full_endpoint name = local.yds_name } # Wait until the topic is created before creating the trail. resource "time_sleep" "wait-for-topic" { depends_on = [yandex_ydb_topic.data-streams] create_duration = "20s" } # Creating a trail resource "yandex_audit_trails_trail" "maxpatrol-trail" { depends_on = [time_sleep.wait-for-topic] name = local.trail_name folder_id = var.folder_id service_account_id = yandex_iam_service_account.maxpatrol-sa.id data_stream_destination { database_id = yandex_ydb_database_serverless.maxpatrol-db.id stream_name = local.yds_name } filtering_policy { management_events_filter { resource_scope { resource_id = var.organization_id resource_type = "organization-manager.organization" } } } } output "static-access-key" { sensitive = true value = yandex_iam_service_account_static_access_key.sa-static-key.access_key } output "static-secret-key" { sensitive = true value = yandex_iam_service_account_static_access_key.sa-static-key.secret_key } output "database-id" { sensitive = true value = yandex_ydb_database_serverless.maxpatrol-db.id } -
Create a file with user data named
audit-trails-maxpatrol-export.auto.tfvars:audit-trails-maxpatrol-export.auto.tfvars
folder_id = "<folder_ID>" organization_id = "<organization_ID>"
-
For more information about Terraform resource parameters, see the relevant provider guides:
- Service account: yandex_iam_service_account.
- Role assigned to the service account for the folder: yandex_resourcemanager_folder_iam_member.
- Role assigned to the service account for the organization: yandex_organizationmanager_organization_iam_binding.
- Static access key: yandex_iam_service_account_static_access_key.
- Serverless database (YDB): yandex_ydb_database_serverless.
- Data stream in Yandex Data Streams: yandex_ydb_topic.
- Trail: yandex_audit_trails_trail.
-
-
In the
audit-trails-maxpatrol-export.auto.tfvarsfile, set the values of the user-defined variables:folder_id: Folder ID.organization_id: ID of the organization to create the trail and store audit logs in.
-
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
This will create and configure all the required infrastructure in the folder you selected.
-
-
Get the static access key ID and secret key, as well as the ID of the database you created; you will need them later to configure MaxPatrol SIEM. Do it by running these commands:
echo "Static access key: $(terraform output static-access-key)" echo "Secret key: $(terraform output static-secret-key)" echo "YDB database ID: $(terraform output database-id)"Result:
Static access key: "YCAJEnmnfsV8GpAMk********" Secret key: "YCMVxx-n0t8Y6s48zJDdKw9lWMB1iGU-********" YDB database ID: "etnvs692elpn********"
Configure MaxPatrol SIEM
Create credentials
You can use credentials to store secrets. Create credentials named static-key-id and static-key-private to host the ID and secret access key for the maxpatrol-reader-sa service account:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Credentials.
- Click Add credential → Password and specify the following:
- Name:
static-key-id. - Password: Static key ID.
- Confirm password: Reenter static key ID.
- Name:
- Click Save.
Similarly, create a credential named static-key-private containing the secret key.
Create a data collection task
Create and run a data collection task with the Yandex Data Streams profile:
- Log in to the MaxPatrol SIEM web interface.
- Under Data collection, click Tasks.
- On the Data collection tasks page:
- In the toolbar, click Create task.
- Click Data collection.
- On the Create data collection task page, specify the following parameters:
- Name:
YDS-logs-task. - Profile:
Yandex Data Streams. - In the hierarchy list, select Run script.
- Under Connection, specify:
- Credentials:
static-key-id. - Credentials for privilege elevation:
static-key-private.
- Credentials:
- Script settings:
- database:
<maxpatrol-db_ID>; - folder:
<cloud_ID_for_example-folder>; - region_name:
ru-central1. - stream_name:
maxpatrol-stream.
- database:
- In the Data collection targets panel:
- Select the Include tab.
- In the Network addresses field, enter
yandex-cloud.
- Click Save and run.
- Name:
To view logs, go to the events page:
- Go the to the Data collection tasks page.
- Click
YDS-logs-task. - Click Collected events → Select.
How to delete the resources you created
To stop paying for the resources you created:
-
Open the
audit-trails-maxpatrol-export.tffile and delete your infrastructure description from it. -
Apply the changes:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-