Exporting audit logs to Yandex Managed Service for OpenSearch

Written by
Yandex Cloud
Updated at August 14, 2025
  • Getting started
    • Required paid resources
  • Create a trail to send logs to a Data Streams data stream
  • Create a Managed Service for OpenSearch cluster
  • Set up a transfer to deliver logs to the Managed Service for OpenSearch cluster
  • Check the result
  • Upload additional content
  • To use Security Content
    • Dashboard
    • Security events
    • Alert settings
  • Delete the resources you created

Create a trail to upload audit logs for Yandex Cloud resources to a Yandex Data Streams data stream. Once done, configure continuous log delivery to a Yandex Managed Service for OpenSearch cluster using Yandex Data Transfer.

You can export organization, cloud, or folder logs.

To export audit logs:

  1. Get your cloud ready.
  2. Create a trail to send logs to a Data Streams data stream.
  3. Create a Managed Service for OpenSearch cluster.
  4. Set up a transfer to deliver logs to the Managed Service for OpenSearch cluster.
  5. Check the result.
  6. Upload additional content.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The infrastructure support cost includes:

  • Fee for the OpenSearch cluster computing resources and storage (see Yandex Managed Service for OpenSearch pricing).
  • Using a data stream (see Data Streams pricing).
  • Using Yandex Managed Service for YDB in serverless mode (see Managed Service for YDB pricing).

Create a trail to send logs to a Data Streams data stream

Create a trail to send logs to a data stream named audit-trails. Using a stream with this name makes it easier to upload the Security Content library objects, whose saved objects expect it.

When creating a trail, select the log collection scope.

Create a Managed Service for OpenSearch cluster

Manually

Create a Managed Service for OpenSearch cluster with any suitable configuration.

Using Terraform

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the trails-to-opensearch.tf configuration file to the same working directory.

    This file describes:

    • Network.
    • Subnet.
    • Security group and rules required to connect to a Managed Service for OpenSearch cluster.
    • Managed Service for OpenSearch target cluster.
    • Transfer.
  6. In the trails-to-opensearch.tf file, specify these variables:

    • os_version: OpenSearch version in the target cluster.
    • os_admin_password: admin user password. Terraform writes it into the state file in clear text, so keep the state out of version control and in a protected backend.
    • transfer_enabled: Set to 0 to ensure that no transfer is created until you create endpoints manually.
  7. Make sure the Terraform configuration files are correct using this command:

    terraform validate
    

    If there are any errors in the configuration files, Terraform will point them out.

  8. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

Set up a transfer to deliver logs to the Managed Service for OpenSearch cluster

  1. Create a source endpoint:

    • Database type: Yandex Data Streams.

    • Endpoint settings:

      • Connection settings:

        • Database: Select the Managed Service for YDB database from the list.
        • Stream: Specify the name of the Data Streams-enabled stream.
        • Service account: Select or create a service account with the yds.editor role.
      • Advanced settings:

        • Conversion rules: AuditTrails.v1 parser.
  2. Create a target endpoint:

    • Database type: OpenSearch.

    • Endpoint parameters:

      • Connection:

        • Connection type: Managed Service for OpenSearch cluster.

          • Managed Service for OpenSearch cluster: Select the target cluster you created from the list.
        • User and Password: Enter the name and password of a user with write access to the database, e.g., the admin user. For a long-lived pipeline, prefer a dedicated user restricted to writing the audit-trails* indices rather than the cluster admin.

  3. Create and activate the transfer:

    Manually

    1. Create a transfer of the Replication type that will use the created endpoints.
    2. Activate the transfer and wait until its status switches to Replicating.

    Using Terraform

    1. In the trails-to-opensearch.tf file, specify these variables:

      • source_endpoint_id: Source endpoint ID.
      • target_endpoint_id: Target endpoint ID.
      • transfer_enabled: 1 to create a transfer.
    2. Make sure the Terraform configuration files are correct using this command:

      terraform validate
      

      If there are any errors in the configuration files, Terraform will point them out.

    3. Create the required infrastructure:

      1. Run this command to view the planned changes:

        terraform plan
        

        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

      2. If everything looks correct, apply the changes:

        1. Run this command:

          terraform apply
          
        2. Confirm updating the resources.

        3. Wait for the operation to complete.

    4. The transfer will be activated automatically. Wait for its status to change to Replicating.

Check the result

Make sure the data from Audit Trails is successfully uploaded to OpenSearch:

  1. Wait until the transfer status switches to Replicating.

  2. Connect to the target cluster using OpenSearch Dashboards.

  3. Select the Global tenant.

  4. Create a new index pattern named audit-trails*:

    1. Open the control panel by clicking the menu icon.
    2. Under Management, select Stack Management.
    3. Go to Index Patterns and click create an index pattern at the bottom of the page.
    4. In the Index pattern name field, specify audit-trails* and click Next step.
    5. In Time field, select application_usage_daily.timestamp and click Create index pattern.
  5. Open the control panel by clicking the menu icon.

  6. Under OpenSearch Dashboards, select Discover.

  7. The dashboard that opens should contain data from Audit Trails in Elastic Common Schema format.


Warning

Data delivery to a Managed Service for OpenSearch target is at-least-once: if the tables being transferred have no primary key, a redelivered batch creates duplicate entries in the audit logs. Account for this when counting events or building alerts.
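The at-least-once guarantee above is the one place where the pipeline can quietly distort the audit record, so it is worth handling on the consuming side. The Python below is an added example, not code from this page or from the Security Solution Library, showing the usual fix: key each OpenSearch document on the event's own event_id, so a redelivered batch overwrites the same document instead of appending a second copy, and report how many duplicates a naive index would have held. The events are constructed samples carrying only the top-level Audit Trails fields the example needs; the audit-trails index name comes from the page, and the _bulk request body format is standard OpenSearch.

```python
"""Added example (not from the page): idempotent indexing of at-least-once
Audit Trails deliveries by using event_id as the OpenSearch document _id."""
import json
from collections import Counter


def _event(event_id, event_type, event_time):
    # Constructed sample shaped like an Audit Trails management event; real
    # events carry many more fields (authentication, resource_metadata, ...).
    return {
        "event_id": event_id,
        "event_source": "iam",
        "event_type": event_type,
        "event_time": event_time,
    }


# Two consecutive deliveries from the same stream. The second one starts with
# a repeat of evt-0002, which is what a retried at-least-once delivery looks like.
CONSTRUCTED_DELIVERIES = [
    [
        _event("evt-0001", "yandex.cloud.audit.iam.CreateServiceAccount", "2025-08-14T10:00:00Z"),
        _event("evt-0002", "yandex.cloud.audit.iam.CreateAccessKey", "2025-08-14T10:00:05Z"),
    ],
    [
        _event("evt-0002", "yandex.cloud.audit.iam.CreateAccessKey", "2025-08-14T10:00:05Z"),
        _event("evt-0003", "yandex.cloud.audit.iam.DeleteServiceAccount", "2025-08-14T10:00:09Z"),
    ],
]


def dedupe_events(deliveries):
    """Merge deliveries into one document per event_id.

    Returns (events_by_id, duplicates), where duplicates counts, per event_id,
    how many extra copies were seen. A redelivered event is identical to the
    first copy, so keeping the last one is safe.
    """
    events_by_id = {}
    duplicates = Counter()
    for batch in deliveries:
        for event in batch:
            event_id = event["event_id"]
            if event_id in events_by_id:
                duplicates[event_id] += 1
            events_by_id[event_id] = event
    return events_by_id, duplicates


def bulk_body(events_by_id, index="audit-trails"):
    """Build an OpenSearch _bulk request body (NDJSON: action line, then document).

    Setting _id to the event_id makes the index operation idempotent: sending
    the same event twice overwrites one document instead of creating a second.
    """
    lines = []
    for event_id, event in events_by_id.items():
        lines.append(json.dumps({"index": {"_index": index, "_id": event_id}}))
        lines.append(json.dumps(event))
    return "\n".join(lines) + "\n"


def duplicate_ids(documents):
    """Return the event_ids that occur more than once among documents read back
    from the index. Run this over a search result to audit an index that was
    populated without a stable _id."""
    counts = Counter(doc["event_id"] for doc in documents)
    return sorted(event_id for event_id, n in counts.items() if n > 1)


if __name__ == "__main__":
    unique, dupes = dedupe_events(CONSTRUCTED_DELIVERIES)
    print(f"{len(unique)} unique events, redelivered: {dict(dupes)}")
    print(bulk_body(unique), end="")
    # Without a stable _id the same input would have indexed 4 documents:
    flat = [event for batch in CONSTRUCTED_DELIVERIES for event in batch]
    print("duplicate ids in naive index:", duplicate_ids(flat))
```

The transfer itself does not let you choose the document _id, so the practical use of this is twofold: run duplicate_ids over a query result to measure how much duplication the index actually contains, and, if you ever reload history by hand (for example after a transfer restart), index it with bulk_body so the reload cannot add copies.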

Upload additional content

For your convenience, the Yandex Cloud security team created the Security Solution Library with examples and recommendations for building a secure infrastructure in Yandex Cloud. The library is available in a public GitHub repository. It contains the following objects to upload to OpenSearch:

  • Dashboard with use cases and statistics.
  • Set of ready-to-use queries to search for security events.
  • Sample events with preset alerts (you specify the alert destination yourself).

All required event fields are converted to Elastic Common Schema (ECS) format; the complete mapping table is provided in the Yandex Cloud Security Solution Library document.

To use Security Content

  1. Clone the Yandex Cloud Security Solution Library repository:

    git clone https://github.com/yandex-cloud-examples/yc-export-auditlogs-to-opensearch.git
    
  2. Connect to the target cluster using OpenSearch Dashboards.

  3. Open the control panel by clicking the menu icon.

  4. Under Management, select Stack Management.

  5. Go to Saved Objects and import files from the yc-export-auditlogs-to-opensearch/update-opensearch-scheme/content-for-transfer/ folder:

    • dashboard.ndjson
    • filters.ndjson
    • search.ndjson

Dashboard

Use the ready-made Audit-trails-dashboard:

  1. Open the control panel by clicking the menu icon.
  2. Under OpenSearch Dashboards, select Dashboard.
  3. Select Audit-trails-dashboard in the dashboard list.


Security events

Run a ready-to-use query to view security events, narrowing the result with the saved filters.

  1. Open the control panel by clicking the menu icon.
  2. Under OpenSearch Dashboards, select Discover.
  3. In the Open tab, select Search:Yandexcloud: Yandexcloud: Interesting fields.


Alert settings

Use the code examples for the monitor and trigger entities when setting up alerts:

  1. Open the control panel by clicking the menu icon.

  2. Under OpenSearch Plugins, select Alerting.

  3. Copy the sample file contents and paste them into the creation window:

    • monitor.json
    • trigger_action_example.json
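The monitor and trigger pair above is an OpenSearch Alerting construct: the monitor runs a query on a schedule, and the trigger condition, a Painless expression over the query result (typically of the form ctx.results[0].hits.total.value > 0), decides whether the actions fire. The Python below is an added example, not part of this page or of the Security Solution Library, that evaluates the same kind of rule offline over constructed ECS-shaped documents: count failed events per source IP in a sliding window and fire when a threshold is reached. It assumes the library's mapping populates the standard ECS fields @timestamp, event.action, event.outcome and source.ip; the threshold and window values are illustrative.

```python
"""Added example (not from the page): an offline evaluation of a threshold
rule of the kind an OpenSearch Alerting monitor/trigger pair expresses."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _doc(timestamp, action, outcome, source_ip, user):
    # Constructed ECS-shaped document. The field names are standard ECS and are
    # assumed to be what the Solution Library's mapping produces.
    return {
        "@timestamp": timestamp,
        "event": {"action": action, "outcome": outcome},
        "source": {"ip": source_ip},
        "user": {"name": user},
    }


# Constructed sample: one source with a burst of failures inside the window,
# one stale failure outside it, one success, and an unrelated single failure.
CONSTRUCTED_DOCS = [
    _doc("2025-08-14T09:50:00Z", "yandex.cloud.audit.iam.CreateAccessKey", "failure", "203.0.113.5", "alice"),
    _doc("2025-08-14T10:06:00Z", "yandex.cloud.audit.iam.CreateAccessKey", "failure", "203.0.113.5", "alice"),
    _doc("2025-08-14T10:08:00Z", "yandex.cloud.audit.iam.CreateServiceAccount", "failure", "203.0.113.5", "alice"),
    _doc("2025-08-14T10:10:00Z", "yandex.cloud.audit.iam.CreateAccessKey", "success", "203.0.113.5", "alice"),
    _doc("2025-08-14T10:12:00Z", "yandex.cloud.audit.iam.CreateAccessKey", "failure", "203.0.113.5", "alice"),
    _doc("2025-08-14T10:13:00Z", "yandex.cloud.audit.iam.CreateAccessKey", "failure", "198.51.100.7", "bob"),
]


def parse_timestamp(value):
    """Parse an ECS @timestamp (ISO 8601 with a 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failures_by_source(docs, now, window=timedelta(minutes=10)):
    """Count event.outcome == "failure" documents per source.ip within [now - window, now].

    This is the offline equivalent of the monitor's query: a range filter on
    @timestamp, a term filter on event.outcome and a terms aggregation on source.ip.
    """
    cutoff = now - window
    counts = defaultdict(int)
    for doc in docs:
        if doc["event"]["outcome"] != "failure":
            continue
        ts = parse_timestamp(doc["@timestamp"])
        if ts < cutoff or ts > now:
            continue
        counts[doc["source"]["ip"]] += 1
    return dict(counts)


def evaluate_trigger(docs, threshold=3, now=None, window=timedelta(minutes=10)):
    """Return the (source.ip, count) pairs that reach the threshold, sorted.

    In the Alerting plugin this decision lives in the trigger's Painless
    condition (for a single-bucket monitor, ctx.results[0].hits.total.value >= 3);
    here it is plain Python so the rule can be checked before it is deployed.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    counts = failures_by_source(docs, now, window)
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    now = parse_timestamp("2025-08-14T10:15:00Z")
    for ip, n in evaluate_trigger(CONSTRUCTED_DOCS, now=now):
        print(f"ALERT: {n} failed events from {ip} in the last 10 minutes")
```

Checking a rule this way against a handful of hand-written documents catches the two usual mistakes before the monitor goes live: a window that silently includes stale events, and a threshold that fires on a single failure.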

Delete the resources you created

Note

Before deleting the resources you created, deactivate the transfer.

Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need:

  1. Delete the transfer.
  2. Delete the endpoints for both the source and target.
  3. Delete the Managed Service for YDB database.
  4. Delete service accounts you created.
  5. Delete the Audit Trails trail.

Delete the other resources depending on how they were created:

Manually

Delete the Managed Service for OpenSearch cluster.

Using Terraform

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy
      
    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.

© 2025 Direct Cursus Technology L.L.C.