Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Tools for working with audit logs

Written by
Updated at August 15, 2025

You can upload audit logs to a Yandex Object Storage bucket, Yandex Cloud Logging log group, or data stream in Yandex Data Streams.

Depending on the log location, you need to use different tools to view them and search for events:

Yandex Query

Use Query to work with logs uploaded to a bucket or a data stream:

  • If logs reside in a bucket, you can use analytical YQL queries to analyze Yandex Cloud resource events.
  • If logs reside in a data stream, use streaming YQL queries to analyze Yandex Cloud resource events.

To use Yandex Query, set up a data binding based on the target object:

  1. Create a service account named bucket-yq-sa.

  2. Assign the bucket-yq-sa service account the storage.viewer role for the folder containing the bucket with logs.

  3. Create a connection:

    1. In the management console, select the folder containing the trail that delivers logs to the bucket.
    2. Select Audit Trails.
    3. Select the trail that delivers logs to the bucket.
    4. Click Process in YQ.
    5. Select bucket-yq-sa Service account.
    6. Leave other parameters at their defaults.
    7. Click Create.

  4. In the window with data binding options, click Create.

  5. Run the appropriate query.

  1. Create a service account named bucket-yq-sa.
  2. Assign the yds.editor role to the bucket-yq-sa service account.
  3. Create a connection. Make sure to specify the settings for the Data Streams connection type.
  4. Create a binding.
  5. Run the appropriate query.

Cloud Logging

Use Cloud Logging to work with logs uploaded to a log group.

You can filter logs using the filter expression language to analyze Yandex Cloud resource events.

To use Cloud Logging:

  1. Read logs in the log group.
  2. Filter the logs as needed.

jq

Use jq to work with logs uploaded to a bucket.

Buckets store logs as JSON files. This means you can analyze Yandex Cloud resource events by retrieving the events you need from the files using jq filters.

To use jq:

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.

  2. Mount a bucket with audit logs to your file system using s3fs or goofys.

  3. Install jq.

  4. Run the command with the relevant jq filter.

Note

Example commands for log operations use jq together with find, where find provides all log files from the bucket for processing.

Previous
Overview
Next
Sample queries for event search