Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Blog
  • Pricing
  • Documentation
© 2025 Direct Cursus Technology L.L.C.
Yandex Data Streams
    • All tutorials
    • Entering data into storage systems
    • Smart log processing
    • Transferring data within microservice architectures
    • Saving data to ClickHouse®
    • Replicating logs to Object Storage using Fluent Bit
    • Replicating logs to Object Storage using Data Streams
    • Migrating data to Yandex Object Storage using Yandex Data Transfer
    • Delivering data from Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • Delivering data from an Data Streams queue to Managed Service for YDB
    • Delivering data to Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • YDB change data capture and delivery to YDS
    • PostgreSQL change data capture and delivery to YDS
    • MySQL® change data capture and delivery to YDS
    • Streaming Yandex Cloud Postbox events to Yandex Data Streams and analyzing them using Yandex DataLens
    • Creating an interactive serverless application using WebSocket
    • Processing Audit Trails events
      • Overview
      • Tools for working with audit logs
      • Sample requests for searching events
      • Configuring Yandex Query
    • Processing CDC Debezium streams
    • Exporting audit logs to MaxPatrol SIEM
    • Searching for Yandex Cloud events in Yandex Query
  • Access management
  • Pricing policy
  • FAQ

In this article:

  • Yandex Query
  • Cloud Logging
  • jq
  1. Tutorials
  2. Event search in audit logs
  3. Tools for working with audit logs

Tools for working with audit logs

Written by
Yandex Cloud
Updated at March 31, 2025
  • Yandex Query
  • Cloud Logging
  • jq

You can upload audit logs to a Yandex Object Storage bucket, Yandex Cloud Logging log group, or Yandex Data Streams data stream.

Depending on the log location, you need to use different tools to view them and search for events:

  • Yandex Query
  • Cloud Logging
  • jq

Yandex QueryYandex Query

Use Query to work with logs uploaded to a bucket or a data stream:

  • If logs reside in a bucket, you can use analytical YQL queries to analyze Yandex Cloud resource events.
  • If logs reside in a data stream, use streaming YQL queries to analyze Yandex Cloud resource events.

To use Yandex Query, set up a data binding based on the target object:

Object Storage bucket
Data Streams data stream
  1. Create a service account named bucket-yq-sa.

  2. Assign the bucket-yq-sa service account the storage.viewer role for the folder containing the bucket with logs.

  3. Create a connection.

    1. In the management console, select the folder housing the trail that delivers logs to the bucket.
    2. Select Audit Trails.
    3. Select the trail that delivers logs to the bucket.
    4. Click Process in YQ.
    5. Select Service account bucket-yq-sa.
    6. Leave other attributes as default.
    7. Click Create.
  4. In the window with data binding options, click Create.

  5. Send the appropriate query.

  1. Create a service account named bucket-yq-sa.
  2. Assign the yds.editor role to the bucket-yq-sa service account.
  3. Create a connection. When creating it, specify the settings for the Data Streams connection type.
  4. Create federated credentials.
  5. Send the appropriate query.

Cloud LoggingCloud Logging

Use Cloud Logging to work with logs uploaded to a log group.

You can filter records using the filer expression language to analyze Yandex Cloud resource events.

To use Cloud Logging:

  1. Read logs in the log group.
  2. Filter the logs as you need.

jqjq

Use jq to work with logs uploaded to a bucket.

Buckets store logs as JSON files. This means you can analyze Yandex Cloud resource events by getting the required events from the files using jq filters.

To use jq:

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.

  2. Mount a bucket with audit logs to your file system using s3fs or goofys.

  3. Install the jq utility.

  4. Run the command with the relevant jq filter.

Note

Example commands for log operations use jq together with find, where find provides all log files from the bucket for processing.

Was the article helpful?

Previous
Overview
Next
Sample requests for searching events
© 2025 Direct Cursus Technology L.L.C.