Yandex Cloud
Search
Contact UsGet started
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • AI Studio
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
© 2025 Direct Cursus Technology L.L.C.
Yandex Data Streams
    • All tutorials
    • Entering data into storage systems
    • Smart log processing
    • Transferring data within microservice architectures
    • Saving data to ClickHouse®
    • Replicating logs to Object Storage using Fluent Bit
    • Replicating logs to Object Storage using Data Streams
    • Migrating data to Yandex Object Storage using Yandex Data Transfer
    • Delivering data from Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • Delivering data from an Data Streams queue to Managed Service for YDB
    • Delivering data to Yandex Managed Service for Apache Kafka® using Yandex Data Transfer
    • YDB change data capture and delivery to YDS
    • PostgreSQL change data capture and delivery to YDS
    • MySQL® change data capture and delivery to YDS
    • Streaming Yandex Cloud Postbox events to Yandex Data Streams and analyzing them using Yandex DataLens
    • Creating an interactive serverless application using WebSocket
    • Processing Audit Trails events
    • Processing CDC Debezium streams
    • Exporting audit logs to MaxPatrol SIEM
    • Searching for Yandex Cloud events in Yandex Query
  • Access management
  • Pricing policy
  • FAQ

In this article:

  • Getting started
  • Required paid resources
  • Set up your environment
  • Create a bucket for audit logs
  • Create service accounts
  • Assign permissions to service accounts
  • Create a trail
  • Create a connection between the trail and YQ
  • Run a query to logs in Object Storage
  • How to delete the resources you created
  1. Tutorials
  2. Searching for Yandex Cloud events in Yandex Query

Searching for Yandex Cloud events in Yandex Query

Written by
Yandex Cloud
Updated at July 7, 2025
  • Getting started
  • Required paid resources
  • Set up your environment
    • Create a bucket for audit logs
    • Create service accounts
    • Assign permissions to service accounts
  • Create a trail
  • Create a connection between the trail and YQ
  • Run a query to logs in Object Storage
  • How to delete the resources you created

Yandex Query supports Audit Trails. You can analyze events of Yandex Cloud resources by running analytical and streaming YQL queries.

You can run analytical queries for logs stored in a bucket, and streaming queries for logs stored in a Yandex Data Streams data stream.

To connect a bucket with audit logs to Yandex Query and run YQL queries:

  1. Set up your environment.
  2. Create a connection between a trail and YQ.
  3. Run a query to logs in Object Storage.

If you no longer need the resources you created, delete them.

Getting startedGetting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

Required paid resourcesRequired paid resources

The cost of infrastructure support includes a fee for a bucket (see Object Storage pricing).

Set up your environmentSet up your environment

Create a bucket for audit logsCreate a bucket for audit logs

Management console
  1. In the management console, select the folder where you want to create a bucket, e.g., example-folder.
  2. Select Object Storage.
  3. Click Create bucket.
  4. On the bucket creation page:
    • Enter a name for the bucket according to the naming requirements.
    • In the Object read access, Object listing access, and Read access to settings fields, select Restricted.
    • Leave other parameters at their defaults.
  5. Click Create bucket.

Create service accountsCreate service accounts

Create a service account named trail-sa:

Management console
  1. In the management console, navigate to example-folder.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Specify Name: trail-sa.
  5. Click Create.

Similarly, create a service account named bucket-yq-sa.

Assign permissions to service accountsAssign permissions to service accounts

Assign the audit-trails.viewer and storage.uploader roles to the trail-sa service account:

CLI
  1. The audit-trails.viewer role for your organization:

    yc organization-manager organization add-access-binding \
    --role audit-trails.viewer \
    --id <organization_ID> \
    --service-account-id <service_account_ID>
    

    Where --service-account-id is the trail-sa service account ID.

    Result:

    done (1s)
    

    For more information about the yc organization-manager organization add-access-binding command, see the CLI reference.

  2. The storage.uploader role for the folder:

    yc resource-manager folder add-access-binding example-folder \
      --role storage.uploader \
      --subject serviceAccount:<service_account_ID>
    

    Where --subject is the trail-sa service account ID.

    Result:

    done (1s)
    

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

Assign the bucket-yq-sa service account the storage.viewer role for example-folder:

CLI
yc resource-manager folder add-access-binding example-folder \
    --role storage.viewer \
    --subject serviceAccount:<service_account_ID>

Where --subject is the bucket-yq-sa service account ID.

Result:

done (1s)

For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

Create a trailCreate a trail

Management console
  1. In the management console, select example-folder.

  2. Select Audit Trails.

  3. Click Create trail.

  4. In the Name field, specify logsyq.

  5. Under Destination, configure the destination object:

    • Destination: Object Storage.
    • Bucket: Select the bucket you created earlier.
  6. Under Service account, select trail-sa.

  7. Under Collecting management events, configure the collection of management event audit logs:

    • Collecting events: Select Enabled.
    • Resource: Select Organization.
    • Organization: Automatically populated field containing the name of the current organization.
    • Cloud: Keep the default value, All.
  8. Under Collecting data events, select Disabled in the Collecting events field.

  9. Click Create.

Create a connection between the trail and YQCreate a connection between the trail and YQ

You need to create a connection only when connecting the trail to YQ for the first time.

Management console
  1. In the management console, select example-folder.
  2. Select Audit Trails.
  3. Select the logsyq trail.
  4. Click Process in YQ.
  5. Create a connection:
    • Select the bucket-yq-sa Service account.
    • Leave other parameters at their defaults.
  6. Click Create.
  7. In the window with data binding options, click Create.

You will go to the page for creating a query to trail logs.

Run a query to logs in Object StorageRun a query to logs in Object Storage

Open the page to create an analytical query to Audit Trails logs:

Management console
  1. In the management console, select the folder with your trail.
  2. In the list of services, select Audit Trails.
  3. Select the trail for which a connection to YQ is configured.
  4. Click Process in YQ to go to the analytical query page.

Run event queries to bind audit-trails-logsyq-object_storage:

  1. Deleting a folder:

    1. Select this query from the list: 1. Find out who deleted the folder.

    2. Edit the query by specifying the folder ID:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.resourcemanager.DeleteFolder' 
          and JSON_VALUE(data, "$.details.folder_name") = '<folder_ID>' 
          LIMIT 100;
      
    3. Click Execute.

  2. Enabling access via the serial console:

    1. Select this query from the list: 6. Changing a VM: Adding serial console access.

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`<audit-trails-logsyq-object_storage>`
      WHERE
          JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance' 
          and JSON_VALUE(data, "$.details.metadata_serial_port_enable") = '1' 
          LIMIT <number_of_records>;
      
    3. Click Execute.

  3. Changing access permissions for an Object Storage bucket:

    1. Select this query from the list: 11. Suspicious activity with the Audit Trails log repository (Object Storage bucket).

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          (JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.storage.BucketAclUpdate' 
          or JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.storage.BucketPolicyUpdate') 
          LIMIT <number_of_records>;
      
    3. Click Execute.

  4. Assigning administrator permissions:

    1. Select this query from the list: 20. Assigning admin permissions (for a folder and cloud).

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          JSON_VALUE(data, "$.details.access_binding_deltas.access_binding.role_id") = 'admin' 
          LIMIT <number_of_records>;
      
    3. Click Execute.

How to delete the resources you createdHow to delete the resources you created

If you created a separate bucket to follow these instructions, you can delete it to stop paying for bucket use.

Was the article helpful?

Previous
Exporting audit logs to MaxPatrol SIEM
Next
Access management
© 2025 Direct Cursus Technology L.L.C.