Processing Yandex Audit Trails audit logs

Yandex Audit Trails is a service for collecting and exporting Yandex Cloud resource audit logs to a variety of target systems, including Yandex Object Storage and Yandex Data Streams. Audit Trails and Yandex Query are integrated with each other to enable search operations in audit logs.

After audit logs are processed using Query, you can get such information as:

• Who deleted a cloud folder.
• Who added permissions to access the Yandex Compute Cloud VM serial console.
• Who edited permissions to access an Object Storage bucket.
• Who was granted administrator privileges.

You can find the preset queries for these use cases in this GitHub repository. You can also write custom YQL queries.

In this use case, you will create trails that will upload audit logs of all folder resources to an Object Storage bucket and send them to a Data Streams stream. Next, you will run analytical and streaming queries to the log data using Query.

Getting startedGetting started

Sign up for Yandex Cloud and create a billing account:

1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Configure Audit TrailsConfigure Audit Trails

Create trails:

• To upload folder audit logs to an Object Storage bucket.
• To send folder audit logs to a Data Streams stream.

Set up integration between Audit Trails and QuerySet up integration between Audit Trails and Query

To set up integration:

1. Open the list of trails in the Yandex Cloud console.

2. Select the trail that you previously created for uploading cloud audit logs to a bucket and click Process in YQ.

3. When switching from Audit Trails to Query for the first time, set up integration:

   1. In the Query interface, select the service account you want to use to read data from Object Storage in the connection creation dialog and click Create.
   2. In the Query interface, check the preset parameters by clicking Preview in the binding creation dialog. Next, click Create to complete the integration.

This will automatically redirect you to the Audit trails panel of the Query interface.

Perform similar actions for the previously created trail that sends data to a Data Streams stream.

Analytical queries to data in Object StorageAnalytical queries to data in Object Storage

To query Audit Trails analytical data stored in Object Storage:

1. Under Audit trails in the Query interface, select Analytical as the data analysis type. In the list of data bindings, select audit-trails-test-object_storage.
2. Select a query to Object Storage data from the list and click Run.

You can do the following with analytical query results:

• Download them through the Query UI by clicking Export.
• Save them to an Object Storage bucket.
• Get and process them via the Query HTTP API.

Streaming queries to data from Data StreamsStreaming queries to data from Data Streams

To query Audit Trails streaming data transferred through Data Streams:

1. Under Audit trails in the Yandex Query interface, select Streaming as the data analysis type. In the list of data bindings, select the one you need.
2. Select a query to Object Storage data from the list and click Run.

You can do the following with streaming query results:

• Send them to Yandex Monitoring as metrics.
• Send them to an output Data Streams stream as data and then process the data using Yandex Cloud Functions triggers.

See alsoSee also

• Yandex Object Storage.
• Yandex Data Streams.
• Yandex DataLens.