Processing Yandex Audit Trails events

Written by

Updated at May 7, 2025

Getting started
Configure Audit Trails
Set up integration between Audit Trails and Query
Analytical queries to data in Object Storage
Streaming queries to data from Data Streams
See also

Yandex Audit Trails is a service for collecting and exporting the audit logs of Yandex Cloud resources to various target systems, including Yandex Object Storage and Yandex Data Streams. Audit Trails and Yandex Query are integrated between themselves to enable searching through audit logs.

After audit logs are processed using Query, you can get such information as:

Who deleted a cloud folder.
Who added permissions to access the Yandex Compute Cloud VM serial console.
Who edited permissions to access an Object Storage bucket.
Who was granted administrator privileges.

You can find the preset queries for these use cases in this GitHub repository. You can also write custom YQL queries.

In this use case, you will create trails that will upload audit logs of all folder resources to an Object Storage bucket and send them to a Data Streams stream. Next, you will run analytical and streaming queries to the log data using Query.

Getting started

Navigate to the management console and log in to Yandex Cloud or register a new account.
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Configure Audit Trails

Create two trails:

To upload folder audit logs to an Object Storage bucket.
To send folder audit logs to a Data Streams stream.

Set up integration between Audit Trails and Query

To set up integration:

Open the list of trails in the Yandex Cloud console.
Select the trail that you previously created for uploading cloud audit logs to a bucket and click Process in YQ.
When switching from Audit Trails to Query for the first time, set up integration:
1. In the Query interface, select the service account you want to use to read data from Object Storage in the connection creation dialog and click Create.
2. In the Query interface, check the preset parameters by clicking Preview in the binding creation dialog. Next, click Create to complete the integration.

This will automatically redirect you to the Audit trails panel of the Query interface.

Perform similar actions for the previously created trail that sends data to a Data Streams stream.

Analytical queries to data in Object Storage

To query Audit Trails analytical data stored in Object Storage:

Under Audit trails in the Query interface, select Analytical as the data analysis type. In the list of data bindings, select audit-trails-test-object_storage.
Select a query to Object Storage data from the list and click Run.

You can do the following with analytical query results:

Download them through the Query UI by clicking Export.
Save them to an Object Storage bucket.
Get and process them via the Query HTTP API.

Streaming queries to data from Data Streams

To query Audit Trails streaming data transferred through Data Streams:

Under Audit trails in the Yandex Query interface, select Streaming as the data analysis type. In the list of data bindings, select the one you need.
Select a query to Object Storage data from the list and click Run.

You can do the following with streaming query results:

Send them to Yandex Monitoring as metrics.
Send them to an output Data Streams stream as data and then process the data using Yandex Cloud Functions triggers.