© 2025 Direct Cursus Technology L.L.C.

Requirements for collecting, monitoring, and analyzing audit logs

Part of the Cloud infrastructure security standard, version 1.4.2.

Written by
Yandex Cloud
Updated at October 29, 2025

5. Collecting, monitoring, and analyzing audit logs

An audit log is a record of all events in a system, including access to it and the operations performed. By collecting and reviewing audit logs, you can verify compliance with established security procedures and standards and identify weaknesses in your security controls.

There are different levels of audit log events:

  • Yandex Cloud level: Events related to Yandex Cloud resources.
  • OS level.
  • Application level.
  • Network level (Flow Logs).

Note

For more information about Kubernetes events, see Collecting, monitoring, and analyzing audit logs in Yandex Managed Service for Kubernetes.

Overview

5.1 Yandex Audit Trails is enabled at the organization level

The main tool for collecting Yandex Cloud level logs is Yandex Audit Trails. This service allows you to collect audit logs about events happening to Yandex Cloud resources and upload these logs to Yandex Object Storage buckets or Cloud Logging log groups for further analysis or export. For information on how to start collecting logs, see this guide.

Audit Trails audit logs may contain two types of events: management events and data events.

Management events are actions you take to configure Yandex Cloud resources, such as creating, updating, or deleting infrastructure components, users, or policies. Data events are updates and actions performed on data and resources within Yandex Cloud services. By default, Audit Trails does not log data events. You need to enable collection of data event audit logs individually for each supported service.

For more information, see Comparing management and data event logs.

To collect metrics, analyze Yandex Cloud-level events, and set up notifications, we recommend using Yandex Monitoring. For example, it can help you track spikes in Compute Cloud workload, Application Load Balancer RPS, or significant changes in Identity and Access Management event statistics.

You can also use Monitoring to watch the health of the Audit Trails service itself and to track security events. Metrics can be exported to a SIEM system via the API; see this guide.

Solution: Monitoring Audit Trails and security events using Monitoring

You can export audit logs to a Cloud Logging log group or a Data Streams stream, and from there to your SIEM system, to analyze information about events and incidents.

List of important Yandex Cloud-level events to search for in audit logs:

Solution: Searching for important security events in audit logs

You can enable Yandex Audit Trails at the folder, cloud, or organization level. We recommend enabling it for the entire organization: this collects audit logs centrally, for example in a separate security cloud, so that no folder or cloud falls outside the trail.

Requirement ID: AUDIT1
Severity: High
Performing a check in the management console
  1. In the management console, select the cloud or folder to check.
  2. In the list of services, select Yandex Audit Trails.
  3. Make sure the trail's collection scope (the Filter parameter) is set to Organization.
  4. Check that the trail's destination (an Object Storage bucket, a Cloud Logging log group, or a Data Streams stream) exists, is receiving logs, and that the logs are available for further analysis.

5.2 Yandex Audit Trails events are exported to SIEM systems

Solutions for exporting Yandex Cloud audit logs are available for the following SIEM systems:

  • ArcSight: Collecting, monitoring, and analyzing audit logs in ArcSight SIEM

  • Splunk: Collecting, monitoring, and analyzing audit logs in Splunk SIEM

  • MaxPatrol SIEM: Collecting, monitoring, and analyzing audit logs in MaxPatrol SIEM

  • Wazuh: Collecting, monitoring, and analyzing audit logs in Wazuh

  • KUMA: Collecting, monitoring, and analyzing audit logs in KUMA

For more information about MaxPatrol, see this section.

You can set up export to any SIEM using GeeseFS or s3fs. These utilities mount a Yandex Object Storage bucket as a local disk on a VM. Then install a SIEM connector (log collector) on that VM and configure it to read the JSON files from the mounted bucket. If you send audit logs to Yandex Data Streams instead, any consumer compatible with the AWS Kinesis Data Streams API can read them.

If you have no SIEM, you can analyze audit logs manually with Yandex Cloud event search in Yandex Query, Cloud Logging, or Object Storage.
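The triage a practitioner would run over an exported trail, as an added example that is not Yandex Cloud code: it walks a locally mounted bucket (the GeeseFS/s3fs setup above), parses each JSON file, skips a truncated file instead of aborting, and flags the kinds of events the "important security events" solution in 5.1 is about (denied or failed requests, access-binding and security-group changes, anything touching the trail itself). It assumes the exported files are JSON arrays of event objects with the documented top-level fields (event_type, event_time, event_status, authentication, authorization, request_metadata); the sample events, their event_type strings and the watch list are constructed for the demo, not taken from the Audit Trails reference.

```python
"""Triage of Audit Trails management events exported as JSON files to an
Object Storage bucket that is mounted locally (GeeseFS or s3fs).

Added example, not Yandex Cloud code. Assumptions: each exported file is a
JSON array of event objects with the documented top-level fields; the
sample events, their event_type strings and the watch list below are
constructed for the demo, not copied from the Audit Trails reference.
"""
import json
import os
import tempfile
from collections import Counter

# Substrings of event_type that always deserve review (assumed watch list).
SENSITIVE_PATTERNS = (
    "AccessBindings",   # IAM role grants and revocations
    "SecurityGroup",    # VPC firewall changes
    "ServiceAccount",   # new machine identities
    "AccessKey", "ApiKey",
    "Trail",            # anything touching the audit trail itself
)

def _event(etype, when, status, subject_type, subject, authorized, ip):
    """Build a sample event in the Audit Trails management-event shape."""
    return {"event_type": etype, "event_time": when, "event_status": status,
            "authentication": {"authenticated": True, "subject_type": subject_type,
                               "subject_name": subject},
            "authorization": {"authorized": authorized},
            "request_metadata": {"remote_address": ip}}

# Constructed export: two good files and one truncated (partially written) file.
SAMPLE_FILES = {
    "2025/10/29/part-0001.json": [
        _event("yandex.cloud.audit.compute.CreateInstance", "2025-10-29T09:00:01Z",
               "DONE", "YANDEX_PASSPORT_USER_ACCOUNT", "alice@example.com", True, "203.0.113.10"),
        _event("yandex.cloud.audit.vpc.UpdateSecurityGroup", "2025-10-29T09:05:12Z",
               "DONE", "FEDERATED_USER_ACCOUNT", "bob@example.com", True, "203.0.113.11"),
    ],
    "2025/10/29/part-0002.json": [
        _event("yandex.cloud.audit.audittrails.DeleteTrail", "2025-10-29T09:07:45Z",
               "ERROR", "SERVICE_ACCOUNT", "ci-deployer", False, "198.51.100.7"),
    ],
    "2025/10/29/part-0003.json": '[{"event_type": "yandex.cloud.audit.iam',
}

def write_sample_export(root):
    """Materialise SAMPLE_FILES under root, mimicking the bucket layout."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content if isinstance(content, str) else json.dumps(content))

def load_events(root):
    """Yield every event from every *.json file under root. A file that is not
    valid JSON is reported and skipped, so one bad object cannot hide the rest."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if not name.endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError) as exc:
                print(f"skipping {path}: {exc}")
                continue
            yield from (data if isinstance(data, list) else [data])

def classify(event):
    """Return the reasons this event needs attention (empty list = routine)."""
    reasons, etype = [], event.get("event_type", "")
    auth = event.get("authentication", {})
    if not auth.get("authenticated", True) or not event.get("authorization", {}).get("authorized", True):
        reasons.append("denied")            # probing or an over-reaching identity
    if event.get("event_status") == "ERROR":
        reasons.append("error")
    if any(p in etype for p in SENSITIVE_PATTERNS):
        reasons.append("sensitive-type")
    if auth.get("subject_type") == "SERVICE_ACCOUNT" and "Trail" in etype:
        reasons.append("sa-touched-trail")  # automation should never edit trails
    return reasons

def triage(root):
    """Walk an export; return (alerts sorted by time, event count per subject)."""
    alerts, per_subject = [], Counter()
    for ev in load_events(root):
        subject = ev.get("authentication", {}).get("subject_name", "<unknown>")
        per_subject[subject] += 1
        reasons = classify(ev)
        if reasons:
            alerts.append({"time": ev.get("event_time"), "type": ev.get("event_type"),
                           "subject": subject, "reasons": reasons,
                           "ip": ev.get("request_metadata", {}).get("remote_address")})
    alerts.sort(key=lambda a: a["time"] or "")
    return alerts, per_subject

def demo():
    """Run the triage over the constructed export in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_export(root)
        return triage(root)

if __name__ == "__main__":
    found, counts = demo()
    for alert in found:
        print(alert)
    print(dict(counts))
```

Point `triage()` at the mount point of the real bucket instead of the temporary directory; the per-subject counter is the cheap baseline for spotting a sudden burst of activity from one identity, which is the kind of change in IAM event statistics the Monitoring recommendation above refers to.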

Requirement ID: AUDIT2
Severity: Informational
Manual check

Make sure that audit logs from Yandex Audit Trails are exported for analysis to a SIEM system or analyzed in the cloud using one of the available methods.

5.3 Responding to Yandex Audit Trails events is set up

You can respond to Yandex Audit Trails events using your SIEM tools or manually. You can also use automatic responses.

Using Yandex Cloud Functions, you can configure alerts about Audit Trails events as well as automatic responses to malicious actions, such as deleting a dangerous rule or revoking access permissions.

Solution: Notifications and responses to Audit Trails information security events using IAM / Cloud Functions + Telegram

Requirement ID: AUDIT3
Severity: Medium

5.4 The Object Storage bucket that stores the Yandex Audit Trails audit logs has been hardened

If you write Yandex Audit Trails audit logs to a Yandex Object Storage bucket, make sure the bucket is configured according to security best practices, such as:

  • There is no public access to the bucket.
  • Access to the bucket is restricted with a bucket policy.
  • Object Lock is enabled, so that stored log objects cannot be deleted or overwritten during the retention period.
  • Bucket access logging is enabled.
  • At-rest encryption with a KMS key is enabled.

You can use a solution for secure Yandex Object Storage bucket setup with Terraform.
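A static check of the bucket policy, as an added example (not the Terraform solution above): it reports an unconditional Allow to an anonymous principal, an Allow with a wildcard action, and the absence of a Deny on object deletion that would back up Object Lock. It assumes the S3-style policy document that Yandex Object Storage bucket policies use (Statement, Effect, Principal, Action, Resource, Condition); the two sample policies and the CanonicalUser IDs in them are constructed placeholders.

```python
"""Static review of an Object Storage bucket policy that guards Audit Trails
logs. Added example, not the Terraform solution referenced on this page.
Assumption: the policy is the S3-style JSON document that Yandex Object
Storage bucket policies use; any Condition is treated as a restriction, so
a conditional Allow to "*" is not reported. Both sample policies and the
CanonicalUser IDs in them are constructed placeholders."""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anonymous(principal):
    """True for "*" or a principal map whose value is "*" (everyone)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for vals in principal.values() for v in _as_list(vals))
    return False

def _covers(actions, wanted):
    """Does an Action entry cover `wanted`, honouring trailing wildcards?"""
    for action in _as_list(actions):
        if action in ("*", "s3:*", wanted):
            return True
        if action.endswith("*") and wanted.startswith(action[:-1]):
            return True
    return False

def policy_findings(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings, delete_denied = [], False
    for st in _as_list(policy.get("Statement", [])):
        sid, effect = st.get("Sid", "<no sid>"), st.get("Effect")
        actions, principal = st.get("Action", []), st.get("Principal")
        if effect == "Allow":
            if _anonymous(principal) and not st.get("Condition"):
                findings.append(f"public-allow:{sid}")      # world-readable logs
            if any(a in ("*", "s3:*") for a in _as_list(actions)):
                findings.append(f"wildcard-action:{sid}")   # broader than least privilege
        elif effect == "Deny" and _anonymous(principal) and _covers(actions, "s3:DeleteObject"):
            delete_denied = True   # explicit guard that complements Object Lock
    if not delete_denied:
        findings.append("no-delete-deny")
    return findings

# Constructed: a policy that leaks logs and gives one principal everything.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"},
        {"Sid": "AdminAll", "Effect": "Allow",
         "Principal": {"CanonicalUser": "<admin-id-placeholder>"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]},
    ],
}

# Constructed: read-only access for the SIEM collector, deletion denied to all.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SiemReadOnly", "Effect": "Allow",
         "Principal": {"CanonicalUser": "<siem-service-account-id-placeholder>"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]},
        {"Sid": "NoDeletion", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
         "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, policy_findings(policy) or "OK")
```

Feed `policy_findings()` the JSON you get back from the bucket's policy endpoint. The policy check does not replace the other items in the list above: Object Lock, access logging and KMS encryption are bucket settings, not policy statements, and need their own checks.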

Requirement ID: AUDIT4
Severity: Medium
Manual check

Run a manual check.

5.5 Audit logs are collected at the OS level

When using IaaS cloud services and Kubernetes node groups, the customer is responsible for ensuring OS security and collecting OS-level events on their own. Free tools for collecting standard OS-generated events and exporting them to the customer's SIEM system include:

  • Osquery
  • Filebeat (ELK)
  • Wazuh

Additional OS-level events (process execution, file access, privilege changes) can be generated with auditd on Linux or Sysmon on Windows.

You can collect Linux system metrics (CPU, RAM, and disk space usage) with Unified Agent in Monitoring.

You can also export OS events to Cloud Logging using a Fluent Bit plugin or to Data Streams.

To describe the events to search for in audit logs, we recommend the Sigma format, which popular SIEM systems support. The Sigma repository contains a library of detection rules written in this format.
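How a Sigma rule is applied to OS-level records, as an added example (not SigmaHQ or Yandex Cloud code): a minimal evaluator for the common Sigma subset, run over constructed auditd EXECVE/SYSCALL lines to detect chmod calls that set the setuid bit. The rule is written as the dict that yaml.safe_load would produce from the YAML file; the rule itself, the auditd lines and the /usr/lib/ exclusion are illustrative, and "1 of"/"all of" aggregations are not supported.

```python
"""Minimal evaluator for a Sigma rule over auditd records. Added example, not
SigmaHQ or Yandex Cloud code. Supports field modifiers contains/startswith/
endswith/all, lists as OR, selections combined with and/or/not and
parentheses; "1 of" / "all of" aggregations are out of scope. The rule is
the dict yaml.safe_load would return for the .yml; the auditd lines are
constructed."""
import re

SUID_RULE = {
    "title": "Setuid bit set with chmod (illustrative rule, not from SigmaHQ)",
    "logsource": {"product": "linux", "service": "auditd"},
    "detection": {
        "selection": {
            "type": "EXECVE",
            "a0|endswith": "chmod",
            "a1|contains": ["+s", "4755", "6755"],
        },
        "filter": {"a2|startswith": "/usr/lib/"},   # package-manager noise (assumed)
        "condition": "selection and not filter",
    },
}

SAMPLE_AUDITD = [  # constructed records; real ones carry more fields (pid, ppid, ...)
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="chmod" a1="u+s" a2="/tmp/.cache/x"',
    'type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="/usr/bin/chmod" a1="4755" a2="/usr/lib/pkg/helper"',
    'type=EXECVE msg=audit(1700000000.103:203): argc=2 a0="ls" a1="-la"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes uid=1000 exe="/usr/bin/chmod" key="priv_esc"',
]

def parse_auditd(line):
    """Flatten one auditd record into {key: value}; surrounding quotes are stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def _value_matches(value, modifiers, expected):
    """Compare one field with its expected value(s) under the Sigma modifiers."""
    if value is None:
        return False
    value = str(value)
    def one(exp):
        exp = str(exp)
        if "contains" in modifiers:
            return exp in value
        if "startswith" in modifiers:
            return value.startswith(exp)
        if "endswith" in modifiers:
            return value.endswith(exp)
        return value == exp
    candidates = expected if isinstance(expected, list) else [expected]
    return all(map(one, candidates)) if "all" in modifiers else any(map(one, candidates))

def selection_matches(selection, event):
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    for spec, expected in selection.items():
        field, *modifiers = spec.split("|")
        if not _value_matches(event.get(field), modifiers, expected):
            return False
    return True

def eval_condition(condition, results):
    """Evaluate an 'a and not (b or c)' style condition over selection results."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def expr():              # expr := term ('or' term)*
        v = term()
        while peek() == "or":
            take(); r = term(); v = v or r
        return v
    def term():              # term := factor ('and' factor)*
        v = factor()
        while peek() == "and":
            take(); r = factor(); v = v and r
        return v
    def factor():            # factor := 'not' factor | '(' expr ')' | NAME
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr(); take()   # consume ")"
            return v
        return results[tok]
    return expr()

def rule_matches(rule, event):
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)

def scan(rule, lines):
    """Return the parsed records that trigger the rule."""
    return [ev for ev in map(parse_auditd, lines) if rule_matches(rule, ev)]

if __name__ == "__main__":
    for hit in scan(SUID_RULE, SAMPLE_AUDITD):
        print(SUID_RULE["title"], "->", hit["a0"], hit["a1"], hit.get("a2"))
```

Of the four records only the first one fires: the second is the same setuid chmod but lands under the /usr/lib/ filter, the third is not chmod, and the fourth is a SYSCALL record rather than EXECVE. In a real pipeline the rule stays in YAML and is converted for the target SIEM with the Sigma tooling; the evaluator above only shows what that conversion has to preserve.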

To get the exact time of OS- and application-level events, configure clock synchronization by following this guide.

We also recommend raising the logging level inside virtual machines to at least VERBOSE.

Requirement ID: AUDIT5
Severity: High
Manual check

Run a manual check.

5.6 Audit logs are collected at the application level

Customers collect events from applications deployed on Compute Cloud resources themselves: for example, write application logs to files and ship them to a SIEM system using the tools listed in the subsection above.

Enable audit log collection in your unmanaged DBMS:

  • Enable logging of all authentication actions (successful and failed).
  • Activate logging of data modification operations (INSERT, UPDATE, DELETE).
  • Configure logging of schema modification operations (ALTER, CREATE, DROP).
  • Record permission and privilege changes.
  • Configure query logging.

Requirement ID: AUDIT6
Severity: Medium
Manual check

Run a manual check.

5.7 Logs are collected at the network level

Yandex Cloud does not currently provide VPC network traffic logs (Flow Logs) as a service, so customers collect them themselves. You can use Yandex Cloud Marketplace solutions (such as NGFW, IDS/IPS, or other network products) or free software for collecting and forwarding events. You can also collect network-level logs with host-based agents, e.g., a HIDS.

Requirement ID: AUDIT7
Severity: Medium
Manual check

Run a manual check.

5.8 Data events are monitored

A data event audit log is a JSON object that records events related to Yandex Cloud resources. Monitoring data events lets you collect additional events from cloud services and, as a result, respond to security incidents in the cloud more effectively. It also helps you show that your cloud infrastructure meets regulatory requirements and industry standards. For example, you can track which employees access sensitive data stored in buckets.

You need to enable collection of data event audit logs individually for each supported service.

We recommend enabling all events for Yandex Identity and Access Management and Yandex Cloud DNS, as well as all events for the following services, if you use them:

  • Yandex Certificate Manager
  • Yandex Compute Cloud
  • Yandex Key Management Service
  • Yandex Lockbox
  • Yandex Managed Service for ClickHouse®
  • Yandex Managed Service for Kubernetes
  • Yandex StoreDoc
  • Yandex Managed Service for MySQL®
  • Yandex Managed Service for PostgreSQL
  • Yandex Managed Service for Valkey™
  • Yandex Object Storage
  • Yandex Smart Web Security
  • Yandex WebSQL

Requirement ID: AUDIT8
Severity: Medium
Performing a check in the management console
  1. In the management console, select the folder where your trail is located.

  2. In the list of services, select Audit Trails.

  3. Select the trail you need.

  4. Make sure the trail info page in Collecting data events lists all the services you want to collect data event logs for, specifying the correct audit log scope for each service.

    For the list of supported services, see Data event reference.

5.9 Access Transparency in Security Deck is enabled to inspect Yandex Cloud employees' actions on your infrastructure

All actions by Yandex Cloud employees on resources that process customer data go through bastion hosts, which record those operations for logging and monitoring.

With Access Transparency, you can see why the provider's employees accessed your infrastructure, for example for additional diagnostics of an IT system by support engineers or for software updates. ML models analyze these actions, and YandexGPT, integrated into Access Transparency, generates summaries of access events to improve visibility. Suspicious sessions are automatically sent to the Yandex Cloud security teams for review.

Requirement ID: AUDIT9
Severity: Low
Performing a check in the management console
  1. Go to Yandex Security Deck.
  2. In the left-hand panel, select Access Transparency.
  3. If you are prompted to enable Access Transparency, the module is not active yet; activate it as described below.

Guides and solutions to use:

Click Connect to activate the Access Transparency module.

ClickHouse® is a registered trademark of ClickHouse, Inc.
