Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Exporting audit logs to MaxPatrol SIEM

Written by
Updated at August 15, 2025

MaxPatrol SIEM can read Yandex Cloud audit logs from a data stream in Yandex Data Streams. To complete this tutorial, you need access to a MaxPatrol SIEM instance.

To set up audit log export:

  1. Get your cloud ready.
  2. Set up your environment.
  3. Create a trail to send logs to the stream in Data Streams.
  4. In MaxPatrol SIEM, set up a task to collect data from the stream in Data Streams.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

The infrastructure support cost includes:

Set up your environment

Create a service account and assign the required roles

The trail will use this service account to collect logs for all your organization's resources and upload them to the specified data stream in Data Streams.

Create a service account in the same folder where you are going to create the trail, e.g., in example-folder:

  1. In the management console, select example-folder.
  2. In the list of services, select Identity and Access Management.
  3. Click Create service account.
  4. Specify the service account name: maxpatrol-sa.
  5. Click Create.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Create a service account:

    yc iam service-account create --name maxpatrol-sa

    Result:

    id: aje*****ckg
folder_id: b1g*****rnj
created_at: "2022-09-18..."
name: maxpatrol-sa

    For more information about the yc iam service-account create command, see the CLI reference.

Assign the audit-trails.viewer and yds.editor roles to the maxpatrol-sa service account:

  1. The audit-trails.viewer role for your organization:

    yc organization-manager organization add-access-binding \
--role audit-trails.viewer \
--id <organization_ID> \
--service-account-id <service_account_ID>

    Where:

    • --role: Role being assigned.
    • --id: ID of the organization the service account belongs to.
    • --service-account-id: maxpatrol-sa service account ID.

    Result:

    done (1s)

    For more information about the yc organization-manager organization add-access-binding command, see the CLI reference.

  2. The yds.editor role for example-folder:

    yc resource-manager folder add-access-binding example-folder \
  --role yds.editor \
  --subject serviceAccount:<service_account_ID>

    Where:

    • --role: Role being assigned.
    • --subject: maxpatrol-sa service account ID.

    Result:

    done (1s)

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

Create static access keys

MaxPatrol SIEM uses static access keys to authorize Data Streams queries.

  1. In the management console, select example-folder.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. In the list that opens, select the maxpatrol-sa service account.
  5. Click Create new key in the top panel.
  6. Select Create static access key.
  7. Enter a description for the key and click Create.

Alert

Save the ID and secret key. After you close this dialog, the key value will no longer be available.

Create a static access key for the maxpatrol-sa service account:

yc iam access-key create --service-account-name maxpatrol-sa

Result:

access_key:
id: YCd*****W7t
service_account_id: aje*****ckg
created_at: "2022-09-18..."
key_id: YCA*****5Ws4
secret: YCM76*******I3fk

Alert

Save the ID (key_id) and secret key (secret). You will not be able to get the key value again.

For more information about the yc iam access-key create command, see the CLI reference.

Create a YDB serverless database

The database is required for the stream in Data Streams.

  1. In the management console, select example-folder.
  2. Click Create resource and select YDB database.
  3. Set Name to maxpatrol-db.
  4. Under Database type, select Serverless.
  5. Leave other parameters at their defaults.
  6. Click Create a database.

Wait for the database status to change to Running.

  1. Create a database:

    yc ydb database create --name maxpatrol-db --serverless --folder-name example-folder

    Where:

    • --name: Database name.
    • --serverless: Serverless type.
    • --folder-name: Folder name.

    Result:

    done (7s)
id: etn*****r5t
folder_id: b1g*****rnj
created_at: "2022-09-18..."
name: maxpatrol-db
status: PROVISIONING
...

    For more information about the yc ydb database create command, see the CLI reference.

  2. Check the status of the created database:

    yc ydb database get maxpatrol-db

    Wait for the database status to change to RUNNING.

Create a data stream

This is the data stream to which the trail will upload organization resource logs.

  1. In the management console, select example-folder.
  2. Click Create resource and select Data stream.
  3. In the Database field, select maxpatrol-db.
  4. Set Name to maxpatrol-stream.
  5. Leave other parameters at their defaults.
  6. Click Create.

Wait for the data stream status to change to Running.

Create a trail

The trail will collect management audit logs for all your organization's resources and upload them to the maxpatrol-stream data stream.

  1. In the management console, select example-folder.
  2. Click Create resource and select Trail.
  3. Name the new trail: maxpatrol-trail.
  4. Under Destination, configure the destination object:
    • Destination: Data Streams.
    • Data stream: Select maxpatrol-stream.
  5. Under Service account, select maxpatrol-sa.
  6. Under Collecting management events, configure the collection of management event audit logs:
    • Collecting events: Select Enabled.
    • Resource: Select Organization.
    • Organization: Automatically populated field (shows the name of the organization that will host the trail).
    • Cloud: Keep the default value, All.
  7. Under Collecting data events, select Disabled in the Collecting events field.
  8. Click Create.

For more information about creating a trail, see this guide.

Configure MaxPatrol SIEM

Create accounts

You can use accounts to store secrets. Create accounts named static-key-id and static-key-private for your ID and secret access key:

  1. Log in to the MaxPatrol SIEM web interface.
  2. Under Data collection, click Accounts.
  3. Click Add accountPassword and specify the following parameters:
    • Name: static-key-id.
    • Password: Static key ID.
    • Confirm password: Reenter static key ID.
  4. Click Save.

Similarly, create an account named static-key-private containing the secret key.

Create a data collection task

Create and run a data collection task with the Yandex Data Streams profile:

  1. Log in to the MaxPatrol SIEM web interface.
  2. Under Data collection, click Tasks.
  3. On the Data collection tasks page:
    1. In the toolbar, click Create task.
    2. Click Data collection.
  4. On the Create data collection task page, specify the following parameters:
    1. Name: YDS-logs-task.
    2. Profile: Yandex Data Streams.
    3. In the hierarchy list, select Run scenario.
    4. Under Connection, specify:
      • Account: static-key-id.
      • Access upgrade account: static-key-private.
    5. Scenario execution parameters:
      • database: <maxpatrol-db_ID>
      • folder: <cloud_ID_for_example-folder>
      • region_name: ru-central1.
      • stream_name: <maxpatrol-stream_name>.
    6. In the Data collection objectives panel:
      1. Select the Enable tab.
      2. In the Network addresses field, enter yandex-cloud.
    7. Click Save and run.

To view the logs, go to the event review page:

  1. Go the to the Data collection tasks page.
  2. Click YDS-logs-task.
  3. Click Events collectedSelect.

How to delete the resources you created

Delete the resources you no longer need to avoid paying for them:

Previous
Processing Audit Trails events
Next
Uploading audit logs to Splunk SIEM