Service-level event audit log
You can track service-level (Data Plane) events to verify that only authorized users access and update your data. This helps you keep your cloud infrastructure compliant with legal regulations and industry standards. For example, you can track when employees are granted access to sensitive data stored in buckets.
You can also analyze service-level event logs to optimize resource usage in your infrastructure: determine which resources are used most often and improve their performance, or identify rarely used resources that can be consolidated or removed to cut costs.
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
Warning
When setting up collection of service-level events for an Object Storage bucket, do not use the same bucket as the destination object for uploading logs. Each log upload is itself a data-plane event on that bucket, so logging would recurse automatically and the generated logs would keep growing (by about 16 MB per month per bucket object).
A service-level (Data Plane) audit log is a JSON object with a record of events that occurred to Yandex Cloud resources.
The log entry format is the same for every event; the values of some fields depend on both the source resource and the event type.
An event object is the service resource the operation is performed on. An event subject is the account under which the operation is performed.
If a federated user requests the contents of a secret in Yandex Lockbox, the following entry is written in the audit log:
{
  "event_id": "<event_ID>",
  "event_source": "lockbox",
  "event_type": "yandex.cloud.audit.lockbox.GetPayload",
  "event_time": "<event_date>",
  "authentication": {
    "authenticated": true,
    "subject_type": "FEDERATED_USER_ACCOUNT",
    "subject_id": "<user_ID>",
    "subject_name": "<username>",
    "federation_id": "<federation_ID>",
    "federation_name": "<federation_name>",
    "federation_type": "<federation_type>"
  },
  "authorization": {
    "authorized": true
  },
  "resource_metadata": {
    "path": [
      {
        "resource_type": "organization-manager.organization",
        "resource_id": "<organization_ID>",
        "resource_name": "<organization_name>"
      },
      {
        "resource_type": "resource-manager.cloud",
        "resource_id": "<cloud_ID>",
        "resource_name": "<cloud_name>"
      },
      {
        "resource_type": "resource-manager.folder",
        "resource_id": "<folder_ID>",
        "resource_name": "<folder_name>"
      }
    ]
  },
  "request_metadata": {
    "remote_address": "cloud.yandex",
    "user_agent": "Yandex Cloud",
    "request_id": "<request_ID>"
  },
  "event_status": "DONE",
  "details": {
    "secret_id": "<secret_ID>",
    "secret_name": "<secret_name>",
    "secret_version_id": "<secret_version_ID>",
    "secret_kms_key_id": "<ID_of_secret_encryption_key_in_KMS>",
    "secret_status": "<secret_status>",
    "secret_version_status": "<secret_version_status>",
    "secret_version_payload_entry_keys": [
      "<secret_version_entry_keys>"
    ]
  },
  "request_parameters": {
    "secret_id": "<secret_ID>",
    "version_id": "<secret_version_ID>"
  },
  "response": {
    "version_id": "<version_ID>",
    "entry_keys": [
      "<entry_keys>"
    ]
  }
}
Data schema
{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string,
    "federation_id": string,
    "federation_name": string,
    "federation_type": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  },
  "request_parameters": {
    object
  },
  "response": {
    object
  }
}
| Field | Type | Description |
|---|---|---|
| event_id | string | Event ID |
| event_source | string | Name of the event source service |
| event_type | string | Event type, which is determined by the event source service. For more information, see the event reference. |
| event_time | string | Time when the event occurred |
| authentication | object | Authentication data of the event subject |
| authentication.authenticated | boolean | Authentication result: true or false |
| authentication.subject_type | string | Subject type (for example, FEDERATED_USER_ACCOUNT for a federated user) |
| authentication.subject_id | string | Subject ID |
| authentication.subject_name | string | Subject name |
| authentication.federation_id* | string | ID of the federation the federated user belongs to |
| authentication.federation_name* | string | Name of the federation the federated user belongs to |
| authentication.federation_type* | string | Federation type |
| authorization | object | Authorization data of the event subject |
| authorization.authorized | boolean | Authorization result: true or false |
| resource_metadata | object | Metadata of the event object |
| resource_metadata.path[] | array | Path to the resource where the event occurred |
| resource_metadata.path[].resource_type | string | Resource type |
| resource_metadata.path[].resource_id | string | Resource ID |
| resource_metadata.path[].resource_name | string | Resource name |
| request_metadata | object | Details of the request that triggered the event |
| request_metadata.remote_address | string | IP address of the event subject |
| request_metadata.user_agent | string | User agent of the event subject |
| request_metadata.request_id | string | Request ID |
| event_status | string | Event status, which is determined by the source service and the event type (for example, DONE, ERROR, or CANCELLED) |
| error | object | Status error, a google.rpc.Status object (code, message, details) |
| details | object | Event details, which are determined by the source service and the event type |
| request_parameters | object | Request parameters |
| response | object | Returned data |

* The field is present only when subject_type = FEDERATED_USER_ACCOUNT.
Note
If the action was run by a Yandex Cloud infrastructure service or a support representative, the remote_address field contains cloud.yandex and the user_agent field contains Yandex Cloud.
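The schema and the note above are what a detection rule has to work with: the authentication and authorization flags tell you whether a request was refused, details tells you which secret entry keys were handed out, and request_metadata tells you where the request came from, with the caveat that infrastructure actions carry the literal string cloud.yandex rather than an IP. The following script is an added example, not code from the original page or from Yandex Cloud: it triages a batch of records, flagging denied requests and Lockbox payload reads that came from outside an assumed trusted network while skipping infrastructure actions. All sample records, IDs, addresses, the SERVICE_ACCOUNT subject type, the trusted CIDR and the google.rpc.Status code are constructed for the example.

```python
import ipaddress

# Constructed sample records shaped like the data schema on this page. Every ID,
# name, address and user agent below is a placeholder invented for this example;
# SERVICE_ACCOUNT as a subject_type value is an assumption, not taken from the page.
def _record(event_id, subject_type, subject_name, remote_address, user_agent,
            authenticated=True, authorized=True, event_status="DONE",
            details=None, error=None):
    rec = {
        "event_id": event_id,
        "event_source": "lockbox",
        "event_type": "yandex.cloud.audit.lockbox.GetPayload",
        "event_time": "2024-05-01T12:00:00Z",
        "authentication": {"authenticated": authenticated, "subject_type": subject_type,
                           "subject_id": subject_name + "-id", "subject_name": subject_name},
        "authorization": {"authorized": authorized},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.cloud", "resource_id": "cloud-1", "resource_name": "prod"},
            {"resource_type": "resource-manager.folder", "resource_id": "folder-1", "resource_name": "secrets"},
        ]},
        "request_metadata": {"remote_address": remote_address, "user_agent": user_agent,
                             "request_id": "req-" + event_id},
        "event_status": event_status,
        "details": details or {},
    }
    if error is not None:           # google.rpc.Status object, present on failed events
        rec["error"] = error
    return rec

PAYLOAD = {"secret_id": "s1", "secret_version_id": "v1",
           "secret_version_payload_entry_keys": ["db_password"]}

SAMPLE_RECORDS = [
    _record("e1", "FEDERATED_USER_ACCOUNT", "alice", "10.0.1.25", "curl/8.0", details=PAYLOAD),
    _record("e2", "SERVICE_ACCOUNT", "ci-deployer", "203.0.113.7", "yc/0.100", details=PAYLOAD),
    _record("e3", "FEDERATED_USER_ACCOUNT", "mallory", "198.51.100.9", "python-requests/2.31",
            authorized=False, event_status="ERROR",
            error={"code": 7, "message": "Permission denied", "details": {}}),
    _record("e4", "SERVICE_ACCOUNT", "yc-internal", "cloud.yandex", "Yandex Cloud", details=PAYLOAD),
]

TRUSTED_CIDRS = ["10.0.0.0/8"]                              # assumed corporate egress range
WATCHED_EVENTS = {"yandex.cloud.audit.lockbox.GetPayload"}  # events that expose secret material


def is_infrastructure_action(rec):
    """True for actions run by a Yandex Cloud infrastructure service or support (see the note)."""
    meta = rec.get("request_metadata", {})
    return meta.get("remote_address") == "cloud.yandex" and meta.get("user_agent") == "Yandex Cloud"


def in_trusted_network(remote_address, trusted_cidrs):
    """True when remote_address is an IP inside one of the CIDRs; non-IP values never match."""
    try:
        addr = ipaddress.ip_address(remote_address)
    except ValueError:          # e.g. "cloud.yandex" is a marker string, not an address
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs)


def triage(records, trusted_cidrs, watched_events):
    """Return findings: denied requests, and watched events from untrusted, non-infrastructure sources."""
    findings = []
    for rec in records:
        auth = rec.get("authentication", {})
        remote = rec.get("request_metadata", {}).get("remote_address", "")
        base = {"event_id": rec.get("event_id"), "subject": auth.get("subject_name"),
                "remote_address": remote, "event_type": rec.get("event_type")}
        # A refused request shows up as authenticated=false or authorized=false, usually with an error object.
        if not (auth.get("authenticated") and rec.get("authorization", {}).get("authorized")):
            findings.append({**base, "kind": "denied", "error_code": rec.get("error", {}).get("code")})
            continue
        if rec.get("event_type") in watched_events and not is_infrastructure_action(rec):
            if not in_trusted_network(remote, trusted_cidrs):
                keys = rec.get("details", {}).get("secret_version_payload_entry_keys", [])
                findings.append({**base, "kind": "secret_read_outside_trusted_network", "entry_keys": keys})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS, TRUSTED_CIDRS, WATCHED_EVENTS):
        print(finding)
```

Two design points matter in practice: denied events are reported before any network check, because a refused secret read from inside the trusted range is still worth seeing; and infrastructure actions are excluded by matching both remote_address and user_agent, since either string alone is trivially spoofable by a client that sets its own user agent.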
Audit log format
Depending on the destination object (a bucket or a log group), the message Audit Trails uses to deliver audit logs differs in structure and content:
- If the destination object is a bucket, the message is a file containing a JSON array of audit log objects.
- If the destination object is a log group, the message is a single JSON object from the audit log.
Audit log file in a bucket
Below is the template for the full name of an audit log file in a bucket:
<object prefix>/<trail ID>/<year>/<month>/<file_name.json>
Log group entry
Log group entries have the following values:
- Time: the event's event_time field value
- JSON: the JSON object of the event
- Level: calculated from the event_status value:
  - ERROR for the ERROR value
  - WARN for the CANCELLED value
  - INFO in all other cases
- Message: includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name fields
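A consumer of these logs has to handle both delivery shapes and, for a log group, derive the level and message the same way Audit Trails does. The following code is an added example and not part of the original page or of Audit Trails itself: it parses a bucket file (JSON array) and a log group message (single object), maps event_status to the level exactly as listed above, and builds the message from the listed fields. The sample records are constructed; taking cloud_name from the resource-manager.cloud path element, resource_name from the last path element, and joining the message with single spaces are assumptions made here.

```python
import json


def level_for(event_status):
    """Level mapping as stated for log group entries: ERROR -> ERROR, CANCELLED -> WARN, else INFO."""
    if event_status == "ERROR":
        return "ERROR"
    if event_status == "CANCELLED":
        return "WARN"
    return "INFO"


def _path_name(record, resource_type):
    """resource_name of the resource_metadata.path element with the given type, or None."""
    for element in record.get("resource_metadata", {}).get("path", []):
        if element.get("resource_type") == resource_type:
            return element.get("resource_name")
    return None


def log_group_entry(record):
    """Time, level, message and JSON for one audit record.
    Assumptions: cloud_name comes from the resource-manager.cloud path element,
    resource_name from the last path element, and the message is space-separated."""
    path = record.get("resource_metadata", {}).get("path", [])
    status = record.get("event_status")
    parts = [status,
             record.get("event_type"),
             record.get("authentication", {}).get("subject_name"),
             _path_name(record, "resource-manager.cloud"),
             path[-1].get("resource_name") if path else None]
    return {"time": record.get("event_time"),
            "level": level_for(status),
            "message": " ".join(p for p in parts if p is not None),
            "json": record}


def parse_bucket_file(text):
    """A bucket log file holds a JSON array of event objects; anything else is rejected."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("bucket audit log file must be a JSON array of event objects")
    return [log_group_entry(r) for r in data]


def parse_log_group_message(text):
    """A log group message holds exactly one event object."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("log group message must be a single JSON event object")
    return log_group_entry(data)


# Constructed sample records; IDs and names are placeholders invented for this example.
def _sample(event_id, status, subject, error=None):
    rec = {
        "event_id": event_id,
        "event_source": "lockbox",
        "event_type": "yandex.cloud.audit.lockbox.GetPayload",
        "event_time": "2024-05-01T12:00:0%sZ" % event_id[-1],
        "authentication": {"authenticated": True, "subject_type": "FEDERATED_USER_ACCOUNT",
                           "subject_id": subject + "-id", "subject_name": subject},
        "authorization": {"authorized": error is None},
        "resource_metadata": {"path": [
            {"resource_type": "resource-manager.cloud", "resource_id": "cloud-1", "resource_name": "prod"},
            {"resource_type": "resource-manager.folder", "resource_id": "folder-1", "resource_name": "secrets"},
        ]},
        "request_metadata": {"remote_address": "10.0.1.25", "user_agent": "curl/8.0", "request_id": "req-" + event_id},
        "event_status": status,
        "details": {"secret_id": "s1"},
    }
    if error is not None:
        rec["error"] = error
    return rec


SAMPLE_BUCKET_FILE = json.dumps([
    _sample("e1", "DONE", "alice"),
    _sample("e2", "ERROR", "mallory", error={"code": 7, "message": "Permission denied", "details": {}}),
    _sample("e3", "CANCELLED", "bob"),
])
SAMPLE_LOG_GROUP_MESSAGE = json.dumps(_sample("e1", "DONE", "alice"))

if __name__ == "__main__":
    for entry in parse_bucket_file(SAMPLE_BUCKET_FILE):
        print(entry["time"], entry["level"], entry["message"])
```

The two parsers deliberately refuse the wrong shape instead of coercing it: a single object arriving where an array is expected (or vice versa) usually means a misconfigured trail or a tampered file, and silently wrapping it would hide that.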