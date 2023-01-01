Exporting audit logs to Yandex Managed Service for Elasticsearch
Create a trail to upload audit logs for a single cloud's resources to a Yandex Object Storage bucket. Then configure continuous log delivery to a Yandex Managed Service for Elasticsearch cluster.
The solution described in the tutorial follows the procedure below:
- A trail uploads logs to a Object Storage bucket.
- A bucket is mounted to a folder on the intermediate VM.
- The intermediate VM runs a script that pulls logs from the bucket on a schedule and pushes them to the Managed Service for Elasticsearch cluster.
The following data required for log analysis is uploaded to the Managed Service for Elasticsearch cluster:
- A dashboard with use cases and statistics.
- A set of
Saved Queriesto search for security events.
- A set of
Detection Ruleswith correlation rules for which alerts are preset.
All the source files for the solution are stored in the Yandex Cloud Security Solution Library.
Note
Yandex Cloud Security Solution Library is a public repo on GitHub with a set of examples and recommendations on how to build a secure infrastructure in Yandex Cloud.
In addition to using the solution for your cloud logs, you can use it for organization or folder logs. To do this, create a trail by following the instructions for organizations or folders, respectively.
Before you begin
Before working, you need to register in Yandex Cloud and create a billing account:
- Go to the management console. Then log in to Yandex Cloud or sign up if don't already have an account.
- On the billing page, make sure you linked a billing account, and it has the
ACTIVEor
TRIAL_ACTIVEstatus. If you don't have a billing account, create one.
If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.
Learn more about clouds and folders.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
Some steps are completed in Terraform. If you don't have Terraform, install it and configure the Yandex Cloud provider.
Some Yandex Cloud features described in this tutorial are at the Preview stage. Request access to these features from the support team:
Required paid resources
The infrastructure support cost includes:
- A fee for computing resources and Elasticsearch cluster storage capacity in the
Platinumedition (see Yandex Managed Service for Elasticsearch pricing).
- A fee for the intermediate VM's computing resources and disk (see Yandex Compute Cloud pricing).
- A fee for storing the intermediate VM's Docker image in Container Registry (see Yandex Container Registry pricing).
- A fee for data storage in a bucket and operations with data (see Yandex Object Storage pricing).
Prepare the environment
Create a new bucket to use for uploading audit logs
- In the management console, select the folder where you want to create a bucket.
- Select Object Storage.
- Click Create bucket.
- On the bucket creation page:
- Enter the bucket name following the naming guidelines, such as
trails-bucket.
- Specify the maximum size of the bucket: No limit.
- Select the Limited access type.
- Select the storage class: Standard.
- Click Create bucket to complete the operation.
- Enter the bucket name following the naming guidelines, such as
Create a service account
- In the management console, select the folder where you wish to create a service account.
- Go to the Service accounts tab.
- Click Create service account.
- Enter a name for the service account, such as
trails-sa.
- Click Create.
To create a service account, run the command:
yc iam service-account create --name <service_account_name>
Where
name is the service account name, such as
trails-sa.
Assign roles to the service account
Assign the
audit-trails.viewer and
storage.uploader roles to the service account:
-
The
storage.uploaderrole to the folder with a bucket:
- In the management console, select the folder containing your bucket.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configure access bindings window, click Select user.
- Go to the Service accounts tab.
- Select the
trails-saservice account.
- Click Add role.
- Select the
storage.uploaderrole.
- Click Save.
-
The
audit-trails.viewerrole to the cloud whose logs will be sent to the Elasticsearch cluster:
- In the management console, go to the appropriate cloud.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configure access bindings window, click Select user.
- Go to the Service accounts tab.
- Select the
trails-saservice account.
- Click Add role.
- Select the
audit-trails.viewerrole.
- Click Save.
-
Assign the
storage.uploaderrole to the folder with your bucket:
yc resource-manager folder add-access-binding \ --role storage.uploader \ --id <folder_ID> \ --service-account-id <trails-sa_service_account_ID>
Where:
role: The role assigned.
id: The ID of the folder with the bucket.
service-account-id: The ID of your service account.
-
-
Assign the
audit-trails.viewerrole to the cloud whose logs will be sent to the Elasticsearch cluster:
yc resource-manager cloud add-access-binding \ --role audit-trails.viewer \ --id <cloud_ID> \ --service-account-id <trails-sa_service_account_ID>
Where:
role: The role assigned.
id: The ID of the cloud whose logs will be sent to the Elasticsearch cluster.
service-account-id: The ID of your service account.
-
Check your roles
- In the management console, select the cloud to collect the audit logs from.
- Click the Access bindings tab.
- At the top right, select Inherited roles to display the roles inherited from the organization.
- Make sure that you have the following roles:
iam.serviceAccounts.userfor the service account.
audit-trails.editorfor the folder to host the trail.
audit-trails.viewerfor the cloud whose audit logs will be collected.
storage.viewerfor the bucket or the folder.
-
Create a cloud network
If you don't have a cloud network, create one:
- In the management console, go to the folder where you need to create a cloud network.
- In the list of services, select Virtual Private Cloud.
- Click Create network.
- Enter a network name, such as
trails-network.
- Select the Create subnets option.
- Click Create network.
To create a cloud network, run the command:
yc vpc network create --name <cloud_network_name>
Where
name is the name of your cloud network, like
trails-network.
Create subnets
- In the management console, select the folder to create a subnet in.
- In the list of services, select Virtual Private Cloud.
- Select a cloud network, such as
trails-network.
- Click Add subnet.
- Name the subnet, such as
trails-subnet-1.
- Select an availability zone, such as
ru-central1-a.
- Enter the subnet CIDR: its IP address and mask (for example,
10.128.0.0/24).
- Click Create subnet.
- Create two more subnets:
trails-subnet-2in the
ru-central1-bavailability zone with the
10.129.0.0/24subnet CIDR.
trails-subnet-3in the
ru-central1-cavailability zone with the
10.130.0.0/24subnet CIDR.
-
-
Get the name of the cloud network to create a subnet in:
yc vpc network list --folder-id <folder_ID>
Where
folder-idis the ID of the folder where the cloud network is located.
Result:
+----------------------+----------------+ | ID | NAME | +----------------------+----------------+ | enpavfmgapumnl7cqin8 | trails-network | +----------------------+----------------+
-
Create a subnet:
yc vpc subnet create \ --name <subnet_name> \ --folder-id <folder_ID> \ --network-name <cloud_network_name> \ --zone <availability_zone> \ --range <subnet_CIDR>
Where:
name: Name of the subnet, such as
trails-subnet-1.
folder-id: ID of the folder where the cloud network is located.
network-name: Name of the cloud network, such as
trails-network.
zone: Availability zone, for example
ru-central1-a.
range: Subnet CIDR, like
10.128.0.0/24.
-
-
Create two more subnets:
trails-subnet-2in the
ru-central1-bavailability zone with the
10.129.0.0/24subnet CIDR.
trails-subnet-3in the
ru-central1-cavailability zone with the
10.130.0.0/24subnet CIDR.
-
Configure the subnet
-
Enable NAT to the internet for the subnet where the intermediate VM will be deployed.
-
Configure network traffic permissions in the default security group. If a security group is unavailable, any incoming or outgoing traffic will be allowed for the Elasticsearch cluster.
If a security group is available, add to it the rules below:
Traffic
direction
Description Port
range
Protocol Source
type
Source/Purpose Incoming incoming-https 443 TCP CIDR 0.0.0.0/0 Incoming incoming-9002 9200 TCP CIDR 0.0.0.0/0
Note
You can also deploy the required environment using Terraform. See a sample configuration file.
Create a trail
- In the management console, select the folder where you wish to host the trail.
- Select Audit Trails.
- Click Create trail.
- In the Name field, enter a name for the trail.
- Under Filter, set up the audit log scope:
- Resource: Select
Cloud.
- Cloud: An automatically populated field showing the name of the cloud to host the trail.
- Folders: Leave the default
all foldersvalue.
- Resource: Select
- Under Destination, set up the destination object:
- Destination:
Object Storage.
- Bucket: Select the bucket where you want to upload audit logs, such as
trails-bucket.
- Object prefix: An optional parameter used in the full name of the audit log file.
- Destination:
- Under Service account, select the service account that the trail will use to upload audit log files to the bucket, such as
trails-sa.
- Click Create.
Warning
The solution will delete the audit logs from the bucket after they are exported to the Elasticsearch cluster.
To store the logs in the bucket and the Elasticsearch cluster simultaneously, create two trails for two buckets: one to store the logs and the other one to export them to the Elasticsearch cluster.
Deploy a Elasticsearch cluster and intermediate VM
yc-managed-elkcreates a Elasticsearch cluster and assigns a password to the
adminuser. Cluster parameters:
- Number of hosts: Three, one in each availability zone.
- Host class: s2.medium.
- Edition:
Platinum.
- Storage: network-hdd, 1 TB.
- Number of index replicas: 2.
- Policy for creating new indexes: Rollover (new indexes are created once in 30 days or after reaching 50 GB). For more information, see Recommendations for high data availability.
yc-elastic-trail:
- Creates a static access key for the service account to use JSON objects in the bucket and encrypt or decrypt secrets.
- Creates an intermediate VM based on the
cr.yandex/sol/s3-elk-importer:latestimage with a script that transfers audit logs from the bucket to the Elasticsearch cluster.
- Creates an SSH key pair and saves the private part to the disk and the public part to the VM.
- Creates a KMS key.
- Assigns the
kms.keys.encrypterDecrypterrole to the service account for the secret encryption key.
- Encrypts secrets and passes them to a Docker container.
Create a file named
main.tf and copy the following Terraform configuration there:
terraform {
required_providers {
yandex = {
source = "yandex-cloud/yandex"
}
}
required_version = ">= 0.13"
}
provider "yandex" {
token = "<OAuth>"
cloud_id = "<cloud_ID>"
folder_id = "<folder_ID>"
}
module "yc-managed-elk" {
source = "<path_to_yc-managed-elk_directory>"
folder_id = "<folder_ID>"
subnet_ids = ["<ID_of_subnet_1>", "<ID_of_subnet_2>", "<ID_of_subnet_3>"]
network_id = "<cloud_network_ID>"
elk_edition = "platinum"
elk_datanode_preset = "s2.medium"
elk_datanode_disk_size = 1000
elk_public_ip = false
}
module "yc-elastic-trail" {
source = "<path_to_yc-elastic-trail_directory>"
folder_id = "<folder_ID>"
elk_credentials = module.yc-managed-elk.elk-pass
elk_address = module.yc-managed-elk.elk_fqdn
bucket_name = "<bucket_name>"
bucket_folder = "<bucket_log_prefix>"
sa_id = "<service_account_ID>"
coi_subnet_id = "<ID_of_subnet_1>"
}
output "elk-pass" {
value = module.yc-managed-elk.elk-pass
sensitive = true
}
output "elk_fqdn" {
value = module.yc-managed-elk.elk_fqdn
}
output "elk-user" {
value = "admin"
}
Where:
token: OAuth token.
cloud_id: Cloud ID.
folder_id: ID of the folder.
sourcein the
yc-managed-elkmodule section: Path to the
yc-managed-elkdirectory.
sourcein the
yc-elastic-trailmodule section: Path to the
yc-elastic-traildirectory.
subnet_ids: IDs of the subnets that will host the Elasticsearch cluster, such as
trails-subnet-1,
trails-subnet-2, and
trails-subnet-3.
network_id: ID of the cloud network that will host the Elasticsearch cluster, such as
trails-network.
elk_public_ip: Set
trueif public access to the Elasticsearch cluster is required, or else, set
false.
bucket_name: Name of the bucket to send audit logs to, such as
trails-bucket.
bucket_folder: Prefix of audit logs in the bucket. Leave it empty if logs are written to the bucket's root directory.
sa_id: ID of the service account on whose behalf audit logs are transferred, such as
trails-sa.
coi_subnet_id: ID of the subnet that will host the intermediate VM, such as
trails-subnet-1.
Initiate Terraform. In the terminal, go to the directory where you created the configuration file and run the command:
terraform init
Make sure that the configuration files are correct:
terraform plan
If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If the configuration contain errors, Terraform will point them out.
Deploy cloud resources:
terraform apply
Confirm resource creation: type
yes in the terminal and press Enter.
The command output will contain the parameters required to access the Elasticsearch cluster:
elk_fqdn: Elasticsearch cluster network address.
elk-user: Elasticsearch cluster user name.
You can use the management console to check the created resources.
Get the password to access the Elasticsearch cluster:
terraform output elk-pass
To connect to the Elasticsearch cluster, type the cluster address in the browser and specify the username and password on the page that opens.
Keep the infrastructure up-to-date.
To use the latest version of the solution for exporting audit logs to your Elasticsearch cluster:
-
Make sure you're using the current version of the intermediate VM's Docker container and the latest available version of the
cr.yandex/sol/s3-elk-importer:latestimage. You can update the Docker container in one of the following ways:
- Delete the intermediate VM and create it again using Terraform.
- Stop and delete the
audit-trail-worker-*Docker container on the intermediate VM, delete the
s3-elk-importerimage, and restart the intermediate VM. Once restarted, a new image is downloaded and a new container is created.
-
Make sure the correlation rules and security event queries are up-to-date. To update the data in Kibana, run the
elk-updatercontainer:
docker run \ -it \ --rm \ -e ELASTIC_AUTH_USER='<Elasticsearch_cluster_user_name>' \ -e ELASTIC_AUTH_PW='<Elasticsearch_cluster_access_password>' \ -e KIBANA_SERVER='<Elasticsearch_cluster_network_address>' \ --name elk-updater cr.yandex/sol/elk-updater:latest
Where:
ELASTIC_AUTH_USERis the Elasticsearch cluster user name.
ELASTIC_AUTH_PWis the password to access the Elasticsearch cluster.
KIBANA_SERVERis the Elasticsearch cluster network address.
-
Tip
You can also check the yandex-cloud/yc-solution-library-for-security repository for solution updates.
How to delete created resources
To stop paying for the resources created:
-
Delete the resources created with Terraform:
terraform destroy
Confirm resource deletion: type
yesin the terminal and press Enter.
-
Delete the respective bucket.