Create the trail that will upload its events to Data Streams. To make it easier to import the objects from the Security Content library later on, name the stream “audittrails”.
Deploy a cluster using Managed Service for OpenSearch.
Create the source endpoint in Data Transfer with Data Streams as the source. In the endpoint settings, make sure to select the AuditTrails.v1 parser (Advanced settings → Conversion rules).
Create the target (receiver) endpoint in Data Transfer with Managed Service for OpenSearch as the target. Before any data is written to the cluster, create a dedicated OpenSearch user with only the permissions the transfer needs (writing to the audittrails index, not cluster administration) and enter that user’s credentials in the endpoint.
With both endpoints in place, create a transfer that links them and click Activate.
All done! The transfer is now running.
If you need a more advanced way to move Audit Trails logs to OpenSearch, you can also route them through an S3 bucket and use the automation scripts from the Yandex Cloud Security Solution Library.
Check that the data was loaded into OpenSearch successfully.
In the OpenSearch Dashboards web interface, open the Global tenant and create an index pattern matching “audittrails*”. The index that receives the Audit Trails data is named “audittrails”, after the data stream’s name in Data Streams.
Go to the auditlogs/export-auditlogs-to-Opensearch/update-opensearch-scheme/include/audit-trail folder (in the Security Solution Library) and run the following command:
In OpenSearch Dashboards, go to Stack Management → Saved Objects → Import and import the dashboard.ndjson, filters.ndjson and search.ndjson files.
Open the dashboard.
In the Discover section, go to the Open tab and open the saved search named Yandexcloud. The Interesting fields panel lists the event fields; use them to filter the events shown in the columns.
You can set up alerts in OpenSearch. To save you the time of working out the format of the monitor definition, we have prepared sample code that you can paste straight into the monitor creation window, along with an example trigger action that references the event fields.
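As an added example (not the sample code from the post or from the Security Solution Library), the following Python builds an OpenSearch Alerting query-level monitor for the audittrails* index and applies the same predicate locally to a few constructed events, so you can see what the monitor would fire on before creating it. It assumes the transfer keeps the Audit Trails field names event_type, event_time and authentication.subject_type, that the listed event types exist under that naming, and that "dest-placeholder" stands for a destination you have already created in the Alerting plugin.

```python
"""OpenSearch Alerting monitor for Audit Trails events (added example).

Assumptions (not taken from the post): documents in audittrails* carry the
Audit Trails fields event_type, event_time and authentication.subject_type;
the event type names below follow Audit Trails naming; destination_id refers
to a destination (webhook, Slack, ...) you created in the Alerting plugin.
"""
import json
from typing import Any

INDEX_PATTERN = "audittrails*"

# Event types worth an alert. Assumed names for illustration.
SENSITIVE_EVENT_TYPES = [
    "yandex.cloud.audit.iam.DeleteServiceAccount",
    "yandex.cloud.audit.iam.CreateAccessKey",
]


def build_query(event_types: list[str], exclude_subject_types: list[str],
                lookback: str = "1m") -> dict[str, Any]:
    """Search body the monitor runs on every schedule tick.

    {{period_end}} is rendered by the Alerting plugin as the run time in
    epoch milliseconds, so the range covers the last `lookback` of events.
    """
    must_not = []
    if exclude_subject_types:
        must_not.append({"terms": {"authentication.subject_type": exclude_subject_types}})
    return {
        "size": 0,
        "query": {"bool": {
            "filter": [
                {"range": {"event_time": {
                    "gte": "{{period_end}}||-" + lookback,
                    "lte": "{{period_end}}",
                    "format": "epoch_millis"}}},
                {"terms": {"event_type": event_types}},
            ],
            "must_not": must_not,
        }},
    }


def build_monitor(name: str, event_types: list[str], destination_id: str,
                  exclude_subject_types: tuple[str, ...] = ("SERVICE_ACCOUNT",),
                  interval_minutes: int = 1) -> dict[str, Any]:
    """Monitor definition in the shape the Alerting API / UI accepts."""
    query = build_query(event_types, list(exclude_subject_types), f"{interval_minutes}m")
    return {
        "type": "monitor",
        "name": name,
        "monitor_type": "query_level_monitor",
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {"indices": [INDEX_PATTERN], "query": query}}],
        "triggers": [{
            "name": f"{name}-trigger",
            "severity": "1",
            # Fire whenever the search returned at least one matching event.
            "condition": {"script": {
                "source": "ctx.results[0].hits.total.value > 0",
                "lang": "painless"}},
            "actions": [{
                "name": f"{name}-notify",
                "destination_id": destination_id,
                "subject_template": {"source": "Audit Trails alert: {{ctx.monitor.name}}",
                                     "lang": "mustache"},
                "message_template": {"source": "{{ctx.results.0.hits.total.value}} matching "
                                               "event(s) between {{ctx.periodStart}} and "
                                               "{{ctx.periodEnd}}",
                                     "lang": "mustache"},
                "throttle_enabled": False,
            }],
        }],
    }


def monitor_json(*args: Any, **kwargs: Any) -> str:
    """Serialized definition ready to paste into the monitor creation window."""
    return json.dumps(build_monitor(*args, **kwargs), indent=2)


def event_matches(event: dict[str, Any], event_types: list[str],
                  exclude_subject_types: list[str]) -> bool:
    """The same predicate as build_query, evaluated on one document locally."""
    if event.get("event_type") not in event_types:
        return False
    subject_type = event.get("authentication", {}).get("subject_type")
    return subject_type not in exclude_subject_types


def count_matching(events: list[dict[str, Any]], event_types: list[str],
                   exclude_subject_types: list[str]) -> int:
    return sum(event_matches(e, event_types, exclude_subject_types) for e in events)


# Constructed sample events in the assumed Audit Trails shape.
SAMPLE_EVENTS = [
    {"event_type": "yandex.cloud.audit.iam.DeleteServiceAccount",
     "event_time": "2024-01-01T10:00:00Z",
     "authentication": {"subject_type": "FEDERATED_USER_ACCOUNT", "subject_name": "alice@example.com"}},
    {"event_type": "yandex.cloud.audit.iam.DeleteServiceAccount",      # automation, excluded
     "event_time": "2024-01-01T10:00:05Z",
     "authentication": {"subject_type": "SERVICE_ACCOUNT", "subject_name": "ci-deployer"}},
    {"event_type": "yandex.cloud.audit.compute.StartInstance",         # not sensitive
     "event_time": "2024-01-01T10:00:09Z",
     "authentication": {"subject_type": "FEDERATED_USER_ACCOUNT", "subject_name": "bob@example.com"}},
]

if __name__ == "__main__":
    print(monitor_json("audittrails-iam", SENSITIVE_EVENT_TYPES, "dest-placeholder"))
    print("events that would fire:", count_matching(SAMPLE_EVENTS, SENSITIVE_EVENT_TYPES, ["SERVICE_ACCOUNT"]))
```

Excluding SERVICE_ACCOUNT subjects keeps routine automation out of the alert; tune the event_types list and the exclusion to your environment, and give the monitor user read access to audittrails* only.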
Feel free to adapt this setup to your needs, and contact us if you have any questions or concerns.
Head of the Security & Compliance Product Architecture Team.