Get started
Yandex Audit Trails

Audit log

Written by

An audit log stores a JSON object with events that occurred to Yandex Cloud resources.

Log entry format is universal for any event. The values of some fields are determined both by the source resource and the event type.

An event object is the service resource that the operation is performed with. An event subject is an account on behalf of which the operation is performed.

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "error": {
    "code": number,
    "message": string,
    "details": {
      object
    }
  },
  "details": {
    object
  }
}
Field Description
event_id string
Event ID.
event_source string
Name of the service that is the event source.
event_type string
Event type. Determined by the event source service. For more information, see Event reference.
event_time string
The time the event occurred.
authentication object
Authentication data of the event subject.
authentication.authenticated boolean
Authentication result. Possible values:
  • true: Authentication is successful.
  • false: Authentication failed.
authentication.subject_type string
Subject type. Possible values:
  • YANDEX_PASSPORT_USER_ACCOUNT: A Yandex account.
  • SERVICE_ACCOUNT: A service account.
  • FEDERATED_USER_ACCOUNT: A federated account.
authentication.subject_id string
Subject ID.
authentication.subject_name string
Subject name.
authorization object
Authorization data of the event subject.
authorization.authorized boolean
Authorization result. Possible values:
  • true: Authorization is successful.
  • false: Authorization failed.
resource_metadata object
Metadata of the event object.
resource_metadata.path[] array
The path to the resource where the event occurred.
resource_metadata.path[].resource_type string
Resource type.
resource_metadata.path[].resource_id string
Resource ID.
resource_metadata.path[].resource_name string
Resource name.
request_metadata object
Details of a query triggering the event.
request_metadata.remote_address string
IP address of an event subject.
request_metadata.user_agent string
User-agent of an event subject.
request_metadata.request_id string
Query ID.
event_status string
Event status. Determined by the source service and the event type. Possible values:
  • STARTED: The operation started.
  • ERROR: The operation failed.
  • DONE: The operation completed successfully.
  • CANCELLED: The operation is canceled.
error object
Status error. google.rpc.Status object:
details object
Event details. Determined by the source service and the event type.

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

  • If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
  • If the destination object is a log group, the message includes a single JSON object of the audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object prefix>/<trail ID>/<year>/<month>/<file_name.json>

Log group entry

Values of log group entries:

  • Time: The value of event_time of the event.
  • JSON: The JSON object of the event.
  • Level: Calculated depending on the value of event_status of the event:
    • ERROR: For the ERROR value.
    • WARN: For the CANCELLED value.
    • INFO: For all other cases.
  • Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name.
In this article: