© 2022 Yandex.Cloud LLC
Yandex Audit Trails
Audit log

Written by
Yandex.Cloud

An audit log stores a JSON object with events that occurred on Yandex Cloud resources.

The log entry format is the same for every event. The values of some fields depend on both the source resource and the event type.

An event object is the service resource on which the operation is performed. An event subject is the account on whose behalf the operation is performed.

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "details": {
    object
  }
}
Field Description
event_id string
Event ID.
event_source string
Name of the event source service.
event_type string
Event type. Determined by the event source service. For more information, see Event reference.
event_time string
The time the event occurred.
authentication object
Authentication data of the event subject.
authentication.authenticated boolean
Authentication result. Possible values:
  • true: Authentication successful.
  • false: Authentication failed.
authentication.subject_type string
Subject type. Possible values:
  • YANDEX_PASSPORT_USER_ACCOUNT: A Yandex account.
  • SERVICE_ACCOUNT: A service account.
  • FEDERATED_USER_ACCOUNT: A federated account.
authentication.subject_id string
Subject ID.
authentication.subject_name string
Subject name.
authorization object
Authorization data of the event subject.
authorization.authorized boolean
Authorization result. Possible values:
  • true: Authorization successful.
  • false: Authorization failed.
resource_metadata object
Metadata of the event object.
resource_metadata.path[] array
The path to the resource where the event occurred.
resource_metadata.path[].resource_type string
Resource type.
resource_metadata.path[].resource_id string
Resource ID.
resource_metadata.path[].resource_name string
Resource name.
request_metadata object
Details of the request that triggered the event.
request_metadata.remote_address string
IP address of the event subject.
request_metadata.user_agent string
User agent of the event subject.
request_metadata.request_id string
Request ID.
event_status string
Event status. Determined by the source service and the event type. Possible values:
  • STARTED: Operation started.
  • ERROR: Operation failed.
  • DONE: Operation successful.
  • CANCELLED: Operation canceled.
details object
Event details. Determined by the source service and the event type.

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

  • If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
  • If the destination object is a log group, the message includes a single JSON object of the audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object prefix>/<trail ID>/<year>/<month>/<file_name.json>

Log group entry

Values of log group entries:

  • Time: The value of event_time of the event.
  • JSON: The JSON object of the event.
  • Level: Calculated depending on the value of event_status of the event:
    • ERROR: For the ERROR value.
    • WARN: For the CANCELLED value.
    • INFO: For all other cases.
  • Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name.
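
The following is an added example, not code from Yandex Cloud: a reader that accepts both delivery formats described above (a bucket file with an array of events, or a log group entry with one event), derives the entry level from event_status, and marks events where authentication or authorization failed. All sample events, IDs, type names and addresses are constructed placeholders, and treating a missing authenticated or authorized field as "not flagged" is an assumption.

```python
import json

def log_level(event):
    """Level of a log group entry, derived from event_status as the page describes."""
    return {"ERROR": "ERROR", "CANCELLED": "WARN"}.get(event.get("event_status"), "INFO")

def load_events(message):
    """Bucket file -> array of event objects; log group entry -> one event object."""
    data = json.loads(message)
    if isinstance(data, dict):
        return [data]
    if isinstance(data, list) and all(isinstance(e, dict) for e in data):
        return data
    raise ValueError("expected a JSON object or an array of JSON objects")

def triage(message):
    """One summary row per event; 'denied' marks a failed authentication or authorization."""
    rows = []
    for ev in load_events(message):
        authn = ev.get("authentication") or {}
        authz = ev.get("authorization") or {}
        path = (ev.get("resource_metadata") or {}).get("path") or []
        rows.append({
            "event_id": ev.get("event_id"),
            "level": log_level(ev),
            "subject": f"{authn.get('subject_type')}:{authn.get('subject_id')}",
            "resource": "/".join(f"{p.get('resource_type')}:{p.get('resource_id')}" for p in path),
            "remote_address": (ev.get("request_metadata") or {}).get("remote_address"),
            # Assumption: only an explicit false counts; a missing field is not flagged.
            "denied": authn.get("authenticated") is False or authz.get("authorized") is False,
        })
    return rows

# Constructed sample data (not real events); IDs, types and addresses are placeholders.
def _event(eid, status, authorized=True):
    return {"event_id": eid, "event_source": "example-source", "event_type": "example.Event",
            "event_time": "2022-01-01T00:00:00Z",
            "authentication": {"authenticated": True, "subject_type": "SERVICE_ACCOUNT",
                               "subject_id": "sa-1", "subject_name": "example-sa"},
            "authorization": {"authorized": authorized},
            "resource_metadata": {"path": [
                {"resource_type": "type-a", "resource_id": "id-1", "resource_name": "a"},
                {"resource_type": "type-b", "resource_id": "id-2", "resource_name": "b"}]},
            "request_metadata": {"remote_address": "192.0.2.10", "user_agent": "example-agent",
                                 "request_id": "req-" + eid},
            "event_status": status, "details": {}}

BUCKET_FILE = json.dumps([_event("e1", "DONE"), _event("e2", "ERROR", authorized=False),
                          _event("e3", "CANCELLED")])
LOG_GROUP_ENTRY = json.dumps(_event("e4", "STARTED"))
```

Rows with denied set to true or a level of ERROR are the natural starting point when forwarding these events to a SIEM or an alerting rule.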
