Audit log
An audit log stores a JSON object describing events that occurred to Yandex Cloud resources.
The log entry format is the same for every event. The values of some fields depend on both the source resource and the event type.
The event object is the service resource the operation is performed on. The event subject is the account on whose behalf the operation is performed.
Data schema
{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "details": {
    object
  }
}
Field | Type | Description |
---|---|---|
event_id | string | Event ID. |
event_source | string | Name of the event source service. |
event_type | string | Event type. Determined by the event source service. For more information, see Event reference. |
event_time | string | The time the event occurred. |
authentication | object | Authentication data of the event subject. |
authentication.authenticated | boolean | Authentication result. Possible values: |
authentication.subject_type | string | Subject type. Possible values: |
authentication.subject_id | string | Subject ID. |
authentication.subject_name | string | Subject name. |
authorization | object | Authorization data of the event subject. |
authorization.authorized | boolean | Authorization result. Possible values: |
resource_metadata | object | Metadata of the event object. |
resource_metadata.path[] | array | The path to the resource where the event occurred. |
resource_metadata.path[].resource_type | string | Resource type. |
resource_metadata.path[].resource_id | string | Resource ID. |
resource_metadata.path[].resource_name | string | Resource name. |
request_metadata | object | Details of the request that triggered the event. |
request_metadata.remote_address | string | IP address of the event subject. |
request_metadata.user_agent | string | User-agent of the event subject. |
request_metadata.request_id | string | Request ID. |
event_status | string | Event status. Determined by the source service and the event type. Possible values: |
details | object | Event details. Determined by the source service and the event type. |
Audit log format
Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:
- If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
- If the destination object is a log group, the message includes a single JSON object of the audit log.
Audit log file in a bucket
Below is the template for the full name of an audit log file in a bucket:
<object prefix>/<trail ID>/<year>/<month>/<file_name.json>
Log group entry
Values of log group entries:
- Time: The value of event_time of the event.
- JSON: The JSON object of the event.
- Level: Calculated depending on the value of event_status of the event:
  - ERROR: For the ERROR value.
  - WARN: For the CANCELLED value.
  - INFO: For all other cases.
- Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name.
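The following is an added example, not code from Yandex Cloud: a small triage routine that accepts either message shape described above (a bucket file holding an array, or a log group entry holding one object), derives the entry level from event_status, and flags events whose authentication or authorization result is not true. The function names, the sample events and the DONE status are assumptions made for illustration.

```python
import json

# Level mapping from the "Log group entry" section; every other status maps to INFO.
LEVELS = {"ERROR": "ERROR", "CANCELLED": "WARN"}

def load_events(message):
    """Bucket file = JSON array of events; log group entry = one JSON object."""
    data = json.loads(message)
    events = data if isinstance(data, list) else [data]
    if not all(isinstance(e, dict) for e in events):
        raise ValueError("audit log message must contain JSON objects")
    return events

def triage(message):
    """One row per event: ID, level, subject, source IP, resource path, review flags."""
    rows = []
    for ev in load_events(message):
        authn = ev.get("authentication") or {}
        authz = ev.get("authorization") or {}
        path = (ev.get("resource_metadata") or {}).get("path") or []
        flags = []
        # Assumption: a missing or non-true result is flagged for review (fail closed).
        if authn.get("authenticated") is not True:
            flags.append("unauthenticated")
        if authz.get("authorized") is not True:
            flags.append("unauthorized")
        rows.append({
            "event_id": ev.get("event_id"),
            "level": LEVELS.get(ev.get("event_status"), "INFO"),
            "subject": authn.get("subject_name"),
            "remote_address": (ev.get("request_metadata") or {}).get("remote_address"),
            "resource": "/".join(f"{p.get('resource_type')}:{p.get('resource_id')}" for p in path),
            "flags": flags,
        })
    return rows

# Constructed sample data: IDs, names, types and the DONE status are placeholders.
def sample_event(event_id, status, authorized, authenticated=True):
    return {"event_id": event_id, "event_type": "example.ExampleEvent", "event_status": status,
            "authentication": {"authenticated": authenticated, "subject_name": "alice"},
            "authorization": {"authorized": authorized},
            "resource_metadata": {"path": [{"resource_type": "example.folder", "resource_id": "f1"}]},
            "request_metadata": {"remote_address": "192.0.2.10"}}

BUCKET_FILE = json.dumps([sample_event("e1", "DONE", True), sample_event("e2", "ERROR", False),
                          sample_event("e3", "CANCELLED", True)])
LOG_GROUP_ENTRY = json.dumps(sample_event("e4", "DONE", True, authenticated=False))

if __name__ == "__main__":
    for row in triage(BUCKET_FILE) + triage(LOG_GROUP_ENTRY):
        print(row)
```

Flagging a missing authenticated or authorized field, rather than treating it as success, keeps malformed or truncated entries visible during review.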