Audit log

Written by

Data schema
Audit log format
- Audit log file in a bucket
- Log group entry

An audit log stores a JSON object with events that occurred to Yandex Cloud resources.

Log entry format is universal for any event. The values of some fields are determined both by the source resource and the event type.

An event object is the service resource that the operation is performed with. An event subject is an account on behalf of which the operation is performed.

Data schema

{
  "event_id": string,
  "event_source": string,
  "event_type": string,
  "event_time": string,
  "authentication": {
    "authenticated": boolean,
    "subject_type": string,
    "subject_id": string,
    "subject_name": string
  },
  "authorization": {
    "authorized": boolean
  },
  "resource_metadata": {
    "path": [{
      "resource_type": string,
      "resource_id": string,
      "resource_name": string
    }]
  },
  "request_metadata": {
    "remote_address": string,
    "user_agent": string,
    "request_id": string
  },
  "event_status": string,
  "details": {
    object
  }
}

Field	Description
`event_id`	string Event ID.
`event_source`	string Name of the event source service.
`event_type`	string Event type. Determined by the event source service. For more information, see Event reference.
`event_time`	string The time the event occurred.
`authentication`	object Authentication data of the event subject.
`authentication.authenticated`	boolean Authentication result. Possible values: `true`: Authentication successful. `false`: Authentication failed.
`authentication.subject_type`	string Subject type. Possible values: `YANDEX_PASSPORT_USER_ACCOUNT`: A Yandex account. `SERVICE_ACCOUNT`: A service account. `FEDERATED_USER_ACCOUNT`: A federated account.
`authentication.subject_id`	string Subject ID.
`authentication.subject_name`	string Subject name.
`Authorization`	object Authorization data of the event subject.
`authorization.authorized`	boolean Authorization result. Possible values: `true`: Authorization successful. `false`: Authorization failed.
`resource_metadata`	object Metadata of the event object.
`resource_metadata.path[]`	array The path to the resource where the event occurred.
`resource_metadata.path[].resource_type`	string Resource type.
`resource_metadata.path[].resource_id`	string Resource ID.
`resource_metadata.path[].resource_name`	string Resource name.
`request_metadata`	object Details of a query triggering the event.
`request_metadata.remote_address`	string IP address of an event subject.
`request_metadata.user_agent`	string User-agent of an event subject.
`request_metadata.request_id`	string Query ID.
`event_status`	string Event status. Determined by the source service and the event type. Possible values: `STARTED`: Operation started. `ERROR`: Operation failed. `DONE`: Operation successful. `CANCELLED`: Operation canceled.
`details`	object Event details. Determined by the source service and the event type.

Audit log format

Depending on the destination object (a bucket or log group), the message used by Audit Trails to transmit audit logs has a different structure and content:

If the destination object is a bucket, the message is a file containing an array of JSON objects of the audit log.
If the destination object is a log group, the message includes a single JSON object of the audit log.

Audit log file in a bucket

Below is the template for the full name of an audit log file in a bucket:

<object prefix>/<trail ID>/<year>/<month>/<file_name.json>

Log group entry

Values of log group entries:

Time: The value of event_time of the event.
JSON: The JSON object of the event.
Level: Calculated depending on the value of event_status of the event:
- ERROR: For the ERROR value.
- WARN: For the CANCELLED value.
- INFO: For all other cases.
Message: Includes the values of the event_status, event_type, subject_name, cloud_name, and resource_name.

Audit log

Data schema

Audit log format

Audit log file in a bucket

Log group entry

Was the article helpful?