Trail
A trail is an Audit Trails resource for collecting and delivering audit logs of Yandex Cloud resources to an Object Storage bucket, a Cloud Logging log group, or a Data Streams data stream.
Audit log collection scope
In the trail settings, you can choose where to collect audit logs from:
- Organization: Audit logs of service resources in selected clouds of the organization in which the trail is located.
- Cloud: Audit logs of service resources that are located in selected folders of the cloud in which the trail is located.
- Folder: Audit logs from the folder hosting the trail.
A trail will collect the audit logs of all the resources found in a specified area, including resources added to this area after the trail was created, and upload them to a bucket, a log group, or a data stream.
If resources are added to the audit log collection scope after a trail is created, the trail will automatically start collecting audit logs for them.
Destination object
Each trail only loads audit logs to a single destination object, such as a bucket, a log group, or a data stream.
When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail writes all the events that occurred in the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.
Audit Trails loads audit logs to log groups in near real time.
The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:
- If the destination object is a bucket, the message is a file containing a JSON object array of the audit log.
- If the destination object is a log group, the message includes only one JSON object of the audit log.
- If the destination object is a data stream, the messages containing JSON objects of the audit log are sent to the stream.
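One way to consume these messages uniformly in a log pipeline, as an added example that is not part of the Audit Trails documentation: it accepts a bucket file (JSON array) or a log group message (single JSON object) and returns one event per object, keeping rejected messages visible instead of dropping them. Handling several whitespace-separated objects in one data stream message, and the `event_id` and `event_type` field names in the constructed samples, are assumptions.

```python
import json
from typing import Iterator

# Constructed samples; field names and values are illustrative assumptions.
BUCKET_FILE = (
    '[{"event_id": "a1", "event_type": "example.CreateThing"},'
    ' {"event_id": "a2", "event_type": "example.DeleteThing"}]'
)
LOG_GROUP_MESSAGE = '{"event_id": "b1", "event_type": "example.UpdateThing"}'
STREAM_MESSAGE = (
    '{"event_id": "c1", "event_type": "example.CreateThing"}\n'
    '{"event_id": "c2", "event_type": "example.DeleteThing"}'
)


def iter_audit_events(payload: str) -> Iterator[dict]:
    """Yield every audit log event (a JSON object) found in one message."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(payload)
    while True:
        # raw_decode does not skip leading whitespace, so do it here.
        while pos < end and payload[pos].isspace():
            pos += 1
        if pos >= end:
            return
        value, pos = decoder.raw_decode(payload, pos)
        # A bucket file is an array of events; other messages carry objects.
        items = value if isinstance(value, list) else [value]
        for item in items:
            if not isinstance(item, dict):
                raise ValueError(f"expected JSON object, got {type(item).__name__}")
            yield item


def normalize(messages: list[str]) -> tuple[list[dict], list[tuple[int, str]]]:
    """Parse messages from any destination; return (events, rejected)."""
    events, rejected = [], []
    for index, payload in enumerate(messages):
        try:
            # list() parses the whole message first, so a message that fails
            # halfway contributes no partial events.
            events.extend(list(iter_audit_events(payload)))
        except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
            rejected.append((index, str(exc)))
    return events, rejected
```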
Trails run independently of one another. Using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.
Trail settings
The trail contains all the audit log settings:
- Name: Required parameter
- Description: Optional parameter
- Destination section:
  - Destination: Values of Object Storage, Cloud Logging, or Data Streams.
  - For the Object Storage value:
    - Bucket: Bucket name
    - Object prefix: Optional parameter used in the full name of the audit log file.
  - For the Cloud Logging value:
    - Log group: Log group name
  - For the Data Streams value:
    - Data stream: Data stream name
- Service account section: Service account to use for uploading audit logs to a bucket, a log group, or a data stream. If the account needs more roles, a warning with a list of roles will show up.
- Collecting events from the configuration level (Control plane) section:
  - Status: Enables/disables the collection of management event audit logs.
  - Resource: Organization, Cloud, or Folder values.
  - For the Organization value:
    - Organization: Name of the current organization. The value is populated automatically.
  - For the Cloud value:
    - Cloud: Name of the cloud hosting the current trail. The value is populated automatically.
    - Folder: Folders for whose resources the trail will collect configuration-level audit logs. If you do not specify any folder, the trail will collect audit logs from all resources in the cloud.
  - For the Folder parameter:
    - Folder: Name of the folder hosting the trail. The value is populated automatically.
- Collecting events from the service level (Data plane) section:
What's next
- Learn more about the audit log format.
- See trail diagnostic logs.
- Learn about events.