Audit log collection scope
In the trail settings, you can choose where to collect audit logs from:
- Organization: Audit logs of all resources in all clouds of the organization.
- Cloud: Audit logs of resources in all folders in a given cloud.
- Individual folders: Audit logs of specific folders in a cloud.
The trail will collect the audit logs of all resources in the specified audit log collection scope, including the resources added to the scope after trail creation, and upload them to a bucket or log group.
If resources are added to the audit log collection scope after a trail is created, the trail will automatically start collecting audit logs for them.
Each trail uploads audit logs only to one destination object: a bucket or a log group.
When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail will record all events that occurred to the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.
Audit Trails loads audit logs to log groups in near real time.
The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:
- If the destination object is a bucket, the message is a file containing a JSON object array of the audit log.
- If the destination object is a log group, the message includes only one JSON object of the audit log.
Each trail runs independently of one another. Using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.
The trail contains all the audit log settings:
- Name: Required parameter.
- Description: Optional parameter.
- Service account: The account on behalf of which audit logs will be uploaded to a bucket or a log group. To determine the available audit log collection scope, the access rights of this account are checked.
- Destination: Object Storage or Cloud Logging.
- For Object Storage:
- Bucket: The name of the bucket.
- Object prefix: An optional parameter used in the full name of the audit log file.
- For Cloud Logging:
- Group: The name of the log group.
- Cloud: The name of the cloud hosting the current trail, must be selected manually.
- Folders: The folders whose resources the trail is going to collect audit logs for. If no folder is specified, the trail collects audit logs for every resource in the cloud.
- Organization: The name of the organization.
A trail can have two statuses:
Statuses indicate the state of the trail itself and have nothing to do with events occurring to resources for which the trail collects audit logs:
active: The trail is running and collecting audit logs from the resources in scope.
error: There might be issues with the trail's destination objects or the trail itself.