© 2023 Yandex.Cloud LLC

Searching for Yandex Cloud events in Yandex Query

Written by
Yandex Cloud
  • Before you begin
  • Required paid resources
  • Prepare the environment
    • Create a bucket for audit logs
    • Create service accounts
    • Assign rights to service accounts
  • Create a trail
  • Create a connection between a trail and YQ
  • Execute a query to logs in Object Storage
  • How to delete created resources

Audit Trails support is integrated in Yandex Query. You can analyze events of Yandex Cloud resources by executing analytical and streaming YQL queries.

You can execute analytical queries for logs stored in a bucket and streaming queries for logs stored in a Yandex Data Streams data stream.

To connect a bucket with audit logs to Yandex Query and execute YQL queries:

  1. Prepare the environment.
  2. Create a connection between a trail and YQ.
  3. Execute a query to logs in Object Storage.

If you no longer need these resources, delete them.

Before you begin

Before working, you need to register in Yandex Cloud and create a billing account:

  1. Go to the management console. Then log in to Yandex Cloud or sign up if you don't already have an account.
  2. On the billing page, make sure you linked a billing account, and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

If you have an active billing account, you can create or select a folder to run your VM in from the Yandex Cloud page.

Learn more about clouds and folders.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

Required paid resources

The cost of infrastructure support includes a fee for a bucket (see Pricing for Object Storage).

Prepare the environment

Create a bucket for audit logs

Management console
  1. In the management console, select the folder where you wish to create a bucket, for example, example-folder.
  2. Select Object Storage.
  3. Click Create bucket.
  4. On the bucket creation page:
    • Enter the Name: bucket-yq.
    • For the other parameters, leave the default settings.
  5. Click Create bucket.

Create service accounts

Create a service account named trail-sa:

Management console
  1. In the management console, go to the example-folder folder.
  2. Go to the Service accounts tab.
  3. Click Create service account.
  4. Enter the Name: trail-sa.
  5. Click Create.

Use the same method to create a service account named bucket-yq-sa.

Assign rights to service accounts

Assign the audit-trails.viewer and storage.uploader roles to the trail-sa service account:

CLI
  1. The audit-trails.viewer role to the organization:

    yc organization-manager organization add-access-binding \
        --role audit-trails.viewer \
        --id <organization_ID> \
        --service-account-id <trail-sa_service_account_ID>


    Result:

    done (1s)
    

    For more information about the yc organization-manager organization add-access-binding command, see the CLI reference.

  2. The storage.uploader role to example-folder:

    yc resource-manager folder add-access-binding example-folder \
        --role storage.uploader \
        --subject serviceAccount:<trail-sa_service_account_ID>
    

    Result:

    done (1s)
    

    For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

Assign the bucket-yq-sa service account the storage.viewer role to example-folder:

CLI
yc resource-manager folder add-access-binding example-folder \
    --role storage.viewer \
    --subject serviceAccount:<bucket-yq-sa_service_account_ID>

Result:

done (1s)

For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.

Create a trail

Management console
  1. In the management console, select the example-folder folder.
  2. Select Audit Trails.
  3. Click Create trail and specify:
    • Name: logsyq.
    • Resource: Select Organization.
    • Organization: An automatically populated field containing the name of the current organization.
    • Destination: Object Storage.
    • Bucket: bucket-yq.
    • Service account: trail-sa.
    • For the other parameters, leave the default settings.
  4. Click Create.

Create a connection between a trail and YQ

A connection only needs to be created the first time a trail is connected to YQ.

Management console
  1. In the management console, select the example-folder folder.
  2. Select Audit Trails.
  3. Select the logsyq trail.
  4. Click Process in YQ.
  5. Create a connection.
    • Select Service account: bucket-yq-sa.
    • For the other parameters, leave the default settings.
  6. Click Create.
  7. In the window with data binding options, click Create.

This takes you to the page for creating queries against the trail's logs.

Execute a query to logs in Object Storage

Open the page for creating an analytical query against Audit Trails logs:

Management console
  1. In the management console, select a folder with a trail.
  2. In the list of services, select Audit Trails.
  3. Select the trail for which a connection to YQ is configured.
  4. Click Process in YQ to go to the analytical query execution page.

Execute event queries against the audit-trails-logsyq-object_storage binding:

  1. Deleting a folder:

    1. From the list, select query 1. Find out who deleted a folder.

    2. Edit the query by specifying the folder ID:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.resourcemanager.DeleteFolder'
          and JSON_VALUE(data, "$.details.folder_name") = '<folder_ID>'
          LIMIT 100;
      
    3. Click Execute.

  2. Enabling access via the serial console:

    1. From the list, select query 6. Changing a VM: Adding access to the serial console.

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.compute.UpdateInstance'
          and JSON_VALUE(data, "$.details.metadata_serial_port_enable") = '1'
          LIMIT <number_of_records>;
      
    3. Click Execute.

  3. Changing access rights to an Object Storage bucket:

    1. From the list, select query 11. Suspicious activities with the Audit Trails log repository (Object Storage Bucket).

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          (JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.storage.BucketAclUpdate'
          or JSON_VALUE(data, "$.event_type") = 'yandex.cloud.audit.storage.BucketPolicyUpdate')
          LIMIT <number_of_records>;
      
    3. Click Execute.

  4. Assigning administrator rights:

    1. From the list, select query 20. Assigning admin rights (for resources: folder, cloud).

    2. Edit the query by specifying the number of displayed records:

      SELECT * FROM bindings.`audit-trails-logsyq-object_storage`
      WHERE
          JSON_VALUE(data, "$.details.access_binding_deltas.access_binding.role_id") = 'admin'
          LIMIT <number_of_records>;
      
    3. Click Execute.
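As an added example that is not part of the original article, the four YQL predicates above are rewritten in Python so they can be tested offline against a handful of constructed audit records before being run in YQ. The sample records, and the event types, bucket and role names in them, are constructed rather than real Audit Trails output, and the json_value helper is an assumed stand-in for YQL's JSON_VALUE (dotted paths only, no array indexing).

```python
import json

# Constructed sample audit records, one JSON object per line (not real Audit
# Trails output); only the fields the page's queries inspect are populated.
SAMPLE_LOG = """\
{"event_type": "yandex.cloud.audit.resourcemanager.DeleteFolder", "details": {"folder_name": "b1gexample-folder"}}
{"event_type": "yandex.cloud.audit.compute.UpdateInstance", "details": {"metadata_serial_port_enable": "1"}}
{"event_type": "yandex.cloud.audit.compute.UpdateInstance", "details": {"metadata_serial_port_enable": "0"}}
{"event_type": "yandex.cloud.audit.storage.BucketAclUpdate", "details": {"bucket_name": "bucket-yq"}}
{"event_type": "yandex.cloud.audit.storage.BucketPolicyUpdate", "details": {"bucket_name": "bucket-yq"}}
{"event_type": "yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings", "details": {"access_binding_deltas": {"access_binding": {"role_id": "admin"}}}}
{"event_type": "yandex.cloud.audit.resourcemanager.UpdateFolderAccessBindings", "details": {"access_binding_deltas": {"access_binding": {"role_id": "viewer"}}}}
"""

def json_value(record, path):
    """Mimic YQL JSON_VALUE for a "$.a.b" path: scalar as string, or None (NULL) if missing."""
    node = record
    for key in path.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return None if isinstance(node, (dict, list)) else str(node)

# The page's four queries as predicates over one parsed record; `p` carries the
# placeholders the reader fills in by hand in the console (e.g. <folder_ID>).
RULES = {
    "delete_folder": lambda r, p: (
        json_value(r, "$.event_type") == "yandex.cloud.audit.resourcemanager.DeleteFolder"
        and json_value(r, "$.details.folder_name") == p.get("folder_id")),
    "serial_console_enabled": lambda r, p: (
        json_value(r, "$.event_type") == "yandex.cloud.audit.compute.UpdateInstance"
        and json_value(r, "$.details.metadata_serial_port_enable") == "1"),
    "bucket_access_changed": lambda r, p: json_value(r, "$.event_type") in (
        "yandex.cloud.audit.storage.BucketAclUpdate",
        "yandex.cloud.audit.storage.BucketPolicyUpdate"),
    "admin_granted": lambda r, p: json_value(
        r, "$.details.access_binding_deltas.access_binding.role_id") == "admin",
}

def run_rule(log_text, rule, limit=100, **params):
    """Apply one rule to a JSON-lines log; `limit` mirrors the query's LIMIT clause."""
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    matches = [r for r in records if RULES[rule](r, params)]
    return matches[:limit]

if __name__ == "__main__":
    for name in RULES:
        print(name, len(run_rule(SAMPLE_LOG, name, folder_id="b1gexample-folder")))
```

To check a real export, point run_rule at the JSON-lines content of a log object downloaded from bucket-yq instead of SAMPLE_LOG.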

How to delete created resources

If you created a separate bucket to follow these instructions, you can delete it to stop paying for bucket use.
