Get started
Yandex Audit Trails

Searching for Yandex Cloud events in Object Storage

Written by

Getting started

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.
  2. Mount a bucket with audit logs to your file system using s3fs or goofys.
  3. Install the jq utility to search through data in JSON format.

  1. To search through multiple files, use the find command. As a command-line argument, enter the path to the mount directory of the audit log bucket or to its subdirectory with logs for a certain month or day.

    Example command to search events by type:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select( .event_type == "yandex.cloud.audit.iam.CreateServiceAccount")'

  2. To find out who deleted a folder from the cloud, search by the eventType (event type) field across all files for the period, filtering by the folder ID:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select( .event_type == "yandex.cloud.audit.resourcemanager.DeleteFolder" and .details.folder_id == "<folder ID>") | .authentication'

  3. To find out who created/stopped/restarted/deleted a VM instance, search by the eventType field in all files for the period, filtering by the VM instance ID:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select((.event_type | test("yandex\\.cloud\\.audit\\.compute\\..*Instance")) and .details.instance_id == "<VM instance ID>") | .authentication'

  4. To find out what actions a user performed over a period of time, search by the subject ID:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.authentication.subject_id == "<user ID>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'

    You can also search by the subject name:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.authentication.subject_name == "<username>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'

  5. To find out which events occurred to objects in a certain folder, search by the folder ID:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_id == "<folder ID>")'

    You can also search by the folder name:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_name == "<folder name>")'

See also

In this article: