© 2023 Intertech Services AG
Yandex Audit Trails

Searching for Yandex Cloud events in Object Storage

Written by
Yandex Cloud

Getting started

  1. Install and set up s3fs or goofys to mount Object Storage buckets using FUSE.
  2. Mount a bucket with audit logs to your file system using s3fs or goofys.
  3. Install the jq utility to search through data in JSON format.

Search scenarios

  1. To search through multiple files, use the find command. As its first argument, pass the path to the mount directory of the audit log bucket, or to the subdirectory holding the logs for a particular month or day. Each log file is a JSON array, so the jq filter starts with `.[]` to iterate over the events in the file.

    Example command to search events by type:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select( .event_type == "yandex.cloud.audit.iam.CreateServiceAccount")'
    
  2. To find out who deleted a folder from the cloud, search by the event_type field across all files for the period, filtering by the folder ID, and output the authentication block of each matching event:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select( .event_type == "yandex.cloud.audit.resourcemanager.DeleteFolder" and .details.folder_id == "<folder ID>") | .authentication'
    
  3. To find out who created, stopped, restarted, or deleted a VM instance, search by the event_type field (matching all Compute events whose name ends in Instance) across all files for the period, filtering by the VM instance ID:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select((.event_type | test("yandex\\.cloud\\.audit\\.compute\\..*Instance")) and .details.instance_id == "<VM instance ID>") | .authentication'
    
  4. To find out what actions a user performed over a period of time, search by the subject ID. Because event_time is an ISO 8601 string, a plain string comparison against date bounds works in jq:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.authentication.subject_id == "<user ID>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'
    

    You can also search by the subject name:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.authentication.subject_name == "<username>" and .event_time > "2021-03-01" and .event_time < "2021-04-01")'
    
  5. To find out which events affected resources in a certain folder, search the resource_metadata.path array for an entry whose resource_type is resource-manager.folder and whose resource ID matches. The null checks come first because some events carry no resource_metadata:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_id == "<folder ID>")'
    

    You can also search by the folder name:

    find <directory path> -type f -exec cat {} \; | jq '.[] | select(.resource_metadata != null and .resource_metadata.path != null) | select( .resource_metadata.path[] | .resource_type == "resource-manager.folder" and .resource_name == "<folder name>")'
    
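The five searches above all share one shape: walk every file under the mount point, treat each file as a JSON array of events, and filter on a handful of fields (event_type, event_time, authentication, details, resource_metadata.path). The following Python script is an added example, not Yandex Cloud code; it mirrors those jq filters so they can be tested against a constructed sample without a mounted bucket. The directory layout, resource IDs and subject names in the sample are made up, and only the fields named on this page are used.

```python
"""Mirror the page's find + jq audit-log searches in plain Python (added example)."""
import json
import os
import re
import tempfile


def load_events(directory):
    """Walk `directory` like `find <dir> -type f` and yield every event.
    Each file is expected to be a JSON array (jq's `.[]`); walk order is
    sorted so results are deterministic."""
    for root, dirs, files in os.walk(directory):
        dirs.sort()
        for name in sorted(files):
            with open(os.path.join(root, name), encoding="utf-8") as fh:
                data = json.load(fh)
            yield from (data if isinstance(data, list) else [data])


def by_event_type(events, event_type):
    """Scenario 1: events of one type."""
    return [e for e in events if e.get("event_type") == event_type]


def who_deleted_folder(events, folder_id):
    """Scenario 2: .authentication of DeleteFolder events for one folder ID."""
    return [e["authentication"] for e in events
            if e.get("event_type") == "yandex.cloud.audit.resourcemanager.DeleteFolder"
            and (e.get("details") or {}).get("folder_id") == folder_id]


INSTANCE_RE = re.compile(r"yandex\.cloud\.audit\.compute\..*Instance")


def who_touched_instance(events, instance_id):
    """Scenario 3: actors behind any Compute *Instance event on one VM."""
    return [e["authentication"] for e in events
            if INSTANCE_RE.search(e.get("event_type", ""))
            and (e.get("details") or {}).get("instance_id") == instance_id]


def subject_actions(events, start, end, subject_id=None, subject_name=None):
    """Scenario 4: one subject's events with start < event_time < end.
    jq compares the strings lexicographically; that is sound because
    event_time is ISO 8601, so the same plain comparison is used here."""
    out = []
    for e in events:
        auth = e.get("authentication") or {}
        if subject_id is not None and auth.get("subject_id") != subject_id:
            continue
        if subject_name is not None and auth.get("subject_name") != subject_name:
            continue
        if start < e.get("event_time", "") < end:
            out.append(e)
    return out


def events_in_folder(events, folder_id=None, folder_name=None):
    """Scenario 5: events whose resource_metadata.path contains the folder.
    Events without resource_metadata are skipped, like the jq null checks."""
    out = []
    for e in events:
        path = (e.get("resource_metadata") or {}).get("path") or []
        for node in path:
            if node.get("resource_type") != "resource-manager.folder":
                continue
            if (folder_id is not None and node.get("resource_id") == folder_id) or \
               (folder_name is not None and node.get("resource_name") == folder_name):
                out.append(e)
                break
    return out


# Constructed sample: two days of logs, IDs and names are invented.
SAMPLE_FILES = {
    "2021/03/01/events.json": [
        {"event_type": "yandex.cloud.audit.iam.CreateServiceAccount",
         "event_time": "2021-03-01T09:15:00Z",
         "authentication": {"subject_id": "ajeuser1", "subject_name": "alice@example.com"},
         "details": {},
         "resource_metadata": {"path": [{"resource_type": "resource-manager.folder",
                                          "resource_id": "b1gfolder1", "resource_name": "prod"}]}},
        {"event_type": "yandex.cloud.audit.compute.CreateInstance",
         "event_time": "2021-03-01T10:00:00Z",
         "authentication": {"subject_id": "ajeuser2", "subject_name": "bob@example.com"},
         "details": {"instance_id": "fhmvm1"},
         "resource_metadata": {"path": [{"resource_type": "resource-manager.folder",
                                          "resource_id": "b1gfolder1", "resource_name": "prod"}]}},
    ],
    "2021/03/15/events.json": [
        {"event_type": "yandex.cloud.audit.resourcemanager.DeleteFolder",
         "event_time": "2021-03-15T18:30:00Z",
         "authentication": {"subject_id": "ajeuser2", "subject_name": "bob@example.com"},
         "details": {"folder_id": "b1gfolder2"},
         "resource_metadata": {"path": [{"resource_type": "resource-manager.folder",
                                          "resource_id": "b1gfolder2", "resource_name": "staging"}]}},
    ],
    "2021/04/02/events.json": [
        {"event_type": "yandex.cloud.audit.compute.DeleteInstance",
         "event_time": "2021-04-02T08:00:00Z",
         "authentication": {"subject_id": "ajeuser2", "subject_name": "bob@example.com"},
         "details": {"instance_id": "fhmvm1"},
         "resource_metadata": None},
    ],
}


def write_sample_bucket():
    """Materialise the constructed sample on disk, standing in for the mounted bucket."""
    root = tempfile.mkdtemp(prefix="audit-")
    for rel, events in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(events, fh)
    return root


def run_searches(directory):
    """Run all five scenarios over a mount directory and summarise the hits."""
    events = list(load_events(directory))
    return {
        "service_accounts": len(by_event_type(events, "yandex.cloud.audit.iam.CreateServiceAccount")),
        "folder_deleters": [a["subject_name"] for a in who_deleted_folder(events, "b1gfolder2")],
        "vm_actors": [a["subject_id"] for a in who_touched_instance(events, "fhmvm1")],
        "bob_in_march": len(subject_actions(events, "2021-03-01", "2021-04-01", subject_id="ajeuser2")),
        "prod_events": len(events_in_folder(events, folder_name="prod")),
    }


if __name__ == "__main__":
    print(json.dumps(run_searches(write_sample_bucket()), indent=2))
```

Point run_searches at the real mount directory (or a month or day subdirectory, exactly as with find) to run the same queries against live logs; the April DeleteInstance event in the sample shows why the date bounds in scenario 4 matter, since it is attributed to the same subject but falls outside the window.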

See also

  • Audit log
  • Jq documentation
  • s3fs
  • goofys
