Frequently asked questions about audit logs
Why am I not seeing some of the events?
The audit logs service is under active development. Not all products and event types are shown in audit logs yet; support for them is being added gradually.
Why am I not seeing some fields in the logs?
Some fields in the event structure are optional and may not be filled in by every service. A field that carries no information is omitted from the event.
What does "subject_id": "undefined" mean?
It means that the value of the event subject identifier could not be retrieved, either because of a failure or because of how the service that produced the event is built internally. Reserved values such as "undefined" are used for these situations.
For some events, detailed information about the subject is provided in a paired authentication event: an event of type iam.account.init_action is linked to the main event by the request_id field. These events include:
- in the iam service: events related to the account and users;
- in the billing service: events related to the financial signals of the cloud platform and to deferred payment.
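The pairing described above can be applied to an export mechanically. The following is an added example and not code from the Audit Logs service: it joins each main event whose subject_id is "undefined" with the iam.account.init_action event that shares its request_id, and reports the events for which no paired authentication event exists. Only subject_id, request_id and the type iam.account.init_action come from this FAQ; the field names id, type and subject, and the sample export, are constructed assumptions.

```python
"""Join main audit events with their paired iam.account.init_action event via request_id.

Added example, not code from the Audit Logs service. Only subject_id, request_id and the
event type iam.account.init_action are named in the FAQ; the field names "id", "type" and
"subject" and the sample export below are constructed assumptions.
"""
import json
from typing import Dict, List, Tuple

UNDEFINED_SUBJECT = "undefined"              # reserved value: subject_id could not be retrieved
AUTH_EVENT_TYPE = "iam.account.init_action"  # the paired authentication event

# Constructed sample export in JSON Lines form. e2 has no usable subject and shares its
# request_id with the auth event e1; e3 already carries a subject and must stay untouched;
# e4 has no paired auth event at all and must be reported as unresolved.
SAMPLE_EXPORT = """\
{"id": "e1", "type": "iam.account.init_action", "request_id": "r-100", "subject_id": "user-42", "subject": {"name": "alice", "kind": "service_user"}}
{"id": "e2", "type": "billing.deferred_payment.enable", "request_id": "r-100", "subject_id": "undefined"}
{"id": "e3", "type": "iam.user.delete", "request_id": "r-200", "subject_id": "user-7"}
{"id": "e4", "type": "billing.deferred_payment.disable", "request_id": "r-300", "subject_id": "undefined"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse a JSON Lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_auth_events(events: List[Dict]) -> Dict[str, Dict]:
    """Map request_id -> auth event. If several auth events share a request_id, keep the first."""
    index: Dict[str, Dict] = {}
    for ev in events:
        if ev.get("type") == AUTH_EVENT_TYPE and ev.get("request_id"):
            index.setdefault(ev["request_id"], ev)
    return index


def enrich_subjects(events: List[Dict]) -> Tuple[List[Dict], List[str]]:
    """Return (non-auth events with the subject filled from the paired auth event, unresolved ids).

    Events that already carry a real subject_id are copied unchanged. The auth events themselves
    are consumed and not returned, since their information now lives on the main event.
    """
    auth = index_auth_events(events)
    enriched: List[Dict] = []
    unresolved: List[str] = []
    for ev in events:
        if ev.get("type") == AUTH_EVENT_TYPE:
            continue
        out = dict(ev)  # copy so the caller's input is not mutated
        if out.get("subject_id", UNDEFINED_SUBJECT) == UNDEFINED_SUBJECT:
            pair = auth.get(out.get("request_id"))
            if pair is None:
                unresolved.append(out["id"])
            else:
                out["subject_id"] = pair["subject_id"]
                if "subject" in pair:
                    out["subject"] = pair["subject"]
                out["subject_source"] = pair["id"]  # provenance: which event supplied the subject
        enriched.append(out)
    return enriched, unresolved


if __name__ == "__main__":
    done, missing = enrich_subjects(parse_events(SAMPLE_EXPORT))
    for ev in done:
        print(json.dumps(ev, sort_keys=True))
    print("unresolved:", missing)  # unresolved: ['e4']
```

The subject_source field is kept on the enriched event so that an analyst can later tell which authentication event the subject was taken from; events that stay "undefined" after the join are exactly the ones worth raising with support.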
How do you identify the user?
From the value of the subject_id or resource_id field you can find the details of the user who is the subject or the resource of the logged event: full name, email and phone number (for control panel users) or the service user name.
- In the control panel, on the top menu, click Account.
- Go to the Users section.
- Enter the value of the subject_id or resource_id field of the user from the action log in the search.
- If no information is found, go to Service Users and enter the same value in the search.
- If the information is still not found, create a ticket.
How do I set up integration with a SIEM system?
You can set up the integration using the Audit Logs API of our Audit Logs service. With it, the SIEM system can regularly download events in JSON or CSV format.
- In the SIEM system, or via an intermediate script, configure regular requests to the API for periodic uploads:
  - set an interval, for example every five minutes or every hour;
  - filter the upload by events, services, or projects.
- Select the upload format:
  - JSON, recommended for automatic processing;
  - CSV, for import into spreadsheet applications.
- Configure delivery of the logs to the SIEM. The downloaded logs can be sent to the SIEM:
  - via built-in connectors, if the SIEM supports ingest by API or from a file;
  - via syslog agents, if the logs need converting to the format the SIEM expects;
  - via a buffer, for example an intermediate parser or queue.
How do I export only the logs I need?
A single export contains at most 1000 rows.
To export only the events you want, use the filters:
- by date and time;
- by project;
- by service (the available services are listed in the event list);
- by event type (the available event types are listed in the event list).
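The periodic polling from the SIEM section above, the 1000-row export limit and the filters listed here come together in one intermediate script. The block below is an added example and is not code from the Audit Logs service or this FAQ: it pages through exports 1000 rows at a time, keeps a checkpoint between polls with a small overlap and an id-based dedup set, applies the project/service/event filters, and writes JSON Lines for the SIEM to ingest. The query parameter names (from, to, offset, limit, project, service, event), the id and time fields, the in-memory fake API and the sample events are all assumptions; in a real deployment replace make_fake_api with an HTTP client for the API.

```python
"""Poll the Audit Logs API on a schedule and forward the events to a SIEM as JSON Lines.

Added example; not code from the Audit Logs service or its documentation. The FAQ states only
that the API returns JSON or CSV, that one export holds at most 1000 rows, and that exports can
be filtered by date/time, project, service and event. The query parameter names, the "id" and
"time" fields and the in-memory fake API below are assumptions for illustration.
"""
import json
import time
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

MAX_ROWS = 1000  # documented upper bound for a single export

Fetcher = Callable[[Dict[str, object]], List[Dict]]  # query params -> one page of events


def pull_window(fetch: Fetcher, since: datetime, until: datetime,
                filters: Optional[Dict[str, str]] = None) -> List[Dict]:
    """Download every event with since <= time < until, paging in MAX_ROWS-sized exports."""
    events: List[Dict] = []
    offset = 0
    while True:
        params = {"from": since.isoformat(), "to": until.isoformat(),
                  "offset": offset, "limit": MAX_ROWS, **(filters or {})}
        page = fetch(params)
        events.extend(page)
        if len(page) < MAX_ROWS:  # a short page is the last page
            return events
        offset += MAX_ROWS


class Poller:
    """Periodic puller with a time checkpoint and an id-based dedup set, so that the overlap
    re-read on every poll (tolerating late-arriving events) never delivers an event twice."""

    def __init__(self, fetch: Fetcher, sink: Callable[[str], None],
                 filters: Optional[Dict[str, str]] = None,
                 overlap: timedelta = timedelta(seconds=30),
                 initial_lookback: timedelta = timedelta(hours=1)):
        self.fetch, self.sink, self.filters = fetch, sink, filters
        self.overlap, self.initial_lookback = overlap, initial_lookback
        self.checkpoint: Optional[datetime] = None
        self.seen: Set[str] = set()

    def poll_once(self, now: datetime) -> int:
        """Fetch everything since the checkpoint (minus overlap); return the number of new events."""
        since = (self.checkpoint - self.overlap) if self.checkpoint else now - self.initial_lookback
        new = 0
        for ev in pull_window(self.fetch, since, now, self.filters):
            if ev["id"] in self.seen:
                continue
            self.seen.add(ev["id"])
            self.sink(json.dumps(ev, sort_keys=True))  # one JSON object per line for SIEM ingest
            new += 1
        self.checkpoint = now
        return new

    def run(self, interval_seconds: int, polls: int) -> None:
        """Poll on a fixed interval (the FAQ suggests e.g. every five minutes or every hour)."""
        for _ in range(polls):
            self.poll_once(datetime.now(timezone.utc))
            time.sleep(interval_seconds)


def make_fake_api(events: List[Dict]) -> Fetcher:
    """In-memory stand-in for the API (assumption): honours from/to/offset/limit and the three
    filters, and never returns more than MAX_ROWS rows however large "limit" is."""
    def fetch(params: Dict[str, object]) -> List[Dict]:
        lo, hi = datetime.fromisoformat(str(params["from"])), datetime.fromisoformat(str(params["to"]))
        rows = [e for e in events if lo <= datetime.fromisoformat(e["time"]) < hi]
        for key in ("project", "service", "event"):
            if key in params:
                rows = [e for e in rows if e.get(key) == params[key]]
        rows.sort(key=lambda e: e["time"])
        offset, limit = int(str(params["offset"])), min(int(str(params["limit"])), MAX_ROWS)
        return rows[offset:offset + limit]
    return fetch


START = datetime(2024, 1, 1, tzinfo=timezone.utc)


def constructed_events(n: int) -> List[Dict]:
    """Constructed sample data: one event per second, alternating between two projects."""
    return [{"id": f"ev-{i}", "time": (START + timedelta(seconds=i)).isoformat(),
             "project": "p1" if i % 2 else "p2", "service": "iam", "event": "iam.user.create"}
            for i in range(n)]


def demo() -> Dict[str, int]:
    """Two polls over 2500 constructed events: the first window needs two pages (1000 + 500),
    the second re-reads the 30-second overlap and must not deliver those 30 events again."""
    api = make_fake_api(constructed_events(2500))
    delivered: List[str] = []
    poller = Poller(api, delivered.append)
    first = poller.poll_once(START + timedelta(seconds=1500))
    second = poller.poll_once(START + timedelta(seconds=3000))
    only_p1 = pull_window(api, START, START + timedelta(seconds=2500), {"project": "p1"})
    return {"first": first, "second": second, "total": len(delivered), "p1_only": len(only_p1)}


if __name__ == "__main__":
    print(demo())  # {'first': 1500, 'second': 1000, 'total': 2500, 'p1_only': 1250}
```

Two design points carry over to a real integration: a page shorter than the 1000-row maximum is the only reliable signal that a window has been fully read, so the script keeps requesting pages until it sees one; and because the checkpoint alone would drop events that become visible late, each poll re-reads a short overlap and relies on the event id to suppress duplicates rather than on the timestamp.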