Audit Logs FAQ

Why don't I see some events?

The Audit Logs service is currently in active development. At the moment, not all products and event types are displayed in audit logs — we are adding them gradually.

Why don't I see some fields in the logs?

Some fields in the event structure are optional and may not be filled in by some services. If information is missing from these fields, they are not displayed in the events.

What does "subject_id": "undefined" mean?

This means that the event subject identifier could not be retrieved due to a failure or the internal design of the source services. For such situations, reserved values are used.

In some events, detailed information about the subject is provided in a paired authentication event. The paired event has the type iam.account.init_action and is linked to the main event via the request_id field. Such events include:

  • in the iam service — events related to the account and users;
  • in the billing service — events related to financial signals of the cloud platform and deferred payments.
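
The request_id pairing described above can be applied in an intermediate script before events reach a SIEM; the following is an added example, not code from the service or its documentation. Only subject_id, request_id, the "undefined" value and iam.account.init_action come from this page; the event_type field name, the sample events, and the premise that the paired event's subject_id holds the real subject are assumptions.

```python
import json

PAIRED_TYPE = "iam.account.init_action"  # paired event type named on this page
UNDEFINED = "undefined"                  # reserved subject_id value from this page

# Constructed sample events. The "event_type" key and every value except
# PAIRED_TYPE and "undefined" are assumptions made for this example.
SAMPLE_EVENTS = [
    {"event_type": "iam.example.update", "request_id": "req-1", "subject_id": "undefined"},
    {"event_type": PAIRED_TYPE, "request_id": "req-1", "subject_id": "user-aaa"},
    {"event_type": "billing.example.signal", "request_id": "req-2", "subject_id": "undefined"},
    {"event_type": "iam.example.delete", "request_id": "req-3", "subject_id": "user-bbb"},
    {"event_type": PAIRED_TYPE, "request_id": "req-4", "subject_id": "undefined"},
    {"event_type": "iam.example.create", "request_id": "req-4", "subject_id": "undefined"},
    {"event_type": "iam.example.create", "subject_id": "undefined"},  # no request_id
]


def resolve_subjects(events):
    """Return (enriched, unresolved) without modifying the input events.

    A main event whose subject_id is missing or "undefined" receives the
    subject of the paired event that shares its request_id. Events that
    cannot be resolved are also returned separately for manual review.
    """
    # Pass 1: index usable paired events by request_id.
    subject_by_request = {}
    for ev in events:
        rid, sid = ev.get("request_id"), ev.get("subject_id")
        if ev.get("event_type") == PAIRED_TYPE and rid and sid not in (None, UNDEFINED):
            subject_by_request[rid] = sid

    # Pass 2: enrich main events and record where the subject came from.
    enriched, unresolved = [], []
    for ev in events:
        out = dict(ev)
        is_main = ev.get("event_type") != PAIRED_TYPE
        if is_main and ev.get("subject_id", UNDEFINED) == UNDEFINED:
            resolved = subject_by_request.get(ev.get("request_id"))
            if resolved:
                out["subject_id"] = resolved
                out["subject_source"] = "paired:" + PAIRED_TYPE
            else:
                unresolved.append(out)
        enriched.append(out)
    return enriched, unresolved


if __name__ == "__main__":
    enriched, unresolved = resolve_subjects(SAMPLE_EVENTS)
    print("\n".join(json.dumps(ev) for ev in enriched))
    print(f"{len(unresolved)} event(s) still without a subject")
```

Keeping the subject_source marker lets SIEM rules distinguish a subject reported by the source service from one recovered through correlation.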

How can I identify a user?

By the value of the subject_id or resource_id field, you can find the details of the user who is the subject or resource of the logged event — full name, email, phone number (for users with control panel access), or the name of a service user.

  1. In the control panel, click IAM in the top menu.
  2. Go to the Users section.
  3. Enter the value of the subject_id or resource_id field of the user from the action log in the search bar.
  4. If the information is not found, go to the Service Users section and enter the value in the search bar.
  5. If the information is not found, create a ticket.

How do I set up integration with a SIEM system?

You can configure integration using the Audit Logs API. With it, a SIEM system can regularly download events in JSON or CSV format.

  1. Get an IAM token for your account.

  2. In your SIEM system or via an intermediate script, set up regular API requests to export logs periodically:

    2.1. Set an interval — for example, once every five minutes or every hour.

    2.2. Filter the export by events, services, or projects.

  3. Select an export format:

    • JSON — recommended for automatic processing;
    • CSV — for importing into tabular systems.

  4. Configure log forwarding to your SIEM. You can send the retrieved logs:

    • via built-in connectors, if the SIEM supports ingestion via API or file;
    • using syslog agents, if you need to convert logs into a specific format;
    • using buffers, such as an intermediate parser or a queue.

How can I export specific logs?

You can export logs manually or set up a manual export via API.

To export only the necessary events, you can use filters:

  • by date and time;
  • by projects;
  • by service (available values can be viewed in the event list);
  • by event (available values can be viewed in the event list).