# Yandex Audit Trails overview

Yandex Audit Trails allows you to collect [management event audit logs](events.md) and [data event audit logs](events-data-plane.md) for Yandex Cloud resources and upload them to a [bucket](../../storage/concepts/bucket.md) in Object Storage, [log group](../../logging/concepts/log-group.md) in Cloud Logging, data stream in Data Streams, or [bus](../../serverless-integrations/concepts/eventrouter/bus.md) in Yandex EventRouter:

* [Uploading audit logs to a bucket](../operations/create-trail.md#bucket_1).
* [Uploading audit logs to Cloud Logging](../operations/create-trail.md#logging_1).
* [Uploading audit logs to a data stream](../operations/create-trail.md#data-streams_1).
* [Uploading audit logs to a bus](../operations/create-trail.md#eventrouter_1).

Collecting audit logs enables you to use analytical tools and promptly respond to Yandex Cloud events:

* [Searching for events in audit logs](../tutorials/search-events-audit-logs/index.md).
* [Exporting audit logs to SIEM systems](export-siem.md).
* [Setting up alerts in Yandex Monitoring](../tutorials/alerts-monitoring.md).

The following [management events](events.md) are logged:

* Logins by federated users
* Creating or deleting service accounts
* Creating/deleting keys of service accounts
* Editing user roles and service accounts
* Creating/deleting resources
* Editing resource settings
* Stopping/restarting a resource
* Changing access policies
* Creating/editing security groups
* Actions with encryption keys and secrets

## Current service limits {#known-restrictions}

The audit log does not capture authentication errors. For example, if a user makes an API call without an IAM token, this information will not be included in the audit logs.

The log captures authorization errors. For example, if a user attempts to create a resource without sufficient privileges, the log will include an error message.

The service has [quotas and limits](limits.md).

If you upload audit logs to a log group or a data stream, make sure their size is both within the Audit Trails limits and the [Yandex Cloud Logging](../../logging/concepts/limits.md) and [Yandex Data Streams](../../data-streams/concepts/limits.md) limits. If the limits are exceeded, information in event audit logs that are large in size will be incomplete.

When uploading to Cloud Logging, you may get duplicate events in a [log group](../../logging/concepts/log-group.md). To find duplicates, refer to the unique record ID, `json_payload.event_id`.

We also recommend uploading audit logs to the Object Storage bucket.

{% note info %}

The retention period of audit logs in a trail with the `Error` status is limited. There is no guarantee that logs that are older than 28 days will be delivered once the trail returns to the `Active` status.

{% endnote %}