[Yandex Cloud documentation](../../index.md) > [Yandex Audit Trails](../index.md) > [Concepts](index.md) > Trail

# Trail


A trail is an Audit Trails resource that collects the audit logs of Yandex Cloud resources and writes them to an Object Storage [bucket](../../storage/concepts/bucket.md), Cloud Logging [log group](../../logging/concepts/log-group.md), Data Streams [data flow](../../data-streams/concepts/glossary.md#stream-concepts), or Yandex EventRouter [bus](../../serverless-integrations/concepts/eventrouter/bus.md).

## Audit log collection scope {#collecting-area}

In the trail settings, you can choose where to collect audit logs from:
* Organization: Audit logs of resources of the services in selected clouds of the organization.
* Cloud: Audit logs of resources of the services residing in selected folders of the cloud.
* Folder: Audit logs of the folder.

The trail will collect logs of all the [resources](events.md) within the specified scope, including those added to the scope after the trail was created.

For resources added to the audit log collection scope after the trail was created, collecting audit logs will start automatically.

For [management events](control-plane-vs-data-plane.md#control-plane-events), the collection scope includes all supported [Yandex Cloud services](../../overview/concepts/services.md#list).

For [data events](control-plane-vs-data-plane.md#data-plane-events), the collection scope is configured on a per-service basis.

You can disable collecting all management or data events for any single service or multiple services whenever you need to.

## Pre-installed events {#default}

When creating a trail in the [management console](https://console.yandex.cloud), some [data events](events-data-plane.md) are collected by default. This is done for security in line with the cloud infrastructure protection [standard](../../security/standard/audit-logs.md#audit-trails). If a service is not used, you can disable the events. Delivered events are billed as per the [pricing policy](../pricing.md).

Services for which the sending of events is on by default:

#|
|| **Service** | **Events** ||
|| [Yandex Certificate Manager](../../certificate-manager/at-ref.md#data-plane-events) | All events ||
|| [Yandex Identity and Access Management](../../iam/at-ref.md#data-plane-events) | All events ||
|| [Yandex Key Management Service](../../kms/at-ref.md#data-plane-events) | All events ||
|| [Yandex Lockbox](../../lockbox/at-ref.md#data-plane-events) | All events ||
|| [Yandex Managed Service for MySQL®](../../managed-mysql/at-ref.md#data-plane-events) |
* `yandex.cloud.audit.mdb.mysql.CreateDatabase`
* `yandex.cloud.audit.mdb.mysql.CreateUser`
* `yandex.cloud.audit.mdb.mysql.DeleteDatabase`
* `yandex.cloud.audit.mdb.mysql.DeleteUser`
* `yandex.cloud.audit.mdb.mysql.GrantUserPermission`
* `yandex.cloud.audit.mdb.mysql.RevokeUserPermission`
* `yandex.cloud.audit.mdb.mysql.UpdateUser`
||
|| [Yandex Managed Service for PostgreSQL](../../managed-postgresql/at-ref.md#data-plane-events) |
* `yandex.cloud.audit.mdb.postgresql.CreateDatabase`
* `yandex.cloud.audit.mdb.postgresql.CreateUser`
* `yandex.cloud.audit.mdb.postgresql.DeleteDatabase`
* `yandex.cloud.audit.mdb.postgresql.DeleteUser`
* `yandex.cloud.audit.mdb.postgresql.GrantUserPermission`
* `yandex.cloud.audit.mdb.postgresql.RevokeUserPermission`
* `yandex.cloud.audit.mdb.postgresql.UpdateDatabase`
* `yandex.cloud.audit.mdb.postgresql.UpdateUser`
||
|#

## Destination object {#target}

Each trail uploads audit logs only to a single destination object: bucket, log group, data stream, or bus.

#|
|| **Destination** | **Use for** | **Delay** | **Format** ||
|| Object Storage bucket | Long-term storage and compliance | 5 min | JSON array ||
|| Cloud Logging log group | Real-time monitoring | Seconds | Cloud Logging log stream: one Cloud Logging log entry corresponds to one Audit Trails event ||
|| Data Streams data stream | Integration with SIEM, analytics | Seconds | JSON object stream ||
|| EventRouter bus | Further processing and sending to different [targets](../../serverless-integrations/concepts/eventrouter/rule.md#target) | Seconds | EventRouter event stream: one EventRouter event corresponds to one Audit Trails event ||
|#

Each destination object has its advantages:

* **Object Storage**: Provides long-term storage of large amounts of data for further processing.
* **Cloud Logging**: Helps respond to events and analyze logs in real time.
* **Data Streams**: Enables streaming data to other services and systems.
* **EventRouter**: Processes and sends data to different handlers and systems depending on event types and other conditions.

When uploading audit logs to a bucket, Audit Trails generates audit log files approximately once every 5 minutes. The trail will write all the [events](events.md) that occurred to the cloud resources during that period to one or more files. If no events occurred during the period, no files are generated.

Audit Trails uploads audit logs to a log group, data stream, and bus in near-real time.

The type of destination object determines the structure and content of the message used by Audit Trails to transmit audit logs:
* If the destination object is a bucket, the message is a file containing a [JSON object](format.md#scheme) array of the audit log.
* If the destination object is a log group, the message includes a single JSON object of the audit log.
* If the destination object is a data stream, the messages containing JSON objects of the audit log are sent to the stream.
* If the destination object is a bus, the message includes a single JSON object of the audit log.

{% note info %}

Changing the destination object of an existing trail may result in the loss of some events. To prevent data loss, create a dedicated trail for each destination object.

{% endnote %}

Each trail runs independently of one another. Using multiple trails, you can differentiate access to various log groups for users and services according to your information security policy.

## Trail settings {#trail-settings}

The trail contains all the audit log settings:
* **Name**: Required parameter.
* **Description**: Optional parameter.
* **Destination** section:
    * **Destination**: `Object Storage`, `Cloud Logging`, `Data Streams`, or `EventRouter`.
    * For the `Object Storage` value:
        * **Bucket**: Bucket.
        * **Object prefix**: Optional parameter used in the [full name](format.md#log-file-name) of the audit log file.
        * **Encryption key**: Yandex Key Management Service symmetric [encryption key](../../kms/concepts/key.md) for the bucket.
    * For the `Cloud Logging` value:
        * **Log group**: Log group.
    * For the `Data Streams` value:
        * **Data stream**: Data stream.
        * **Codec**: Event compression method when writing to Data Streams.

            If the event flow write speed in Data Streams is over 1 MB/s, enable compression. This will cut the volume of transmitted data, reduce the risk of [throttling](https://en.wikipedia.org/wiki/Dynamic_frequency_scaling) for individual YDS segments, and improve your flow bandwidth performance.
            
            The compression setting is available when [creating](../operations/create-trail.md) or [modifying](../operations/manage-trail.md) a trail via the CLI, API, or Terraform UI. Available compression methods: `GZIP` ([GNU Zip](https://wikipedia.org/wiki/Gzip)) or `ZSTD` ([Zstandard](https://wikipedia.org/wiki/Zstandard)). There is no compression default (`RAW`).
            
            To read data via the native YDS protocol, additionally enable compression on the YDS reader. The HTTP Kinesis and Apache Kafka® protocols are not supported yet.
    * For the `EventRouter` value:
        * **Connector**: EventRouter bus [connector](../../serverless-integrations/concepts/eventrouter/connector.md) with the `Audit Trails` source type.
* **Service account** section: Service account to use for uploading audit logs to a bucket, a log group, or a data stream. If the account needs more roles, a warning with a list of roles will show up.
* **Collecting management events** section:
    * **Status**: Toggles the collection of management event audit logs.
    * **Resource**: `Organization`, `Cloud`, or `Folder`.
    * For the `Organization` value:
        * **Organization**: Name of the current organization. The value is populated automatically.
    * For the `Cloud` value:
        * **Cloud**: Name of the cloud hosting the current trail. The value is populated automatically.
        * **Folder**: Folders for whose resources the trail will collect management event audit logs. If you do not specify any folder, the trail will collect audit logs from all resources in the cloud.
    * For the `Folder` parameter:
        * **Folder**: Name of the folder hosting the trail. The value is populated automatically.
* **Collecting data events** section:
    * **Status**: Toggles the collection of data event audit logs.
    * List of [services](events-data-plane.md#services), each configured individually for:
        * Data event audit log collection [scope](trail.md#collecting-area).
        * Event filter type:
            * `Receive all`: To receive all events within the service.
            * `Selected`: To only receive the selected events.
            * `Exclude`: To receive all events except for the selected ones.
        * List of [events](events-data-plane.md#dns) is `Selected` or `Exclude` filter type is selected.


## Use cases {#examples}

* [Searching for events in audit logs](../tutorials/search-events-audit-logs/index.md)
* [Configuring dashboards and alerts in Yandex Monitoring](../tutorials/alerts-monitoring.md)
* [Configuring responses in Yandex Cloud Logging and Yandex Cloud Functions](../tutorials/logging-functions.md)
* [Processing Yandex Audit Trails events](../tutorials/audit-trails.md)
* [Exporting audit logs to MaxPatrol SIEM](../tutorials/maxpatrol/index.md)
* [Uploading audit logs to Splunk SIEM](../tutorials/export-logs-to-splunk.md)
* [Uploading audit logs to ArcSight SIEM](../tutorials/export-logs-to-arcsight.md)
* [Uploading audit logs to KUMA SIEM using the management console, CLI, or API](../tutorials/audit-trails-events-to-kuma/console.md)


## What's next {#whats-next}

* Learn more about the [audit log format](format.md).
* See [trail diagnostic logs](diagnostics.md).
* Learn about [events](events.md).