[Yandex Cloud documentation](../../../index.md) > [Tutorials](../../index.md) > [Security](../index.md) > [Exporting audit logs to MaxPatrol SIEM](index.md) > Management console

# Exporting audit logs to MaxPatrol SIEM using the management console or Yandex Cloud CLI


[MaxPatrol SIEM](https://www.ptsecurity.com/ru-ru/products/mpsiem/) enables reading Yandex Cloud [audit logs](../../../audit-trails/concepts/events.md) from a data stream in [Yandex Data Streams](../../../data-streams/index.md). To complete this tutorial, you need access to a MaxPatrol SIEM instance.

To set up audit log export using the management console or Yandex Cloud CLI:

1. [Get your cloud ready](#before-begin).
1. [Set up your environment](#environment-preparing).
1. [Create a trail to send logs to the stream in Data Streams](#create-trail).
1. [In MaxPatrol SIEM, set up a task to collect data from the stream in Data Streams](#configure-maxpatrol).

If you no longer need the resources you created, [delete them](#clear-out).


## Getting started {#before-begin}

Sign up for Yandex Cloud and create a [billing account](../../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../../billing/quickstart/index.md) and [link](../../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../../resource-manager/concepts/resources-hierarchy.md).


### Required paid resources {#paid-resources}

The cost of support for the new infrastructure includes:
* Using a data stream (see [Data Streams pricing](../../../data-streams/pricing.md)).
* Using Yandex Managed Service for YDB in serverless mode (see [Managed Service for YDB pricing](../../../ydb/pricing/serverless.md)).

## Set up your environment {#environment-preparing}

### Create service accounts {#create-sa}

The [trail](../../../audit-trails/concepts/trail.md) will use the `maxpatrol-sa` [service account](../../../iam/concepts/users/service-accounts.md) to collect logs for all your organization's resources and upload them to the specified [data stream](../../../data-streams/concepts/glossary.md#stream-concepts) in Data Streams. MaxPatrol SIEM will use the `maxpatrol-reader-sa` service account to load audit logs from the data stream.

Create a service account in the same folder where you will be creating the trail, e.g., in `example-folder`:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `example-folder`.
  1. Navigate to **Identity and Access Management**.
  1. Click **Create service account**.
  1. In the **Name** field, specify `maxpatrol-sa`.
  1. In the **Roles in the folder** field, click ![plus](../../../_assets/console-icons/plus.svg) **Add role** and select the `yds.writer` [role](../../../data-streams/security/index.md#yds-writer) for the folder.
  1. Click **Create**.

  Repeat these steps to create the `maxpatrol-reader-sa` service account and assign it the `yds.viewer` [role](../../../data-streams/security/index.md#yds-viewer) for the folder.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Create a service account named `maxpatrol-sa`:

      ```bash
      yc iam service-account create \
        --name maxpatrol-sa
      ```

      Result:

      ```text
      done (2s)
      id: ajecq2artiv5********
      folder_id: b1g5bhjofg7o********
      created_at: "2026-03-18T18:29:53Z"
      name: maxpatrol-sa
      ```

  1. Repeat these steps to create the `maxpatrol-reader-sa` service account.

  For more information about the `yc iam service-account create` command, see the [CLI reference](../../../cli/cli-ref/iam/cli-ref/service-account/create.md).

{% endlist %}

### Assign roles to the service accounts {#sa-assign-roles}

Assign the missing roles to the service accounts:

{% list tabs group=instructions %}

- Cloud Center UI {#console}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.

  1. In the left-hand panel, select ![persons-lock](../../../_assets/console-icons/persons-lock.svg) **Access bindings**.
  1. Click **Assign roles** in the top-right corner of the page. In the window that opens, select the `maxpatrol-sa` service account. If required, use the search bar.
  1. Click ![plus](../../../_assets/console-icons/plus.svg) **Add role** and select [`audit-trails.viewer`](../../../audit-trails/security/index.md#at-viewer).
  1. Click **Save**.

- CLI {#cli}

  1. Assign the `yds.writer` [role](../../../data-streams/security/index.md#yds-writer) for `example-folder` to the `maxpatrol-sa` service account:

      ```bash
      yc resource-manager folder add-access-binding example-folder \
        --role yds.writer \
        --subject serviceAccount:<service_account_ID>
      ```

      Where:

      * `--role`: Role to assign.
      * `--subject`: `maxpatrol-sa` service account ID.

  1. Repeat these steps to assign the `yds.viewer` [role](../../../data-streams/security/index.md#yds-viewer) to the `maxpatrol-reader-sa` service account for `example-folder`.

      For more information about the `yc resource-manager folder add-access-binding` command, see the [CLI reference](../../../cli/cli-ref/resource-manager/cli-ref/folder/add-access-binding.md).

  1. Assign the `maxpatrol-sa` service account the `audit-trails.viewer` [role](../../../audit-trails/security/index.md#at-viewer) for the organization:

      ```bash
      yc organization-manager organization add-access-binding \
        --role audit-trails.viewer \
        --id <organization_ID> \
        --service-account-id <service_account_ID>
      ```

      Where:

      * `--role`: Role being assigned.
      * `--id`: [ID](../../../organization/operations/organization-get-id.md) of the organization the service account belongs to.
      * `--service-account-id`: `maxpatrol-sa` service account ID.

      For more information about the `yc organization-manager organization add-access-binding` command, see the [CLI reference](../../../cli/cli-ref/organization-manager/cli-ref/organization/add-access-binding.md).

{% endlist %}

### Create a static access key for MaxPatrol SIEM {#create-static-keys}

MaxPatrol SIEM uses [static access keys](../../../iam/concepts/authorization/access-key.md) to authorize Data Streams queries.

Create a static access key for the `maxpatrol-reader-sa` service account:

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `example-folder`.
  1. Navigate to **Identity and Access Management**.
  1. In the left-hand panel, select ![FaceRobot](../../../_assets/console-icons/face-robot.svg) **Service accounts** and select the `maxpatrol-reader-sa` service account from the list that opens.
  1. In the top panel, click ![plus](../../../_assets/console-icons/plus.svg) **Create new key** and select **Create static access key**.
  1. Enter a description for the key and click **Create**.

  {% note alert %}

  Save the ID and secret key. After you close this dialog, the key value will no longer be available.

  {% endnote %}

- CLI {#cli}

  Run this command:

  ```bash
  yc iam access-key create \
    --service-account-name maxpatrol-reader-sa
  ```

  Result:

  ```text
  access_key:
  id: aje38c5mjq11********
  service_account_id: ajegtlf2q28a********
  created_at: "2026-03-18T17:39:41.851532824Z"
  key_id: YCAJEnmnfsV8GpAMk********
  secret: YCMVxx-n0t8Y6s48zJDdKw9lWMB1iGU-********
  ```

  {% note alert %}

  Save the ID (`key_id`) and secret key (`secret`). You cannot get the secret key again.

  {% endnote %}

  For more information about the `yc iam access-key create` command, see the [CLI reference](../../../cli/cli-ref/iam/cli-ref/access-key/create.md).

{% endlist %}


### Create a YDB serverless database {#serverless}

The database is required for the stream in `Data Streams`.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `example-folder`.
  1. Click **Create resource** and select **YDB database**.
  1. Specify **Name**: `maxpatrol-db`.
  1. Under **Database type**, select `Serverless`.
  1. Keep the default values for all other parameters.
  1. Click **Create a database**.

  Wait for the database status to change to `Running`.

- CLI {#cli}

  1. Create a database:

      ```bash
      yc ydb database create \
        --name maxpatrol-db \
        --serverless \
        --folder-name example-folder
      ```

      Where:
      * `--name`: Database name.
      * `--serverless`: `serverless` database type.
      * `--folder-name`: Folder name.

      Result:

      ```text
      done (36s)
      id: etnubo9ude8e********
      folder_id: b1g5bhjofg7o********
      created_at: "2026-03-18T18:34:31Z"
      name: maxpatrol-db
      status: PROVISIONING
      ...
      ```

      For more information about the `yc ydb database create` command, see the [CLI reference](../../../cli/cli-ref/ydb/cli-ref/database/create.md).

  1. Check the status of the new database:

      ```bash
      yc ydb database get maxpatrol-db
      ```

      Wait for the database status to change to `RUNNING`.

{% endlist %}


### Create a data stream {#create-stream}

The trail will upload organization resource logs to this data stream.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `example-folder`.
  1. Click **Create resource** and select **Data stream**.
  1. In the **Database** field, select `maxpatrol-db`.
  1. Specify the **Name**: `maxpatrol-stream`.
  1. Leave the other settings at their defaults.
  1. Click **Create**.

  Wait for the data stream status to change to `Running`.

{% endlist %}


## Create a trail {#create-trail}

The trail will collect management event audit logs for all your organization's resources and upload them to the `maxpatrol-stream` data stream.

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select `example-folder`.
  1. Click **Create resource** and select **Trail**.
  1. Specify the **Name** for the new trail: `maxpatrol-trail`.
  1. Under **Destination**, configure the destination object:
      * **Destination**: `Data Streams`.
      * **Data stream**: Select `maxpatrol-stream`.
  1. Under **Service account**, select `maxpatrol-sa`.
  1. Under **Collecting management events**, configure the collection of management event audit logs:
      * **Collecting events**: Select `Enabled`.
      * **Resource**: Select `Organization`.
      * **Organization**: Automatically populated field displaying the name of the organization to host the trail.
      * **Cloud**: Keep the default value, `All`.
  1. Under **Collecting data events**, select `Disabled` in the **Collecting events** field.
  1. Click **Create**.

- CLI {#cli}

  Create the `maxpatrol-trail` trail:

  ```bash
  yc audit-trails trail create \
    --name maxpatrol-trail \
    --service-account-id <service_account_ID> \
    --destination-yds-stream maxpatrol-stream \
    --destination-yds-database-id <YDS_database_ID> \
    --filter-all-organisation-id <organization_ID>
  ```

  Where:
  * `--name`: Name of the new trail.
  * `--service-account-id`: `maxpatrol-sa` service account ID.
  * `--destination-yds-stream`: Data stream name.
  * `--destination-yds-database-id`: `maxpatrol-db` database ID.
  * `--filter-all-organisation-id`: [ID of the organization](../../../organization/operations/organization-get-id.md) to create the trail and store audit logs in.

  Result:

  ```text
  done (1s)
  id: cnpvbmk64136********
  folder_id: b1g5bhjofg7o********
  created_at: "2026-03-18T10:57:33.322Z"
  updated_at: "2026-03-18T10:57:33.322Z"
  name: maxpatrol-trail
  destination:
    data_stream:
      database_id: etn5bfdglcn8********
      stream_name: maxpatrol-stream
      codec: RAW
  service_account_id: aje1jot7q7eh********
  status: ACTIVE
  cloud_id: b1gj9ja2h4ct********
  filtering_policy:
    management_events_filter:
      resource_scopes:
        - id: bpfaidqca8vd********
          type: organization-manager.organization
  ```

  For more information about the `yc audit-trails trail create` command, see the [CLI reference](../../../cli/cli-ref/audit-trails/cli-ref/trail/create.md).

{% endlist %}

For more information about creating a trail, see [Creating a trail to upload audit logs](../../../audit-trails/operations/create-trail.md).

## Configure MaxPatrol SIEM {#configure-maxpatrol}

### Create credentials {#static-key-account}

You can use credentials to store secrets. Create credentials named `static-key-id` and `static-key-private` to host the ID and secret access key for the `maxpatrol-reader-sa` service account:

1. Log in to the MaxPatrol SIEM web interface.
1. Under **Data collection**, click **Credentials**.
1. Click **Add credential** → **Password** and specify the following:
    * **Name**: `static-key-id`.
    * **Password**: Static key ID.
    * **Confirm password**: Reenter static key ID.
1. Click **Save**.

Similarly, create a credential named `static-key-private` containing the secret key.


### Create a data collection task {#create-task}

Create and run a data collection task with the Yandex Data Streams profile:
1. Log in to the MaxPatrol SIEM web interface.
1. Under **Data collection**, click **Tasks**.
1. On the **Data collection tasks** page:
    1. In the toolbar, click **Create task**.
    1. Click **Data collection**.
1. On the **Create data collection task** page, specify the following parameters:
    1. **Name**: `YDS-logs-task`.
    1. **Profile**: `Yandex Data Streams`.
    1. In the hierarchy list, select **Run script**.
    1. Under **Connection**, specify:
        * **Credentials**: `static-key-id`.
        * **Credentials for privilege elevation**: `static-key-private`.
    1. **Script settings**:
        * **database**: `<maxpatrol-db_ID>`;
        * **folder**: `<cloud_ID_for_example-folder>`;
        * **region_name**: `ru-central1`.
        * **stream_name**: `maxpatrol-stream`.
    1. In the **Data collection targets** panel:
        1. Select the **Include** tab.
        1. In the **Network addresses** field, enter `yandex-cloud`.
    1. Click **Save and run**.

To view logs, go to the events page:
1. Go the to the **Data collection tasks** page.
1. Click `YDS-logs-task`.
1. Click **Collected events** → **Select**.

## How to delete the resources you created {#clear-out}

Delete the resources you no longer need to avoid paying for them:

* [Delete](../../../data-streams/operations/manage-streams.md#delete-data-stream) `maxpatrol-stream`.
* [Delete](../../../ydb/operations/manage-databases.md#delete-db) `maxpatrol-db`.

#### See also {#see-also}

* [Exporting audit logs to MaxPatrol SIEM using Terraform](terraform.md)