Collecting, monitoring, and analyzing audit logs
An audit log is a record of all events in the system, including access to it and operations performed. By collecting and verifying audit logs, you can monitor compliance with the established security procedures and standards and identify vulnerabilities in your security mechanisms.
Events in audit logs occur on different levels:
- Nebius AI level: Events that occur with Nebius AI resources.
- OS level.
- Application level.
- Network level (Flow Logs).
Note
For more information about Kubernetes events, see Collecting, monitoring, and analyzing audit logs in Managed Service for Kubernetes.
Nebius AI level
Collecting events
You can export audit logs to a customer's SIEM system to analyze information about events and incidents.
Exporting events to SIEM
Audit Trails
Utilities like s3fs can help set up export to any SIEM. They allow you to mount an Object Storage bucket as a VM's local disk. Next, you need to install a SIEM connector on the VM and configure reading JSON files from the bucket.
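The bucket-to-SIEM hand-off described above, as an added example that is not Nebius AI's own tooling: a small collector that walks the s3fs mount point, parses each audit-log JSON file once (tolerating both a JSON array and newline-delimited JSON, and skipping a torn trailing line from a file still being written), and persists the set of processed files outside the mount so a restart does not re-send events. The mount path, file layout and event keys are assumptions.

```python
"""Forward audit-log JSON files from an s3fs-mounted bucket to a SIEM exactly once (paths, layout and keys assumed)."""
import json
import os
import tempfile
from typing import List, Tuple

def parse_audit_file(text: str) -> List[dict]:
    """Accept a JSON array of events or one JSON object per line; skip junk."""
    text = text.strip()
    if text.startswith("["):
        return [e for e in json.loads(text) if isinstance(e, dict)]
    events = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn or empty line: not a forwardable event
        if isinstance(obj, dict):
            events.append(obj)
    return events

def collect_new_events(mount_dir: str, state_file: str) -> List[dict]:
    """Parse every not-yet-seen *.json file under the mount and record it."""
    seen = set(json.load(open(state_file))) if os.path.exists(state_file) else set()
    events = []
    for root, _dirs, files in os.walk(mount_dir):
        for name in sorted(files):
            rel = os.path.relpath(os.path.join(root, name), mount_dir)
            if name.endswith(".json") and rel not in seen:
                with open(os.path.join(root, name), encoding="utf-8") as fh:
                    events.extend(parse_audit_file(fh.read()))
                seen.add(rel)
    with open(state_file, "w") as fh:
        json.dump(sorted(seen), fh)  # persist so a restart does not re-send
    return events

def demo() -> Tuple[int, int]:
    """Constructed sample bucket: NDJSON with a torn last line, plus a JSON array."""
    mount, state = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "seen")
    os.mkdir(os.path.join(mount, "trail"))
    with open(os.path.join(mount, "trail", "day1.json"), "w") as fh:
        fh.write('{"event_type": "compute.instance.create", "user": "alice"}\n'
                 '{"event_type": "iam.key.create", "user": "bob"}\n'
                 '{"event_type": "storage.bucket.del')
    with open(os.path.join(mount, "trail", "day2.json"), "w") as fh:
        json.dump([{"event_type": "vpc.sg.update", "user": "carol"}], fh)
    first = len(collect_new_events(mount, state))   # 3 events to forward
    second = len(collect_new_events(mount, state))  # 0: nothing new
    return first, second
```

In production, replace the returned list with the call into your SIEM connector and run the collector on a timer; the state file is what guarantees each object in the bucket is forwarded once.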
OS level
When using IaaS cloud services and Kubernetes node groups, the customer is responsible for ensuring OS security and collecting OS-level events on their own. Free tools for collecting standard OS-generated events and exporting them to the customer's SIEM system include:
Additional event generation options can be implemented using Auditd for Linux or Sysmon for Windows.
To describe the events to search for in audit logs, we recommend using Sigma.
Application level
Customers collect events from applications deployed on Compute Cloud resources on their own. For example, save application logs to files and transfer them to a SIEM system using the tools listed in OS level above.
Network level
Currently, VPC network traffic event logs (Flow Logs) can only be collected by customers. You can use Nebius AI Marketplace solutions (such as network products) or free software for collecting and transmitting events.
Time synchronization
To get the exact time of OS- and application-level events, configure clock synchronization.