Skip to main content
Audit event export lets you deliver audit events for a fixed time range to an Object Storage bucket. Exports are one-time and run asynchronously, writing files directly to the bucket. This is useful for long-term retention, processing data in external tools, and data portability. After the export completes, you can download the exported objects from the bucket to store them locally or move them to a different provider.

Prerequisites

Currently, exporting audit events is only possible to a bucket located in the eu-north1 region. For example, you can export audit events for resources located in us-central1 region only to a bucket located in eu-north1 region.

How to export events

  1. Copy the ID of the tenant you want to export events for: 
    nebius iam tenant list
  2. Select an existing bucket or create a new one. Copy the bucket ID.
  3. Start an export: 
    nebius audit v2 audit-event-export start \
   --parent-id <tenant_ID> \
   --params-from <time_in_ISO_8601> \
   --params-to <time_in_ISO_8601> \
   --params-event-type <control_plane|data_plane> \
   --nebius-object-storage-bucket-by-id-id <bucket_ID> \
   --nebius-object-storage-object-prefix <prefix> \
   --params-filter "<filter_expression>"
    In the command above, specify:
    • --parent-id: Tenant ID that you copied earlier.
    • --params-from: Start time for the export, in the ISO 8601 format.
    • --params-to: End time for the export, in the ISO 8601 format.
    • --params-event-type (optional): Type of audit event to export: control_plane or data_plane. Default: control_plane.
      • Control plane events (default): Track management operations on resources, such as creating, updating or deleting virtual machines, clusters or other infrastructure resources.
      • Data plane events: Track data access operations, such as reading or writing objects in Object Storage buckets.
    • --nebius-object-storage-bucket-by-id-id: Destination bucket ID that you copied earlier.
    • --nebius-object-storage-object-prefix (optional): Object prefix. If you omit it, the auditlogs prefix is used by default.
    • --params-filter (optional): Filter expression to narrow down exported events. For more information, see How to filter audit events.
The command returns an operation that confirms the export was created. The export itself continues running in the background.

How to check an export status

To check the current state and parameters of an export, get it by ID: 
nebius audit v2 audit-event-export get --id <export_ID>
Export lifecycle states include RUNNING, DONE, FAILED and CANCELED.

How to list exports

To find a specific export, list all exports created for a tenant: 
nebius audit v2 audit-event-export list --parent-id <tenant_ID>

How to download exported events

After an export reaches the DONE state, the exported audit events are available as objects in the destination bucket. To download these objects to your local machine for data portability or local storage:
  1. List the objects in the bucket to find the exported files. The objects are stored under the prefix that you specified when you launched the export, or under the default auditlogs prefix.
  2. Download the objects from the bucket to your local machine. You can download a single object or all objects with a specific prefix. For example, to download all exported audit events with the default auditlogs prefix: 
    aws s3 cp --recursive \
    s3://<bucket_name>/auditlogs/<local/destination/path/>

How to cancel an export

To stop an active export, run: 
nebius audit v2 audit-event-export cancel --id <export_ID>
The export transitions to the CANCELED state. Data that is already written to the bucket is preserved.