Audit logging

This page describes the audit logging processes created by Telecom Network Automation as part of Cloud Audit Logs.

Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources. Your Google Cloud projects contain only the audit logs for directly included resources. Other resources (such as folders, organizations, and billing accounts) have their own audit logs. For more information on the audit log format, see Understand audit logs.

Available audit logs

The Telecom Network Automation system provides two types of audit logs:

  • Admin Activity audit logs: Include "admin write" operations that write metadata or configuration information and cannot be disabled.
  • Data Access audit logs: Include "admin read" operations that read metadata or configuration information. They also include "data read" and "data write" operations that read or write user-provided data. To receive Data Access audit logs, you must specifically enable them.

For full descriptions of the audit log types, see Types of audit logs.

Audited operations

The following table summarizes the API operations that correspond to each audit log type in Telecom Network Automation:

Audit log category and methods:

Data Access (DATA_READ) audit logs:
  • telcoautomation.orchestrationClusters.list
  • telcoautomation.orchestrationClusters.get
  • telcoautomation.edgeSlms.list
  • telcoautomation.edgeSlms.get
  • telcoautomation.blueprints.get
  • telcoautomation.blueprints.list
  • telcoautomation.deployments.list
  • telcoautomation.publicBlueprints.list
  • telcoautomation.publicBlueprints.get
  • telcoautomation.deployments.get
  • telcoautomation.locations.get
  • telcoautomation.locations.list
  • telcoautomation.operations.get
  • telcoautomation.operations.cancel
  • telcoautomation.operations.list
Data Access (DATA_WRITE) audit logs:
  • telcoautomation.orchestrationClusters.create
  • telcoautomation.orchestrationClusters.delete
  • telcoautomation.edgeSlms.create
  • telcoautomation.edgeSlms.delete
  • telcoautomation.blueprints.create
  • telcoautomation.blueprints.update
  • telcoautomation.blueprints.delete
  • telcoautomation.blueprints.approve
  • telcoautomation.blueprints.propose
  • telcoautomation.deployments.create
  • telcoautomation.deployments.update
  • telcoautomation.deployments.delete
  • telcoautomation.deployments.apply
  • telcoautomation.operations.delete

Service name

The Telecom Network Automation audit logs use the telcoautomation.googleapis.com service name. For a list of all the Cloud Logging API service names and their corresponding monitored resource type, see Map services to resources.

Resource types

All audit logs in Telecom Network Automation use the resource type audited_resource. For a list of all the Cloud Logging monitored resource types and descriptive information, see Monitored resource types.

Caller identities

The caller's IP address is stored in the RequestMetadata.caller_ip field of the AuditLog object. Some caller identities and IP addresses can be redacted during logging. For information on redacted audit logs, see Caller identities in audit logs.

Start audit logging

Admin Activity audit logs are always enabled and cannot be disabled. Data Access audit logs are disabled by default and only written when explicitly enabled, except for BigQuery Data Access audit logs, which cannot be disabled. For information about enabling Data Access audit logs, see Enable Data Access audit logs.

Permissions and roles

Access to the audit logs data for Google Cloud resources is determined by IAM permissions and roles. To decide which logging-specific permissions and roles apply to your use case, consider the following:

  • The Logs Viewer role (roles/logging.viewer) provides read-only access to Admin Activity, Policy Denied, and System Event audit logs. However, it does not allow access to Data Access audit logs that are stored in the _Default bucket.
  • The Private Logs Viewer role (roles/logging.privateLogViewer) includes all the permissions of the Logs Viewer role, as well as the ability to read Data Access audit logs in the _Default bucket.

For more information about the IAM permissions and roles that apply to audit logs data, see Access control with IAM.

View logs

There are two options for querying audit logs. You can either query for all audit logs or specify a particular audit log name. The audit log name contains the resource identifier of the Google Cloud project, folder, billing account, or organization for which you want to view the audit logging information. Your queries can include indexed LogEntry fields. If you use the Log Analytics page, which supports SQL queries, you can view your query results as a chart.

For more information about querying your logs, see the following pages:

You can access audit logs for Cloud Logging using the Google Cloud console, Google Cloud CLI, or Logging API.

You can use the Logs Explorer in the Google Cloud console to retrieve your audit log entries for your Google Cloud project, folder, or organization:

  1. In the Google Cloud console, select Logging > Logs Explorer.
  2. Select an existing Google Cloud project, folder, or organization.
  3. To display the audit logs, enter either of the following queries into the query editor field, and click Run query:

    logName:"cloudaudit.googleapis.com"
    
    protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
    
  4. To display the audit logs for a specific resource and audit log type, do the following in the Query builder pane:

    1. In Resource type, select the Google Cloud resource whose audit logs you want to see.
    2. In Log name, select the audit log type that you want to see:

      • For Admin Activity audit logs, select activity.
      • For Data Access audit logs, select data_access.
      • For System Event audit logs, select system_event.
      • For Policy Denied audit logs, select policy.
    3. Click Run query.

  5. If you can't find these options, then no audit logs of that type are available in the selected Google Cloud project, folder, or organization.
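The two queries in step 3 select all Cloud Audit Logs entries; to watch only this service, you normally add the telcoautomation.googleapis.com service name and, once entries have been routed as JSON (for example through a Pub/Sub or Cloud Storage sink), classify them by the Data Access method table above. The following Python is an added example, not code from the original page or from Google: it builds that narrowed filter and classifies constructed sample entries, reporting the caller IP (the JSON form of RequestMetadata.caller_ip) or a `<redacted>` placeholder when the field is absent. The project ID my-project, the sample entries and the `<redacted>` marker are assumptions.

```python
from collections import Counter

SERVICE = "telcoautomation.googleapis.com"
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
# Method lists copied from the audited-operations table on this page.
DATA_READ = {"telcoautomation." + m for m in (
    "orchestrationClusters.list", "orchestrationClusters.get", "edgeSlms.list", "edgeSlms.get",
    "blueprints.get", "blueprints.list", "deployments.list", "deployments.get", "publicBlueprints.list",
    "publicBlueprints.get", "locations.get", "locations.list", "operations.get", "operations.cancel",
    "operations.list")}
DATA_WRITE = {"telcoautomation." + m for m in (
    "orchestrationClusters.create", "orchestrationClusters.delete", "edgeSlms.create", "edgeSlms.delete",
    "blueprints.create", "blueprints.update", "blueprints.delete", "blueprints.approve", "blueprints.propose",
    "deployments.create", "deployments.update", "deployments.delete", "deployments.apply", "operations.delete")}

def logging_filter(project_id, log_type="data_access"):
    """Logs Explorer / gcloud filter for one audit log type (activity or data_access) of this service."""
    return (f'logName="projects/{project_id}/logs/cloudaudit.googleapis.com%2F{log_type}" AND '
            f'protoPayload."@type"="{AUDIT_LOG_TYPE}" AND protoPayload.serviceName="{SERVICE}"')

def classify(entry):
    """Return (category, caller_ip, method) for a telcoautomation AuditLog entry, else None."""
    p = entry.get("protoPayload", {})
    if p.get("@type") != AUDIT_LOG_TYPE or p.get("serviceName") != SERVICE:
        return None
    method = p.get("methodName", "")
    if method in DATA_WRITE:
        category = "DATA_WRITE"
    elif method in DATA_READ:
        category = "DATA_READ"
    else:  # not in the Data Access table: Admin Activity if it came from the activity log
        category = "ADMIN_ACTIVITY" if entry.get("logName", "").endswith("%2Factivity") else "UNLISTED"
    # JSON form of RequestMetadata.caller_ip; the field is absent when the address was redacted.
    caller_ip = p.get("requestMetadata", {}).get("callerIp", "<redacted>")
    return category, caller_ip, method

def summarize(entries):
    """Count this service's audit entries per category; other services' entries are skipped."""
    return Counter(r[0] for r in map(classify, entries) if r)

SAMPLE_ENTRIES = [  # constructed sample entries, not real log data
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": SERVICE, "methodName": "telcoautomation.blueprints.approve",
                      "requestMetadata": {"callerIp": "203.0.113.5"}}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": SERVICE, "methodName": "telcoautomation.deployments.list"}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"@type": AUDIT_LOG_TYPE, "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert"}},
]
```

The string returned by logging_filter can be pasted into the Logs Explorer query editor or passed to gcloud logging read; remember that data_access entries only exist if Data Access audit logs were enabled for the project.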

For issues related to viewing logs in the Logs Explorer, see the troubleshooting information.

For information about querying by using the Logs Explorer, see Build queries in the Logs Explorer. For information about summarizing log entries in the Logs Explorer by using Gemini, see Summarize log entries with Gemini assistance.

Route audit logs

You can route audit logs to supported destinations in the same way that you can route other kinds of logs. Here are some reasons why you might want to route your audit logs:

  • To keep the audit logs for an extended period of time or utilize more advanced search features, you can send copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. By using Pub/Sub, you can send them to other applications, other repositories, or to third parties.
  • To manage the audit logs across an entire organization, you can create aggregated sinks that can route logs from any or all Google Cloud projects in the organization.
  • If your Google Cloud projects are exceeding your log allotments due to enabled Data Access audit logs, you can create sinks to exclude them from Logging.

For instructions about routing logs, see Route logs to supported destinations.