This page provides supplemental information for using Cloud Audit Logs with AI Platform Prediction. Use Cloud Audit Logs to generate logs for API operations performed in AI Platform Prediction.
Audit logs are not the same as job logs. Job logs provide debugging information for training and prediction jobs. Audit logs help you determine who did what, where, and when. Specifically, audit logs track how your AI Platform Prediction resources are modified and accessed within your Google Cloud Platform projects for auditing purposes. For more information about Cloud Audit Logs general concepts and how-to guides, see Cloud Audit Logs.Logged information
Cloud Audit Logs includes the following types of logs:
Admin Activity logs: Contains log entries for operations that modify the configuration or metadata of an AI Platform Prediction resource. Admin Activity logs include any API call that creates, deletes, updates or modifies a resource using a custom verb.
Data Access logs: Contains log entries for operations that perform read-only operations that do not modify any data, such as get and list. Unlike audit logs for other services, AI Platform Prediction only has
ADMIN_READ
Data Access logs and does not generally offerDATA_READ
andDATA_WRITE
logs. This is becauseDATA_READ
andDATA_WRITE
logs are only used for services that store and manage user data such as Cloud Storage, Spanner, and Cloud SQL, which does not apply to AI Platform Prediction.
The following table summarizes which AI Platform Prediction operations fall into each log type:
Log entry type | Sub-type | Operations |
---|---|---|
Admin Activity | N/A |
|
Data Access | ADMIN_READ |
|
AI Platform Prediction logs use an
AuditLog
object and follows the same format as other Cloud Audit Logs logs. Logs contain
information such as:
- The user who made the request, including the email address of that user.
- The resource name on which the request was made.
- The outcome of the request.
Log settings
Admin Activity logs are recorded by default. These logs do not count towards your log ingestion quota.
Data Access logs are not recorded by default. These logs count towards your log ingestion quota. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs.
Log access
Users who can access logs for AI Platform Prediction can also access AI Platform Vizier logs and AI Platform Training logs.The following users can view Admin Activity logs:
- Project owners, editors, and viewers.
- Users with the Logs Viewer IAM role.
- Users with the
logging.logEntries.list
IAM permission.
The following users can view Data Access logs:
- Project owners.
- Users with the Private Logs Viewer IAM role.
- Users with the
logging.privateLogEntries.list
IAM permission.
For instructions on granting access, see Granting, changing, and revoking access to resources.
Viewing logs
For information on reading your audit logs, see Viewing audit logs.
Exporting your logs
You can export copies of some or all of your logs to other applications, other repositories, or third parties. To export your logs, see Overview of logs exports.
To read your log entries through the API, see entries.list. To read your log entries using the SDK, see Reading log entries.
What's next
- Read up on Cloud Logging.