View audit logs

To view audit logs, enable Data Access audit logs for your project.

The generated pgAudit logs for a given instance are sent to Cloud Logging as Data Access audit logs.

You can view the generated pgAudit logs through the Logs Explorer application.

To view the pgAudit logs, select the cloudaudit.googleapis.com/data_access log filter in the Logs Explorer application.

To view the pgAudit logs, select the cloudaudit.googleapis.com/data_access log filter in the Logs Explorer application.

Alternatively, you can use the following query to show all pgAudit logs for an AlloyDB project through the Advanced Filter interface:

resource.type="alloydb.googleapis.com/Instance"
logName="projects/your-project-name/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.request.@type="type.googleapis.com/google.cloud.alloydb.audit.v1.PgAuditEntry"

Log format for pgAudit

Each pgAudit log entry in the Data Access audit logs has fields representing the information collected for a query.

Sample pgAudit log entry:

{
  protoPayload: {
    @type: "type.googleapis.com/google.cloud.audit.AuditLog"
    methodName: "alloydb.instances.query"
    request: {
      @type: "type.googleapis.com/google.cloud.alloydb.audit.v1.PgAuditEntry"
      auditClass: "READ"
      auditType: "SESSION"
      chunkCount: "1"
      chunkIndex: "1"
      command: "SELECT"
      database: "finance"
      databaseSessionId: 2209692
      parameter: "[not logged]"
      statement: "SELECT * FROM revenue"
      statementId: 2
      substatementId: 1
      user: "alice"
    }
  }
}

The following are descriptions of the fields in the Data Access audit logs:

  • auditClass. The type of the statement that is logged. Possible values are READ, WRITE, FUNCTION, ROLE, DDL, MISC, and MISC_SET.

  • auditType. SESSION or OBJECT.

  • chunkCount. Chunking can occur on the data provided in the parameter and statement fields. The chunkCount field indicates the total number of chunks. Also see the description of the chunkIndex field.

  • chunkIndex. Specifies the index number of the data chunks in the parameter and statement fields in the current request container. The initial number is 1. Also see the description of the chunkCount field.

  • command. For example, ALTER TABLE or SELECT.

  • parameter. The chunkIndex field can determine the contents of this field; see the description of the chunkIndex field. If the value for pgaudit.log_parameter is set, the parameter field can contain the statement parameters as quoted CSV data. If there are no parameters, this field contains [none]. Otherwise, this field contains [not logged].

  • statement. Statement that is executed on the backend. The chunkIndex field can determine the contents of the statement field; see the description of the chunkIndex field.

  • statementId. Unique statement ID for this session. Each statement ID represents a backend call. Statement IDs are sequential, even if some statements are not logged.

  • substatementId. Sequential ID for each sub-statement within the main statement.

    • Some of these fields are also described in the pgAudit documentation.