Version 1.13. This version is no longer supported. For information about how to upgrade to version 1.14, see Upgrading Anthos on bare metal in the 1.14 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.
This document describes how to use Cloud Audit Logs for Google Distributed Cloud.
Google Distributed Cloud uses
Kubernetes Audit Logging,
which keeps a chronological record of calls made to a cluster's Kubernetes API
server. Audit logs are useful for investigating suspicious API requests and for
collecting statistics. For information about audit logging for the
Anthos On-Prem API, see
Cloud API audit logging.
About Cloud Audit Logs
Audit logs are written to
Cloud Audit Logs in your
Google Cloud project. Writing to Cloud Audit Logs has several benefits over writing to
disk or capturing logs in an on-premises logging system:
Audit logs for all Anthos clusters can be centralized.
Log entries written to Cloud Audit Logs are immutable.
Cloud Audit Logs entries are retained for 400 days.
Cloud Audit Logs feature is included in the price of Anthos.
You can configure Google Distributed Cloud to write logs to disk or to
Cloud Audit Logs.
Disk-based audit logging
If Cloud Audit Logs is disabled explicitly, audit logs in Google Distributed Cloud
are written to a persistent disk so that cluster restarts and upgrades don't
cause the logs to disappear. Google Distributed Cloud retains up to 1 GiB of
audit log entries.
Access the disk-based audit logs by logging into control plane Nodes. The logs
are located in the /var/log/apiserver/ directory.
Cloud Audit Logs
Admin Activity audit log entries from all Kubernetes API servers are sent to
Google Cloud, using the project and location that you specify when you
create a user cluster. To buffer and write log entries to Cloud Audit Logs,
Google Distributed Cloud deploys an audit-proxy daemon set that runs on the
control plane nodes.
Limitations
Cloud Audit Logs for Google Distributed Cloud has the following limitations:
Data access logging is not supported.
Modifying the Kubernetes audit policy is not supported.
Cloud Audit Logs is not resilient to extended network outages. If the
log entries cannot be exported to Google Cloud, they are cached in a
10 GiB disk buffer. If that buffer fills, then the oldest entries are
dropped.
Creating a service account for Cloud Audit Logs
Before you can use Cloud Logging and Cloud Monitoring with
Google Distributed Cloud, you must first configure the following:
Create a Cloud Monitoring Workspace within the Google Cloud project, if you
don't have one already.
In the Google Cloud console, click the following button and
follow the workflow.
Click Run query to display all audit logs from Google Distributed Cloud
clusters that were configured to log in to this project.
gcloud
List the first two log entries in your project's Admin Activity log that
apply to the k8s_cluster resource type:
gcloudloggingread\
'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" \ AND resource.type="k8s_cluster" \ AND protoPayload.serviceName="anthosgke.googleapis.com" '\
--limit2\
--freshness300d
Replace PROJECT_ID with your project ID.
The output shows two log entries. Notice that for each log entry, the
logName field has the value
projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity
and protoPayload.serviceName is equal to anthosgke.googleapis.com.
Audit policy
The Kubernetes audit policy defines rules for which events are recorded as log
entries and specifies what data the log entries should include. Changing this
policy to modify Cloud Audit Logs behavior isn't supported currently.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eCloud Audit Logs, enabled by default in Google Distributed Cloud from release 1.9.0, provides a centralized and immutable record of API server calls, retained for 400 days.\u003c/p\u003e\n"],["\u003cp\u003eGoogle Distributed Cloud writes audit logs to Cloud Audit Logs in your Google Cloud project, using an \u003ccode\u003eaudit-proxy\u003c/code\u003e daemon set to send Admin Activity entries from all Kubernetes API servers.\u003c/p\u003e\n"],["\u003cp\u003eDisk-based audit logging is available if Cloud Audit Logs is disabled, retaining up to 1 GiB of entries in the \u003ccode\u003e/var/log/apiserver/\u003c/code\u003e directory on control plane nodes.\u003c/p\u003e\n"],["\u003cp\u003eTo use Cloud Logging and Monitoring, you must create a Cloud Monitoring Workspace and enable the Anthos Audit, Stackdriver, Monitoring, and Logging APIs, in addition to assigning specific IAM roles to your service account.\u003c/p\u003e\n"],["\u003cp\u003eAccessing Cloud Audit Logs can be done through the Google Cloud Console's Logs Explorer, or using \u003ccode\u003egcloud\u003c/code\u003e commands, by querying for \u003ccode\u003ek8s_cluster\u003c/code\u003e resources and \u003ccode\u003eexternalaudit.googleapis.com/activity\u003c/code\u003e logs.\u003c/p\u003e\n"]]],[],null,["# Use Kubernetes audit logging\n\n\u003cbr /\u003e\n\nThis document describes how to use Cloud Audit Logs for Google Distributed Cloud.\nGoogle Distributed Cloud uses\n[Kubernetes Audit Logging](https://kubernetes.io/docs/tasks/debug-application-cluster/audit/),\nwhich keeps a chronological record of calls made to a cluster's Kubernetes API\nserver. Audit logs are useful for investigating suspicious API requests and for\ncollecting statistics. For information about audit logging for the\nAnthos On-Prem API, see\n[Cloud API audit logging](/anthos/clusters/docs/bare-metal/1.13/how-to/audit-logging-api).\n| **Note:** Starting with Google Distributed Cloud release 1.9.0, Cloud Audit Logs is enabled by default. Cloud Audit Logs is automatically enabled for 1.8.x clusters that are upgraded to 1.13.10 unless it was explicitly disabled for the 1.8.x cluster by setting `disableCloudAuditLogging` to `true`.\n\nAbout Cloud Audit Logs\n----------------------\n\nAudit logs are written to\n[Cloud Audit Logs](https://cloud.google.com/logging/docs/audit) in your\nGoogle Cloud project. Writing to Cloud Audit Logs has several benefits over writing to\ndisk or capturing logs in an on-premises logging system:\n\n- Audit logs for all Anthos clusters can be centralized.\n- Log entries written to Cloud Audit Logs are immutable.\n- Cloud Audit Logs entries are retained for 400 days.\n- Cloud Audit Logs feature is included in the price of Anthos.\n- You can configure Google Distributed Cloud to write logs to disk or to Cloud Audit Logs.\n\n### Disk-based audit logging\n\nIf Cloud Audit Logs is disabled explicitly, audit logs in Google Distributed Cloud\nare written to a persistent disk so that cluster restarts and upgrades don't\ncause the logs to disappear. Google Distributed Cloud retains up to 1 GiB of\naudit log entries.\n\nAccess the disk-based audit logs by logging into control plane Nodes. The logs\nare located in the `/var/log/apiserver/` directory.\n\n### Cloud Audit Logs\n\nAdmin Activity audit log entries from all Kubernetes API servers are sent to\nGoogle Cloud, using the project and location that you specify when you\ncreate a user cluster. To buffer and write log entries to Cloud Audit Logs,\nGoogle Distributed Cloud deploys an `audit-proxy` daemon set that runs on the\ncontrol plane nodes.\n\n### Limitations\n\nCloud Audit Logs for Google Distributed Cloud has the following limitations:\n\n- Data access logging is not supported.\n- Modifying the Kubernetes audit policy is not supported.\n- Cloud Audit Logs is not resilient to extended network outages. If the log entries cannot be exported to Google Cloud, they are cached in a 10 GiB disk buffer. If that buffer fills, then the oldest entries are dropped.\n\nCreating a service account for Cloud Audit Logs\n-----------------------------------------------\n\nBefore you can use Cloud Logging and Cloud Monitoring with\nGoogle Distributed Cloud, you must first configure the following:\n\n1. Create a Cloud Monitoring Workspace within the Google Cloud project, if you\n don't have one already.\n\n In the Google Cloud console, click the following button and\n follow the workflow.\n\n [Go to Monitoring](https://console.cloud.google.com/monitoring)\n2. Click the following buttons to enable the required APIs:\n\n [Enable the Anthos Audit API](https://console.cloud.google.com/apis/library/anthosaudit.googleapis.com)\n\n [Enable the Stackdriver API](https://console.cloud.google.com/apis/library/stackdriver.googleapis.com)\n\n [Enable the Monitoring API](https://console.cloud.google.com/apis/library/monitoring.googleapis.com)\n\n [Enable the Logging API](https://console.cloud.google.com/apis/library/logging.googleapis.com)\n3. Assign the following IAM roles to the service account used by the Stackdriver agents:\n\n - `logging.logWriter`\n - `monitoring.metricWriter`\n - `stackdriver.resourceMetadata.writer`\n - `monitoring.dashboardEditor`\n\nAccessing Cloud Audit Logs\n--------------------------\n\n### Console\n\n1. In the Google Cloud console, go to the **Logs Explorer** page in the\n **Logging** menu.\n\n [Go to the Logs Explorer](https://console.cloud.google.com/logs/query)\n\n If the **Legacy Logs Viewer** page opens, choose **Upgrade to the new\n Logs Explorer** from the **Upgrade** drop-down menu.\n2. Click **Query** to access the text box for submitting queries.\n\n3. Fill the text box with the following query:\n\n resource.type=\"k8s_cluster\"\n logName=\"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/logs/externalaudit.googleapis.com%2Factivity\"\n protoPayload.serviceName=\"anthosgke.googleapis.com\"\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID.\n4. Click **Run query** to display all audit logs from Google Distributed Cloud\n clusters that were configured to log in to this project.\n\n### gcloud\n\nList the first two log entries in your project's Admin Activity log that\napply to the `k8s_cluster` resource type: \n\n gcloud logging read \\\n 'logName=\"projects/\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/logs/externalaudit.googleapis.com%2Factivity\" \\\n AND resource.type=\"k8s_cluster\" \\\n AND protoPayload.serviceName=\"anthosgke.googleapis.com\" ' \\\n --limit 2 \\\n --freshness 300d\n\nReplace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID.\n\nThe output shows two log entries. Notice that for each log entry, the\n`logName` field has the value\n`projects/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/logs/externalaudit.googleapis.com%2Factivity`\nand `protoPayload.serviceName` is equal to `anthosgke.googleapis.com`.\n\nAudit policy\n------------\n\nThe Kubernetes audit policy defines rules for which events are recorded as log\nentries and specifies what data the log entries should include. Changing this\npolicy to modify Cloud Audit Logs behavior isn't supported currently."]]
