This page describes how audit logging works when securing the Google Cloud console and the Google Cloud APIs with BeyondCorp Enterprise.
By default, BeyondCorp Enterprise writes to Cloud Logging a record of every access request to the Google Cloud console and the Google Cloud APIs that is denied because of a security policy violation. The audit log records are stored securely in Google infrastructure and are available for later analysis.
Audit log record content
Each audit log record contains two kinds of information: details of the original call and details of the security policy violation. The audit log fields hold the following:
- The organization identification and audit log type.
- The name of the service handling the call, contextawareaccess.googleapis.com, that resulted in the creation of this audit record.
- The email address of the user issuing the original call.
- The time of the targeted operation.
- The target of the audited operation.
- The organization intended to receive this audit record.
- The IP address from which the call originated.
- The active access levels satisfied by the request.
- The overall status of handling the operation described in this record.
- An instance of a protobuf type, serialized as a JSON Struct. Its 'unsatisfiedAccessLevels' field contains a list of the access levels that the request failed
Accessing the audit log
The content of the audit log is available on a per-organization basis in the Google Cloud console. The BeyondCorp Enterprise audit log is written into the "Audited Resource" logging stream and is available in Cloud Logging.
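As an added example (not code from the original page or from Google), the following Python script reads denial records exported from Cloud Logging as JSON and groups them by principal, caller IP and the access levels the request did not satisfy, which is the usual first step when triaging a burst of console or API denials. It assumes the standard Cloud Audit Log protoPayload layout for each entry; the sample entries, organization ID, policy name and email addresses are constructed placeholders.

```python
import json
from collections import defaultdict

CAA_SERVICE = "contextawareaccess.googleapis.com"
LEVEL = "accessPolicies/EXAMPLE_POLICY/accessLevels/"  # placeholder policy name

# Constructed sample export (not real log data), following the standard Cloud
# Audit Log protoPayload layout; org ID, policy and emails are placeholders.
SAMPLE_EXPORT = json.dumps([
    {"resource": {"type": "audited_resource"}, "protoPayload": {
        "serviceName": CAA_SERVICE, "resourceName": "organizations/EXAMPLE_ORG_ID",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "metadata": {"unsatisfiedAccessLevels": [LEVEL + "corp_device"]}}},
    {"resource": {"type": "audited_resource"}, "protoPayload": {
        "serviceName": CAA_SERVICE, "resourceName": "organizations/EXAMPLE_ORG_ID",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"},
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "metadata": {"unsatisfiedAccessLevels": [LEVEL + "corp_device", LEVEL + "corp_network"]}}},
    # A record from another audited service; the summary must skip it.
    {"resource": {"type": "audited_resource"}, "protoPayload": {
        "serviceName": "example.googleapis.com",
        "authenticationInfo": {"principalEmail": "bob@example.com"}}},
])


def summarize_denials(export_json):
    """Group context-aware access denials by principal: count, caller IPs, unsatisfied levels."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "unsatisfied": set()})
    for entry in json.loads(export_json):
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != CAA_SERVICE:
            continue  # only BeyondCorp Enterprise policy denials are of interest
        rec = summary[payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")]
        rec["count"] += 1
        caller_ip = payload.get("requestMetadata", {}).get("callerIp")
        if caller_ip:
            rec["ips"].add(caller_ip)
        rec["unsatisfied"].update(payload.get("metadata", {}).get("unsatisfiedAccessLevels", []))
    # De-duplicate and sort so the output is stable and easy to diff between runs.
    return {p: {"count": r["count"], "ips": sorted(r["ips"]),
                "unsatisfied": sorted(r["unsatisfied"])} for p, r in summary.items()}


if __name__ == "__main__":
    for principal, rec in summarize_denials(SAMPLE_EXPORT).items():
        print(f"{principal}: {rec['count']} denial(s) from {rec['ips']}; "
              f"unsatisfied: {rec['unsatisfied']}")
```

A principal that repeatedly fails the same access level from several IPs is usually a device or network posture problem rather than an attack, so the grouped view separates policy tuning from incidents worth escalating.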
- Learn more about Cloud Audit Logs.
- Learn more about Enabling Cloud Audit Logs in Identity-Aware Proxy.
- Learn more about Audit Logging in VPC Service Controls.