Audit logging

This page describes how audit logging works when securing the Cloud Console and the Google Cloud APIs with BeyondCorp Enterprise.

BeyondCorp Enterprise by default logs all access requests to the Cloud Console and the Google Cloud APIs that are denied because of security policy violations to Cloud Logging. The audit log records are securely stored in Google infrastructure and available for future analysis. The content of the audit log is available on a per-organization basis in the Google Cloud Console. The BeyondCorp Enterprise audit log is written into the "Audited Resource" logging stream and is available in Cloud Logging.

Audit log record content

Each audit log record contains information which can be divided into two major categories: the information about the original call, and information about security policy violations. It is filled as follows:

Audit Log Field Meaning
logName The organization identification and audit log type.
serviceName The name of the service handling the call, contextawareaccess.googleapis.com, that resulted in the creation of this audit record.
authenticationInfo.principal_email Email address of the user issuing the original call.
timestamp The time of the targeted operation.
resource The target of the audited operation.
resourceName The organization intended to receive this audit record.
requestMetadata.callerIp The IP address from which the call originated.
requestMetadata.requestAttributes.auth.accessLevels The active access levels satisfied by the request.
status The overall status of handling an operation described in this record.
metadata An instance of google.cloud.audit.ContextAwareAccessAuditMetadata protobuf type, serialized as a JSON Struct. Its 'unsatisfiedAccessLevels' field contains a list of the access levels that the request failed to satisfy.

Accessing the audit log

The content of the audit log is available on a per-organization basis in the Google Cloud Console. The BeyondCorp Enterprise audit log is written into the "Audited Resource" logging stream and is available in Cloud Logging.

What's next