This page describes how audit logging works for secured private applications using BeyondCorp Enterprise client connector. Enabling Cloud Audit Logs lets you view a user access request to a private application and see all the access levels a user has and has not met.
Enable audit logs
These logs are considered Data Access logs.
Therefore, they must be explicitly enabled for audit logging under the
beyondcorp.googleapis.com service name since they are disabled by default.
For information about enabling some or all of your Data Access audit logs, see Configure Data Access audit logs.
Audit log record content
Each audit log record contains information about users who attempted to access the private application, what access levels were enforced, and whether they were denied or granted access.
The following are some important values:
| Field | Value |
|---|---|
authenticationInfo |
The email of the user who tried to access the resource as principalEmail. |
requestMetadata.callerIp |
The IP address the request originated from. |
requestMetadata.requestAttributes |
Contains access level names used for policy enforcement on the user access. |
authorizationInfo.resource |
The client connector service resource being accessed. |
authorizationInfo.granted |
A boolean representing whether the user was permitted the requested access. |
method.Name |
The called policy enforcement method. Should always be AuthorizeUser |