Viewing audit logs

This page provides supplemental information for using Cloud Audit Logs with Compute Engine. Use Cloud Audit Logs to generate logs for API operations performed in Compute Engine.

Audit logs are not the same as legacy activity logs. Audit logs help you determine who did what, where, and when. Specifically, audit logs track how your Compute Engine resources are modified and accessed within your Google Cloud Platform projects for auditing purposes. Legacy activity logs contain a subset of that information and are to be deprecated. If you are using activity logs, read Migrating from activity logs to audit logs.

Logged information

Cloud Audit Logs returns three types of logs:

• Admin activity logs: Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb fall into this category.

• System event logs: Contains log entries for system maintenance operations on Compute Engine resources.

• Data access logs: Contains log entries for operations that perform read-only operations that don't modify any data, such as get, list, and aggregated list methods. Unlike audit logs for other services, Compute Engine only has ADMIN_READ data access logs and doesn't generally offer DATA_READ and DATA_WRITE logs. This is because DATA_READ and DATA_WRITE logs are only used for services that store and manage user data such as Cloud Storage, Cloud Spanner, and Cloud SQL, and this doesn't apply to Compute Engine. There is one exception to this rule: instance.getSerialPortOutput does generate a DATA_READ log because the method reads data directly from the VM instance.

The following table summarizes which Compute Engine operations fall into each log type:

Compute Engine logs use an AuditLog object and follows the same format as other Cloud Audit Logs. Logs contain information such as:

• The user who made the request, including the email address of that user.
• The resource name on which the request was made.
• The outcome of the request.

Log settings

Admin activity and system event logs are recorded by default. These logs do not count towards your log ingestion quota.

Data access logs aren't recorded by default. These logs count towards your log ingestion quota. To learn how to enable logs for data access-type operations, see Configuring data access logs.

Log access

The following users can view admin activity and system event logs:

• Project owners, editors, and viewers.
• Users with the Logs viewer IAM role.
• Users with the logging.logEntries.list IAM permission.

The following users can view data access logs:

• Project owners.
• Users with the Private logs viewer IAM role.
• Users with the logging.privateLogEntries.list IAM permission.

See Adding IAM members to a project for instructions about granting access.

Viewing logs

You can view a summary of the audit logs for your project in the activity stream in the Google Cloud Platform Console. A more detailed version of the logs can found in the logs viewer.

For instructions about filtering logs in the logs viewer, see the Stackdriver Logging guide.

Data redaction in audit logs

Audit logs record the request and response data of the API actions that were performed. However, in the following circumstances, the request or response info is unavailable or is redacted:

• For instance.setMetadata and project.setCommonInstanceMetadata API requests, the metadata portion of the request body is redacted to avoid logging sensitive information sent in the metadata.
• Sensitive fields are redacted from requests, such as private keys for SSL certificates and customer-supplied encryption keys for disks.
• For get and list responses, the response body is redacted to avoid logging private information.

What's next

• Read up on Stackdriver Logging.
• Learn how to migrate from using legacy activity logs to using audit logs instead.