This page provides supplemental information for using Cloud Audit Logs with Compute Engine. Use Cloud Audit Logs to generate logs for API operations performed in Compute Engine.
Audit logs are not the same as legacy activity logs. Audit logs help you determine who did what, where, and when. Specifically, audit logs track how your Compute Engine resources are modified and accessed within your Google Cloud projects for auditing purposes. Legacy activity logs contain a subset of that information and are to be deprecated. If you are using activity logs, read Migrating from activity logs to audit logs.
Logged information
Cloud Audit Logs returns three types of logs:
Admin activity logs: Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb fall into this category.
System event logs: Contains log entries for system maintenance operations on Compute Engine resources.
Data access logs: Contains log entries for operations that perform read-only operations that don't modify any data, such as get, list, and aggregated list methods. Unlike audit logs for other services, Compute Engine only has
ADMIN_READdata access logs and doesn't generally offerDATA_READandDATA_WRITElogs. This is becauseDATA_READandDATA_WRITElogs are only used for services that store and manage user data such as Cloud Storage, Cloud Spanner, and Cloud SQL, and this doesn't apply to Compute Engine. There is one exception to this rule:instance.getSerialPortOutputdoes generate aDATA_READlog because the method reads data directly from the VM instance.
The following table summarizes which Compute Engine operations fall into each log type:
| Log entry type | Sub-type | Operations |
|---|---|---|
| Admin Activity | N/A |
|
| System event | N/A |
|
| Data Access | ADMIN_READ |
|
DATA_READ |
Get the contents of the serial port console |
Compute Engine logs use an
AuditLog
object and follows the same format as other Cloud Audit Logs. Logs
contain information such as:
- The user who made the request, including the email address of that user.
- The resource name on which the request was made.
- The outcome of the request.
Log settings
Admin activity and system event logs are recorded by default. These logs do not count towards your log ingestion quota.
Data access logs aren't recorded by default. These logs count towards your log ingestion quota. To learn how to enable logs for data access-type operations, see Configuring data access logs.
Log access
The following users can view admin activity and system event logs:
- Project owners, editors, and viewers.
- Users with the Logs viewer IAM role.
- Users with the
logging.logEntries.listIAM permission.
The following users can view data access logs:
- Project owners.
- Users with the Private logs viewer IAM role.
- Users with the
logging.privateLogEntries.listIAM permission.
See Adding IAM members to a project for instructions about granting access.
Viewing logs
You can view a summary of the audit logs for your project in the activity stream in the Google Cloud Console. A more detailed version of the logs can be found in the Logs Viewer.
For instructions about filtering logs in the logs viewer, see the Cloud Logging guide.
Data redaction in audit logs
Audit logs record the request and response data of the API actions that were performed. However, in the following circumstances, the request or response info is unavailable or is redacted:
- For
instance.setMetadataandproject.setCommonInstanceMetadataAPI requests, the metadata portion of the request body is redacted to avoid logging sensitive information sent in the metadata. - Sensitive fields are redacted from requests, such as private keys for SSL certificates and customer-supplied encryption keys for disks.
- For get and list responses, the response body is redacted to avoid logging private information.
What's next
- Read up on Cloud Logging.
- Learn how to migrate from using legacy activity logs to using audit logs instead.