If you use legacy activity logs, read this guide to understand how to find your log entries using audit logging instead.
Legacy activity logs are to be deprecated in a future release. Some activity log entries will be discontinued on June 1, 2020.
Audit logs contain the same information that is available through legacy activity logs, and more. But audit logs present the information differently compared to activity logs.
To use audit logs instead of activity logs, you must adjust your queries to filter on:
- Different field names
- Different field values, including:
- Different log names
- Different payloads
- Versioned method names
Distinguishing between activity log entries and audit log entries
Audit logs and legacy activity logs each contain log entry objects. But their contents are different. When issuing queries to view log entries, keep these differences in mind as you migrate from activity logs to audit logs.
You can distinguish audit logs from legacy activity logs by examining the contents of their log entries: they have different log names and different payloads.
| Log entry example | |
|---|---|
| Legacy activity log | {
insertId: "1x3bbhjg2wwvz1x"
jsonPayload: {…}
labels: {…}
logName: "projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log"
receiveTimestamp: "2019-08-26T12:22:44.602794616Z"
...
} |
| Audit log | {
insertId: "-w6o499e22fwk"
logName: "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload: {…}
receiveTimestamp: "2019-08-26T12:22:46.881198276Z"
...
} |
Read mapping log entry fields to learn how to map legacy activity log fields to audit log fields.
Mapping log entry fields from activity logs to audit logs
Audit logs contain the same information as activity logs. But the names of log entry fields can be different. The values can also be different.
Field names
Use the following table to map legacy activity log field names to audit log
field names. For example, if your legacy activity log query contained a
filter based on
jsonPayload.resource.type, your new audit log query should filter on
resource.type instead.
| Legacy activity log field name | Audit log field name |
|---|---|
insertId |
insertId |
jsonPayload.actor.user |
protoPayload.authenticationInfo.principalEmail |
jsonPayload.event_subtype |
protoPayload.methodName |
jsonPayload.event_timestamp_us |
resource.timestamp |
jsonPayload.request |
protoPayload.request |
jsonPayload.operation |
operation |
jsonPayload.resource.id |
resource.lablels.instance_id |
jsonPayload.resource.name |
protoPayload.resourceName |
jsonPayload.resource.type |
resource.type |
jsonPayload.resource.zone |
resource.labels.zone |
jsonPayload.trace_id |
operation.id |
jsonPayload.user_agent |
protoPayload.requestMetadata.callerSuppliedUserAgent |
labels.compute.googleapis.com/resource_id |
resource.labels.[RESOURCE_TYPE]_id |
labels.compute.googleapis.com/resource_name |
protoPayload.resourceName |
labels.compute.googleapis.com/resource_type |
resource.type |
labels.compute.googleapis.com/resource_zone |
One of:
|
logName |
logName |
receiveTimestamp |
receiveTimestamp |
resource.labels |
resource.labels |
severity |
severity |
timestamp |
timestamp |
Field values
Compared to activity logs, audit logs have different log names and different payloads, and they provide versioned method names.
Log names
An audit log has a logName that includes cloudaudit.googleapis.com.
| Log name | Log contents | |
|---|---|---|
| Legacy activity log | projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log | Admin activity and system events |
| Audit log | projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity | Admin activity |
projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_event | System events | |
projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access | Data access |
Payloads
An audit log has a protoPayload instead of a jsonPayload.
| Payload type | Payload example | |
|---|---|---|
| Legacy activity log | jsonPayload | jsonPayload: {
actor: {…}
event_subtype: "compute.instances.start"
event_timestamp_us: "1566404493487248"
event_type: "GCE_API_CALL"
ip_address: ""
operation: {…}
request: {…}
resource: {…}
trace_id: "operation-1566404491560-590a2f74b4705-a1ae0686-d896d772"
user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
version: "1.2"
} |
| Audit log | protoPayload | protoPayload: {
@type: "type.googleapis.com/google.cloud.audit.AuditLog"
authenticationInfo: {…}
methodName: "v1.compute.instances.start"
request: {…}
requestMetadata: {…}
resourceName: "projects/[PROJECT_ID]/zones/us-central1-a/instances/alert"
serviceName: "compute.googleapis.com"
} |
To learn how these payloads relate to each other, and how to map legacy activity log fields to audit log fields, read log entry field mappings.
Method names
In audit logs, API method names (in the protoPayload.methodName field) are
prefixed with their version, like: v1.compute.instances.delete.
| Field | Value | Query example | |
|---|---|---|---|
| Legacy activity log | jsonPayload.event_subtype | [RESOURCE].[METHOD] | jsonPayload.event_subtype=compute.instances.delete |
| Audit log | protoPayload.methodName | [API_VERSION].[RESOURCE].[METHOD] | protoPayload.methodName=v1.compute.instances.deleteor protoPayload.methodName=beta.compute.instances.deleteor protoPayload.methodName:compute.instances.delete |
If you use unversioned API method names in your legacy activity log queries, you
can keep using them, but make sure that you use a "has" operator (:) in your
query, instead of an "equals" operator (=). For example:
protoPayload.methodName:compute.instances.delete returns all instance delete
API calls, regardless of version. For more information about operators, see
comparisions.
Query examples
This section contains a few sample queries to help you start using audit logging instead of activity logs. See Viewing logs for more information about basic and advanced queries.
Querying for recent admin activity log entries
| Query example | |
|---|---|
| Legacy activity log | logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log"
|
| Audit log | logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" |
Querying for recent instance creation log entries
| Query example | |
|---|---|
| Legacy activity log | logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log" |
| Audit log | logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" |
What's next
- Learn more about Cloud Audit Logs.
- Learn about Stackdriver Logging.
- Learn about advanced logging filters.
