Migrating from activity logs to audit logs

If you use legacy activity logs, read this guide to understand how to find your log entries using audit logging instead.

Legacy activity logs are to be deprecated in a future release. Some activity log entries will be discontinued on June 1, 2020.

Audit logs contain the same information that is available through legacy activity logs, and more. But audit logs present the information differently compared to activity logs.

To use audit logs instead of activity logs, you must adjust your queries to filter on:

Distinguishing between activity log entries and audit log entries

Audit logs and legacy activity logs each contain log entry objects. But their contents are different. When issuing queries to view log entries, keep these differences in mind as you migrate from activity logs to audit logs.

You can distinguish audit logs from legacy activity logs by examining the contents of their log entries: they have different log names and different payloads.

Log entry example

Legacy activity log:

    {
      insertId:  "1x3bbhjg2wwvz1x"
      jsonPayload: {…}
      labels: {…}
      logName:  "projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log"
      receiveTimestamp:  "2019-08-26T12:22:44.602794616Z"
      ...
    }

Audit log:

    {
      insertId:  "-w6o499e22fwk"
      logName:  "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
      protoPayload: {…}
      receiveTimestamp:  "2019-08-26T12:22:46.881198276Z"
      ...
    }

Read Mapping log entry fields from activity logs to audit logs to learn how to map legacy activity log fields to audit log fields.

Mapping log entry fields from activity logs to audit logs

Audit logs contain the same information as activity logs, but the names of the log entry fields, and the values they hold, can differ.

Field names

Use the following table to map legacy activity log field names to audit log field names. For example, if your legacy activity log query contained a filter based on jsonPayload.resource.type, your new audit log query should filter on resource.type instead.

Legacy activity log field name                  Audit log field name
insertId                                        insertId
jsonPayload.actor.user                          protoPayload.authenticationInfo.principalEmail
jsonPayload.event_subtype                       protoPayload.methodName
jsonPayload.event_timestamp_us                  resource.timestamp
jsonPayload.request                             protoPayload.request
jsonPayload.operation                           operation
jsonPayload.resource.id                         resource.labels.instance_id
jsonPayload.resource.name                       protoPayload.resourceName
jsonPayload.resource.type                       resource.type
jsonPayload.resource.zone                       resource.labels.zone
jsonPayload.trace_id                            operation.id
jsonPayload.user_agent                          protoPayload.requestMetadata.callerSuppliedUserAgent
labels.compute.googleapis.com/resource_id       resource.labels.[RESOURCE_TYPE]_id
labels.compute.googleapis.com/resource_name     protoPayload.resourceName
labels.compute.googleapis.com/resource_type     resource.type
labels.compute.googleapis.com/resource_zone     One of:
                                                  • resource.labels.zone
                                                  • resource.labels.region
                                                  • resource.labels.location
logName                                         logName
receiveTimestamp                                receiveTimestamp
resource.labels                                 resource.labels
severity                                        severity
timestamp                                       timestamp

Field values

Compared to activity logs, audit logs have different log names and different payloads, and they provide versioned method names.

Log names

An audit log has a logName that includes cloudaudit.googleapis.com.

Legacy activity log
  Log name:      projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log
  Log contents:  Admin activity and system events

Audit log
  Log name:      projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity
  Log contents:  Admin activity

  Log name:      projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_event
  Log contents:  System events

  Log name:      projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access
  Log contents:  Data access

Payloads

An audit log has a protoPayload instead of a jsonPayload.

Legacy activity log (payload type: jsonPayload)

    jsonPayload: {
      actor: {…}
      event_subtype:  "compute.instances.start"
      event_timestamp_us:  "1566404493487248"
      event_type:  "GCE_API_CALL"
      ip_address:  ""
      operation: {…}
      request: {…}
      resource: {…}
      trace_id:  "operation-1566404491560-590a2f74b4705-a1ae0686-d896d772"
      user_agent:  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36"
      version:  "1.2"
    }

Audit log (payload type: protoPayload)

    protoPayload: {
      @type:  "type.googleapis.com/google.cloud.audit.AuditLog"
      authenticationInfo: {…}
      methodName:  "v1.compute.instances.start"
      request: {…}
      requestMetadata: {…}
      resourceName:  "projects/[PROJECT_ID]/zones/us-central1-a/instances/alert"
      serviceName:  "compute.googleapis.com"
    }

To learn how these payloads relate to each other, and how to map legacy activity log fields to audit log fields, read Field names above.

Method names

In audit logs, API method names (in the protoPayload.methodName field) are prefixed with their version, like: v1.compute.instances.delete.

Legacy activity log
  Field:          jsonPayload.event_subtype
  Value:          [RESOURCE].[METHOD]
  Query example:  jsonPayload.event_subtype=compute.instances.delete

Audit log
  Field:          protoPayload.methodName
  Value:          [API_VERSION].[RESOURCE].[METHOD]
  Query example:  protoPayload.methodName=v1.compute.instances.delete
                  or protoPayload.methodName=beta.compute.instances.delete
                  or protoPayload.methodName:compute.instances.delete

If you use unversioned API method names in your legacy activity log queries, you can keep using them, but make sure that you use the "has" operator (:) in your query instead of the "equals" operator (=): an equality match against an unversioned name never matches a version-prefixed methodName. For example, protoPayload.methodName:compute.instances.delete returns all instance delete API calls, regardless of API version. For more information about operators, see Comparisons.

Query examples

This section contains a few sample queries to help you start using audit logging instead of activity logs. See Viewing logs for more information about basic and advanced queries.

Querying for recent admin activity log entries

Legacy activity log query:
  logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log"

Audit log query:
  logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"

Querying for recent instance creation log entries

Legacy activity log query:
  logName="projects/[PROJECT_ID]/logs/compute.googleapis.com%2Factivity_log"
  jsonPayload.event_subtype=compute.instances.insert

Audit log query:
  logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
  protoPayload.methodName:compute.instances.insert
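The field mapping table, the "has" operator rule for method names and the query examples above can be applied mechanically to a saved legacy query. The following Python is an added example, not code from the page or from Google Cloud; it assumes one comparison per query line (as in the examples) and stops on the two label fields whose audit log counterpart depends on the resource type.

```python
import re

# Legacy activity log field -> audit log field, copied from the mapping table above.
FIELD_MAP = {
    "jsonPayload.actor.user": "protoPayload.authenticationInfo.principalEmail",
    "jsonPayload.event_subtype": "protoPayload.methodName",
    "jsonPayload.event_timestamp_us": "resource.timestamp",
    "jsonPayload.request": "protoPayload.request",
    "jsonPayload.operation": "operation",
    "jsonPayload.resource.id": "resource.labels.instance_id",
    "jsonPayload.resource.name": "protoPayload.resourceName",
    "jsonPayload.resource.type": "resource.type",
    "jsonPayload.resource.zone": "resource.labels.zone",
    "jsonPayload.trace_id": "operation.id",
    "jsonPayload.user_agent": "protoPayload.requestMetadata.callerSuppliedUserAgent",
    "labels.compute.googleapis.com/resource_name": "protoPayload.resourceName",
    "labels.compute.googleapis.com/resource_type": "resource.type",
}
# Their audit log counterpart depends on the resource type (see the table), so stop and ask.
AMBIGUOUS = {"labels.compute.googleapis.com/resource_id",
             "labels.compute.googleapis.com/resource_zone"}
LEGACY_LOG = "compute.googleapis.com%2Factivity_log"
AUDIT_LOG = "cloudaudit.googleapis.com%2Factivity"
# One comparison per line, as in the query examples: field, operator, value.
COMPARISON = re.compile(r"^\s*([\w./]+)\s*(!=|=|:)\s*(.+?)\s*$")

def migrate_line(line):
    """Rewrite one legacy activity log comparison into its audit log form."""
    m = COMPARISON.match(line)
    if not m:
        return line  # AND/OR, parentheses, etc. pass through unchanged
    field, op, value = m.groups()
    if field == "logName":
        # The admin-activity audit log replaces the legacy activity log.
        return f"{field}{op}{value.replace(LEGACY_LOG, AUDIT_LOG)}"
    if field in AMBIGUOUS:
        raise ValueError(f"{field}: pick the audit log field for your resource type")
    new_field = FIELD_MAP.get(field)
    if new_field is None:
        if field.startswith(("jsonPayload.", "labels.compute.")):
            raise ValueError(f"no audit log mapping for {field}")
        new_field = field  # insertId, severity, timestamp, resource.labels keep their names
    if field == "jsonPayload.event_subtype" and op == "=":
        # Audit log method names are version-prefixed (v1.compute...), so an unversioned
        # equality match would never hit; the "has" operator matches any version.
        op = ":"
    return f"{new_field}{op}{value}"

def migrate_query(query):
    return "\n".join(migrate_line(l) for l in query.splitlines())
```

Run it over each saved legacy query and review the result before replacing the query; a ValueError marks a line that needs a manual decision rather than a mechanical rewrite.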
