Workload location | Organization only workloads |
Audit log source | |
Audited operations | |
API server
Log type: Control plane.
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | user | For example, "user":{ "groups":["system:authenticated"], "username":"fop-platform-admin@example.com" } |
Target (Fields and values that call the API) | objectRef | "objectRef":{ "resource":"aeadkeys", "apiGroup":"kms.gdc.goog", "apiVersion":"v1", "namespace":"kms-test1" } |
Action (Fields containing the performed operation) | verb | For example, |
Event timestamp | requestReceivedTimestamp | For example, |
Source of action | sourceIPs | For example, "sourceIPs":[ "10.200.0.7" ] |
Outcome | responseStatus | For example, "responseStatus": { "metadata": {}, "code": 200 } |
Other fields | Not applicable | Not applicable |
Example log
```json
{
  "user":{
    "groups":["system:authenticated"],
    "username":"fop-platform-admin@example.com"
  },
  "auditID":"bec33328-b4ba-431e-96a2-9bbb77666478",
  "_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-wxw7t",
  "stage":"RequestReceived",
  "_gdch_cluster":"org-1-admin",
  "userAgent":"kubectl/v1.25.4 (linux/amd64) kubernetes/872a965",
  "kind":"Event",
  "level":"Metadata",
  "stageTimestamp":"2022-12-08T03:59:20.025703Z",
  "requestReceivedTimestamp":"2022-12-08T03:59:20.025703Z",
  "objectRef":{
    "resource":"aeadkeys",
    "apiGroup":"kms.gdc.goog",
    "apiVersion":"v1",
    "namespace":"kms-test1"
  },
  "sourceIPs":[
    "10.200.0.7"
  ],
  "apiVersion":"audit.k8s.io/v1",
  "requestURI":"/apis/kms.gdc.goog/v1/namespaces/kms-test1/aeadkeys?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "verb":"create",
  "_gdch_service_name":"apiserver"
}
```
Istio
Log type: Data plane.
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | username | For example, |
Target (Fields and values that call the API) | resource | "resource":{ "node_name":"sidecar~10.253.166.144~kms-backend-84f5c4f4c7-ncl4d.kms-system~kms-system.svc.cluster.local", "cluster_name":"kms-backend.kms-system", "zone_name":"europe-west4-b", "log_name":"otel_envoy_accesslog" } |
Action (Fields containing the performed operation) | path | For example, |
Event timestamp | start_time | For example, |
Source of action | x_forwarded_for | For example, |
Outcome | response_code | For example, |
Other fields | Not applicable | Not applicable |
Example log
```json
{
  "response_code":"200",
  "response_code_details":"via_upstream",
  "response_flags":"-",
  "route_name":"default",
  "severity_number":0,
  "severity_text":"",
  "start_time":"2022-12-08T04:03:33.859Z",
  "_gdch_service_name":"istio",
  "upstream_host":"10.253.166.144:8080",
  "upstream_local_address":"127.0.0.6:54383",
  "user_agent":"grpc-go/1.49.0",
  "_gdch_service_tenant":"platform-obs",
  "username":"fop-platform-admin@example.com",
  "x_envoy_upstream_service_time":"104",
  "x_forwarded_for":"10.253.165.123",
  "x_goog_api_client":"-",
  "x_request_id":"c11cbf94-765d-440d-9d36-56654d93d834",
  "authority":"kms.org-1.zone1.google.gdch.test",
  "bytes_received":"32756",
  "body":{},
  "upstream_transport_failure_reason":"-",
  "bytes_sent":"0",
  "downstream_local_address":"10.253.166.144:8080",
  "downstream_remote_address":"10.253.165.123:0",
  "duration":"318",
  "method":"POST",
  "observed_time_unix_nano":0,
  "protocol":"HTTP/2",
  "requested_server_name":"outbound_.8080_._.kms-backend.kms-system.svc.cluster.local",
  "_gdch_namespace":"istio-system",
  "path":"/goog.gdc.kms.v1.CryptoOperationsService/Encrypt",
  "connection_termination_details":"-",
  "time_unix_nano":1670472213859570944,
  "upstream_cluster":"inbound|8080||",
  "resource":{
    "node_name":"sidecar~10.253.166.144~kms-backend-84f5c4f4c7-ncl4d.kms-system~kms-system.svc.cluster.local",
    "cluster_name":"kms-backend.kms-system",
    "zone_name":"europe-west4-b",
    "log_name":"otel_envoy_accesslog"
  },
  "_gdch_cluster":"org-1-admin",
  "_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-cr9h7"
}
```
Server
Log type: Data plane.
Fields in the log entry that contain audit information | ||
---|---|---|
Audit metadata | Audit field name | Value |
User or service identity | message.user.identity | For example, |
Target (Fields and values that call the API) | _gdch_service_name | |
Action (Fields containing the performed operation) | message.action | For example, |
Event timestamp | time | For example, |
Source of action | _gdch_cluster | For example, |
Outcome | message.response | For example, |
Other fields | The message.description field contains the complete log message. | For more information, see the Example log. |
Example log
```json
{
  "pri":"46",
  "time":"2023-05-30T20:58:25Z",
  "host":"kms-backend-9dd54b666-jfp5v",
  "ident":"/kms_bin",
  "pid":"1",
  "msgid":"audit-log",
  "extradata":"-",
  "message":"{\"time\":\"2023-08-01T18:04:00.458810232Z\",\"auditID\":\"6f848640-8af1-4659-b9c9-a358d19bea5f\",\"user\":{\"identity\":\"fop-platform-admin@example.com\"},\"resource\":\"namespaces/testnamespace/aeadKeys/testcryptokey\",\"action\":\"/goog.gdc.kms.v1.CryptoOperationsService/Decrypt\",\"description\":\"{\"duration_ms\":202}\",\"userAgent\":\"grpc-go/1.55.0\",\"response\":\"OK\",\"_gdch_service\":\"kms\"}",
  "_gdch_org_name":"org-1",
  "_gdch_org_id":"org-1.zone1.google.gdch.test",
  "_gdch_cluster":"org-1-admin",
  "_gdch_fluentbit_pod":"anthos-audit-logs-forwarder-5lq2g",
  "_gdch_service_name":"kms-backend",
  "_gdch_tenant_id":"platform-obs"
}
```
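
The following is an added example, not part of the original documentation: it normalizes records from the three audit log sources into the audit metadata columns of the tables above, dispatching on `_gdch_service_name`. The function names, the output keys, and the trimmed sample records are constructed for illustration, and the regex fallback is an assumed way to handle a nested `message` string that is not strict JSON, as with the `description` value in the Server example log.

```python
import json
import re

def kms_message(raw):
    # The nested "message" should be JSON; fall back to regex when it is not.
    try:
        m = json.loads(raw)
        return m.get("user", {}).get("identity"), m.get("action"), m.get("response"), True
    except json.JSONDecodeError:
        def grab(key):
            hit = re.search(r'"%s":"([^"]*)"' % re.escape(key), raw)
            return hit.group(1) if hit else None
        return grab("identity"), grab("action"), grab("response"), False

def normalize(rec):
    """Return who/target/action/when/source/outcome for one audit record."""
    svc, strict = rec.get("_gdch_service_name"), True
    if svc == "apiserver":
        ref = rec.get("objectRef", {})
        row = (rec.get("user", {}).get("username"),
               "%s/%s" % (ref.get("namespace"), ref.get("resource")),
               rec.get("verb"), rec.get("requestReceivedTimestamp"),
               ",".join(rec.get("sourceIPs", [])),
               rec.get("responseStatus", {}).get("code"))  # None when absent
    elif svc == "istio":
        row = (rec.get("username"), rec.get("resource", {}).get("cluster_name"),
               rec.get("path"), rec.get("start_time"),
               rec.get("x_forwarded_for"), rec.get("response_code"))
    elif svc == "kms-backend":
        who, action, outcome, strict = kms_message(rec.get("message", ""))
        row = (who, svc, action, rec.get("time"), rec.get("_gdch_cluster"), outcome)
    else:
        raise ValueError("unknown audit log source: %r" % svc)
    keys = ("who", "target", "action", "when", "source", "outcome")
    return dict(zip(keys, row), strict_parse=strict)

# Constructed samples: trimmed copies of the three example logs on this page.
SAMPLES = [json.loads(s) for s in (
    '{"_gdch_service_name":"apiserver","user":{"username":"fop-platform-admin@example.com"},'
    '"objectRef":{"resource":"aeadkeys","namespace":"kms-test1"},"verb":"create",'
    '"requestReceivedTimestamp":"2022-12-08T03:59:20.025703Z","sourceIPs":["10.200.0.7"]}',
    '{"_gdch_service_name":"istio","username":"fop-platform-admin@example.com",'
    '"resource":{"cluster_name":"kms-backend.kms-system"},"response_code":"200",'
    '"path":"/goog.gdc.kms.v1.CryptoOperationsService/Encrypt",'
    '"start_time":"2022-12-08T04:03:33.859Z","x_forwarded_for":"10.253.165.123"}',
    r'{"_gdch_service_name":"kms-backend","time":"2023-05-30T20:58:25Z",'
    r'"_gdch_cluster":"org-1-admin","message":"{\"user\":{\"identity\":\"fop-platform-admin@example.com\"},'
    r'\"action\":\"/goog.gdc.kms.v1.CryptoOperationsService/Decrypt\",'
    r'\"description\":\"{\"duration_ms\":202}\",\"response\":\"OK\"}"}',
)]
```

Rows returned with `strict_parse` set to `False` were recovered by the regex fallback and are worth routing to review rather than trusting as fully parsed.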