Determine event filters for Cloud Audit Logs

Stay organized with collections Save and categorize content based on your preferences.

An Eventarc trigger declares your interest in a certain event or set of events, allowing you to capture and act on specific events. Eventarc triggers with send requests to your service or workflow when an audit log is created that matches the trigger's filter criteria. Matches are made on the following values from the audit log entry:

  • serviceName: the service that wrote the audit log
  • methodName: the operation that is being audited
  • resourceName: the resource that is being audited

For a list of Google Cloud services that provide audit logs, see Google services with audit logs.

For a list of the audit log events supported by Eventarc, including serviceName and methodName values, see Events supported by Eventarc.

Identify event filters

To identify the exact event filters needed to create a trigger, generate the event that you want to capture, and then view its corresponding Cloud Audit Logs entry. Note that data from a log entry might be split and distributed across several entries.

  1. Ensure that you have enabled the data access audit log types for your service.

    Go to Audit Logs

    Note that any services that have auditing enabled by default are not listed.

    1. In the main table on the Audit Logs page, select a Google Cloud service from the Title column.

    2. In the Log Type tab, select the Admin Read, Data Read, and Data Write checkboxes and then click Save.

  2. Perform the operation you want to create an event filter for and generate an audit log entry. For example, store a file in a Cloud Storage bucket.

  3. In the Google Cloud console, go to the Logs Explorer.

    Go to Logs Explorer

  4. In the Query builder pane, build and run a query to filter the log entries and retrieve the results. For example:

    resource.type="gcs_bucket" resource.labels.bucket_name="eventarc-bucket"

    For more details on how to build queries to retrieve and refine logs, see Building log queries.

  5. To see the full details of one log entry, click the expander arrow (▸) at the start of the entry.

    The protoPayload field distinguishes an audit log entry from other log entries. In the following example, some parts of the log entry are omitted, and some fields are highlighted:


    • The following information can be used to verify the contents of this audit log entry:

      • The protoPayload.@type field is

      • The logName field includes the domain

    • The protoPayload.serviceName field is the service that wrote the audit log.

    • The protoPayload.methodName field is the operation that is being audited.

    • The protoPayload.resourceName field is the resource that is being audited.

    For more details on how to find information in an audit log entry, see Understanding audit logs.

Eventarc trigger examples

The following example creates a trigger called cal-workflows-trigger for a Workflows destination. The trigger filters for audit logs that are written by and for the operation identified as jobservice.jobcompleted:

gcloud eventarc triggers create cal-workflows-trigger \
   --location=us-central1 \
   --destination-workflow=my-workflow \
   --destination-workflow-location=europe-west4 \
   --event-filters="" \
   --event-filters="" \
   --event-filters="methodName=jobservice.jobcompleted" \

The following example creates a trigger called cal-run-trigger for a Cloud Run destination. The trigger filters for audit logs that are written by and for the operation identified as

gcloud eventarc triggers create cal-run-trigger \
   --location=us-central1 \
   --destination-run-service=helloworld-events \
   --destination-run-region=us-central1 \
   --event-filters="" \
   --event-filters="" \
   --event-filters="" \
   --event-filters="resourceName=projects/_/locations/us-central1/workflows/test-workflow" \

Split Cloud Audit Logs

Cloud Logging splits single audit log entries larger than 512 KB size limit and distributes the data contained in the original audit log entry across several split log entries. The split field is a LogSplit object that contains the information needed to identify related split log entries.

Each protoPayload of the split entries will include the same serviceName, methodName, and resourceName values to help filter the Cloud Audit Logs events. Eventarc triggers will deliver an event for each split log entry.

When you have an audit log entry that is split into multiple log entries, you can filter for any of the fields in the LogEntry. For example, if you need the first entry from a split log entry, you can run the following gcloud CLI command, using split.index to indicate the position of the entry in the series of split entries. (The first entry from the split has index 0.):

gcloud logging read "split.index=0"

For more information on split log entries, including how to recognize entries and sample queries, see Split audit-log entries.

What's next