Determining event filters for Cloud Audit Logs

An Eventarc trigger declares your interest in a certain event or set of events. For Cloud Audit Logs, triggers are applied when an audit log is created that matches the trigger's filter criteria, allowing you to capture and act on specific events.

For a list of Google Cloud services that provide audit logs, see Google services with audit logs.

For a list of the audit log events supported by Eventarc, including serviceName and methodName values, see Events supported by Eventarc.

To identify the exact event filters needed to create a trigger, generate the event that you want to capture, and then view its corresponding Cloud Audit Logs entry.

  1. Ensure that you have enabled the data access audit log types for your service.

    Go to Audit Logs

    Note that any services that have auditing enabled by default are not listed.

    1. In the main table on the Audit Logs page, select a Google Cloud service from the Title column.

    2. In the Log Type tab, select the Admin Read, Data Read, and Data Write checkboxes and then click Save.

  2. Perform the operation you want to create an event filter for and generate an audit log entry. For example, store a file in a Cloud Storage bucket.

  3. In the Cloud Console, go to the Logs Explorer.

    Go to Logs Explorer

  4. In the Query builder pane, build and run a query to filter the log entries and retrieve the results. For example:

    resource.type="gcs_bucket" resource.labels.bucket_name="eventarc-bucket"
    

    For more details on how to build queries to retrieve and refine logs, see Building log queries.

  5. To see the full details of one log entry, click the expander arrow (▸) at the start of the entry.

    The protoPayload field distinguishes an audit log entry from other log entries. In the following example, some parts of the log entry are omitted, and some fields are highlighted:

    {
       protoPayload:{
          @type:"type.googleapis.com/google.cloud.audit.AuditLog",
          status:{},
          authenticationInfo:{},
          requestMetadata:{},
          serviceName:"storage.googleapis.com",
          methodName:"storage.objects.create",
          authorizationInfo:[],
          resourceName:"projects/_/buckets/eventarc-bucket/objects/random.txt",
          resourceLocation:{}
       },
       insertId:"il9evleafpdk",
       resource:{
          type:"gcs_bucket",
          labels:{
             project_id:"cloud-run-test",
             location:"us-central1",
             bucket_name:"eventarc-bucket"
          }
       },
       timestamp:"2021-03-05T15:55:20.754688805Z",
       severity:"INFO",
       logName:"projects/cloud-run-test/logs/cloudaudit.googleapis.com%2Fdata_access",
       receiveTimestamp:"2021-03-05T15:55:20.884984611Z"
    }
    

    • The following information can be used to verify the contents of this audit log entry:

      • The protoPayload.@type field is type.googleapis.com/google.cloud.audit.AuditLog.

      • The logName field includes the domain cloudaudit.googleapis.com.

    • The protoPayload.serviceName field is the service that wrote the audit log.

    • The protoPayload.methodName field is the operation that is being audited.

    • The protoPayload.resourceName field is the resource that is being audited.

    For more details on how to find information in an audit log entry, see Understanding audit logs.
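The following Python sketch is an added example, not part of the original page or Google's own code: it applies the two verification checks above to a log entry and turns its serviceName and methodName into trigger filters. It assumes the entry has been exported as JSON and parsed into a dict; the function names are hypothetical, and the event type `google.cloud.audit.log.v1.written` and the `--event-filters` flag of `gcloud eventarc triggers create` do not appear in the text above.

```python
AUDIT_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
AUDIT_LOG_DOMAIN = "cloudaudit.googleapis.com"
# Eventarc event type for Cloud Audit Logs entries (not stated on this page).
EVENT_TYPE = "google.cloud.audit.log.v1.written"

# Constructed sample: the entry shown above, reduced to the fields used here.
SAMPLE_ENTRY = {
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.create",
        "resourceName": "projects/_/buckets/eventarc-bucket/objects/random.txt",
    },
    "logName": "projects/cloud-run-test/logs/cloudaudit.googleapis.com%2Fdata_access",
}


def is_audit_log(entry):
    """Check protoPayload.@type and that the log ID starts with the audit domain.

    Assumption: logName is URL-encoded as in the sample ("%2F" after the domain).
    """
    payload = entry.get("protoPayload") or {}
    log_id = entry.get("logName", "").rpartition("/logs/")[2]
    return payload.get("@type") == AUDIT_TYPE and log_id.startswith(AUDIT_LOG_DOMAIN + "%2F")


def event_filters(entry, include_resource=False):
    """Return the trigger filters for an audit log entry, or raise if it is not one."""
    if not is_audit_log(entry):
        raise ValueError("not a Cloud Audit Logs entry")
    payload = entry["protoPayload"]
    missing = [k for k in ("serviceName", "methodName") if not payload.get(k)]
    if missing:
        raise ValueError("audit entry lacks " + ", ".join(missing))
    filters = {"type": EVENT_TYPE,
               "serviceName": payload["serviceName"],
               "methodName": payload["methodName"]}
    if include_resource and payload.get("resourceName"):
        filters["resourceName"] = payload["resourceName"]
    return filters


def gcloud_flags(filters):
    """Render the filters as --event-filters flags for gcloud eventarc triggers create."""
    return " ".join(f'--event-filters="{k}={v}"' for k, v in filters.items())


if __name__ == "__main__":
    print(gcloud_flags(event_filters(SAMPLE_ENTRY)))
```

Passing `include_resource=True` narrows the filters to the single audited resource; leaving it off matches every resource the method is called on.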
