This document describes audit logging for Cloud Next Generation Firewall. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. To learn more about Cloud Audit Logs, refer to the following documentation pages:
- Types of audit logs
- Audit log entry structure
- How to store and route audit logs
- How to enable Data Access audit logs
- Cloud Logging pricing summary
Service name
Cloud Next Generation Firewall audit logs use the service name networksecurity.googleapis.com.
Filter for this service:
protoPayload.serviceName="networksecurity.googleapis.com"
Methods by permission type
Each IAM permission has a type property, whose value is an enum
that can be one of four values: ADMIN_READ, ADMIN_WRITE,
DATA_READ, or DATA_WRITE. When you call a method,
Cloud Next Generation Firewall generates an audit log whose category is dependent on the
type property of the permission required to perform the method.
Methods that require an IAM permission with the type property value
of DATA_READ, DATA_WRITE, or ADMIN_READ generate
Data Access audit logs.
Methods that require an IAM permission with the type property value
of ADMIN_WRITE generate
Admin Activity audit logs.
| Permission type | Methods |
|---|---|
ADMIN_READ |
google.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpointgoogle.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpointAssociationgoogle.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpointAssociationsgoogle.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpointsgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfilegoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfileGroupgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfileGroupsgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfilesgoogle.longrunning.Operations.GetOperation |
ADMIN_WRITE |
google.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpointgoogle.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpointAssociationgoogle.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpointgoogle.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpointAssociationgoogle.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpointgoogle.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpointAssociationgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfilegoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfileGroupgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfilegoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfileGroupgoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfilegoogle.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfileGroup |
API interface audit logs
For information about how and which permissions are evaluated for each method, see the Identity and Access Management documentation for Cloud Next Generation Firewall.
google.cloud.networksecurity.v1.FirewallActivation
The following section contains details about audit logs associated with
methods belonging to google.cloud.networksecurity.v1.FirewallActivation.
CreateFirewallEndpoint
- Method:
google.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpoint - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpoints.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpoint"
CreateFirewallEndpointAssociation
- Method:
google.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpointAssociation - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpointAssociations.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.CreateFirewallEndpointAssociation"
DeleteFirewallEndpoint
- Method:
google.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpoint - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpoints.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpoint"
DeleteFirewallEndpointAssociation
- Method:
google.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpointAssociation - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpointAssociations.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.DeleteFirewallEndpointAssociation"
GetFirewallEndpoint
- Method:
google.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpoint - Audit log type: Data access
- Permissions:
networksecurity.firewallEndpoints.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpoint"
GetFirewallEndpointAssociation
- Method:
google.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpointAssociation - Audit log type: Data access
- Permissions:
networksecurity.firewallEndpointAssociations.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.GetFirewallEndpointAssociation"
ListFirewallEndpointAssociations
- Method:
google.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpointAssociations - Audit log type: Data access
- Permissions:
networksecurity.firewallEndpointAssociations.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpointAssociations"
ListFirewallEndpoints
- Method:
google.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpoints - Audit log type: Data access
- Permissions:
networksecurity.firewallEndpoints.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.ListFirewallEndpoints"
UpdateFirewallEndpoint
- Method:
google.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpoint - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpoints.update - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpoint"
UpdateFirewallEndpointAssociation
- Method:
google.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpointAssociation - Audit log type: Admin activity
- Permissions:
networksecurity.firewallEndpointAssociations.update - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.FirewallActivation.UpdateFirewallEndpointAssociation"
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService
The following section contains details about audit logs associated with
methods belonging to google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.
CreateSecurityProfile
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfile - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfiles.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfile"
CreateSecurityProfileGroup
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfileGroup - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfileGroups.create - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.CreateSecurityProfileGroup"
DeleteSecurityProfile
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfile - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfiles.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfile"
DeleteSecurityProfileGroup
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfileGroup - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfileGroups.delete - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.DeleteSecurityProfileGroup"
GetSecurityProfile
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfile - Audit log type: Data access
- Permissions:
networksecurity.securityProfiles.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfile"
GetSecurityProfileGroup
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfileGroup - Audit log type: Data access
- Permissions:
networksecurity.securityProfileGroups.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.GetSecurityProfileGroup"
ListSecurityProfileGroups
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfileGroups - Audit log type: Data access
- Permissions:
networksecurity.securityProfileGroups.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfileGroups"
ListSecurityProfiles
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfiles - Audit log type: Data access
- Permissions:
networksecurity.securityProfiles.list - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.ListSecurityProfiles"
UpdateSecurityProfile
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfile - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfiles.update - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfile"
UpdateSecurityProfileGroup
- Method:
google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfileGroup - Audit log type: Admin activity
- Permissions:
networksecurity.securityProfileGroups.update - ADMIN_WRITE
- Method is a long-running or streaming operation:
Long-running operation
- Filter for this method:
protoPayload.methodName="google.cloud.networksecurity.v1.OrganizationSecurityProfileGroupService.UpdateSecurityProfileGroup"
google.longrunning.Operations
The following section contains details about audit logs associated with
methods belonging to google.longrunning.Operations.
GetOperation
- Method:
google.longrunning.Operations.GetOperation - Audit log type: Data access
- Permissions:
networksecurity.operations.get - ADMIN_READ
- Method is a long-running or streaming operation:
No.
- Filter for this method:
protoPayload.methodName="google.longrunning.Operations.GetOperation"
Available audit logs
The following types of audit logs are available for Cloud Next Generation Firewall:
-
Admin Activity audit logs
Includes "admin write" operations that write metadata or configuration information.
You can't disable Admin Activity audit logs.
-
Data Access audit logs
Includes "admin read" operations that read metadata or configuration information.
To receive Data Access audit logs, you must explicitly enable them.
For fuller descriptions of the audit log types, see Types of audit logs.
Audit log format
Audit log entries include the following objects:
The log entry itself, which is an object of type
LogEntry. Useful fields include the following:- The
logNamecontains the resource ID and audit log type. - The
resourcecontains the target of the audited operation. - The
timeStampcontains the time of the audited operation. - The
protoPayloadcontains the audited information.
- The
The audit logging data, which is an
AuditLogobject held in theprotoPayloadfield of the log entry.Optional service-specific audit information, which is a service-specific object. For earlier integrations, this object is held in the
serviceDatafield of theAuditLogobject; later integrations use themetadatafield.
For other fields in these objects, and how to interpret them, review Understand audit logs.
Log name
Cloud Audit Logs log names include resource identifiers indicating the Google Cloud project or other Google Cloud entity that owns the audit logs, and whether the log contains Admin Activity, Data Access, Policy Denied, or System Event audit logging data.
The following are the audit log names, including variables for the resource identifiers:
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Factivity billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fdata_access billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fpolicy organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy
Enable audit logging
Admin Activity audit logs are always enabled; you can't disable them.
Data Access audit logs are disabled by default and aren't written unless explicitly enabled (the exception is Data Access audit logs for BigQuery, which can't be disabled).
For information about enabling some or all of your Data Access audit logs, see Enable Data Access audit logs.
View audit logs
You can query for all audit logs or you can query for logs by their
audit log name. The audit log name includes the
resource identifier
of the Google Cloud project, folder, billing account, or
organization for which you want to view audit logging information.
Your queries can specify indexed LogEntry fields, and if you use
the Log Analytics page, which supports SQL queries, then you can
view your query results as a chart.
For more information about querying your logs, see the following pages:
- Build queries in the Logs Explorer.
- Query and view logs in Log Analytics.
- Sample queries for security insights.
You can view audit logs in Cloud Logging by using the Google Cloud console, the Google Cloud CLI, or the Logging API.
Console
In the Google Cloud console, you can use the Logs Explorer to retrieve your audit log entries for your Google Cloud project, folder, or organization:
-
In the Google Cloud console, go to the Logs Explorer page:
If you use the search bar to find this page, then select the result whose subheading is Logging.
Select an existing Google Cloud project, folder, or organization.
To display all audit logs, enter either of the following queries into the query-editor field, and then click Run query:
logName:"cloudaudit.googleapis.com"
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog"
To display the audit logs for a specific resource and audit log type, in the Query builder pane, do the following:
In Resource type, select the Google Cloud resource whose audit logs you want to see.
In Log name, select the audit log type that you want to see:
- For Admin Activity audit logs, select activity.
- For Data Access audit logs, select data_access.
- For System Event audit logs, select system_event.
- For Policy Denied audit logs, select policy.
Click Run query.
If you don't see these options, then there aren't any audit logs of that type available in the Google Cloud project, folder, or organization.
If you're experiencing issues when trying to view logs in the Logs Explorer, see the troubleshooting information.
For more information about querying by using the Logs Explorer, see Build queries in the Logs Explorer. For information about summarizing log entries in the Logs Explorer by using Gemini, see Summarize log entries with Gemini assistance.
gcloud
The Google Cloud CLI provides a command-line interface to the Logging API. Supply a valid resource identifier in each of the log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Google Cloud project.
To read your Google Cloud project-level audit log entries, run the following command:
gcloud logging read "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com" \
--project=PROJECT_ID
To read your folder-level audit log entries, run the following command:
gcloud logging read "logName : folders/FOLDER_ID/logs/cloudaudit.googleapis.com" \
--folder=FOLDER_ID
To read your organization-level audit log entries, run the following command:
gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com" \
--organization=ORGANIZATION_ID
To read your Cloud Billing account-level audit log entries, run the following command:
gcloud logging read "logName : billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com" \
--billing-account=BILLING_ACCOUNT_ID
Add the --freshness flag
to your command to read logs that are more than 1 day old.
For more information about using the gcloud CLI, see
gcloud logging read.
API
When building your queries, supply a valid resource identifier in each of the log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Google Cloud project.
For example, to use the Logging API to view your project-level audit log entries, do the following:
Go to the Try this API section in the documentation for the
entries.listmethod.Put the following into the Request body part of the Try this API form. Clicking this prepopulated form automatically fills the request body, but you need to supply a valid PROJECT_ID in each of the log names.
{ "resourceNames": [ "projects/PROJECT_ID" ], "pageSize": 5, "filter": "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com" }Click Execute.