This page describes the audit logs created by Cloud IoT Core as part of Cloud Audit Logging.
Overview
Google Cloud Platform services write audit logs to help you answer the questions, "Who did what, where, and when?" Your GCP projects each contain only the audit logs for resources that are directly within the project. Other entities, including folders, organizations, and billing accounts, each contain the audit logs for the entity itself.
Cloud IoT Core writes, and provides by default, audit logs for Admin Activity, which include operations that modify the configuration or metadata of a resource. These include device settings, cloud-to-device configurations, and device registry settings.
Cloud IoT Core writes, and doesn't provide by default, audit logs for Data Access, which record API calls that read user-provided data.
Enabling audit logging
Admin Activity audit logs are enabled by default and can only be disabled through Stackdriver Logging exclusions.
Most GCP Data Access audit logs are disabled by default. The exception is Data Access audit logs for BigQuery, which are enabled by default and cannot be disabled; BigQuery Data Access logs do not count against your project's logging quota.
To enable some or all of your Data Access logs, see Configuring Data Access Logs.
The Data Access logs that you configure can affect your logs pricing in Stackdriver. For more information, see the Pricing section on this page.
Audited operations
The following table summarizes which API operations correspond to each audit log type in Cloud IoT Core:
| Audit logs category | Cloud IoT Core operations |
|---|---|
| Admin Activity logs |
|
Data Access logs (ADMIN_READ) |
|
Data Access logs (DATA_READ) |
None |
Data Access logs (DATA_WRITE) |
None |
Data Access logs
There are three categories of Data Access audit logs: ADMIN_READ, DATA_READ,
and DATA_WRITE. However, Cloud IoT Core only uses ADMIN_READ
data access logs. This is because DATA_READ and DATA_WRITE logs are only
used for services that store and manage user data (such as Cloud Storage,
Cloud Spanner, and Cloud SQL), which doesn't apply to
Cloud IoT Core.
| Data Access log type | Description | Availability |
|---|---|---|
ADMIN_READ |
Operations that read the configuration or metadata of a resource. | Cloud IoT Core doesn't provide ADMIN_READ logs by default. |
DATA_READ |
Operations that read user-provided data from a resource. | Cloud IoT Core doesn't provide DATA_READ logs. |
DATA_WRITE |
Operations that write user-provided data to a resource. | Cloud IoT Core doesn't provide DATA_WRITE logs. |
You can configure audit information that isn't provided by default. For details, see Configuring Data Access Logs.
Audit log format
Audit log entries, which can be viewed using the Logs
Viewer, the API, or the SDK gcloud logging command, include the following
objects:
The log entry itself, which is an object of type
LogEntry. Useful fields include the following:logNamecontains the project identification and audit log typeresourcecontains the target of the audited operationtimestampcontains the time of the audited operationprotoPayloadcontains the audited information
The audit information, which is an
AuditLogobject held in theprotoPayloadfield of the log entry.
For other fields in these objects, samples of their contents, and sample queries on information in the objects, see Audit Log Datatypes.
Log name and service name
Cloud Audit Logging log names indicate the project or other entity that owns the audit logs, and whether the log contains Admin Activity or Data Access information. For example, the following shows log names for a project's Admin Activity logs and an organization's Data Access logs.
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
Service names and resource types
Cloud IoT Core audit logs use the service name
cloudiot.googleapis.com.
Cloud IoT Core audit logs use the resource types cloudiot_device
and cloudiot_device_registry
for all audit logs.
For more details on logging services and resources, see Mapping services to resources.
Audit log permissions
Cloud Identity and Access Management permissions and roles determine which audit logs you can view or export. Logs reside in projects and in some other entities including organizations, folders, and billing accounts. For more information, see Understanding Roles.
To view Admin Activity logs, you must have one of the following Cloud IAM roles in the project that contains your audit logs:
- Project Owner, Project Editor, or Project Viewer. For more information, see IAM Roles.
- The Logging Logs Viewer role.
- A custom Cloud IAM role with the
logging.logEntries.listCloud IAM permission.
To view Data Access logs, you must have one of the following roles in the project that contains your audit logs:
- Project Owner.
- The Logging Private Logs Viewer role.
- A custom Cloud IAM role with the
logging.privateLogEntries.listCloud IAM permission.
If you are using audit logs from a non-project entity, such as an organization, then change the Project roles to suitable organization roles.
Viewing logs
To view audit logs for one of your projects, do one of the following:
View a summary of your Admin Activity logs in the Activity dashboard:
View all your audit logs using the Logs Viewer.
For more details, see the following options:
Basic Viewer
You can use the Logs Viewer basic interface to retrieve your audit log entries by doing the following:
- In the first menu, select the resource type whose audit logs you wish to see. Select a specific resource or all of them.
- In the second menu, select the log name you want to see:
activityfor Admin Activity audit logs anddata_accessfor Data Access audit logs. If you don't see one or both of those options, then there are no audit logs of that type available.
Advanced Viewer
- Switch to the advanced filter interface in the Logs Viewer.
- Create a filter that specifies the resource type(s) and log names you want. For more information, see Retrieving audit logs.
API
To read your log entries through the Logging API,
see entries.list.
SDK
To read your log entries using the Cloud SDK gcloud command-line tool,
see Reading log entries.
Exporting audit logs
You can export audit logs in the same way you export other kinds of logs. For details about how to export your logs, see Exporting Logs. Here are some applications of exporting audit logs:
To keep audit logs for a longer period of time or to use more powerful search capabilities, you can export copies of your audit logs to Cloud Storage, BigQuery, or Cloud Pub/Sub. Using Cloud Pub/Sub, you can export to other applications, other repositories, and to third parties.
To manage your audit logs across an entire organization, you can create aggregated export sinks that can export logs from any or all projects in the organization.
If your enabled Data Access logs are pushing your projects over their logs allotments, you can export and exclude the Data Access logs from Logging. For details, see Excluding Logs.
Pricing
Stackdriver Logging doesn't charge you for audit logs that are enabled by default, including all Admin Activity logs. These logs don't count towards your log ingestion quota.
Stackdriver Logging charges you for Data Access logs that you explicitly request.
For more information on logs pricing, including audit logs pricing, see Stackdriver Pricing.
Exempt methods
The following Cloud IoT Core API methods aren't logged in audit logs:
registries.testIamPermissionsregistries.devices.configVersions.listregistries.devices.states.list
