Google Cloud Audit Logging

Google Cloud Audit Logging consists of two log streams, Admin Activity and Data Access, which are generated by Google Cloud Platform services to help you answer the question of "who did what, where, and when?" within your Google Cloud Platform projects.

Audit log entries are visible in the Google Cloud Platform Console in two places:

All Google Cloud Platform services will eventually generate audit logs. The services that presently generate audit logs are listed in the following section, Audit log types.

Audit log types

This is an overview of the two audit log types: Admin Activity and Data Access. For details about the format of audit log entries and how to retrieve them using the Logs Viewer and the Stackdriver Logging API, see Audit Log Datatypes.

Admin Activity logs

Admin Activity logs contain log entries for API calls or administrative actions that modify the configuration or metadata of a service or project. This log is always enabled and is visible to all project members. Admin Activity log entries do not count against your logs allotment. The following services presently generate Admin Activity logs:

Services with Admin Activity logs (release stage, with notes where applicable):

  • App Engine (GA)
  • Application Identity (Beta): Audits OAuth 2.0 client IDs and brands.
  • BigQuery (GA)
  • Cloud IAM (GA): Audits Service Account API.
  • Cloud Resource Manager (GA): Audits Project API.
  • Cloud Dataflow (GA)
  • Cloud Dataproc (Beta)
  • Cloud Deployment Manager (Beta)
  • Cloud DNS (Beta)
  • Cloud KMS (Beta)
  • Cloud Spanner (Beta)
  • Cloud SQL (Beta)
  • Cloud Storage (Beta): Does not yet include request/response information.
  • Compute Engine (Beta)
  • Compute Engine Serial Port Access (Beta)
  • Container Engine (Beta)
  • Service Management (Beta)
  • Stackdriver Debugger (GA)
  • Stackdriver Logging (GA)

Admin Activity logs are named cloudaudit.googleapis.com/activity. The service being audited is identified by the field serviceName in the log entry's payload. In the Logs Viewer, the audit log is named activity within the service generating the logs. See Audit Log Datatypes for an example audit log entry.

Data Access logs

Data Access logs contain log entries for API calls that create, modify, or read user-provided data managed by a service, such as data stored in a database service. Data Access logs are visible only to project owners and to users with the Private Logs Viewer role. The following services presently generate Data Access logs:

Services with Data Access logs (release stage, with notes where applicable):

  • BigQuery (GA): Data Access logs are enabled by default.

As more services generate Data Access logs, those logs, unlike BigQuery's, will not be enabled by default, because they can have a much higher volume than Admin Activity logs. Data Access logs that are enabled by default do not count toward your logs allotment. However, if you enable Data Access logs that are not enabled by default, those logs do count toward your logs allotment.

Data Access logs are named cloudaudit.googleapis.com/data_access. The service being audited is identified by the field serviceName in the log entry's payload. In the Logs Viewer, the audit log is named data_access within the service generating the logs. See Audit Log Datatypes for an example audit log entry.

Searching audit logs

You can search for specific Admin Activity or Data Access log entries using advanced logs filters. The following sample filter selects Admin Activity log entries from the Cloud Resource Manager. You can use filters like this in the Logs Viewer, the command-line interface, or the Stackdriver Logging API. To search for Data Access log entries instead, change the name of the log from activity to data_access.

resource.type = (organization OR project) AND
logName = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member = "user:someone@example.com"
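As an added example (not part of the original documentation), the following Python evaluates the filter above in code over a few constructed audit log entries and reports who made each matching IAM binding change. The entry shapes follow the fields named on this page (logName, resource.type, protoPayload.serviceName, authenticationInfo, serviceData.policyDelta.bindingDeltas); the project ID, e-mail addresses and roles are made-up sample values.

```python
ACTIVITY_LOG = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Fdata_access"


def audit_entry(log_name, service, method, actor, deltas=None):
    """Build a minimal parsed LogEntry dict in the shape this page describes (constructed)."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": actor}}
    if deltas is not None:  # only IAM policy changes carry a policyDelta
        payload["serviceData"] = {"policyDelta": {"bindingDeltas": deltas}}
    return {"logName": log_name, "resource": {"type": "project"}, "protoPayload": payload}


# Constructed sample entries; none of these values come from a real project.
SAMPLE_ENTRIES = [
    # Resource Manager SetIamPolicy that grants a role to the member of interest
    audit_entry(ACTIVITY_LOG, "cloudresourcemanager.googleapis.com", "SetIamPolicy",
                "admin@example.com",
                [{"action": "ADD", "role": "roles/owner", "member": "user:someone@example.com"}]),
    # Same log and service, but a different member: must not match
    audit_entry(ACTIVITY_LOG, "cloudresourcemanager.googleapis.com", "SetIamPolicy",
                "admin@example.com",
                [{"action": "REMOVE", "role": "roles/viewer", "member": "user:other@example.com"}]),
    # BigQuery Data Access entry: different log and no policyDelta, so it never matches
    audit_entry(DATA_ACCESS_LOG, "bigquery.googleapis.com", "jobservice.insert",
                "analyst@example.com"),
]


def matches_filter(entry, log_name, member):
    """Apply the three clauses of the advanced logs filter to one parsed LogEntry."""
    if entry.get("resource", {}).get("type") not in ("organization", "project"):
        return False
    if entry.get("logName") != log_name:
        return False
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    return any(delta.get("member") == member for delta in deltas)


def policy_changes_for(entries, log_name, member):
    """Return (actor, action, role) for every matching binding change: who did what."""
    hits = []
    for entry in entries:
        if not matches_filter(entry, log_name, member):
            continue
        actor = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        for delta in entry["protoPayload"]["serviceData"]["policyDelta"]["bindingDeltas"]:
            if delta.get("member") == member:
                hits.append((actor, delta.get("action"), delta.get("role")))
    return hits
```

Swapping ACTIVITY_LOG for DATA_ACCESS_LOG in the call is the code equivalent of changing the log name in the filter, and here yields no matches because the Data Access entry carries no policyDelta.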

Audit log retention

Individual audit log entries are kept for a specified length of time and are then deleted. The Stackdriver Logging Quota Policy explains how long log entries are retained. You cannot otherwise delete or modify audit logs or their entries.

For longer retention, you can export audit log entries like any other Stackdriver Logging log entries and keep them for as long as you wish.

User identities in audit logs

Audit logs record the email address of the user who performs logged actions in the AuthenticationInfo field of AuditLog objects. In the following circumstances the user identity is unavailable or redacted:

  • App Engine: Email addresses are not collected from the legacy App Engine API.

  • BigQuery: Email addresses and caller IP addresses are currently redacted from the audit logs unless at least one of the following conditions is met:

    • The user is a service account.
    • The user is a member of the authorized domain associated with the project.
    • The user has permission to run queries in the project and the action is an administrative action or a job.insert action.
