Google Cloud Audit Logging consists of two log streams, Admin Activity and Data Access, which are generated by Google Cloud Platform services to help you answer the question of "who did what, where, and when?" within your Google Cloud Platform projects.
Audit log entries are visible in the Google Cloud Platform Console in two places:
Summaries of the audit log entries are in the Activity Feed in the Cloud Platform Console at the Home > Activity page.
The full entries are in the Logs Viewer, in the Cloud Platform Console at the Stackdriver > Logging page.
All Google Cloud Platform services will eventually generate audit logs. The services that presently generate audit logs are listed in the following section, Audit log types.
Audit log types
This is an overview of the two audit logs types: Admin Activity and Data Access. For details about the format of audit log entries and how to retrieve them using the Logs Viewer and the Stackdriver Logging API, see Audit Log Datatypes.
Admin Activity logs
Admin Activity logs contain log entries for API calls or administrative actions that modify the configuration or metadata of a service or project. This log is always enabled and is visible to all project members. Admin Activity log entries do not count against your logs allotment. The following services presently generate Admin Activity logs:
| Services with Admin Activity logs | Release | Notes |
| --- | --- | --- |
| Application Identity | Beta | Audits OAuth 2.0 client IDs and brands. |
| Cloud Deployment Manager | Beta | |
| Cloud IAM | GA | Audits Service Account API. |
| Cloud Resource Manager | GA | Audits Project API. |
| Cloud Storage | Beta | Does not yet include request/response information. |
| Compute Engine Serial Port Access | Beta | |
| Stackdriver Error Reporting | Beta | |
To find an Admin Activity log in the Logs Viewer, select the type of resource being audited and then choose the log named activity. For example, if you are looking for the logs for a Google Cloud Storage bucket, you would choose GCS Bucket and the log name activity for the Admin Activity log.
For more details about audit log entries, see Audit Log Datatypes.
Data Access logs
Data Access logs contain log entries for API calls that create, modify, or read user-provided data managed by a service, such as data stored in a database service. Data Access logs are visible only to project owners and users with the Private Logs Viewer role. The following services presently generate Data Access logs:
| Services with Data Access logs | Release | Notes |
| --- | --- | --- |
| BigQuery | GA | Data Access logs are enabled by default. |
As more services generate Data Access logs, those logs (unlike BigQuery's) will not be enabled by default, because they can have a much higher volume than Admin Activity logs. Data Access logs that are enabled by default do not count toward your logs allotment. However, if you enable Data Access logs that are not enabled by default, then those logs do count toward your logs allotment.
Data Access logs are named cloudaudit.googleapis.com/data_access. The service being audited is identified by the field serviceName in the log entry's payload. In the Logs Viewer, the audit log is named data_access within the service generating the logs.
See Audit Log Datatypes for an example audit log entry.
Searching audit logs
You can search for specific Admin Activity or Data Access log entries using advanced logs filters.
Following is a sample filter that selects Admin Activity log entries from the Cloud Resource Manager. You can use filters like this in the Logs Viewer and the Stackdriver Logging API.
resource.type = (organization OR project) AND logName = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceData.policyDelta.bindingDeltas.member = "user:firstname.lastname@example.org"
To search for Data Access log entries, change the name of the log from
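As an added example that is not part of the original page: a Python script that evaluates the sample filter above client-side against a constructed newline-delimited JSON export of audit log entries, so a reviewer can see which fields the filter actually touches and how a redacted caller identity surfaces. The sample entries, the helper names and the "<redacted>" marker are assumptions made for this example.

```python
import json
from urllib.parse import quote

def audit_log_name(project_id: str, log_type: str) -> str:
    """Fully qualified log name; the '/' inside the log ID is URL-encoded, hence %2Factivity."""
    if log_type not in ("activity", "data_access"):
        raise ValueError("log_type must be 'activity' or 'data_access'")
    return f"projects/{project_id}/logs/" + quote(f"cloudaudit.googleapis.com/{log_type}", safe="")

def matches_iam_change(entry: dict, project_id: str, member: str) -> bool:
    """Client-side version of the page's filter: organization/project resource, Admin Activity
    log, and at least one bindingDelta in serviceData.policyDelta naming `member`."""
    if entry.get("resource", {}).get("type") not in ("organization", "project"):
        return False
    if entry.get("logName") != audit_log_name(project_id, "activity"):
        return False
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    return any(d.get("member") == member for d in deltas)

def caller_identity(entry: dict) -> str:
    """principalEmail from authenticationInfo, or a marker when the service redacted it."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    return auth.get("principalEmail") or "<redacted>"

def find_iam_changes(ndjson: str, project_id: str, member: str) -> list:
    """Return (methodName, caller) for every matching entry in a newline-delimited JSON export."""
    hits = []
    for line in filter(str.strip, ndjson.splitlines()):
        entry = json.loads(line)
        if matches_iam_change(entry, project_id, member):
            hits.append((entry["protoPayload"].get("methodName"), caller_identity(entry)))
    return hits

# Constructed sample entries (not real log data): a project IAM change that matches,
# a bucket-level change that must not match, and a BigQuery Data Access entry with no email.
ACTIVITY = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"
DELTA = {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner",
                                            "member": "user:firstname.lastname@example.org"}]}}
SAMPLE_ENTRIES = "\n".join(json.dumps(e) for e in [
    {"logName": ACTIVITY, "resource": {"type": "project"},
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.org"}, "serviceData": DELTA}},
    {"logName": ACTIVITY, "resource": {"type": "gcs_bucket"},
     "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.setIamPermissions",
                      "authenticationInfo": {"principalEmail": "admin@example.org"}, "serviceData": DELTA}},
    {"logName": ACTIVITY.replace("activity", "data_access"), "resource": {"type": "project"},
     "protoPayload": {"serviceName": "bigquery.googleapis.com", "methodName": "jobservice.jobcompleted",
                      "authenticationInfo": {}}},
])
```

Calling find_iam_changes(SAMPLE_ENTRIES, "my-gcp-project-id", "user:firstname.lastname@example.org") returns only the project-level SetIamPolicy entry together with the caller that made it.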
Audit log retention
Individual audit log entries are kept for a specified length of time and are then deleted. The Stackdriver Logging Quota Policy explains how long log entries are retained. You cannot otherwise delete or modify audit logs or their entries.
For longer retention, you can export audit log entries like any other Stackdriver Logging log entries and keep them for as long as you wish.
User identities in audit logs
Audit logs record the email address of the user who performs logged actions in the AuthenticationInfo field of AuditLog objects. In the following circumstances the user identity is unavailable or is redacted:
- App Engine: Email addresses are not collected from the legacy App Engine API.
- BigQuery: Email addresses and caller IP addresses are currently redacted from the audit logs unless at least one of the following conditions is met:
  - The user is a service account.
  - The user is a member of the authorized domain associated with the project.
  - The user has permission to run queries in the project and the action is an administrative action or a