Cloud Audit Logging maintains two audit logs for each project and organization: Admin Activity and Data Access. Google Cloud Platform services write audit log entries to these logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud Platform projects.
For a list of Cloud Platform services that write audit logs, see Services writing audit logs. All Cloud Platform services will eventually write audit logs.
Admin Activity logs
Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. For example, the logs record when VM instances and App Engine applications are created and when permissions are changed. To view the logs, you must have the IAM roles Logging/Logs Viewer or Project/Viewer.
Admin Activity logs are always enabled. There is no charge for your Admin Activity audit logs. For more information, see Log allotments and overage charges.
Data Access logs
Data Access audit logs record API calls that create, modify, or read user-provided data. To view the logs, you must have the IAM roles Logging/Private Logs Viewer or Project/Owner.
Data Access audit logs are disabled by default because they can be quite large. Enabling the logs might result in your project being charged for the additional logs usage.
BigQuery Data Access logs are handled differently from other Data Access logs. BigQuery logs are enabled by default and cannot be disabled. They do not count against your logs allotment and cannot result in extra logs charges.
To enable and configure Data Access logs, see Configuring Data Access Logs.
For more information about logs allotments and charges, see Logs allotment and overage charges.
Viewing audit logs
You can view audit log entries in your project's Activity page, in the Logs Viewer, in the Stackdriver Logging API, and in the Cloud SDK. You can also export audit log entries to Cloud Storage, BigQuery, or Cloud Pub/Sub.
To view the logs, you must have the IAM roles Logging/Logs Viewer for Admin Activity logs and Logging/Private Logs Viewer for Data Access logs. For more information on Stackdriver Logging roles, see Access Control
Audit log entry structure
All audit log entries contain the name of an audit log, a resource, and a service. You can use these names to filter audit log entries:
Log name: Audit log entries belong to logs within projects and organizations. The log names are listed below:
projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access organizations/[ORGANIZATION_ID]/logs/cloudaudit.googleapis.com%2Factivity organizations/[ORGANIZATION_ID]/logs/cloudaudit.googleapis.com%2Fdata_access
Within a project or organization, these log names are typically abbreviated Activity and Data Access.
Resource: Each audit log entry includes a resource of some type. For example, you can view audit log entries from a single Compute Engine VM instance or from all VM instances. For the list of resource types, see Monitored resource types.
Service: Services are individual products, such as Compute Engine, Cloud SQL, or Cloud Pub/Sub. Each service is identified by name: Compute Engine is
compute.googleapis.com, Cloud SQL is
cloudsql.googleapis.com, and so forth.
Resource types belongs to a single service, but a service can have several resource types. For a list of services and resources, see Mapping services to resources.
For more details, see Audit Log Datatypes.
Using the Activity page
You can view abbreviated audit log entries in your project's Activity page in the GCP Console. See the page, Home > Activity. Use Filter to select the entries you want to see. The actual audit log entries might contain more information than you see in the Activity page.
Using the Logs Viewer
You can view the details of all audit log entries using the Logs Viewer in the GCP Console.
To view audit logs in the Logs Viewer's basic viewing interface, use the menus
to select a resource or resource type and then choose the log
data_access. For example, if you are looking for the Admin Activity audit logs
for Cloud Storage buckets, then choose resource type
GCS Bucket and log name
In the Log Viewer's advanced filter interface, enter an advanced logs filter that chooses the audit log entries you want to see. Following are some examples:
Find all the audit log entries in your project:
logName = ("projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity" OR "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access")
Find the Admin Activity logs for a single Compute Engine VM instance:
resource.type = gce_instance AND resource.labels.instance_id = "[INSTANCE_ID]" AND logName = "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
To explore specific fields of an audit log entry, look at samples in the Logs Viewer or see Audit Log Datatypes.
For more information about log filters, see Advanced logs filters.
Using the API
To retrieve audit log entries, use the Stackdriver Logging API method entries.list. Pass a filter to the method to select your audit log entries.
Using the Cloud SDK
To read log entries, use the following Cloud SDK command:
gcloud logging read [FILTER]
Use [FILTER] to select the audit log entries you want. See the examples in the preceding section.
For more information on the Stackdriver Logging command-line interface, see gcloud logging.
Exporting audit logs
To export audit log entries outside of Stackdriver Logging, create a logs sink. Give the sink a filter that selects the audit log entries you want to export.
Audit log retention
Individual audit log entries are kept for a specified length of time and are then deleted. The Stackdriver Logging Quota Policy explains how long log entries are retained. You cannot otherwise delete or modify audit logs or their entries.
|Audit log type||Retention period|
|Admin activity audit logs||400 days (Premium Tier)
400 days (Basic Tier)
|Data access audit logs||30 days (Premium Tier)
7 days (Basic Tier)
For more information about Stackdriver's Premium and Basic service tiers, see Stackdriver Pricing.
For longer retention, you can export audit log entries like any other Stackdriver Logging log entries and keep them for as long as you wish.
User identities in audit logs
Audit logs record the identity of the user performing logged actions.
The identity is held in the
AuthenticationInfo field of
In the following circumstances, the user identity is unavailable or is redacted:
All audit logs: For privacy reasons, the principal email address is redacted for all read-only operations that fail with a "permission denied" error.
App Engine: Identities are not collected from the legacy App Engine API.
BigQuery: Identities and caller IP addresses are currently redacted from the audit logs, unless at least one of the following conditions are met:
- The user is a service account.
- The user is a member of the authorized domain associated with the project.
- The user has permission to run queries in the project and the action is
an administrative action or a
Services producing audit logs
The following services write Admin Activity or Data Access audit logs. To enable Data Access logs, see Configuring Data Access Logs.
|Services with audit logs||Admin
|Application Identity||Beta||n/a1||Audits OAuth 2.0 client IDs and brands.|
|Cloud Deployment Manager||GA||GA|
|Cloud Identity and Access Management (IAM)||GA||GA||Audits the Service Account API.|
|Cloud Identity-Aware Proxy (IAP)||n/a3||GA|
|Cloud Key Management Service (KMS)||GA||GA|
|Cloud ML Engine||Beta||Beta|
|Cloud Resource Manager||GA||n/a1||Audits the Project API.|
|Cloud Storage||GA||GA||Does not yet include request/response information.|
|Compute Engine Serial Port Access||GA||n/a1|
|Google Service Management||GA||n/a1|
|Stackdriver Error Reporting||GA||GA|
1: This service does not produce Data Access logs.
2: BigQuery data access logs are enabled by default and do not count against your logs allotment.
3: This service does not produce Admin Activity logs.