Cloud Audit Logging

Cloud Audit Logging maintains two audit logs for each project and organization: Admin Activity and Data Access. Google Cloud Platform services write audit log entries to these logs to help you answer the questions of "who did what, where, and when?" within your Google Cloud Platform projects.

For a list of Cloud Platform services that write audit logs, see Services writing audit logs. All Cloud Platform services will eventually write audit logs.

Admin Activity logs

Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. For example, the logs record when VM instances and App Engine applications are created and when permissions are changed. To view the logs, you must have the IAM roles Logging/Logs Viewer or Project/Viewer.

Admin Activity logs are always enabled. There is no charge for your Admin Activity audit logs. For more information, see Log allotments and overage charges.

Data Access logs

Data Access audit logs record API calls that create, modify, or read user-provided data. To view the logs, you must have the IAM roles Logging/Private Logs Viewer or Project/Owner.

Data Access audit logs are disabled by default because they can be quite large. Enabling the logs might result in your project being charged for the additional logs usage.

BigQuery Data Access logs are handled differently from other Data Access logs. BigQuery logs are enabled by default and cannot be disabled. They do not count against your logs allotment and cannot result in extra logs charges.

To enable and configure Data Access logs, see Configuring Data Access Logs.

For more information about logs allotments and charges, see Logs allotment and overage charges.

Viewing audit logs

You can view audit log entries in your project's Activity page, in the Logs Viewer, in the Stackdriver Logging API, and in the Cloud SDK. You can also export audit log entries to Cloud Storage, BigQuery, or Cloud Pub/Sub.

To view the logs, you must have the IAM roles Logging/Logs Viewer for Admin Activity logs and Logging/Private Logs Viewer for Data Access logs. For more information on Stackdriver Logging roles, see Access Control

Audit log entry structure

All audit log entries contain the name of an audit log, a resource, and a service. You can use these names to filter audit log entries:

  • Log name: Audit log entries belong to logs within projects and organizations. The log names are listed below:


    Within a project or organization, these log names are typically abbreviated Activity and Data Access.

  • Resource: Each audit log entry includes a resource of some type. For example, you can view audit log entries from a single Compute Engine VM instance or from all VM instances. For the list of resource types, see Monitored resource types.

  • Service: Services are individual products, such as Compute Engine, Cloud SQL, or Cloud Pub/Sub. Each service is identified by name: Compute Engine is, Cloud SQL is, and so forth.

    Resource types belongs to a single service, but a service can have several resource types. For a list of services and resources, see Mapping services to resources.

For more details, see Audit Log Datatypes.

Using the Activity page

You can view abbreviated audit log entries in your project's Activity page in the GCP Console. See the page, Home > Activity. Use Filter to select the entries you want to see. The actual audit log entries might contain more information than you see in the Activity page.

Go to the Activity page

Using the Logs Viewer

You can view the details of all audit log entries using the Logs Viewer in the GCP Console.

Go to the Logs Viewer page

To view audit logs in the Logs Viewer's basic viewing interface, use the menus to select a resource or resource type and then choose the log activity or data_access. For example, if you are looking for the Admin Activity audit logs for Cloud Storage buckets, then choose resource type GCS Bucket and log name activity.

In the Log Viewer's advanced filter interface, enter an advanced logs filter that chooses the audit log entries you want to see. Following are some examples:

  • Find all the audit log entries in your project:

    logName = ("projects/[PROJECT_ID]/logs/" OR
  • Find the Admin Activity logs for a single Compute Engine VM instance:

    resource.type = gce_instance AND
    resource.labels.instance_id = "[INSTANCE_ID]" AND
    logName  = "projects/[PROJECT_ID]/logs/"

To explore specific fields of an audit log entry, look at samples in the Logs Viewer or see Audit Log Datatypes.

For more information about log filters, see Advanced logs filters.

Using the API

To retrieve audit log entries, use the Stackdriver Logging API method entries.list. Pass a filter to the method to select your audit log entries.

Using the Cloud SDK

To read log entries, use the following Cloud SDK command:

gcloud logging read [FILTER]

Use [FILTER] to select the audit log entries you want. See the examples in the preceding section.

For more information on the Stackdriver Logging command-line interface, see gcloud logging.

Exporting audit logs

To export audit log entries outside of Stackdriver Logging, create a logs sink. Give the sink a filter that selects the audit log entries you want to export.

Audit log retention

Individual audit log entries are kept for a specified length of time and are then deleted. The Stackdriver Logging Quota Policy explains how long log entries are retained. You cannot otherwise delete or modify audit logs or their entries.

Audit log type Retention period
Admin activity audit logs 400 days (Premium Tier)
400 days (Basic Tier)
Data access audit logs 30 days (Premium Tier)
7 days (Basic Tier)

For more information about Stackdriver's Premium and Basic service tiers, see Stackdriver Pricing.

For longer retention, you can export audit log entries like any other Stackdriver Logging log entries and keep them for as long as you wish.

User identities in audit logs

Audit logs record the identity of the user performing logged actions. The identity is held in the AuthenticationInfo field of AuditLog objects.

In the following circumstances, the user identity is unavailable or is redacted:

  • All audit logs: For privacy reasons, the principal email address is redacted for all read-only operations that fail with a "permission denied" error.

  • App Engine: Identities are not collected from the legacy App Engine API.

  • BigQuery: Identities and caller IP addresses are currently redacted from the audit logs, unless at least one of the following conditions are met:

    • The user is a service account.
    • The user is a member of the authorized domain associated with the project.
    • The user has permission to run queries in the project and the action is an administrative action or a job.insert action.

Services producing audit logs

The following services write Admin Activity or Data Access audit logs. To enable Data Access logs, see Configuring Data Access Logs.

Services with audit logs Admin
App Engine GA n/a1
Application Identity Beta n/a1 Audits OAuth 2.0 client IDs and brands.
BigQuery GA GA2
Cloud Billing Beta n/a1
Cloud Dataflow GA n/a1
Cloud Dataproc GA GA
Cloud Deployment Manager GA GA
Cloud Functions Beta Beta
Cloud Identity and Access Management (IAM) GA GA Audits the Service Account API.
Cloud Identity-Aware Proxy (IAP) n/a3 GA
Cloud Key Management Service (KMS) GA GA
Cloud ML Engine Beta Beta
Cloud Resource Manager GA n/a1 Audits the Project API.
Cloud Spanner Beta n/a1
Cloud Storage GA GA Does not yet include request/response information.
Compute Engine GA GA
Compute Engine Serial Port Access GA n/a1
Container Builder GA GA
Kubernetes Engine Beta Beta
Genomics Beta Beta
Google Service Management GA n/a1
Stackdriver Debugger GA GA
Stackdriver Error Reporting GA GA
Stackdriver Logging GA GA
Stackdriver Monitoring GA GA

1: This service does not produce Data Access logs.
2: BigQuery data access logs are enabled by default and do not count against your logs allotment.
3: This service does not produce Admin Activity logs.

Send feedback about...

Stackdriver Logging