Understanding audit logs

This page describes Cloud Audit Logs log entries in detail: their structure, how to read them, and how to interpret them.

Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:

Admin Activity audit logs
Data Access audit logs
System Event audit logs
Policy Denied audit logs

For a general overview of Cloud Audit Logs, see Cloud Audit Logs.

Format of audit log entries

An audit log entry is a type of Cloud Logging log entry. Like all Logging log entries, an audit log entry is stored in a LogEntry object. What distinguishes an audit log entry from other log entries is the protoPayload field. In audit log entries, the log entry's protoPayload field contains an AuditLog object that stores the audit logging data.

In short, every audit log entry is characterized by the following information:

The project, folder, or organization that owns the log entry.
The resource to which the log entry applies. This information consists of a resource type from the Monitored resource list and additional values that denote a specific instance. For example, you can view audit log entries from a single Compute Engine VM instance or from all VM instances.
A timestamp.
A service: Services are individual Google Cloud products, such as Compute Engine, Cloud SQL, or Pub/Sub. Each service is identified by name: Compute Engine is compute.googleapis.com, Cloud SQL is cloudsql.googleapis.com, and so forth. This information is listed in the protoPayload.serviceName field of the audit log entry.

Resource types belongs to a single service, but a service can have several resource types. For a list of services and resources, go to Mapping services to resources.
A payload, which is the protoPayload type. The payload of each audit log entry is an object of type AuditLog, which defines a set of fields specific to Cloud Audit Logs, such as serviceName and authenticationInfo. It also has an optional field, serviceData, that some Google Cloud services use to list service-specific information in the audit log entry. See Service-specific audit data for a list of Google Cloud services that use this field.
A log name: Audit log entries belong to logs within projects, folders, and organizations. The log names are listed below:

   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy

   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy

   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy

Within a project, folder, or organization, these log names are typically abbreviated activity, data_access, system_event, and policy.

Sample audit log entry

This section uses a sample audit log entry to explain how to find the most important information in audit log entries.

The following sample is an Admin Activity audit log entry written by Resource Manager to record a change to an Identity and Access Management (IAM) policy with PROJECT_ID my-gcp-project-id. For brevity, some parts of the log entry are omitted, and some fields are highlighted:

    {
      protoPayload: {
        @type: "type.googleapis.com/google.cloud.audit.AuditLog",
        status: {},
        authenticationInfo: {
          principalEmail: "user@example.com"
        },
        serviceName: "appengine.googleapis.com",
        methodName: "SetIamPolicy",
        authorizationInfo: [...],
        serviceData: {
          @type: "type.googleapis.com/google.appengine.legacy.AuditData",
          policyDelta: { bindingDeltas: [
              action: "ADD",
              role: "roles/logging.privateLogViewer",
              member: "user:user@example.com"
          ], }
        },
        request: {
          resource: "my-gcp-project-id",
          policy: { bindings: [...], }
        },
        response: {
          bindings: [
            {
              role: "roles/logging.privateLogViewer",
              members: [ "user:user@example.com" ]
            }
          ],
        }
      },
      insertId: "53179D9A9B559.AD6ACC7.B40604EF",
      resource: {
        type: "gae_app",
        labels: { project_id: "my-gcp-project-id" }
      },
      timestamp: "2019-05-27T16:24:56.135Z",
      severity: "NOTICE",
      logName: "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity",
    }

Here is the query that was used to select the audit log entry sample above. It can be used in the Logs Explorer, Logging API, or Cloud SDK. The project identifier is in the log's name, and the query is fast because the logName field is indexed:

    resource.type = "gae_app"
    logName = "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"

If you are looking for audit logs from a single instance of a resource type, such as gce_instance, add an instance qualifier:

    resource.type = "gce_instance"
    resource.instance_id = "INSTANCE_ID"
    logName = "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"

Interpreting the sample audit log entry

In the audit log entry sample above, the protoPayload, insertId, resource, timestamp, severity and logName fields shown are part of the LogEntry object. The value of the protoPayload field is an AuditLog object. It encapsulates the audit logging data.

Looking at the audit log entry sample above, you might have some questions:

Is this an audit log entry? It is, which you can tell in two ways:
- The protoPayload.@type field is type.googleapis.com/google.cloud.audit.AuditLog.
- The logName field includes the domain cloudaudit.googleapis.com.
What service wrote the audit log? The log was written by App Engine. This information is listed in the protoPayload.serviceName field of the audit log entry.
What operation is being audited? SetIamPolicy, as specified in the protoPayload.methodName field, is being audited. More information about the audited operation is in the AuditData object in protoPayload.serviceData.
What resource is being audited? An application running in App Engine, associated with a Google Cloud project my-gcp-project-id, is being audited. You can determine this from the resource field, which specifies the resource type gae_app and the project identifier my-gcp-project-id. In this example, you would find details on the resource type in the monitored resource type list.

For more information, see the LogEntry type, the AuditLog type, and the IAM AuditData type.

Large or long-running audit log entries

A single audited operation splits across multiple log entries if the operation runs asynchronously or if it generates a large AuditLog record. When there is more than one log entry for the same operation, the LogEntry object will contain an operation field and the entries for the same operation will have the same value for LogEntry.operation.id and LogEntry.operation.producer.

In the preceding audit log entry sample, the operation field is not present, meaning that all the audit information is contained in a single log entry.

Service-specific audit data

Some services extend the information stored in their AuditLog by placing a supplementary data structure in the audit log's serviceData field. The following table lists the services that use serviceData field and provides a link to their AuditData type.

Service	Service data type
App Engine	`type.googleapis.com/google.appengine.v1.AuditData`
App Engine (legacy)	`type.googleapis.com/google.appengine.legacy.AuditData`
BigQuery	`type.googleapis.com/google.cloud.bigquery.logging.v1.AuditData`
IAM	`type.googleapis.com/google.iam.v1.logging.AuditData`

Viewing audit logs

To find and view audit logs, you need to know the identifier of the Cloud project, folder, or organization for which you want to view audit logging information. You can further specify other indexed LogEntry fields, like resource.type; for details, review Finding log entries quickly.

The following are the audit log names; they include variables for the identifiers of the Cloud project, folder, or organization:

   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy

   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy

   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
   organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy

You have several options for viewing your audit log entries.

Console

You can use the Logs Explorer in the Cloud Console to retrieve your audit log entries for your Cloud project:

In the Cloud Console, go to the Logging > Logs Explorer page.

Go to the Logs Explorer page

Note: If you are using the Legacy Logs Viewer page, switch to the Logs Explorer page.
On the Logs Explorer page, select an existing Cloud project.
In the Query builder pane, do the following:
- In Resource, select the Google Cloud resource type whose audit logs you want to see.
- In Log name, select the audit log type that you want to see:
  - For Admin Activity audit logs, select activity.
  - For Data Access audit logs, select data_access.
  - For System Event audit logs, select system_event.
  - For Policy Denied audit logs, select policy.
If you don't see these options, then there aren't any audit logs of that type available in the Cloud project.

For more details about querying using the new Logs Explorer, see Building log queries.

gcloud

The gcloud command-line tool provides a command-line interface to the Cloud Logging API. Supply a valid PROJECT_ID, FOLDER_ID, or ORGANIZATION_ID in each of the log names.

To read your Google Cloud project-level audit log entries, run the following command:

gcloud logging read "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com" --project=PROJECT_ID

To read your folder-level audit log entries, run the following command:

gcloud logging read "logName : folders/FOLDER_ID/logs/cloudaudit.googleapis.com" --folder=FOLDER_ID

To read your organization-level audit log entries, run the following command:

gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com" --organization=ORGANIZATION_ID

For more information about using the gcloud tool, see Reading log entries.

API

When building your queries, replace the variables with valid values, substitute the appropriate project-level, folder-level, or organization-level audit log name or identifiers as listed in the audit log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Cloud project.

To use the Logging API to look at your audit log entries, do the following:

Go to the Try this API section in the documentation for the entries.list method.
Put the following into the Request body part of the Try this API form. Clicking on this prepopulated form automatically fills the request body, but you need to supply a valid PROJECT_ID in each of the log names.
```
{
  "resourceNames": [
    "projects/PROJECT_ID"
  ],
  "pageSize": 5,
  "filter": "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com"
}
```
Click Execute.

For more details about querying, see Logging query language.

For an example of an audit log entry and how to find the most important information in it, see Sample audit log entry.