Understanding audit logs

This page describes audit log entries in detail: their structure, how to read them, and how to interpret them.

Cloud Audit Logging maintains three audit logs for each GCP project, folder, and organization:

  • System Event audit logs
  • Admin Activity audit logs
  • Data Access audit logs

For a general overview of Cloud Audit Logging, see Cloud Audit Logging.

Viewing audit logs

You have several options for viewing your audit log entries:

Basic Viewer

You can use the Logs Viewer basic interface in the GCP Console to retrieve your audit log entries. Do the following:

  1. Go to the Stackdriver Logging > Logs (Logs Viewer) page in the GCP Console:

    Go to the Logs Viewer page

  2. Select an existing GCP project at the top of the page, or create a new project.

  3. In the first drop-down menu, select the resource type whose audit logs you wish to see. You can select a specific resource or Global for all resources.

  4. In the second drop-down menu, select the log type you want to see: activity for Admin Activity audit logs,data_accessfor Data Access audit logs, and system_events for System Event logs.

    If you do not see any of those options, then there are no audit logs of that type available in the project.

Advanced Viewer

You can use the Logs Viewer advanced interface in the GCP Console to retrieve your audit log entries. Do the following:

  1. Go to the Stackdriver Logging > Logs (Logs Viewer) page in the GCP Console:

    Go to the Logs Viewer page

  2. Select an existing GCP project at the top of the page, or create a new project.

  3. In the first drop-down menu, select the resource type whose audit logs you wish to see. You can select a specific resource or Global for all resources.

  4. Click the drop-down arrow (▾) at the far right of the search-filter box and select Convert to advanced filter.

  5. Create a filter that further specifies the log entries you want to see. To retrieve all audit logs in your project, add the following filter. Supply a valid [PRODUCT_ID] in each of the log names.

      logName = ("projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"
          OR "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_events"
          OR "projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access")
    

    For more details about filters, see Advanced logs filters.

API

To look at your audit log entries using the Stackdriver Logging API:

  1. Go to the Try this API section in the documentation for the entries.list method.

  2. Put the following into the Request body part of the Try this API form. Clicking on this prepopulated form automatically fills the request body, but you will need to supply a valid [PRODUCT_ID] in each of the log names.

      {
        "resourceNames": [
          "projects/[PROJECT_ID]"
        ],
        "pageSize": 5,
        "filter": "logName=(projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity OR projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_events OR projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access)"
      }
    
  3. Click Execute.

For more details about filters, see Advanced logs filters.

SDK

To read your log entries using the Cloud SDK, run the following command. Supply a valid [PRODUCT_ID] in each of the log names.

gcloud logging read "logName=(projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity OR projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fsystem_events OR projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access)

See Reading log entries for more information about using the Cloud SDK.

Format of audit log entries

An audit log entry is a type of Stackdriver Logging log entry. Like all Logging log entries, an audit log entry is stored in a LogEntry object. What distinguishes an audit log entry from other log entries is the protoPayload field. In audit log entries, the log entry's protoPayload field contains an AuditLog object that stores the audit logging data.

The AuditLog type defines a set of fields specific to to audit logging, such as serviceName and authenticationInfo. It also has an optional field, serviceData, that some Google Cloud Platform services use to list service-specific information in the audit log entry. See Service-specific audit data for a list of GCP services that use this field.

Sample audit log entry

This section uses a sample audit log entry to explain how to find the most important information in audit log entries.

The following sample is an Admin Activity audit log entry written by Resource Manager to record a change to an Cloud Identity and Access Management policy in a Google Cloud Platform project named my-gcp-project-id. For brevity, some parts of the log entry are omitted, and some fields are highlighted:

    {
      protoPayload: {
        @type: "type.googleapis.com/google.cloud.audit.AuditLog",
        status: {},
        authenticationInfo: {
          principalEmail: "user@example.com"
        },
        serviceName: "cloudresourcemanager.googleapis.com",
        methodName: "SetIamPolicy",
        authorizationInfo: [...],
        serviceData: {
          @type: "type.googleapis.com/google.iam.v1.logging.AuditData",
          policyDelta: { bindingDeltas: [
              action: "ADD",
              role: "roles/logging.privateLogViewer",
              member: "user:user@example.com"
          ], }
        },
        request: {
          resource: "my-gcp-project-id",
          policy: { bindings: [...], }
        },
        response: {
          bindings: [
            {
              role: "roles/logging.privateLogViewer",
              members: [ "user:user@example.com" ]
            }
          ],
        }
      },
      insertId: "53179D9A9B559.AD6ACC7.B40604EF",
      resource: {
        type: "project",
        labels: { project_id: "my-gcp-project-id" }
      },
      timestamp: "2016-04-27T16:24:56.135Z",
      severity: "NOTICE",
      logName: "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity",
    }

Here is the filter that was used to select the audit log entry sample above. It can be used in the Advanced Viewer, Stackdriver Logging API, or Cloud SDK. The project identifier is in the log's name, and the filter is fast because the logName field is indexed:

resource.type = "project"
logName = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"

If you are looking for audit logs from a single instance of a resource type, such as gce_instance, add an instance qualifier:

resource.type = "gce_instance"
resource.instance_id = "12345678901234567890"
logName = "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"

Interpreting the sample audit log entry

In the audit log entry sample above, the protoPayload, insertId, resource, timestamp, severity and logName fields shown are part of the LogEntry object. The value of the protoPayload field is an AuditLog object. It encapsulates the audit logging data.

Looking at the audit log entry sample above, you might have some questions:

  • Is this an audit log entry? It is, which you can tell in two ways:

    • The protoPayload.@type field is type.googleapis.com/google.cloud.audit.AuditLog.

    • The logName field includes the domain cloudaudit.googleapis.com.

  • What service wrote the audit log? The log was written by the Resource Manager. This information is listed in the protoPayload.serviceName field of the audit log entry.

  • What operation is being audited? SetIamPolicy, as specified in the protoPayload.methodName field, is being audited. More information about the audited operation is in the AuditData object in protoPayload.serviceData.

  • What resource is being audited? A Google Cloud Platform project, my-gcp-project-id, is being audited. The resource field specifies the resource type project and the project identifier my-gcp-project-id. Find project in the monitored resource type list and you see that this is a "Google project."

For more information, see the LogEntry type, the AuditLog type, and the IAM AuditData type.

Large or long-running audit log entries

A single audited operation splits across multiple log entries if the operation runs asynchronously or if it generates a large AuditLog record. When there is more than one log entry for the same operation, the LogEntry object will contain an operation field and the entries for the same operation will have the same value for LogEntry.operation.id and LogEntry.operation.producer.

In the preceding audit log entry sample, the operation field is not present, meaning that all the audit information is contained in a single log entry.

Service-specific audit data

Some services extend the information stored in their AuditLog by placing a supplementary data structure in the audit log's serviceData field. The following table lists the services that use serviceData field and provides a link to their AuditData type.

Service Service data type
App Engine type.googleapis.com/google.appengine.v1.AuditData
App Engine (legacy) type.googleapis.com/google.appengine.legacy.AuditData
BigQuery type.googleapis.com/google.cloud.bigquery.logging.v1.AuditData
Cloud Identity and Access Management type.googleapis.com/google.iam.v1.logging.AuditData
¿Te sirvió esta página? Envíanos tu opinión:

Enviar comentarios sobre…

¿Necesitas ayuda? Visita nuestra página de asistencia.