Set up audit logging for a domain

This topic shows you how to enable and view Managed Microsoft AD audit logs for a domain. For information about Cloud Audit Logs for Managed Microsoft AD, see Managed Microsoft AD audit logging.

Enable Managed Microsoft AD audit logs

You can enable Managed Microsoft AD audit logs during domain creation or by updating an existing domain.

At domain creation

To enable Managed Microsoft AD audit logs during domain creation, run the following gcloud CLI command.

gcloud active-directory domains create DOMAIN_NAME --enable-audit-logs

Update existing domain

To update a domain to enable Managed Microsoft AD audit logs, complete the following steps.

Console

  1. Go to the Managed Microsoft AD page in the Google Cloud console.
    Go to the Managed Microsoft AD page
  2. On the Managed Microsoft AD page, in the list of instances, select the domain where you want to enable audit logs.
  3. On the domain details page, select View audit logs, and then select Configure logs from the dropdown.
  4. In the Configure audit logs pane, under Turn off/on logs, toggle logs to On.

gcloud

Run the following gcloud CLI command.

gcloud active-directory domains update DOMAIN_NAME --enable-audit-logs

To limit what is logged, you can use logs exclusions.

Note that logs stored in your project are chargeable. Learn more about pricing for Cloud Logging.

Disable Managed Microsoft AD audit logs

To disable Managed Microsoft AD audit logs, complete the following steps.

Console

  1. Go to the Managed Microsoft AD page in the Google Cloud console.
    Go to the Managed Microsoft AD page
  2. On the Managed Microsoft AD page, in the list of instances, select the domain where you want to disable audit logs.
  3. On the domain details page, select View audit logs, and then select Configure logs from the dropdown.
  4. In the Configure audit logs pane, under Turn off/on logs, toggle logs to Off.

gcloud

Run the following gcloud CLI command.

gcloud active-directory domains update DOMAIN_NAME --no-enable-audit-logs

Verify logging status

To verify that logging is enabled or disabled, complete the following steps, run the following gcloud CLI command.

gcloud active-directory domains describe DOMAIN_NAME

In the response, verify the value of the auditLogsEnabled field.

View logs

Managed Microsoft AD audit logs are only available for domains that are enabled to collect logs.

To view Managed Microsoft AD audit logs, you must have the roles/logging.viewer Identity and Access Management (IAM) permission. Learn about granting permissions.

To view the Managed Microsoft AD audit logs for your domain, complete the following steps.

Logs Explorer

  1. Go to the Logs Explorer page in the Google Cloud console.
    Go to the Logs Explorer page
  2. In the Query Builder, enter the following values.

    resource.type="microsoft_ad_domain"
    resource.labels.fqdn="DOMAIN_NAME"
    

    To filter by event IDs, add the following line to your advanced filter.

    jsonPayload.ID=EVENT_ID
    
  3. Select Run Filter.

Learn about the Logs Explorer.

Logs Explorer

  1. Go to the Logs Explorer page in the Google Cloud console.
    Go to the Logs Explorer page
  2. In the filter textbox, click , and then select Convert to advanced filter.
  3. In the advanced filter textbox, enter the following values.

    resource.type="microsoft_ad_domain"
    resource.labels.fqdn="DOMAIN_NAME"
    

    To filter by event IDs, add the following line to your advanced filter.

    jsonPayload.ID=EVENT_ID
    
  4. Select Submit Filter.

Learn about the Logs Explorer.

gcloud

Run the following gcloud CLI command.

gcloud logging read FILTER

Where FILTER is an expression to identify a set of log entries. To read log entries in folders, billing accounts, or organizations, add the --folder, --billing-account, or --organization flags.

To read all the logs for your domain, you can run the following command.

gcloud logging read "resource.type=microsoft_ad_domain AND resource.labels.fqdn=DOMAIN_NAME"

Learn about reading log entries with the gcloud CLI and the gcloud logging read command.

Interpret logs

Each log_entry contains the following fields.

  • The log_name is the event log where this event is logged.
  • The provider_name is the event provider that published this event.
  • The version is the version number for the event.
  • The event_id is identifier for this event.
  • The machine_name is the computer on which this event was logged.
  • The xml is the XML representation of the event. It conforms to the event schema.
  • The message is a human-readable representation of the event.

Exported event IDs

The following table shows the event IDs that are exported.

Table 1. Exported event IDs
Audit category Event IDs
Account logon security 4767, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777
Account management security 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377
DS access security 4662, 5136, 5137, 5138, 5139, 5141
Logon-logoff security 4624, 4625, 4634, 4647, 4648, 4649, 4672, 4675, 4778, 4779, 4964
Object access security 4661, 5145
Policy change security 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912
Privilege use security 4985
System security 4612, 4621
NTLM authentication 8004

If you find any event IDs are missing and you do not see them listed in the Exported Event IDs table, you can use the Issue Tracker to file a bug. Use the component Public Trackers > Cloud Platform > Identity & Security > Managed Service for Microsoft AD.

Export logs

You can export Managed Microsoft AD audit logs to Pub/Sub, BigQuery, or Cloud Storage. Learn how to export logs to other Google Cloud services.

You can also export logs for compliance requirements, security and access analytics, and to external

SIEMs such as Splunk and Datadog.