This topic shows you how to enable and view Managed Microsoft AD audit logs for a domain. For information about Cloud Audit Logs for Managed Microsoft AD, see Managed Microsoft AD audit logging.
Enable Managed Microsoft AD audit logs
You can enable Managed Microsoft AD audit logs during domain creation or by updating an existing domain.
At domain creation
To enable Managed Microsoft AD audit logs during domain creation, run the following gcloud CLI command.
gcloud active-directory domains create DOMAIN_NAME --enable-audit-logs
Update existing domain
To update a domain to enable Managed Microsoft AD audit logs, complete the following steps.
Console
- Go to the Managed Microsoft AD page in the Google Cloud console.
- On the Managed Microsoft AD page, in the list of instances, select the domain where you want to enable audit logs.
- On the domain details page, select View audit logs, and then select Configure logs from the dropdown.
- In the Configure audit logs pane, under Turn off/on logs, toggle logs to On.
gcloud
Run the following gcloud CLI command.
gcloud active-directory domains update DOMAIN_NAME --enable-audit-logs
To limit what is logged, you can use logs exclusions.
Note that logs stored in your project are chargeable. Learn more about pricing for Cloud Logging.
Disable Managed Microsoft AD audit logs
To disable Managed Microsoft AD audit logs, complete the following steps.
Console
- Go to the Managed Microsoft AD page in the Google Cloud console.
- On the Managed Microsoft AD page, in the list of instances, select the domain where you want to disable audit logs.
- On the domain details page, select View audit logs, and then select Configure logs from the dropdown.
- In the Configure audit logs pane, under Turn off/on logs, toggle logs to Off.
gcloud
Run the following gcloud CLI command.
gcloud active-directory domains update DOMAIN_NAME --no-enable-audit-logs
Verify logging status
To verify whether logging is enabled or disabled for a domain, run the following gcloud CLI command.
gcloud active-directory domains describe DOMAIN_NAME
In the response, check the value of the auditLogsEnabled field.
View logs
Managed Microsoft AD audit logs are only available for domains that are enabled to collect logs.
To view Managed Microsoft AD audit logs, you must have the roles/logging.viewer Identity and Access Management (IAM) role. Learn about granting permissions.
To view the Managed Microsoft AD audit logs for your domain, complete the following steps.
Logs Explorer
- Go to the Logs Explorer page in the Google Cloud console.
- In the Query Builder, enter the following values.
resource.type="microsoft_ad_domain" resource.labels.fqdn="DOMAIN_NAME"
- To filter by event IDs, add the following line to your advanced filter.
jsonPayload.ID=EVENT_ID
- Select Run Filter.
Learn about the Logs Explorer.
Legacy Logs Viewer
- Go to the Logs Viewer page in the Google Cloud console.
- In the filter textbox, open the dropdown menu, and then select Convert to advanced filter.
- In the advanced filter textbox, enter the following values.
resource.type="microsoft_ad_domain" resource.labels.fqdn="DOMAIN_NAME"
- To filter by event IDs, add the following line to your advanced filter.
jsonPayload.ID=EVENT_ID
- Select Submit Filter.
Learn about the Logs Explorer.
gcloud
Run the following gcloud CLI command.
gcloud logging read FILTER
Where FILTER is an expression that identifies a set of log entries.
To read log entries in folders, billing accounts, or organizations, add the --folder, --billing-account, or --organization flag.
To read all the logs for your domain, you can run the following command.
gcloud logging read "resource.type=microsoft_ad_domain AND resource.labels.fqdn=DOMAIN_NAME"
Learn about reading log entries with the gcloud CLI and the gcloud logging read command.
Interpret logs
Each log_entry contains the following fields.
- log_name: the event log where this event is logged.
- provider_name: the event provider that published this event.
- version: the version number for the event.
- event_id: the identifier for this event.
- machine_name: the computer on which this event was logged.
- xml: the XML representation of the event. It conforms to the event schema.
- message: a human-readable representation of the event.
Exported event IDs
The following table shows the event IDs that are exported.
| Audit category | Event IDs |
|---|---|
Account logon security | 4767, 4768, 4769, 4770, 4771, 4772, 4773, 4774, 4775, 4776, 4777 |
Account management security | 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377 |
DS access security | 4662, 5136, 5137, 5138, 5139, 5141 |
Logon-logoff security | 4624, 4625, 4634, 4647, 4648, 4649, 4672, 4675, 4778, 4779, 4964 |
Object access security | 4661, 5145 |
Policy change security | 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912 |
Privilege use security | 4985 |
System security | 4612, 4621 |
NTLM authentication | 8004 |
If an event ID you need is not listed in the Exported event IDs table, you can use the Issue Tracker to file a bug. Use the component Public Trackers > Cloud Platform > Identity & Security > Managed Service for Microsoft AD.
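As an added example (not from this page or from Google), the following Python script tallies entries returned by the gcloud logging read command above by the audit categories in the table, counts account lockouts (event 4740) and collects IDs that are not in the table. It assumes the event ID is at jsonPayload.ID (the key the page's filter uses) and works on constructed sample entries.

```python
from collections import Counter

# Audit categories and event IDs as listed in the "Exported event IDs" table.
EVENT_CATEGORIES = {
    "Account logon security": set(range(4767, 4778)),            # 4767..4777
    "Account management security": {
        4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732,
        4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756,
        4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377},
    "DS access security": {4662, 5136, 5137, 5138, 5139, 5141},
    "Logon-logoff security": {4624, 4625, 4634, 4647, 4648, 4649, 4672, 4675,
                              4778, 4779, 4964},
    "Object access security": {4661, 5145},
    "Policy change security": {4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716,
                               4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904,
                               4906, 4911, 4912},
    "Privilege use security": {4985},
    "System security": {4612, 4621},
    "NTLM authentication": {8004},
}
CATEGORY_OF = {eid: cat for cat, ids in EVENT_CATEGORIES.items() for eid in ids}

def category_of(event_id):
    """Map an exported event ID to its audit category; "unlisted" if not in the table."""
    return CATEGORY_OF.get(int(event_id), "unlisted")

def summarize(entries):
    """Tally entries shaped like `gcloud logging read --format=json` output.
    Assumption: the event ID sits at jsonPayload.ID, the key the page's filter uses."""
    by_category, unlisted, lockouts = Counter(), set(), 0
    for entry in entries:
        if entry.get("resource", {}).get("type") != "microsoft_ad_domain":
            continue  # skip entries from other resource types
        eid = int(entry["jsonPayload"]["ID"])
        cat = category_of(eid)
        by_category[cat] += 1
        if cat == "unlisted":
            unlisted.add(eid)  # candidates for an Issue Tracker report
        if eid == 4740:  # account lockout, in the account management category
            lockouts += 1
    return {"by_category": by_category, "unlisted": sorted(unlisted), "lockouts": lockouts}

def _entry(event_id):  # constructed sample entry, not real Cloud Logging output
    return {"resource": {"type": "microsoft_ad_domain", "labels": {"fqdn": "ad.example.com"}},
            "jsonPayload": {"ID": event_id, "machine_name": "dc-01.ad.example.com",
                            "log_name": "Security", "message": "placeholder"}}

SAMPLE_ENTRIES = [_entry(4624), _entry(4625), _entry(4625), _entry(4740), _entry(9999),
                  {"resource": {"type": "gce_instance"}, "jsonPayload": {"ID": 4625}}]
```

Feed it the parsed JSON from gcloud logging read --format=json to get the same summary for real entries.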
Export logs
You can export Managed Microsoft AD audit logs to Pub/Sub, BigQuery, or Cloud Storage. Learn how to export logs to other Google Cloud services.
You can also export logs for compliance requirements, security and access analytics, and to external SIEMs such as Splunk and Datadog.