This topic shows you how to enable and view Managed Microsoft AD Audit Logs. For information on Cloud Audit Logs, see Using Cloud Audit Logs for Managed Microsoft AD.
Enabling Managed Microsoft AD audit logging
You can enable Managed Microsoft AD audit logging during domain creation or by updating an existing domain.
At domain creation
To enable Managed Microsoft AD audit logging during domain creation, run the following gcloud tool command.
gcloud beta active-directory domains create DOMAIN_NAME --enable-audit-logs
Update existing domain
To update a domain to enable Managed Microsoft AD audit logging, run the following gcloud tool command.
gcloud beta active-directory domains update DOMAIN_NAME --enable-audit-logs
To limit what is logged, you can use logs exclusions.
Note that logs stored in your project are chargeable. Learn more about pricing for Cloud Logging.
Disabling Managed Microsoft AD audit logging
To disable Managed Microsoft AD audit logging, run the following gcloud tool command.
gcloud beta active-directory domains update DOMAIN_NAME --no-enable-audit-logs
Verifying logging status
To verify whether logging is enabled or disabled, run the following gcloud tool command.
gcloud beta active-directory domains describe DOMAIN_NAME
In the response, verify the value of the auditLogsEnabled field.
Viewing logs
Managed Microsoft AD Audit Logs are only available for domains that are enabled to collect logs.
To view Managed Microsoft AD Audit Logs, you must have the roles/logging.viewer Identity and Access Management (IAM) role. Learn about granting permissions.
To view the Managed Microsoft AD Audit Logs for your domain, complete the following steps.
Logs Explorer
- Go to the Logs Explorer page in the Cloud Console.
- In the Query Builder, enter the following values.
resource.type="microsoft_ad_domain" resource.labels.fqdn="DOMAIN_NAME"
To filter by event IDs, add the following line to your advanced filter.
jsonPayload.ID=EVENT_ID
Select Run Filter.
Learn about the Logs Explorer.
Logs Viewer
- Go to the Logs Viewer page in the Cloud Console.
- In the filter textbox, click the drop-down arrow, and then select Convert to advanced filter.
- In the advanced filter textbox, enter the following values.
resource.type="microsoft_ad_domain" resource.labels.fqdn="DOMAIN_NAME"
To filter by event IDs, add the following line to your advanced filter.
jsonPayload.ID=EVENT_ID
Select Submit Filter.
Learn about the Logs Viewer.
gcloud
Run the following gcloud tool command.
gcloud logging read FILTER
Where FILTER is an expression to identify a set of log entries.
To read log entries in folders, billing accounts, or organizations, add the --folder, --billing-account, or --organization flag.
To read all the logs for your domain, you can run the following command.
gcloud logging read "resource.type=microsoft_ad_domain AND resource.labels.fqdn=DOMAIN_NAME"
Learn about reading log entries with the gcloud tool and the gcloud logging read command.
Interpreting logs
Each log_entry contains the following fields.
- The log_name is the event log where this event is logged.
- The provider_name is the event provider that published this event.
- The version is the version number for the event.
- The event_id is the identifier for this event.
- The machine_name is the computer on which this event was logged.
- The xml is the XML representation of the event. It conforms to the event schema.
- The message is a human-readable representation of the event.
Exported event IDs
The following table shows the event IDs that are exported.
| Audit category | Event IDs |
|---|---|
| Account logon security | 4767, 4774, 4775, 4776, 4777 |
| Account management security | 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377 |
| DS access security | 5136, 5137, 5138, 5139, 5141 |
| Logon-logoff security | 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964 |
| Policy change security | 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912 |
| Privilege use security | 4985 |
| System security | 4612, 4621 |
If you need event IDs that are not listed in the Exported Event IDs table, you can use the Issue Tracker to file a bug. Use the component Public Trackers > Cloud Platform > Identity & Security > Managed Service for Microsoft AD.
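As an added example (not part of this page or the Managed Microsoft AD product), the following Python script ties the gcloud filter from Viewing logs to the field descriptions and event ID table above: it builds a domain-scoped Cloud Logging filter narrowed to several event IDs, then tallies entries from `gcloud logging read FILTER --format=json` by audit category and by (event ID, machine_name). The sample entries are constructed, and the payload shape (jsonPayload.ID plus the machine_name and message fields) is an assumption based on the filter and field names this page gives.

```python
import json
from collections import Counter

# Audit categories and event IDs exactly as listed in the exported event IDs table.
EVENT_CATEGORIES = {
    "Account logon security": {4767, 4774, 4775, 4776, 4777},
    "Account management security": {
        4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732,
        4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756,
        4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377},
    "DS access security": {5136, 5137, 5138, 5139, 5141},
    "Logon-logoff security": {4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964},
    "Policy change security": {
        4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719,
        4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912},
    "Privilege use security": {4985},
    "System security": {4612, 4621},
}

def category_for(event_id):
    """Map an event ID to its audit category; IDs outside the table are 'not exported'."""
    for name, ids in EVENT_CATEGORIES.items():
        if event_id in ids:
            return name
    return "not exported"

def build_filter(fqdn, event_ids=()):
    """Cloud Logging filter for one domain; several event IDs are OR-ed inside parentheses."""
    query = f'resource.type="microsoft_ad_domain" AND resource.labels.fqdn="{fqdn}"'
    if event_ids:
        query += " AND jsonPayload.ID=(" + " OR ".join(str(i) for i in event_ids) + ")"
    return query

def summarize(entries_json):
    """Count entries per audit category and per (event ID, machine_name) pair."""
    by_category, by_event_machine = Counter(), Counter()
    for entry in json.loads(entries_json):
        payload = entry.get("jsonPayload", {})
        event_id = int(payload["ID"])  # assumed payload field, matching the jsonPayload.ID filter
        by_category[category_for(event_id)] += 1
        by_event_machine[(event_id, payload.get("machine_name", "unknown"))] += 1
    return by_category, by_event_machine

# Constructed sample in the shape of `gcloud logging read FILTER --format=json` output.
SAMPLE_ENTRIES = json.dumps([
    {"resource": {"type": "microsoft_ad_domain", "labels": {"fqdn": "ad.example.com"}},
     "jsonPayload": {"ID": 4625, "machine_name": "dc-1", "message": "An account failed to log on."}},
    {"resource": {"type": "microsoft_ad_domain", "labels": {"fqdn": "ad.example.com"}},
     "jsonPayload": {"ID": 4625, "machine_name": "dc-1", "message": "An account failed to log on."}},
    {"resource": {"type": "microsoft_ad_domain", "labels": {"fqdn": "ad.example.com"}},
     "jsonPayload": {"ID": 4740, "machine_name": "dc-2", "message": "A user account was locked out."}},
])
```

Pipe real output into `summarize` with `gcloud logging read "$(python -c 'print(build_filter(...))')" --format=json` or by saving the JSON to a file; a rising count of 4625 followed by 4740 on one domain controller is the pattern worth alerting on.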
Exporting logs
You can export Managed Microsoft AD audit logs to Pub/Sub, BigQuery, or Cloud Storage. Learn how to export logs to other Google Cloud services.
You can also export logs for compliance requirements, security and access analytics, and to external SIEMs such as Splunk, Elasticsearch, and Datadog.
Getting support
For support during Preview, you can send questions to google-cloud-managed-microsoft-ad-discuss@googlegroups.com or file a bug in the Issue Tracker.