Using Managed Microsoft AD Audit Logs

This topic shows you how to enable and view Managed Microsoft AD Audit Logs. For information on Cloud Audit Logs, see Using Cloud Audit Logs for Managed Microsoft AD.

Enabling Managed Microsoft AD audit logging

You can enable Managed Microsoft AD audit logging during domain creation or by updating an existing domain.

At domain creation

To enable Managed Microsoft AD audit logging during domain creation, run the following gcloud tool command.

gcloud beta active-directory domains create DOMAIN_NAME --enable-audit-logs

Update existing domain

To update a domain to enable Managed Microsoft AD audit logging, run the following gcloud tool command.

gcloud beta active-directory domains update DOMAIN_NAME --enable-audit-logs

To limit what is logged, you can use logs exclusions.

Note that logs stored in your project are chargeable. Learn more about pricing for Cloud Logging.

Disabling Managed Microsoft AD audit logging

To disable Managed Microsoft AD audit logging, run the following gcloud tool command.

gcloud beta active-directory domains update DOMAIN_NAME --no-enable-audit-logs

Verifying logging status

To verify whether audit logging is enabled or disabled, run the following gcloud tool command.

gcloud beta active-directory domains describe DOMAIN_NAME

In the response, verify the value of the auditLogsEnabled field.

Viewing logs

Managed Microsoft AD Audit Logs are only available for domains that are enabled to collect logs.

To view Managed Microsoft AD Audit Logs, you must have the roles/logging.viewer Identity and Access Management (IAM) role on the project that stores the logs. Learn about granting permissions.

To view the Managed Microsoft AD Audit Logs for your domain, complete the following steps.

Logs Explorer

  1. Go to the Logs Explorer page in the Cloud Console.
  2. In the Query Builder, enter the following values.

    resource.type="microsoft_ad_domain"
    resource.labels.fqdn="DOMAIN_NAME"
    

    To filter by event IDs, add the following line to your query.

    jsonPayload.ID=EVENT_ID
    
  3. Select Run Filter.

Learn about the Logs Explorer.

Logs Viewer

  1. Go to the Logs Viewer page in the Cloud Console.
  2. In the filter textbox, open the drop-down menu and select Convert to advanced filter.
  3. In the advanced filter textbox, enter the following values.

    resource.type="microsoft_ad_domain"
    resource.labels.fqdn="DOMAIN_NAME"
    

    To filter by event IDs, add the following line to your advanced filter.

    jsonPayload.ID=EVENT_ID
    
  4. Select Submit Filter.

Learn about the Logs Viewer.

gcloud

Run the following gcloud tool command.

gcloud logging read FILTER

Where FILTER is an expression to identify a set of log entries. To read log entries in folders, billing accounts, or organizations, add the --folder, --billing-account, or --organization flags.

To read all the logs for your domain, you can run the following command.

gcloud logging read "resource.type=microsoft_ad_domain AND resource.labels.fqdn=DOMAIN_NAME"

Learn about reading log entries with the gcloud tool and the gcloud logging read command.
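As an added example (not code from the Google Cloud documentation), the following Python helper builds the filter used above, optionally narrows it to a set of event IDs and a start time, and wraps the gcloud logging read invocation. The domain name ad.example.com and the function names are assumptions; the resource type, label and jsonPayload.ID field come from this page.

```python
"""Build a Cloud Logging filter for Managed Microsoft AD audit logs and
run it with `gcloud logging read`.  Added example, not Google's own code;
the domain name and function names are assumptions."""
import json
import shlex
import subprocess
from typing import Iterable, List, Optional

RESOURCE_TYPE = "microsoft_ad_domain"  # resource type documented on the page


def build_filter(fqdn: str, event_ids: Optional[Iterable[int]] = None,
                 since: Optional[str] = None) -> str:
    """Return a Logging query for the domain's audit events.

    event_ids: restrict to these Windows event IDs (jsonPayload.ID).
    since:     RFC 3339 lower bound on timestamp, e.g. "2024-05-01T00:00:00Z".
    """
    # Both values are spliced into quoted strings; refuse characters that
    # could break out of the quotes and alter the query.
    if not fqdn or any(c in fqdn for c in '"\\ \n'):
        raise ValueError("fqdn must be a plain DNS name")
    if since is not None and any(c in since for c in '"\\ \n'):
        raise ValueError("since must be a plain RFC 3339 timestamp")
    clauses = [f'resource.type="{RESOURCE_TYPE}"',
               f'resource.labels.fqdn="{fqdn}"']
    if event_ids:
        ids = sorted({int(i) for i in event_ids})
        # One comparison per ID, OR-ed inside parentheses so the group
        # combines correctly with the surrounding AND clauses.
        clauses.append("(" + " OR ".join(f"jsonPayload.ID={i}" for i in ids) + ")")
    if since:
        clauses.append(f'timestamp>="{since}"')
    return " AND ".join(clauses)


def gcloud_read_command(filter_expr: str, limit: int = 1000,
                        project: Optional[str] = None) -> List[str]:
    """argv for `gcloud logging read`: JSON output, newest entries first."""
    cmd = ["gcloud", "logging", "read", filter_expr,
           "--format=json", f"--limit={limit}", "--order=desc"]
    if project:
        cmd.append(f"--project={project}")
    return cmd


def read_entries(filter_expr: str, limit: int = 1000,
                 project: Optional[str] = None) -> list:
    """Run gcloud and return the parsed log entries.

    Needs an authenticated gcloud with roles/logging.viewer on the project.
    """
    proc = subprocess.run(gcloud_read_command(filter_expr, limit, project),
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else []


if __name__ == "__main__":
    # Account lockouts (4740) and new user accounts (4720) on the assumed domain.
    query = build_filter("ad.example.com", event_ids=[4740, 4720],
                         since="2024-05-01T00:00:00Z")
    print(query)
    print(shlex.join(gcloud_read_command(query, limit=50)))
```

The per-ID comparisons are wrapped in parentheses on purpose: an unparenthesised `OR` would bind against the whole `AND` chain and silently return events from every domain in the project.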

Interpreting logs

Each log entry's payload contains the following fields.

  • The log_name is the Windows event log in which this event was recorded.
  • The provider_name is the event provider that published this event.
  • The version is the version number of the event.
  • The event_id is the identifier for this event (the Windows event ID; this is the value filtered as jsonPayload.ID above).
  • The machine_name is the computer on which this event was logged.
  • The xml is the XML representation of the event. It conforms to the Windows event schema.
  • The message is a human-readable representation of the event.

Exported event IDs

The following table shows the event IDs that are exported.

Table 1. Exported event IDs
Audit category Event IDs
Account logon security 4767, 4774, 4775, 4776, 4777
Account management security 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782, 4793, 4798, 4799, 5376, 5377
DS access security 5136, 5137, 5138, 5139, 5141
Logon-logoff security 4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964
Policy change security 4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716, 4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904, 4906, 4911, 4912
Privilege use security 4985
System security 4612, 4621

If an event ID you need is not listed in the Exported event IDs table, file a bug in the Issue Tracker under the component Public Trackers > Cloud Platform > Identity & Security > Managed Service for Microsoft AD.
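As an added example (not code from the Google Cloud documentation), the following Python script triages entries returned by gcloud logging read --format=json: it maps each event to its audit category from Table 1, collects IDs the table does not list (candidates for the Issue Tracker report above), and flags events a responder usually wants first. Table 1 is taken from this page; the descriptions of individual event IDs are the standard Windows security event meanings; the sample entries are constructed, and the MachineName field name and the failed-logon threshold are assumptions.

```python
"""Triage exported Managed Microsoft AD audit events.  Added example, not
Google's own code.  Table 1 is from the page; sample entries are constructed;
the MachineName field name and the failed-logon threshold are assumptions."""
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional

# Table 1: audit category -> exported event IDs.
CATEGORIES: Dict[str, set] = {
    "Account logon": {4767, 4774, 4775, 4776, 4777},
    "Account management": {4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728,
                           4729, 4730, 4731, 4732, 4733, 4734, 4735, 4737,
                           4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756,
                           4757, 4758, 4764, 4765, 4766, 4780, 4781, 4782,
                           4793, 4798, 4799, 5376, 5377},
    "DS access": {5136, 5137, 5138, 5139, 5141},
    "Logon-logoff": {4624, 4625, 4634, 4647, 4648, 4672, 4675, 4964},
    "Policy change": {4670, 4703, 4704, 4705, 4706, 4707, 4713, 4715, 4716,
                      4717, 4718, 4719, 4739, 4864, 4865, 4866, 4867, 4904,
                      4906, 4911, 4912},
    "Privilege use": {4985},
    "System": {4612, 4621},
}
EVENT_TO_CATEGORY = {eid: cat for cat, ids in CATEGORIES.items() for eid in ids}

# Standard Windows security event meanings for IDs worth immediate review.
HIGH_SIGNAL = {
    4720: "user account created",
    4724: "password reset attempted by another account",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4740: "user account locked out",
    4765: "SID history added to an account",
    4766: "attempt to add SID history failed",
    4672: "special privileges assigned to new logon",
    4719: "system audit policy changed",
    4612: "audit queue exhausted, audits lost",
    4621: "recovered from CrashOnAuditFail",
}
FAILED_LOGON_THRESHOLD = 3  # assumed; tune to the query window you read


def event_id(entry: Dict[str, Any]) -> Optional[int]:
    """Extract jsonPayload.ID; tolerate it arriving as float or string."""
    raw = entry.get("jsonPayload", {}).get("ID")
    if raw is None:
        return None
    try:
        return int(float(raw))
    except (TypeError, ValueError):
        return None


def triage(entries: Iterable[Dict[str, Any]]) -> Dict[str, Any]:
    """Categorise entries, list unlisted IDs and flag high-signal events."""
    by_category: Counter = Counter()
    unlisted: set = set()
    flagged: List[Dict[str, Any]] = []
    malformed = 0
    failed_logons = 0
    for e in entries:
        eid = event_id(e)
        if eid is None:
            malformed += 1
            continue
        cat = EVENT_TO_CATEGORY.get(eid)
        if cat is None:
            unlisted.add(eid)          # not in Table 1: report via Issue Tracker
        else:
            by_category[cat] += 1
        if eid == 4625:                # failed logon
            failed_logons += 1
        if eid in HIGH_SIGNAL:
            flagged.append({"id": eid, "reason": HIGH_SIGNAL[eid],
                            "machine": e.get("jsonPayload", {}).get("MachineName"),
                            "timestamp": e.get("timestamp")})
    if failed_logons >= FAILED_LOGON_THRESHOLD:
        flagged.append({"id": 4625, "machine": None, "timestamp": None,
                        "reason": f"{failed_logons} failed logons in this batch"})
    return {"by_category": dict(by_category), "unlisted": sorted(unlisted),
            "flagged": flagged, "malformed": malformed}


def _entry(ts: str, eid: Any, machine: str = "dc-1.ad.example.com") -> Dict[str, Any]:
    """Constructed entry in the shape gcloud logging read --format=json emits."""
    return {"timestamp": ts,
            "resource": {"type": "microsoft_ad_domain",
                         "labels": {"fqdn": "ad.example.com"}},
            "jsonPayload": {"ID": eid, "MachineName": machine}}


SAMPLE_ENTRIES = [                       # constructed sample input
    _entry("2024-05-01T10:00:01Z", 4720),
    _entry("2024-05-01T10:00:05Z", 4732),
    _entry("2024-05-01T10:01:00Z", 4625.0),   # numeric rendered as float
    _entry("2024-05-01T10:01:02Z", "4625"),   # numeric rendered as string
    _entry("2024-05-01T10:01:04Z", 4625),
    _entry("2024-05-01T10:01:05Z", 4740),
    _entry("2024-05-01T10:02:00Z", 4624),
    _entry("2024-05-01T10:03:00Z", 9999),     # not in Table 1
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRIES).items():
        print(key, value)
```

Feed it the list returned by gcloud logging read --format=json for your domain; the unlisted set is what to include in an Issue Tracker report, and the flagged list is the starting point for an investigation.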

Exporting logs

You can export Managed Microsoft AD audit logs to Pub/Sub, BigQuery, or Cloud Storage. Learn how to export logs to other Google Cloud services.

You can also export logs for compliance requirements, security and access analytics, and to external SIEMs such as Splunk, Elasticsearch, and Datadog.

Getting support

For support during Preview, you can send questions to google-cloud-managed-microsoft-ad-discuss@googlegroups.com or file a bug in the Issue Tracker.