Viewing Audit Logs

This page provides supplemental information for using Cloud Audit Logging with Cloud ML Engine. Use Cloud Audit Logging to generate logs for API operations performed in Cloud Machine Learning Engine.

Audit logs are not the same as job logs. Job logs provide debugging information for training and prediction jobs. Audit logs help you determine who did what, where, and when. Specifically, audit logs track how your Cloud ML Engine resources are modified and accessed within your Google Cloud Platform projects for auditing purposes. For more information about Cloud Audit Logging general concepts and how-to guides, see Cloud Audit Logging.

Logged information

Cloud Audit Logging includes the following types of logs:

  • Admin activity logs: Contains log entries for operations that modify the configuration or metadata of a Cloud ML Engine resource. Admin activity logs include any API call that creates, deletes, updates or modifies a resource using a custom verb.

  • Data access logs: Contains log entries for operations that perform read-only operations that do not modify any data, such as get and list. Unlike audit logs for other services, Cloud ML Engine only has ADMIN_READ data access logs and does not generally offer DATA_READ and DATA_WRITE logs. This is because DATA_READ and DATA_WRITE logs are only used for services that store and manage user data such as Cloud Storage, Cloud Spanner, and Cloud SQL, which does not apply to Cloud ML Engine.

The following table summarizes which Cloud ML Engine operations fall into each log type:

Log entry type Sub-type Operations
Admin activity N/A
  • Creating jobs
  • Canceling jobs
  • Creating models
  • Updating models
  • Deleting models
  • Creating versions
  • Updating versions
  • Deleting versions
  • Setting default versions
  • Canceling operations
  • Setting/changing IAM policies
Data access ADMIN_READ
  • Listing jobs
  • Getting jobs
  • Listing models
  • Getting models
  • Listing versions
  • Getting versions
  • Listing operations
  • Getting service account information
  • Getting IAM policies

Cloud ML Engine logs use an AuditLog object and follows the same format as other Cloud Audit Logging logs. Logs contain information such as:

  • The user who made the request, including the email address of that user.
  • The resource name on which the request was made.
  • The outcome of the request.

Log settings

Admin activity logs are recorded by default. These logs do not count towards your log ingestion quota.

Data access logs are not recorded by default. These logs count towards your log ingestion quota. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs.

Log access

The following users can view admin activity logs:

The following users can view data access logs:

  • Project owners.
  • Users with the Private Logs Viewer IAM role.
  • Users with the logging.privateLogEntries.list IAM permission.

For instructions on granting access, see Adding IAM members to a project.

Viewing logs

You can view a summary of the audit logs for your project in the Activity Stream in the Google Cloud Platform Console. To view a more detailed version of the logs, see the Logs Viewer.

The Logs Viewer basic viewing interface allows you to select and retrieve audit logs for specific projects. You can also use the Logs Viewer advanced filter interface to specify the resource type and log name. For more information, see Retrieving audit logs.

Exporting your logs

You can export copies of some or all of your logs to other applications, other repositories, or third parties. To export your logs, see Exporting logs.

To read your log entries through the API, see entries.list. To read your log entries using the SDK, see Reading log entries.

What's next

Send feedback about...

Cloud ML Engine for TensorFlow