Resource Manager Audit Logging Information

This page describes the audit logs created by Resource Manager as part of Cloud Audit Logging.


Google Cloud Platform services write audit logs to help you answer the questions, "Who did what, where, and when?" Your GCP projects each contain only the audit logs for resources that are directly within the project. Other entities, such as folders, organizations, and billing accounts, each contain the audit logs for the entity itself.

Resource Manager writes Admin Activity audit logs, which record operations that modify the configuration or metadata of a resource. These logs are provided by default.

Resource Manager also writes Data Access audit logs, which record API calls that create, modify, or read user-provided data. Of the Data Access categories listed below, only ADMIN_READ is provided by default.

Data Access audit logs are divided into different categories:

  • Data Access (ADMIN_READ): Operations that read the configuration or metadata of a resource.

    Resource Manager provides Admin Read information by default.

  • Data Access (DATA_READ): Operations that read user-provided data from a resource.

    Resource Manager does not provide Data Read information by default.

  • Data Access (DATA_WRITE): Operations that write user-provided data to a resource.

    Resource Manager does not provide Data Write information by default.

Audit information that is not provided by default can be configured. For details, see Configuring Data Access Logs.

Audited operations

The following table summarizes which API operations correspond to each audit log type in Resource Manager:

Audit log category: Admin Activity logs (ADMIN_WRITE)
Resource Manager operations:
  • UpdateContactInfo


  • cloudresourcemanager.v2beta1.folders.create
  • cloudresourcemanager.v2beta1.folders.delete
  • cloudresourcemanager.v2beta1.folders.move
  • cloudresourcemanager.v2beta1.folders.patch
  • cloudresourcemanager.v2beta1.folders.setIamPolicy
  • cloudresourcemanager.v2beta1.folders.undelete


  • cloudresourcemanager.v2.folders.create
  • cloudresourcemanager.v2.folders.delete
  • cloudresourcemanager.v2.folders.move
  • cloudresourcemanager.v2.folders.patch
  • cloudresourcemanager.v2.folders.setIamPolicy
  • cloudresourcemanager.v2.folders.undelete


  • cloudresourcemanager.v1beta1.organizations.setIamPolicy
  • cloudresourcemanager.v1beta1.organizations.update
  • cloudresourcemanager.v1beta1.projects.create
  • cloudresourcemanager.v1beta1.projects.delete
  • cloudresourcemanager.v1beta1.projects.setIamPolicy
  • cloudresourcemanager.v1beta1.projects.undelete
  • cloudresourcemanager.v1beta1.projects.update


  • cloudresourcemanager.v1.folders.clearOrgPolicy
  • cloudresourcemanager.v1.folders.setOrgPolicy
  • cloudresourcemanager.v1.organizations.clearOrgPolicy
  • cloudresourcemanager.v1.organizations.setIamPolicy
  • cloudresourcemanager.v1.organizations.setOrgPolicy
  • cloudresourcemanager.v1.projects.clearOrgPolicy
  • cloudresourcemanager.v1.projects.create
  • cloudresourcemanager.v1.projects.delete
  • cloudresourcemanager.v1.projects.setIamPolicy
  • cloudresourcemanager.v1.projects.setOrgPolicy
  • cloudresourcemanager.v1.projects.undelete
  • cloudresourcemanager.v1.projects.update
Audit log category: Data Access logs (ADMIN_READ)
Resource Manager operations:
  • GetContactInfo


  • cloudresourcemanager.v2beta1.folders.get
  • cloudresourcemanager.v2beta1.folders.getIamPolicy
  • cloudresourcemanager.v2beta1.folders.list


  • cloudresourcemanager.v2.folders.get
  • cloudresourcemanager.v2.folders.getIamPolicy
  • cloudresourcemanager.v2.folders.list


  • cloudresourcemanager.v1beta1.organizations.get
  • cloudresourcemanager.v1beta1.organizations.getIamPolicy
  • cloudresourcemanager.v1beta1.projects.get
  • cloudresourcemanager.v1beta1.projects.getIamPolicy


  • cloudresourcemanager.v1.folders.getEffectiveOrgPolicy
  • cloudresourcemanager.v1.folders.getOrgPolicy
  • cloudresourcemanager.v1.folders.listAvailableOrgPolicyConstraints
  • cloudresourcemanager.v1.folders.listOrgPolicies
  • cloudresourcemanager.v1.organizations.get
  • cloudresourcemanager.v1.organizations.getEffectiveOrgPolicy
  • cloudresourcemanager.v1.organizations.getIamPolicy
  • cloudresourcemanager.v1.organizations.getOrgPolicy
  • cloudresourcemanager.v1.organizations.listAvailableOrgPolicyConstraints
  • cloudresourcemanager.v1.organizations.listOrgPolicies
  • cloudresourcemanager.v1.projects.get
  • cloudresourcemanager.v1.projects.getEffectiveOrgPolicy
  • cloudresourcemanager.v1.projects.getIamPolicy
  • cloudresourcemanager.v1.projects.listAvailableOrgPolicyConstraints
  • cloudresourcemanager.v1.projects.listOrgPolicies

The GetContactInfo and UpdateContactInfo operations support the ContactInfo service for the EU General Data Protection Regulation (GDPR). They retrieve and update the contact information for an EU Representative and a Data Protection Officer, which can also be edited in the Google Cloud Platform Console on the GCP Privacy & Security page.

Audit log format

Audit log entries—which can be viewed in Stackdriver Logging using the Logs Viewer, the API, or the SDK gcloud logging command—include the following objects:

  • The log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • logName contains the project identification and audit log type
    • resource contains the target of the audited operation
    • timestamp contains the time of the audited operation
    • protoPayload contains the audited information
  • The audit information, which is an AuditLog object held in the protoPayload field of the log entry.

  • Optional service-specific audit information, which is a service-specific object held in the serviceData field of the AuditLog object. For details, see Service-specific audit data.

For other fields in these objects, sample contents of them, and sample queries on information in the objects, see Audit Log Datatypes.
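The following script is an added example, not code from the original page or from Google. It takes LogEntry objects in their JSON form, pulls the AuditLog out of protoPayload, and answers "who did what, where, and when" for each entry, then flags the Admin Activity operations from the table above that change access or remove resources (setIamPolicy, setOrgPolicy, clearOrgPolicy, delete, move). A denied attempt still has an Admin Activity entry (protoPayload.status carries the error), and is flagged too. The three log entries are constructed for this example; the organization ID, project ID, principals and IP addresses are placeholders.

```python
"""Triage Resource Manager audit log entries: who did what, where, when.

Added example (not from the page). Sample entries are constructed;
IDs, principals and IP addresses are placeholders.
"""
import json
from dataclasses import dataclass

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"
RESOURCE_MANAGER = "cloudresourcemanager.googleapis.com"

# Suffixes of ADMIN_WRITE methods worth alerting on. Matching the suffix
# case-insensitively covers the v1/v1beta1/v2/v2beta1 names in the table.
HIGH_RISK_SUFFIXES = (
    "setiampolicy", "setorgpolicy", "clearorgpolicy",
    "projects.delete", "folders.delete", "folders.move",
)


def _entry(log_name, ts, method, resource_name, principal, ip, status=None):
    """Build one constructed LogEntry line (JSON) with an AuditLog payload."""
    payload = {"@type": AUDIT_LOG_TYPE, "serviceName": RESOURCE_MANAGER,
               "methodName": method, "resourceName": resource_name,
               "authenticationInfo": {"principalEmail": principal},
               "requestMetadata": {"callerIp": ip}}
    if status is not None:
        payload["status"] = status
    return json.dumps({"logName": log_name, "timestamp": ts, "protoPayload": payload})


SAMPLE_LINES = [
    _entry("organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
           "2019-05-01T10:15:30.123Z", "cloudresourcemanager.v1.organizations.setIamPolicy",
           "organizations/123456789012", "alice@example.com", "203.0.113.10"),
    _entry("projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
           "2019-05-01T10:16:02.000Z", "cloudresourcemanager.v1.projects.getIamPolicy",
           "projects/example-project",
           "ci-runner@example-project.iam.gserviceaccount.com", "198.51.100.7"),
    _entry("projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
           "2019-05-01T10:20:45.000Z", "cloudresourcemanager.v1.projects.delete",
           "projects/example-project", "mallory@example.com", "192.0.2.55",
           status={"code": 7, "message": "PERMISSION_DENIED"}),
]


@dataclass
class Triage:
    who: str        # protoPayload.authenticationInfo.principalEmail
    what: str       # protoPayload.methodName
    where: str      # protoPayload.resourceName (project, folder or organization)
    when: str       # LogEntry.timestamp
    caller_ip: str  # protoPayload.requestMetadata.callerIp
    log_type: str   # "activity" (Admin Activity) or "data_access"
    denied: bool    # non-zero protoPayload.status.code (7 = PERMISSION_DENIED)
    high_risk: bool


def log_type_from_name(log_name: str) -> str:
    # The slash in cloudaudit.googleapis.com/activity is URL-encoded as %2F
    # inside logName, so split on it to get the log ID suffix.
    return log_name.rsplit("%2F", 1)[-1]


def triage(entry: dict) -> Triage:
    payload = entry["protoPayload"]
    if payload.get("@type") != AUDIT_LOG_TYPE:
        raise ValueError("protoPayload is not an AuditLog")
    method = payload["methodName"]
    status_code = payload.get("status", {}).get("code", 0)
    return Triage(
        who=payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        what=method,
        where=payload.get("resourceName", "<unknown>"),
        when=entry["timestamp"],
        caller_ip=payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
        log_type=log_type_from_name(entry["logName"]),
        denied=status_code != 0,
        high_risk=method.lower().endswith(HIGH_RISK_SUFFIXES),
    )


def triage_lines(lines):
    """Parse newline-delimited JSON log entries into Triage records."""
    return [triage(json.loads(line)) for line in lines]


def alerts(lines):
    """High-risk operations, denied attempts included: a refused
    projects.delete or setIamPolicy is still a signal worth a look."""
    return [t for t in triage_lines(lines) if t.high_risk]


if __name__ == "__main__":
    for t in triage_lines(SAMPLE_LINES):
        flag = "ALERT" if t.high_risk else "     "
        outcome = "DENIED" if t.denied else "ok"
        print(f"{flag} {t.when} {t.log_type:<11} {t.who} {t.what} "
              f"on {t.where} from {t.caller_ip} [{outcome}]")
```

To run it on real data, export the entries as JSON (for example with gcloud logging read --format=json) and feed each entry to triage(); only logName, timestamp and protoPayload are read.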

Log name

Cloud Audit Logging log names indicate the project or other entity that owns the audit logs, and whether the log contains Admin Activity or Data Access information. For example, the following shows log names for a project's Admin Activity logs and an organization's Data Access logs.


Service name

Resource Manager audit logs use the service name

For more details on logging services, see Mapping services to resources.

Resource types

Resource Manager audit logs use the resource type project for all audit logs.

For a full list, see Monitored Resource Types.

Enabling audit logging

Admin Activity audit logs are enabled by default and cannot be disabled.

Most Data Access audit logs are disabled by default. The exception is Data Access audit logs for BigQuery, which are enabled by default and cannot be disabled; BigQuery Data Access logs do not count against your project's logging quota.

To enable some or all of your Data Access logs, see Configuring Data Access Logs.

The Data Access logs that you configure can affect your logs pricing in Stackdriver. See the Pricing section on this page.
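The following is an added example, not code from the original page or from Google. Data Access logging is configured through the auditConfigs field of the IAM policy of the project, folder, or organization, which is the mechanism the Configuring Data Access Logs page describes. A setIamPolicy call replaces the whole auditConfigs list, so the safe pattern is read the policy, merge the new audit config into it, and write it back with the etag from the read. The policy below is constructed sample data; fetching and writing the real policy (for example with gcloud projects get-iam-policy PROJECT --format=json and gcloud projects set-iam-policy PROJECT policy.json) is left to the caller.

```python
"""Enable Resource Manager Data Access audit logs by merging into auditConfigs.

Added example (not from the page). SAMPLE_POLICY is constructed data.
"""
import copy
import json
import sys

RESOURCE_MANAGER = "cloudresourcemanager.googleapis.com"
DATA_ACCESS_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample policy: one binding, one unrelated audit config that
# must survive the edit, and the etag returned by getIamPolicy.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "auditConfigs": [
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]}
    ],
    "etag": "BwWKmjvelug=",
}


def enable_data_access_logs(policy, service=RESOURCE_MANAGER,
                            log_types=DATA_ACCESS_LOG_TYPES, exempt=()):
    """Return a copy of policy with log_types enabled for service.

    Audit configs of other services, log types already enabled and
    existing exemptions are preserved. exempt adds members (for example
    a noisy 'serviceAccount:...') whose calls are not logged for log_types.
    """
    if not policy.get("etag"):
        # Without the etag from a fresh getIamPolicy, setIamPolicy would
        # silently overwrite a concurrent change to the policy.
        raise ValueError("policy has no etag; fetch it with getIamPolicy first")
    updated = copy.deepcopy(policy)
    configs = updated.setdefault("auditConfigs", [])
    for cfg in configs:
        if cfg.get("service") == service:
            break
    else:
        cfg = {"service": service, "auditLogConfigs": []}
        configs.append(cfg)
    log_configs = cfg.setdefault("auditLogConfigs", [])
    by_type = {c["logType"]: c for c in log_configs}
    for log_type in log_types:
        entry = by_type.get(log_type)
        if entry is None:
            entry = {"logType": log_type}
            log_configs.append(entry)
            by_type[log_type] = entry
        if exempt:
            members = set(entry.get("exemptedMembers", [])) | set(exempt)
            entry["exemptedMembers"] = sorted(members)
    return updated


def enabled_log_types(policy, service=RESOURCE_MANAGER):
    """Sorted log types currently enabled for service, or [] if none."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            return sorted(c["logType"] for c in cfg.get("auditLogConfigs", []))
    return []


if __name__ == "__main__":
    # Usage: python enable_data_access.py policy.json > updated-policy.json
    # (with no argument the constructed SAMPLE_POLICY is used).
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    print(json.dumps(enable_data_access_logs(source), indent=2))
```

Enabling DATA_READ and DATA_WRITE here is what makes the Data Access logs billable, so scope the change to the project or folder where it is needed rather than the whole organization unless you actually want org-wide coverage.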

Audit log permissions

Cloud Identity and Access Management permissions and roles determine which audit logs you can view or export. Logs reside in projects and in some other entities including organizations, folders, and billing accounts. For more information, see Understanding Roles.

To view Admin Activity logs, you must have one of the following Cloud IAM roles in the project that contains your audit logs:

To view Data Access logs, you must have one of the following roles in the project that contains your audit logs:

If you are using audit logs from a non-project entity, such as an organization, then change the Project roles to suitable organization roles.

Viewing logs

To view audit logs for one of your projects, do one of the following:

For more details, see the following options:

Basic Viewer

You can use the Logs Viewer basic interface to retrieve your audit log entries by doing the following:

  1. In the first menu, select the resource type whose audit logs you wish to see. Select a specific resource or all of them.
  2. In the second menu, select the log name you want to see: activity for Admin Activity audit logs and data_access for Data Access audit logs. If you do not see one or both of those options, then there are no audit logs of that type available.

Advanced Viewer

  1. Switch to the advanced filter interface in the Logs Viewer.
  2. Create a filter that specifies the resource type(s) and log names you want. For more information, see Retrieving audit logs.


To read your log entries through the Logging API, see entries.list.


To read your log entries using the Cloud SDK gcloud command-line tool, see Reading log entries.
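The following helper is an added example, not code from the original page or from Google. It assembles the advanced filter string used by the Logs Viewer, the API entries.list call and gcloud logging read, and the matching gcloud command line, taking care of two details that trip people up: the slash in the log ID is %2F-encoded inside logName, and any value spliced into the filter (a principal, a method name) must be quoted and escaped so that user-controlled input cannot alter the query. Method names are matched with the substring operator so that one name such as setIamPolicy covers the v1, v1beta1, v2 and v2beta1 variants in the table on this page. The scope IDs and principal used below are placeholders.

```python
"""Build a Logging advanced filter and gcloud command for Resource Manager audit logs.

Added example (not from the page). Scope IDs in the usage are placeholders.
"""
import shlex
from datetime import datetime, timedelta, timezone

SERVICE = "cloudresourcemanager.googleapis.com"
LOG_IDS = {"activity": "cloudaudit.googleapis.com%2Factivity",
           "data_access": "cloudaudit.googleapis.com%2Fdata_access"}
# logName path prefix and the gcloud logging read flag for the same scope.
SCOPES = {"project": ("projects", "--project"),
          "folder": ("folders", "--folder"),
          "organization": ("organizations", "--organization"),
          "billing_account": ("billingAccounts", "--billing-account")}


def quote(value: str) -> str:
    """Double-quote a filter value, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def log_name(scope_type: str, scope_id: str, log_type: str) -> str:
    return f"{SCOPES[scope_type][0]}/{scope_id}/logs/{LOG_IDS[log_type]}"


def build_filter(scope_type, scope_id, log_types=("activity",), methods=(),
                 principal=None, since_hours=24, now=None):
    """Clauses are ANDed; alternatives inside a clause are ORed.

    methods use ':' (substring match), so 'setIamPolicy' matches every
    API version of that operation. now is injectable for testing.
    """
    names = [log_name(scope_type, scope_id, lt) for lt in log_types]
    clauses = ["(" + " OR ".join(f"logName={quote(n)}" for n in names) + ")",
               f"protoPayload.serviceName={quote(SERVICE)}"]
    if methods:
        clauses.append("(" + " OR ".join(
            f"protoPayload.methodName:{quote(m)}" for m in methods) + ")")
    if principal:
        clauses.append(
            f"protoPayload.authenticationInfo.principalEmail={quote(principal)}")
    cutoff = (now or datetime.now(timezone.utc)) - timedelta(hours=since_hours)
    clauses.append(f'timestamp>={quote(cutoff.strftime("%Y-%m-%dT%H:%M:%SZ"))}')
    return " AND ".join(clauses)


def gcloud_command(scope_type, scope_id, filter_text, limit=50):
    """argv for gcloud logging read against the scope that owns the logs."""
    flag = SCOPES[scope_type][1]
    return ["gcloud", "logging", "read", filter_text, f"{flag}={scope_id}",
            f"--limit={limit}", "--format=json"]


if __name__ == "__main__":
    # Example: org-level IAM and Org Policy changes in the last 24 hours.
    f = build_filter("organization", "123456789012", ("activity",),
                     methods=("setIamPolicy", "setOrgPolicy", "clearOrgPolicy"))
    print(f)
    print(shlex.join(gcloud_command("organization", "123456789012", f)))
```

Paste the printed filter into the advanced filter box of the Logs Viewer, or run the printed command; for folder or billing-account logs change the scope type, which switches both the logName prefix and the gcloud flag.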

Exporting audit logs

You can export audit logs in the same way you export other kinds of logs. For details about how to export your logs, see Exporting Logs. Here are some applications of exporting audit logs:

  • To keep audit logs for a longer period of time or to use more powerful search capabilities, you can export copies of your audit logs to Cloud Storage, BigQuery, or Cloud Pub/Sub. Using Cloud Pub/Sub, you can export to other applications, other repositories, and to third parties.

  • To manage your audit logs across an entire organization, you can create aggregated export sinks that can export logs from any or all projects in the organization.

  • If your enabled Data Access logs are pushing your projects over their logs allotments, you can export and exclude the Data Access logs from Logging. For details, see Excluding Logs.

Pricing
Stackdriver Logging does not charge you for audit logs that are enabled by default, including all Admin Activity logs.

Stackdriver Logging charges you for Data Access logs that you explicitly request.

For more information on logs pricing, including audit logs pricing, see Stackdriver Pricing.
