Last updated: 2025-09-05 (UTC)

This document describes how to configure Model Armor to log the following operations:

- Operations that create, update, or delete a template
- Operations that sanitize a user prompt or model response

Model Armor uses audit logs to record administrative and resource management activities. For more information, see [Model Armor audit logging overview](/logging/docs/overview).

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Obtain the required permissions

To get the permissions that you need to configure logging for Model Armor, ask your administrator to grant you the [Model Armor Admin](/iam/docs/roles-permissions/modelarmor#modelarmor.admin) (`roles/modelarmor.admin`) IAM role on the Model Armor template.

For more information about granting roles, see [Manage access to projects, folders, and organizations](/iam/docs/granting-changing-revoking-access).

You might also be able to get the required permissions through [custom roles](/iam/docs/creating-custom-roles) or other [predefined roles](/iam/docs/roles-overview#predefined).

Enable APIs

You must enable Model Armor APIs before you can use Model Armor.

Console

1. Enable the Model Armor API.

   [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=modelarmor.googleapis.com)

2. Select the project where you want to activate Model Armor.

gcloud

Before you begin, follow these steps using the Google Cloud CLI with the Model Armor API:

1. In the Google Cloud console, activate Cloud Shell.

   [Activate Cloud Shell](https://console.cloud.google.com/?cloudshell=true)

   At the bottom of the Google Cloud console, a [Cloud Shell](/shell/docs/how-cloud-shell-works) session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

2. Run the following command to set the API endpoint for the Model Armor service.

   ```bash
   gcloud config set api_endpoint_overrides/modelarmor "https://modelarmor.LOCATION.rep.googleapis.com/"
   ```

   Replace LOCATION with the region where you want to use Model Armor.

Run the following command to enable Model Armor.

```bash
gcloud services enable modelarmor.googleapis.com --project=PROJECT_ID
```

Replace PROJECT_ID with the ID of the project.

Configure logging in templates

Templates define the filters and thresholds for different safety and security categories. When creating or updating a [Model Armor template](/security-command-center/docs/manage-model-armor-templates), you can specify whether Model Armor logs certain operations. Use the following flags in the template metadata:

- `log_template_operations`: A boolean value that enables logging of the create, update, read, and delete template operations.
- `log_sanitize_operations`: A boolean value that enables logging of the sanitize operations. The logs include the prompt and response, Model Armor's evaluation results, and additional metadata fields.

Console

1. In the Google Cloud console, go to the **Model Armor** page.

   [Go to Model Armor](https://console.cloud.google.com/security/modelarmor)

2. Verify that you are viewing the project that you activated Model Armor on.

3. On the **Model Armor** page, click **Create Template**. For more information on creating templates, see [Create a Model Armor template](/security-command-center/docs/manage-model-armor-templates#create-ma-template).

4. In the **Configure logging** section, select the operations for which you want to configure logging.

5. Click **Create**.

REST

```bash
curl -X POST \
  -d '{ "filterConfig": {}, "templateMetadata": { "logTemplateOperations": true, "logSanitizeOperations": true } }' \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates?template_id=TEMPLATE_ID"
```

Replace the following:

- PROJECT_ID: the ID of the project that the template belongs to.
- LOCATION: the location of the template.
- TEMPLATE_ID: the ID of the template.

Python

To run this code, first [set up a Python development environment](/python/docs/setup) and [install the Model Armor Python SDK](/security-command-center/docs/reference/model-armor/client-libraries-install-python).

```python
from google.api_core.client_options import ClientOptions
from google.cloud import modelarmor_v1

# Model Armor is served from a regional endpoint, so point the client at it.
client = modelarmor_v1.ModelArmorClient(
    transport="rest",
    client_options=ClientOptions(
        api_endpoint="modelarmor.LOCATION.rep.googleapis.com"
    ),
)

# Create a template with both template-operation and sanitize-operation logging enabled.
request = modelarmor_v1.CreateTemplateRequest(
    parent="projects/PROJECT_ID/locations/LOCATION",
    template_id="TEMPLATE_ID",
    template={
        "name": "projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID",
        "filter_config": {},
        "template_metadata": {
            "log_template_operations": True,
            "log_sanitize_operations": True,
        },
    },
)
response = client.create_template(request=request)
```

Replace the following:

- PROJECT_ID: the ID of the project that the template belongs to.
- LOCATION: the location of the template.
- TEMPLATE_ID: the ID of the template.

View logs

Access Model Armor logs using Logs Explorer in Cloud Logging. For more information, see [View logs by using the Logs Explorer](/logging/docs/view/logs-explorer-interface). Filter by the service name `modelarmor.googleapis.com`. Look for entries related to the operations that you enabled in your template. For a list of all the service names and monitored resource types, see [Monitored resources and services](/logging/docs/api/v2/resource-list#resource-types).

Filter Model Armor logs

Use log labels for filtering the Model Armor logs for the sanitization operations and template logging.

Run the following query in the Logs Explorer to filter the sanitization operations logs.

```
jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"
```

To further refine the sanitization operation logs, you can specify a project ID, client name, or correlation ID in the query.

- Using a project ID:

  ```
  jsonPayload.@type="type.googleapis.com%2Fgoogle.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry";project=PROJECT_ID
  ```

- Using a client name:

  ```
  jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"
  labels."modelarmor.googleapis.com/client_name"="CLIENT_NAME"
  ```

- Using a correlation ID:

  ```
  labels."modelarmor.googleapis.com/client_correlation_id"="CORRELATION_ID"
  ```

Replace the following:

- PROJECT_ID: the Google Cloud project ID.
- CLIENT_NAME: the name of your client.
- CORRELATION_ID: the unique identifier that you generate for a specific request.

Correlate logs and related events

To correlate logs and events related to a particular interaction, you need a client correlation ID. It is a unique identifier that you generate (for example, a UUID) to track a specific request across your system. To set a client correlation ID in a curl header, use the `-H` option to include a custom header in your request. Here's the sample format:

```bash
# Generate a unique correlation ID and reuse it for both requests of one interaction.
uuid=$(uuidgen)

curl -X POST -d '{"userPromptData": { "text": "USER_PROMPT" } }' \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "MA-Client-Correlation-Id: $uuid" \
  "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeUserPrompt"

curl -X POST \
  -d '{"modelResponseData": { "text": "MODEL_RESPONSE" }, "userPrompt": "USER_PROMPT" }' \
  -H "Content-Type: application/json" \
  -H "MA-Client-Correlation-Id: $uuid" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeModelResponse"
```

Replace the following:

- PROJECT_ID: the ID of the project that the template belongs to.
- LOCATION: the location of the template.
- TEMPLATE_ID: the ID of the template.
- USER_PROMPT: the prompt provided to the model.
- MODEL_RESPONSE: the response received from the model.
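The correlation workflow described above as one script: tag a sanitize request with a generated ID, then read back the log entries carrying that ID. This is an added example, not part of the original documentation; the function names, the `run` argument, the 30-second wait and the constructed sample prompt are assumptions, and PROJECT_ID, LOCATION and TEMPLATE_ID are expected in the environment.

```shell
#!/usr/bin/env bash
# Added example (not from the Model Armor docs). PROJECT_ID, LOCATION and
# TEMPLATE_ID are read from the environment; function names are hypothetical.

TYPE_CLAUSE='jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"'

# Build the Logging filter for one correlation ID. IDs containing anything
# other than letters, digits and hyphens are rejected, so a value cannot close
# the quoted string and append its own filter terms.
ma_log_filter() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*) echo "invalid correlation ID" >&2; return 1 ;;
  esac
  printf '%s AND labels."modelarmor.googleapis.com/client_correlation_id"="%s"' \
    "$TYPE_CLAUSE" "$1"
}

# Send a prompt for sanitization, tagged with the correlation ID.
# $2 must already be a JSON string literal, quotes included.
ma_sanitize_prompt() {
  curl -sS -X POST \
    -d "{\"userPromptData\": {\"text\": $2}}" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "MA-Client-Correlation-Id: $1" \
    "https://modelarmor.${LOCATION}.rep.googleapis.com/v1/projects/${PROJECT_ID}/locations/${LOCATION}/templates/${TEMPLATE_ID}:sanitizeUserPrompt"
}

# Read back the log entries recorded for that correlation ID.
ma_read_logs() {
  local filter
  filter="$(ma_log_filter "$1")" || return 1
  gcloud logging read "$filter" --project="${PROJECT_ID}" --freshness=1h --format=json
}

# Network calls run only when the script is invoked with "run".
if [ "${1:-}" = "run" ]; then
  id="$(uuidgen)"
  ma_sanitize_prompt "$id" '"constructed sample prompt"'
  sleep 30  # assumed delay before the entry is queryable
  ma_read_logs "$id"
fi
```

Sanitize logs include the prompt and response text, so grant read access to these entries with the same care as the prompts themselves.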