This page provides supplemental information for using Cloud Audit Logs with Cloud Storage. Use Cloud Audit Logs to generate logs for API operations performed in Cloud Storage. To set up Cloud Audit Logs, see Configuring Data Access Logs.
Within Cloud Audit Logs, there are two types of logs:
Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:
ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.
DATA_READ: Entries for operations that read an object.
DATA_WRITE: Entries for operations that create or modify an object.
The following table summarizes which Cloud Storage operations fall into each log type:
|Log entry type||Sub-type||Operations|
1 Copying and composing are non-atomic: they each read and write data. As a result, they generate two log entries.
3: If an object ACL is set to public, audit logs are not generated for reads or writes to that object or its ACL.
Cloud Storage logs use an
AuditLog object and follow the same
format as other Cloud Audit Logs logs. Logs contain information such as:
- The user who made the request, including the email address of that user.
- The resource name on which the request was made.
- The outcome of the request.
- Optionally, detailed request and response information. For more information, see Detailed Audit Logging mode.
Logs pertaining to Cloud Storage operations are generated by the
Admin Activity logs are recorded by default. These logs do not count towards your log ingestion quota.
Data Access logs pertaining to Cloud Storage operations are not recorded by default. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs. Note that unlike Admin Activity logs, Data Access logs count towards your log ingestion quota and can affect your Cloud Logging charges.
The following users can view Admin Activity logs:
- Project owners, editors, and viewers.
- Users with the Logs Viewer IAM role.
- Users with the
The following users can view Data Access logs:
- Project owners.
- Users with the Private Logs Viewer IAM role.
- Users with the
See Adding IAM members to a project for instructions on granting access.
Logs pertaining to Cloud Storage are categorized under the resource
For instructions on filtering logs in the Logs Viewer, see the Cloud Audit Logs guide.
Cloud Audit Logs uses standard log names for all audit logs. For information on the structure of log names, as well as examples of using log names as log result filters, see Viewing audit logs.
The following restrictions apply to Cloud Audit Logs with Cloud Storage:
- Cloud Audit Logs does not track access to public objects.
- Cloud Audit Logs does not track changes made by the Object Lifecycle Management feature.
- You cannot use authenticated browser downloads to access objects when Cloud Audit Logs Data Access logs are enabled on the bucket containing the objects.
- Try the Scenarios for exporting Cloud Logging tutorial.