Cloud Audit Logging with Cloud Storage

This page provides supplemental information for using Cloud Audit Logging with Cloud Storage. Use Cloud Audit Logging to generate logs for API operations performed in Cloud Storage. To set up Cloud Audit Logging, see Configuring Data Access Logs.

Logged information

Within Cloud Audit Logging, there are two types of logs:

Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:
- ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.
- DATA_READ: Entries for operations that read an object.
- DATA_WRITE: Entries for operations that create or modify an object.

The following table summarizes which Cloud Storage operations fall into each log type:

Log entry type	Sub-type	Operations
Admin Activity		Creating buckets Deleting buckets Setting/changing IAM policies Setting/changing object ACLs Updating bucket metadata
Data Access	`ADMIN_READ`	Getting bucket metadata Getting IAM policies Getting object ACLs Listing buckets
	`DATA_READ`	Getting object data Getting object metadata Listing objects Copying/composing objects¹
	`DATA_WRITE`	Creating objects Deleting objects² Updating non-ACL object metadata² Copying/composing objects¹

¹ Copying and composing are non-atomic: they each read and write data. As a result, they generate two log entries.

² Cloud Audit Logging does not log actions taken by the Object Lifecycle Management feature. For alternatives that track these actions, see Options for tracking Lifecycle actions.

Cloud Storage logs use an AuditLog object and follow the same format as other Cloud Audit Logging logs. Logs contain information such as:

The user who made the request, including the email address of that user.
The resource name on which the request was made.
The outcome of the request.

Log settings

Logs pertaining to Cloud Storage operations are generated by the service storage.googleapis.com.

Admin Activity logs are recorded by default. These logs do not count towards your log ingestion quota.

Data Access logs pertaining to Cloud Storage operations are not recorded by default. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs. Note that unlike Admin Activity logs, Data Access logs count towards your log ingestion quota and can affect your logging charges in Stackdriver.

Log access

The following users can view Admin Activity logs:

Project owners, editors, and viewers.
Users with the Logs Viewer IAM role.
Users with the logging.logEntries.list IAM permission.

The following users can view Data Access logs:

Project owners.
Users with the Private Logs Viewer IAM role.
Users with the logging.privateLogEntries.list IAM permission.

See Adding IAM members to a project for instructions on granting access.

Viewing logs

Logs pertaining to Cloud Storage are categorized under the resource type GCS bucket.

You can view a summary of the audit logs for your project in the Activity Stream in the Google Cloud Platform Console. A more detailed version of the logs can found in the Logs Viewer.

For instructions on filtering logs in the Logs Viewer, see the Cloud Audit Logging guide.

Log naming

Cloud Audit Logging uses standard log names for all audit logs. For information on the structure of log names, as well as examples of using log names as log result filters, see Viewing audit logs.

Restrictions

The following restrictions apply to Cloud Audit Logging with Cloud Storage:

Cloud Audit Logging does not track access to public objects.
Cloud Audit Logging does not track changes made by the Object Lifecycle Management feature.
You cannot use authenticated browser downloads to access objects when Cloud Audit Logging Data Access logs are enabled on the bucket containing the objects.

What's next

Try the Exporting Stackdriver Logging tutorial.

¿Te sirvió esta página? Envíanos tu opinión:

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Última actualización: Abril 18, 2019