Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" within your Google Cloud resources. Your Google Cloud projects contain only the audit logs for resources that are directly within the Cloud project. Other Google Cloud resources, such as folders, organizations, and billing accounts, contain the audit logs for the entity itself. For a general overview of Cloud Audit Logs, see Cloud Audit Logs overview. For a deeper understanding of the audit log format, see Understand audit logs.

Available audit logs

The following types of audit logs are available for App Engine:

- Admin Activity audit logs
For fuller descriptions of the audit log types, see the Cloud Audit Logs overview.

Audited operations

The following summarizes which API operations correspond to each audit log type in App Engine:

Audit logs category: Admin Activity audit logs
App Engine operations:
  apps.create
  apps.patch
  apps.repair
  apps.authorizedCertificates.create
  apps.authorizedCertificates.delete
  apps.authorizedCertificates.patch
  apps.domainMappings.create
  apps.domainMappings.delete
  apps.domainMappings.patch
  apps.firewall.ingressRules.batchUpdate
  apps.firewall.ingressRules.create
  apps.firewall.ingressRules.delete
  apps.firewall.ingressRules.patch
  apps.services.delete
  apps.services.patch
  apps.services.versions.create
  apps.services.versions.delete
  apps.services.versions.patch
  apps.services.versions.instances.debug
  apps.services.versions.instances.delete

Audit log format

Audit log entries are made up of several objects.
For the fields in these objects, and how to interpret them, review Understand audit logs.

Log name

Cloud Audit Logs log names include resource identifiers indicating the Cloud project or other Google Cloud entity that owns the audit logs, and whether the log contains Admin Activity, Data Access, Policy Denied, or System Event audit logging data. The following are the audit log names, including variables for the resource identifiers:

  projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
  projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
  projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy
  folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
  folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
  folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy
  billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Factivity
  billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
  billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com%2Fpolicy
  organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
  organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
  organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
  organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy

Note: The part of the log name following cloudaudit.googleapis.com must be URL-encoded. The forward-slash character, /, must be written as %2F.
Service name

App Engine audit logs are all written under a single service name. For a list of all the Cloud Logging API service names and their corresponding monitored resource type, see the Cloud Logging reference that maps service names to monitored resource types.

Resource types

App Engine audit logs use a single resource type for all audit logs. For a list of all the Cloud Logging monitored resource types and descriptive information, see the Cloud Logging monitored resource types reference.

Enable audit logging

Admin Activity audit logs are always enabled; you can't disable them.

Permissions and roles

IAM permissions and roles determine your ability to access audit logs data in Google Cloud resources. Which ones apply depends on your use case.
For more information about the IAM permissions and roles that apply to audit logs data, see Access control with IAM.

View logs

To query for audit logs, you need to know the log name, which includes the resource identifier of the Cloud project, folder, billing account, or organization for which you want to view audit logging information. In your query, you can further specify other indexed log entry fields. For more information on querying, see Build queries in the Logs Explorer.

You can view audit logs in Cloud Logging by using the Google Cloud console, the Google Cloud CLI, or the Logging API.

Console

In the Google Cloud console, you can use the Logs Explorer to retrieve your audit log entries for your Cloud project, folder, or organization:

1. In the Google Cloud console, go to the Logging > Logs Explorer page.
2. Select an existing Cloud project, folder, or organization.
3. In the Query builder pane, select the resource and the type of audit log that you want to view.
If you don't see these options, then there aren't any audit logs of that type available in the Cloud project, folder, or organization. If you're experiencing issues when trying to view logs in the Logs Explorer, see the troubleshooting information. For more information about querying by using the Logs Explorer, see Build queries in the Logs Explorer.

gcloud

The Google Cloud CLI provides a command-line interface to the Logging API. Supply a valid resource identifier in each of the log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Cloud project.

To read your Cloud project-level audit log entries, run the following command:

  gcloud logging read "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com" \
      --project=PROJECT_ID

To read your folder-level audit log entries, run the following command:

  gcloud logging read "logName : folders/FOLDER_ID/logs/cloudaudit.googleapis.com" \
      --folder=FOLDER_ID

To read your organization-level audit log entries, run the following command:

  gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com" \
      --organization=ORGANIZATION_ID

To read your Cloud Billing account-level audit log entries, run the following command:

  gcloud logging read "logName : billingAccounts/BILLING_ACCOUNT_ID/logs/cloudaudit.googleapis.com" \
      --billing-account=BILLING_ACCOUNT_ID

Add the --freshness flag to your command to read logs that are more than 1 day old. For more information about using the gcloud CLI, see the gcloud logging read reference.

API

When building your queries, supply a valid resource identifier in each of the log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Cloud project. To use the Logging API to view your project-level audit log entries, pass the project-level log name in the request filter, in the same form as the gcloud logging read queries above.
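The following is an added example, not code from the Google Cloud documentation: a small Python helper that builds correctly %2F-encoded audit log names for a logName filter and triages Admin Activity entries as emitted by gcloud logging read --format=json, reporting who performed which App Engine operation. The sample entries are constructed, and the assumption that protoPayload.methodName carries the operation names from the table above is labelled in the code.

```python
import json
import re

# Admin Activity operations that the table above lists for App Engine.
APP_ENGINE_ADMIN_OPS = {
    "apps.create", "apps.patch", "apps.repair", "apps.authorizedCertificates.create",
    "apps.authorizedCertificates.delete", "apps.authorizedCertificates.patch",
    "apps.domainMappings.create", "apps.domainMappings.delete", "apps.domainMappings.patch",
    "apps.firewall.ingressRules.batchUpdate", "apps.firewall.ingressRules.create",
    "apps.firewall.ingressRules.delete", "apps.firewall.ingressRules.patch",
    "apps.services.delete", "apps.services.patch", "apps.services.versions.create",
    "apps.services.versions.delete", "apps.services.versions.patch",
    "apps.services.versions.instances.debug", "apps.services.versions.instances.delete",
}
# The "/" after cloudaudit.googleapis.com must be URL-encoded as %2F; a literal "/" fails.
LOG_NAME_RE = re.compile(
    r"^(projects|folders|billingAccounts|organizations)/([^/]+)/logs/"
    r"cloudaudit\.googleapis\.com%2F(activity|data_access|system_event|policy)$"
)

def audit_log_name(container, resource_id, log_type="activity"):
    """Build a correctly encoded audit log name for a logName filter."""
    name = f"{container}/{resource_id}/logs/cloudaudit.googleapis.com%2F{log_type}"
    if not LOG_NAME_RE.match(name):
        raise ValueError(f"invalid audit log name: {name}")
    return name

def triage_admin_activity(entries_json):
    """Summarize Admin Activity entries from gcloud logging read --format=json output."""
    findings = []
    for entry in json.loads(entries_json):
        m = LOG_NAME_RE.match(entry.get("logName", ""))
        if not m or m.group(3) != "activity":
            continue  # skip badly encoded names and non-Admin-Activity logs
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        findings.append({"who": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
                         "method": method, "resource": payload.get("resourceName"),
                         "app_engine_op": method in APP_ENGINE_ADMIN_OPS})
    return findings

# Constructed sample (not real log data): methodName is assumed to carry the operation
# name from the table; the second entry's logName is mis-encoded and is skipped.
SAMPLE_ENTRIES = json.dumps([
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "apps.firewall.ingressRules.create",
                      "resourceName": "apps/example-project/firewall/ingressRules/100",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com/activity",
     "protoPayload": {"methodName": "apps.services.versions.create"}},
])
```

Feed the output of gcloud logging read --format=json to triage_admin_activity to get one record per Admin Activity entry; a rejected logName usually means the slash after the service name was not encoded as %2F.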
Route audit logs

You can route audit logs to supported destinations in the same way that you can route other kinds of logs. There are several reasons you might want to route your audit logs.