GCP Associate Cloud Engineer (ACE)
Audit Logs
- Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources
- Cloud Audit Logs maintain three audit logs: Admin Activity logs, Data Access logs, and System Event logs
Log Types
- Admin Activity audit logs:
  - Contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - Admin Activity audit logs are always written; we can't configure or disable them
- Data Access audit logs:
  - Contain API calls that read the configuration or metadata of resources, including user-driven API calls that create, modify, or read user-provided resource data
  - We must have the IAM role Logging/Private Logs Viewer or Project/Owner to view these logs
  - We must explicitly enable Data Access audit logs to be written. They are disabled by default because they can be very large
- System Event audit logs:
  - Contain log entries for administrative actions taken by Google Cloud itself that modify the configuration of resources
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - System Event audit logs are always written; we can't configure or disable them
  - There is no additional charge for System Event audit logs
- Policy Denied audit logs:
  - Contain log entries written when a Google Cloud service denies access to a user or service account because of a security policy violation
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - Policy Denied audit logs are generated by default, and our Cloud project is charged for their storage
Exporting Audit Logs
- Log entries received by Logging can be exported to Cloud Storage buckets, BigQuery datasets, and Pub/Sub topics
- To export audit log entries outside of Logging:
  - Create a logs sink
  - Give the sink a query (filter) that specifies the audit log types we want to export
- If we want to export audit log entries for a whole Google Cloud organization, folder, or billing account, we should review Aggregated sinks
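As an added example (not part of these notes), the snippet below builds the sink query that selects only the chosen audit log types and classifies exported entries by type, so we can check which of the four log types actually landed in a Cloud Storage or BigQuery export. The `cloudaudit.googleapis.com%2F...` log IDs are the real ones Cloud Audit Logs uses; the sample entries are constructed.

```python
"""Build a Cloud Logging sink filter for audit log types and classify
exported LogEntry records (newline-delimited JSON) by audit log type."""
import json
from collections import Counter

# Log IDs (URL-encoded, as they appear at the end of logName) for the
# four Cloud Audit Logs types described in the notes.
AUDIT_LOG_IDS = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
    "cloudaudit.googleapis.com%2Fpolicy": "Policy Denied",
}


def sink_filter(types):
    """Return the Logging query a sink needs to export only `types`."""
    ids = [i for i, name in AUDIT_LOG_IDS.items() if name in types]
    if not ids:
        raise ValueError("no audit log types selected")
    return "logName:(" + " OR ".join(f'"{i}"' for i in ids) + ")"


def classify(entry):
    """Map one exported LogEntry dict to its audit log type name."""
    log_id = entry.get("logName", "").rsplit("/logs/", 1)[-1]
    return AUDIT_LOG_IDS.get(log_id, "not an audit log")


def summarize(ndjson_text):
    """Count exported entries per audit type and per acting principal."""
    by_type, by_principal = Counter(), Counter()
    for line in filter(None, ndjson_text.splitlines()):
        entry = json.loads(line)
        kind = classify(entry)
        by_type[kind] += 1
        who = entry.get("protoPayload", {}).get("authenticationInfo", {})
        by_principal[(kind, who.get("principalEmail", "<unknown>"))] += 1
    return by_type, by_principal


# Constructed sample export: one line per LogEntry, as Cloud Storage
# exports write them (project and principals are placeholders).
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "svc@example.com"}}},
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fpolicy",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "svc@example.com"}}},
    {"logName": "projects/my-project/logs/syslog", "textPayload": "not audit"},
])
```

Running `summarize(SAMPLE_EXPORT)` shows one Admin Activity, one Data Access and one Policy Denied entry plus one non-audit record, and no System Event entries, which is a quick way to confirm the sink filter did what we intended.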
Pricing
- All features of Cloud Logging are free to use, and the charge is only applicable for ingested log volume over the free allotment