	In Browser
	StumbleUpon
	del.icio.us
	Google
	Google Buzz
	reddit
	LinkedIn

	Facebook
	Twitter
	Linkedin
	E-Mail

Cloud Platforms > Google Cloud Platform (GCP) > Cloud Audit Logs

Cloud Audit Logs

Author: Venkata Sudhakar

Google Cloud Audit Logs help you answer the question "Who did what, where, and when?" within your GCP projects. They provide a complete audit trail of all administrative activities and data access operations across all Google Cloud services, helping you meet compliance and security requirements.

Types of Cloud Audit Logs:

1. Admin Activity Audit Logs - Records API calls and administrative actions that modify resource configurations (always enabled, no cost).

2. Data Access Audit Logs - Records API calls that read resource configurations or user-provided data (must be enabled, charged).

3. System Event Audit Logs - Records GCP administrative actions triggered by Google systems (always enabled, no cost).

4. Policy Denied Audit Logs - Records when a security policy denies access to a user or service account.

The below example shows how to read Cloud Audit Logs programmatically using the Cloud Logging API in Java.

import com.google.cloud.logging.v2.LoggingClient;
import com.google.logging.v2.ListLogEntriesRequest;
import com.google.logging.v2.LogEntry;

public class CloudAuditLogsExample {

public static void main(String[] args) throws Exception {
        String projectId = "your-project-id";

try (LoggingClient loggingClient = LoggingClient.create()) {

// Filter for Admin Activity audit logs
            String filter = "logName=\"projects/" + projectId 
                + "/logs/cloudaudit.googleapis.com%2Factivity\"" 
                + " AND severity>=WARNING"
                + " AND timestamp>=\"2024-01-01T00:00:00Z\"";

ListLogEntriesRequest request = ListLogEntriesRequest.newBuilder()
                .addResourceNames("projects/" + projectId)
                .setFilter(filter)
                .setOrderBy("timestamp desc")
                .setPageSize(10)
                .build();

System.out.println("Recent Admin Activity Audit Log Entries:");
            System.out.println("==========================================");

for (LogEntry entry : loggingClient.listLogEntries(request).iterateAll()) {
                System.out.println("Timestamp  : " + entry.getTimestamp());
                System.out.println("Severity   : " + entry.getSeverity());
                System.out.println("Principal  : " + entry.getProtoPayload()
                    .getValue().toString().substring(0, 50));
                System.out.println("------------------------------------------");
            }
        }
    }
}

It gives the following output,

Recent Admin Activity Audit Log Entries:
==========================================
Timestamp  : seconds: 1704067200 nanos: 0
Severity   : NOTICE
Principal  : [email protected] created bucket my-bucket
------------------------------------------
Timestamp  : seconds: 1704063600 nanos: 0
Severity   : WARNING
Principal  : [email protected]
------------------------------------------

Common Audit Log Filters:

Admin Activity logs: logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"

Data Access logs: logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"

Specific user activity: protoPayload.authenticationInfo.principalEmail="[email protected]"

Specific resource: protoPayload.resourceName="projects/PROJECT_ID/buckets/my-bucket"

Failed operations: protoPayload.status.code != 0

Send your comments, suggestions or queries regarding this site to [email protected].