Cloud Audit Logs

Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer "who did what, where, and when?" within your Google Cloud resources with the same level of transparency as in on-premises environments. Enabling audit logs helps your security, auditing, and compliance entities monitor Google Cloud data and systems for possible vulnerabilities or external data misuse.

Required roles

To view audit logs, you must have the appropriate permissions and roles:
To get the permissions that you need for read-only access to Admin Activity, Policy Denied, and System Event audit logs, ask your administrator to grant you the Logs Viewer (roles/logging.viewer) IAM role on your project.
If you have only the Logs Viewer role (roles/logging.viewer), then you cannot view Data Access audit logs that are in the _Default bucket.
To get the permissions that you need to access all logs in the _Required and _Default buckets, including Data Access logs, ask your administrator to grant you the Private Logs Viewer (roles/logging.privateLogViewer) IAM role on your project.
The Private Logs Viewer role (roles/logging.privateLogViewer) includes the permissions contained in the Logs Viewer role (roles/logging.viewer), and those necessary to read Data Access audit logs in the _Default bucket.
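
The role rules above can be checked against a project's IAM policy. The following is an added example, not part of the original page: it reads a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports who can read Data Access audit logs and who holds a redundant Logs Viewer binding. The sample policy, member names, and function names are constructed for illustration, and only the two roles named above are evaluated.

```python
import json

# Audit log types each role can read, as stated in the section above.
# Assumption: only these two predefined roles are evaluated; any other role
# that carries logging permissions is outside the scope of this example.
BASE_LOGS = frozenset({"Admin Activity", "Policy Denied", "System Event"})
ROLE_ACCESS = {
    "roles/logging.viewer": BASE_LOGS,
    "roles/logging.privateLogViewer": BASE_LOGS | {"Data Access"},
}

# Constructed sample policy (members and project name are made up).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/logging.viewer",
   "members": ["user:auditor@example.com", "group:secops@example.com"]},
  {"role": "roles/logging.privateLogViewer",
   "members": ["group:secops@example.com",
               "serviceAccount:siem-export@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer", "members": ["user:dev@example.com"]}
]}
""")

def audit_log_access(policy):
    """Map each member to the audit log types its role bindings let it read."""
    access = {}
    for binding in policy.get("bindings", []):
        readable = ROLE_ACCESS.get(binding.get("role"))
        if readable is None:
            continue  # role not covered by this example
        for member in binding.get("members", []):
            access.setdefault(member, set()).update(readable)
    return access

def data_access_readers(policy):
    """Members that can read Data Access audit logs in the _Default bucket."""
    return sorted(m for m, logs in audit_log_access(policy).items()
                  if "Data Access" in logs)

def redundant_viewer_bindings(policy):
    """Members holding both roles; Private Logs Viewer already includes Logs Viewer."""
    members = {role: set() for role in ROLE_ACCESS}
    for binding in policy.get("bindings", []):
        if binding.get("role") in members:
            members[binding["role"]].update(binding.get("members", []))
    return sorted(members["roles/logging.viewer"] & members["roles/logging.privateLogViewer"])

if __name__ == "__main__":
    print("Data Access readers:", data_access_readers(SAMPLE_POLICY))
    print("Redundant Logs Viewer bindings:", redundant_viewer_bindings(SAMPLE_POLICY))
```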

Types of audit logs

Cloud Audit Logs provides the following audit logs for each Google Cloud project, folder, and organization:
