Container Registry

4. Logging

  • Google Cloud services write audit logs to help answer the questions, "Who did what, where, and when?" 
  • Cloud projects contain only the audit logs for resources that are directly within the project. 
  • Other entities, such as folders, organizations, and billing accounts, each contain the audit logs for the entity itself.
  • Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity audit logs, Data Access audit logs, and System Event audit logs.
  • Container Analysis writes Admin Activity audit logs, which record operations that modify the configuration or metadata of a resource. 
  • Only if explicitly enabled, Container Analysis writes Data Access audit logs. 
  • Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. 
  • Data Access audit logs do not record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into Google Cloud.
  • Container Analysis does not write System Event audit logs.
  • Admin Activity audit logs are always enabled and can't be disabled.
  • Data Access audit logs are disabled by default and are not written unless explicitly enabled (the exception is Data Access audit logs for BigQuery, which cannot be disabled).
  • The Data Access audit logs that you enable can affect log pricing in Cloud Logging.
  • Cloud Identity and Access Management permissions and roles determine which audit logs can be viewed or exported. 
  • Logs reside in projects and in some other entities including organizations, folders, and billing accounts.  
  • If you are using audit logs from a non-project entity, such as an organization, then change the Project roles to suitable organization roles.
  • Audit logs can be exported in the same way as any other kinds of logs.
  • To keep audit logs for a longer period of time or to use more powerful search capabilities, export copies of audit logs to Cloud Storage, BigQuery, or Pub/Sub. 
  • Pub/Sub can be used to export to other applications and repositories.
  • To manage audit logs across an entire organization, create aggregated export sinks that can export logs from any or all projects in the organization.
  • If Data Access audit logs exceed their logs allotments, export them and then exclude them from Logging.
  • Cloud Logging does not charge for audit logs that cannot be disabled, including all Admin Activity audit logs. 
  • Cloud Logging charges for Data Access audit logs that are explicitly requested.
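
Because Data Access audit logs for Container Analysis are written only if explicitly enabled, it is worth checking which log types a project's IAM policy actually turns on and who is exempt. The following is an added example, not part of the original notes: it reads the auditConfigs section of a policy as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The sample policy and member name are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of an exported IAM policy; all values are
# made up for illustration.
SAMPLE_POLICY = json.loads("""
{"auditConfigs": [
  {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
  {"service": "containeranalysis.googleapis.com",
   "auditLogConfigs": [{"logType": "DATA_READ",
                        "exemptedMembers": ["user:ci-bot@example.com"]}]}
]}
""")

DATA_ACCESS_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
SERVICE = "containeranalysis.googleapis.com"


def data_access_coverage(policy, service=SERVICE):
    """Return {log_type: {"enabled": bool, "exempted": [members]}}.

    Entries for "allServices" and for the named service are combined: a log
    type is on if either entry enables it, and exemptions from both apply.
    """
    cov = {t: {"enabled": False, "exempted": set()} for t in DATA_ACCESS_TYPES}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_type = log_cfg.get("logType")
            if log_type in cov:
                cov[log_type]["enabled"] = True
                cov[log_type]["exempted"].update(
                    log_cfg.get("exemptedMembers", []))
    return {t: {"enabled": v["enabled"], "exempted": sorted(v["exempted"])}
            for t, v in cov.items()}


def gaps(policy, service=SERVICE):
    """List findings: log types that are off, and members exempt from logging."""
    findings = []
    for log_type, state in data_access_coverage(policy, service).items():
        if not state["enabled"]:
            findings.append(f"{log_type}: not enabled for {service}")
        for member in state["exempted"]:
            findings.append(f"{log_type}: {member} is exempt from logging")
    return findings


if __name__ == "__main__":
    print("\n".join(gaps(SAMPLE_POLICY)))
```

A policy with no auditConfigs at all reports every Data Access log type as not enabled, which matches the default described above.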