- Google Cloud services write audit logs to help answer the questions, "Who did what, where, and when?"
- Cloud projects contain only the audit logs for resources that are directly within the project.
- Other entities, such as folders, organizations, and billing accounts, each contain the audit logs for the entity itself.
- Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity audit logs, Data Access audit logs, and System Event audit logs.
- Container Analysis writes Admin Activity audit logs, which record operations that modify the configuration or metadata of a resource.
- Container Analysis writes Data Access audit logs only if they are explicitly enabled.
- Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
- Data Access audit logs do not record data-access operations on resources that are publicly shared (available to allUsers or allAuthenticatedUsers) or that can be accessed without logging in to Google Cloud.
- Container Analysis does not write System Event audit logs.
- Admin Activity audit logs are always enabled and can't be disabled.
- Data Access audit logs are disabled by default and are not written unless explicitly enabled (the exception is Data Access audit logs for BigQuery, which cannot be disabled).
- The Data Access audit logs you configure can affect logs pricing in Cloud Logging.
- Cloud Identity and Access Management (IAM) permissions and roles determine which audit logs can be viewed or exported.
- Logs reside in projects and in some other entities including organizations, folders, and billing accounts.
- If you are using audit logs from a non-project entity, such as an organization, replace the project-level roles with the corresponding organization-level roles.
- Audit logs can be exported in the same way as any other kind of log.
- To keep audit logs for a longer period of time or to use more powerful search capabilities, export copies of audit logs to Cloud Storage, BigQuery, or Pub/Sub.
- Pub/Sub can be used to export to other applications and repositories.
- To manage audit logs across an entire organization, create aggregated export sinks that can export logs from any or all projects in the organization.
- If Data Access audit logs exceed your logs allotment, export them and then exclude them from Logging.
- Cloud Logging does not charge for audit logs that cannot be disabled, including all Admin Activity audit logs.
- Cloud Logging charges for Data Access audit logs that you explicitly enable.
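As an added example (not code from the page or from Google), the following shows the two configuration steps the notes above describe: enabling Data Access audit logs for the Container Analysis service by adding an `auditConfigs` entry to a project's IAM policy, and building the Logging filter for an export sink that selects only Container Analysis audit log entries. It assumes the IAM policy JSON has the shape printed by `gcloud projects get-iam-policy --format=json`; the sample policy and its etag are constructed.

```python
import copy
import json

# Service name of the Container Analysis API as it appears in
# protoPayload.serviceName of audit log entries and in IAM auditConfigs.
CONTAINER_ANALYSIS = "containeranalysis.googleapis.com"
DATA_ACCESS_LOG_TYPES = ("DATA_READ", "DATA_WRITE")


def enable_data_access_logs(policy, service=CONTAINER_ANALYSIS):
    """Return a copy of an IAM policy with Data Access audit logs enabled
    for `service`. Existing auditConfigs entries (other services and
    'allServices') are preserved, and the function is idempotent.
    Keep the policy's etag when writing it back with set-iam-policy so a
    concurrent modification is rejected instead of silently overwritten."""
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    present = {c["logType"] for c in log_configs}
    for log_type in DATA_ACCESS_LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return new_policy


def data_access_enabled(policy, service=CONTAINER_ANALYSIS):
    """True when both DATA_READ and DATA_WRITE are enabled for `service`,
    either directly or through an 'allServices' entry."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return set(DATA_ACCESS_LOG_TYPES) <= enabled


def container_analysis_sink_filter(log_type="data_access"):
    """Sink filter selecting one audit log type (activity, data_access or
    system_event) written by Container Analysis; ':' is a substring match."""
    return (f'logName:"cloudaudit.googleapis.com%2F{log_type}" AND '
            f'protoPayload.serviceName="{CONTAINER_ANALYSIS}"')


if __name__ == "__main__":
    # Constructed sample policy: one binding, no audit config yet.
    sample = {"bindings": [{"role": "roles/viewer",
                            "members": ["user:alice@example.com"]}],
              "etag": "BwXxConstructedEtag="}
    print(json.dumps(enable_data_access_logs(sample), indent=2))
    print(container_analysis_sink_filter())
```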