0

In Google Cloud Platform, is all audit logging enabled by default? I'm interested in Admin Activity logs (https://cloud.google.com/logging/docs/audit/#admin-activity), which "record when VM instances and App Engine applications are created" among other things.

However, I've tried creating a VM instance on my project's Compute Engine and checking the Stackdriver logs ("Audited Resource" category) - but nothing shows up. I don't think it's a permissions issue, as I have the permissions mentioned in the documentation above and can see various older logs in the Audited Resource category. What gives?

T. Seeker

1 Answer

0

Not all audit logging is enabled by default. As per the Data Access logs documentation:

> Data Access audit logs are disabled by default because they can be quite large. Enabling the logs might result in your project being charged for the additional logs usage.

To view the logs, you must have the IAM roles Logging/Logs Viewer for Admin Activity logs and Logging/Private Logs Viewer for Data Access logs.

You can check for abbreviated audit log entries in your project's Activity page in the GCP Console as follows: Home > Activity. If you find the logs there and not in Stackdriver Logging, that could mean that you are looking at older logs and need to click on the option to load newer logs.

Or simply use the filter option by doing the following:

  1. Go to the Stackdriver > Logging page in the GCP Console.
  2. On the top right side of the "Filter by label or text search" search bar, click on the dropdown arrow and select "Convert to advanced filter".
  3. Use the following filters:

    resource.type="gce_instance"
    jsonPayload.event_subtype="compute.instances.insert"
    
  4. Click on "Submit Filter". You should be able to see logs related to VM instance creation.

Sunny J
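An added example, not part of the answer above or of Google's documentation: one way to see which Data Access audit log types a project has actually switched on is to read the `auditConfigs` section of its IAM policy, as returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`. The policy below is a constructed sample, and the function names are hypothetical; the script reports only what the policy configures.

```python
import json

# Data Access log types that can be enabled per service in the IAM policy.
# Admin Activity logs are not listed here because they are always written.
DATA_ACCESS_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID --format=json`
SAMPLE_POLICY = json.loads("""
{"auditConfigs": [
  {"service": "allServices",
   "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
  {"service": "storage.googleapis.com",
   "auditLogConfigs": [
     {"logType": "DATA_READ", "exemptedMembers": ["user:batch@example.com"]},
     {"logType": "DATA_WRITE"}]}
]}
""")


def data_access_status(policy, service):
    """Return {log_type: {"enabled": bool, "exempted": [members]}} for a service.

    The "allServices" entry and the service's own entry are combined (union of
    enabled log types and of exempted members).
    """
    status = {t: {"enabled": False, "exempted": []} for t in DATA_ACCESS_TYPES}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for entry in cfg.get("auditLogConfigs", []):
            log_type = entry.get("logType")
            if log_type in status:
                status[log_type]["enabled"] = True
                ex = status[log_type]["exempted"]
                ex.extend(m for m in entry.get("exemptedMembers", []) if m not in ex)
    return status


def report(policy, services):
    """Build one summary line per service for a periodic configuration review."""
    lines = []
    for svc in services:
        st = data_access_status(policy, svc)
        on = [t for t in DATA_ACCESS_TYPES if st[t]["enabled"]]
        lines.append(f"{svc}: " + (", ".join(on) if on else "no Data Access logs"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_POLICY, ["compute.googleapis.com", "storage.googleapis.com"])))
```

Members listed under `exemptedMembers` generate no entries for that log type, so they are worth reviewing alongside the enabled types.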