1

I understand that audit logs include by default Admin activities like 'delete', but I can't find any logs in the GCP logs registry related to created or deleted collections in my Firestore project.

I used the following query:

resource.type=("datastore_database" OR "datastore_index")
logName=(
    "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy"
)

Edited to fix projects path (thanks to Javier M)

Troglo
  • Looks like there are no audit logs for console actions, even for deleting a collection https://groups.google.com/g/firebase-talk/c/AiHxmsaTnkg/m/TIy67pbgAQAJ – Troglo Oct 21 '21 at 19:21
  • Looks like only a very restricted set of Firebase storage operations are audited: https://firebase.google.com/support/guides/cloud-audit-logging/firebase-storage?hl=en But it looks like a bigger set of Firestore operations are audited, including DeleteOperation, but I can't find any of them in the logs: https://cloud.google.com/firestore/docs/audit-logging?hl=en – Troglo Oct 22 '21 at 08:21

2 Answers

1

Data access logs for Firestore are disabled by default. You need to explicitly enable them to receive logs.

On the other hand, you're querying logs wrongly as you're missing projects/ before PROJECT_ID, as explained here. Therefore, you should use:

logName=(
    "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"
    OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy")

You could also query logs by methodName. For instance, every time you create a new Collection or Field in Firestore, the Write method will be used and logged. Thus, you could perform queries such as:

protoPayload.methodName="google.firestore.v1.Firestore.Write"

Edit: Information about Delete operation logs as requested by @Troglo

You can see logs for every deletion done on Fields, Documents and Collections under the Write method, as it holds information on every write operation, such as delete. However, querying by methodName="google.firestore.v1.Firestore.Write" will output all write operations done so far.

Alternatively, you could use the request object to build a query, as it holds information about Write fields such as update or delete. Therefore:

Deletion logs for any collection under your project

protoPayload.request.writes.delete:"projects/[PROJECT-ID]/databases/(default)/documents/"

Deletion logs for a specific collection

protoPayload.request.writes.delete:"projects/[PROJECT-ID]/databases/(default)/documents/[COLLECTION-ID]"

Notice the use of : ("has", matches any substring) instead of = (equal) to build queries. The first one has a lower performance compared to the latter.

Important:

Please bear in mind that, as of today (26 October, 2021), these Data Access audit logs are in preview. Please check the conditions and stage description for more information.

Javier M
  • Thanks Javier. But in that document 'DeleteOperation' is listed as an ADMIN_WRITE action, which are enabled by default. Thanks for the query by methodName, looks useful. And for the projects/ path, I'm using it but deleted it by mistake when replacing the PROJECT_ID; I'll try to fix it in the question – Troglo Oct 22 '21 at 15:45
  • Hello @Troglo! I've added more information in the same answer (to keep track of any possible useful information for anyone reading this entry). Please, let me know if it clarifies your question. – Javier M Oct 25 '21 at 11:16
  • Your answer is very complete and useful for Data Access audit logs that are disabled by default. But my doubt is about DELETING a COLLECTION: In Firestore's official docs (cloud.google.com/firestore/docs/audit-logging?hl=en ) it looks like some ADMIN operations are audited, including DeleteOperation, but I can't find any of them in my logs. Is it required to enable DataAccess to log a DELETE COLLECTION operation? – Troglo Oct 26 '21 at 18:25
  • I've posted another answer trying to clarify your questions. Please take a look and let me know if everything is clear. – Javier M Oct 28 '21 at 08:38
  • Thanks Javier for both of your answers. The other answer specifically addresses my main issue, but this one has a lot of useful information for anyone working with Firestore's logs. – Troglo Oct 28 '21 at 13:32
1

DeleteOperation Audit log

This method, seen under ADMIN WRITE audit logs, is related to long-running operations, which are API calls that take a long time to complete. Thus, the method will erase the long-running operation (meaning that the client is no longer interested in its result). It has nothing to do with deleting entries in a Cloud Firestore instance.

Delete Collection

You cannot see logs for Delete Collection simply because you can't delete a collection. Instead, you need to delete all the documents and sub documents you have under the Collection.

Therefore, what you'll see in the logs referred to as delete will be for deleting a document and deleting a field. Once all documents are deleted, you can assume a Collection is deleted as well.

You can see a Collection as a namespace or as a container (which is how the documentation refers to it) for documents.

Javier M
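The two answers above explain that document deletions surface as delete entries in protoPayload.request.writes under the Write method, and that a collection is never deleted as such, only its documents. The following is an added example, not code from the question, the answers or Google: it runs that filtering logic over constructed LogEntry-shaped records, listing delete writes with the acting principal and counting them per top-level collection. It assumes the standard AuditLog fields authenticationInfo.principalEmail and timestamp, and it also accepts google.firestore.v1.Firestore.Commit, which the answers do not mention but which carries the same writes array.

```python
WRITE = "google.firestore.v1.Firestore.Write"    # method named in the answer above
COMMIT = "google.firestore.v1.Firestore.Commit"  # assumption: also carries writes[]
DOCS = "projects/my-proj/databases/(default)/documents/"  # constructed project id

def entry(ts, method, who, writes=()):
    """Minimal LogEntry-shaped dict (constructed sample, not a real log line)."""
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": who},
            "request": {"writes": list(writes)}}}

SAMPLE_ENTRIES = [
    entry("2021-10-26T10:00:00Z", WRITE, "alice@example.com",
          [{"delete": DOCS + "orders/o1"}]),
    entry("2021-10-26T10:01:00Z", WRITE, "alice@example.com",
          [{"update": {"name": DOCS + "orders/o3"}}]),  # a write, but not a delete
    entry("2021-10-26T10:02:00Z", COMMIT, "svc@my-proj.iam.gserviceaccount.com",
          [{"delete": DOCS + "users/u7"}, {"delete": DOCS + "orders/o2/items/i1"}]),
    entry("2021-10-26T10:03:00Z", "google.firestore.v1.Firestore.Listen", "bob@example.com"),
]

def collection_of(doc_name):
    """Top-level collection id of a full Firestore document name, or None."""
    marker = "/documents/"
    idx = doc_name.find(marker)
    if idx < 0:
        return None
    # orders/o2/items/i1 is attributed to "orders": same scope as the : filter above
    return doc_name[idx + len(marker):].split("/")[0]

def deletions(entries, collection=None):
    """(timestamp, principal, document) per delete write, optionally for one collection."""
    found = []
    for e in entries:
        payload = e.get("protoPayload", {})
        if payload.get("methodName") not in (WRITE, COMMIT):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        for write in payload.get("request", {}).get("writes", []):
            doc = write.get("delete")  # absent for update/transform writes
            if doc and (collection is None or collection_of(doc) == collection):
                found.append((e["timestamp"], principal, doc))
    return found

def deletes_per_collection(entries):
    """Delete writes per collection; logs alone cannot prove a collection is now empty."""
    counts = {}
    for _, _, doc in deletions(entries):
        c = collection_of(doc)
        counts[c] = counts.get(c, 0) + 1
    return counts
```

Because a collection disappears only when its last document is gone, a per-collection delete count from the logs has to be compared against the live document count before concluding that the collection itself was removed.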