
Audit logging in GCP - Commands & Configuration

Introduction
Audit logging helps you keep track of who did what in your cloud projects. It records actions on your resources so you can check for mistakes or security issues.
When you want to see who changed a virtual machine or storage bucket in your project.
When you need to investigate why a service stopped working by checking recent actions.
When you want to keep a record of all access to sensitive data for compliance.
When you want to monitor if someone deleted or created resources without permission.
When you want to set alerts based on specific actions recorded in logs.
Commands
This command creates a sink named 'my-audit-sink' that exports audit logs to a Cloud Storage bucket named 'my-audit-logs-bucket'. The filter keeps only project-level entries whose method name contains 'Create', so only creation actions are exported.
Terminal
gcloud logging sinks create my-audit-sink storage.googleapis.com/my-audit-logs-bucket --log-filter="resource.type=project AND protoPayload.methodName:Create"
Expected Output
Created sink [my-audit-sink].
--log-filter - Filters logs to export only specific audit events.
This command lists all logging sinks in your project so you can verify the sink was created.
Terminal
gcloud logging sinks list
Expected Output
NAME           DESTINATION                                   FILTER
my-audit-sink  storage.googleapis.com/my-audit-logs-bucket   resource.type=project AND protoPayload.methodName:Create
This command lists the files in the Cloud Storage bucket where audit logs are exported, confirming logs are being saved.
Terminal
gsutil ls gs://my-audit-logs-bucket
Expected Output
gs://my-audit-logs-bucket/2024/06/01/00000000000000000000.json
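As an added example that is not part of the original page, the Python script below reads a file in the shape the export writes to the bucket (newline-delimited JSON, one LogEntry per line) and reduces every entry to who, what, on which resource and when, the questions the introduction says audit logs exist to answer. It also pulls out delete actions, which covers the "did someone remove a resource" case. The three entries, their principals, the project name and the timestamps are constructed samples; the field layout follows the Cloud Audit Logs `protoPayload` structure, but none of these events is real.

```python
import json
from collections import Counter

# Constructed sample of one exported file: newline-delimited JSON, one LogEntry
# per line. Principals, project name and timestamps are made up for this example.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": "example-project"}},
        "timestamp": "2024-06-01T09:15:02Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance", "labels": {"instance_id": "1234567890"}},
        "timestamp": "2024-06-01T09:20:41Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "compute.googleapis.com",
            "methodName": "v1.compute.instances.delete",
            "resourceName": "projects/example-project/zones/us-central1-a/instances/web-1",
            "authenticationInfo": {"principalEmail": "deploy-bot@example-project.iam.gserviceaccount.com"},
        },
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "reports-2024"}},
        "timestamp": "2024-06-01T10:02:13Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.buckets.create",
            "resourceName": "projects/_/buckets/reports-2024",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    },
])


def parse_export(text):
    """Parse one exported file into LogEntry dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(entry):
    """Reduce a LogEntry to the four audit questions: who, what, where, when."""
    payload = entry.get("protoPayload", {})
    return {
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "what": payload.get("methodName", "<unknown>"),
        "resource": payload.get("resourceName", "<unknown>"),
        "when": entry.get("timestamp", "<unknown>"),
    }


def destructive_actions(entries):
    """Entries whose method name is a delete, i.e. something was removed."""
    return [summarize(e) for e in entries
            if "delete" in e.get("protoPayload", {}).get("methodName", "").lower()]


def actions_by_principal(entries):
    """How many recorded actions each principal performed in this file."""
    return Counter(summarize(e)["who"] for e in entries)


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for s in map(summarize, entries):
        print(f"{s['when']}  {s['who']}  {s['what']}  {s['resource']}")
    for s in destructive_actions(entries):
        print("DELETE by", s["who"], "on", s["resource"], "at", s["when"])
    print(actions_by_principal(entries))
```

To run this against a real export, fetch one of the objects listed by `gsutil ls gs://my-audit-logs-bucket` with `gsutil cat` and pass its contents to `parse_export`. If the bucket listing stays empty after a sink exists, the usual cause is the third common mistake below: the sink's writer identity (shown by `gcloud logging sinks describe my-audit-sink`) has not been granted permission to create objects in the bucket.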
Key Concept

If you remember nothing else from audit logging, remember: audit logs record who did what and when, helping you track changes and security events.

Common Mistakes
Not enabling audit logs in the Google Cloud project before creating sinks.
Without enabling audit logs, no logs are generated or exported, so sinks have no data.
Enable audit logging in the project settings or ensure default audit logs are active before creating sinks.
Using incorrect log filters that exclude important audit events.
Filters that are too narrow, or that use wrong syntax, cause logs to be missing from the export.
Test filters carefully and use simple filters first, then refine as needed.
Not granting the sink service account permission to write to the Cloud Storage bucket.
Without write permission, logs cannot be saved to the bucket, causing export failures.
Grant the sink's service account the 'Storage Object Creator' role on the bucket.
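The second mistake, a filter that silently drops the events you care about, is easiest to see by running the filter over sample entries before relying on it. The following is an added example, not code from the original page: a tiny evaluator for the subset of the Logging query language that the page's filter uses (comparisons joined by AND, with `=` for exact match and `:` for the "has" operator). Modelling `:` as a case-insensitive substring match is a simplification of the real operator. The sample entries are constructed and contain only the fields the filters look at. Run against the page's filter, it shows that a VM creation is dropped twice over: its resource type is `gce_instance`, not `project`, and its method name uses `insert`, not `Create`.

```python
import re

# One comparison: dotted field name, operator (= or :), value with optional quotes.
COMPARISON = re.compile(r'^([\w.]+)\s*(=|:)\s*"?([^"]*?)"?$')


def get_field(entry, dotted):
    """Walk a dotted path such as protoPayload.methodName through nested dicts."""
    cur = entry
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(entry, query):
    """True if every AND-joined comparison in `query` holds for `entry`.

    Supported subset (simplification of the Logging query language):
      field=value  exact string match
      field:value  case-insensitive substring match (the "has" operator)
    """
    for clause in re.split(r"\s+AND\s+", query.strip()):
        m = COMPARISON.match(clause)
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        field, op, want = m.groups()
        got = get_field(entry, field)
        if got is None:
            return False
        if op == "=" and str(got) != want:
            return False
        if op == ":" and want.lower() not in str(got).lower():
            return False
    return True


def coverage(query, entries):
    """Split sample entries into those a filter keeps and those it drops."""
    kept = [e["name"] for e in entries if matches(e, query)]
    dropped = [e["name"] for e in entries if not matches(e, query)]
    return kept, dropped


# Constructed samples: a label plus only the fields the filters inspect.
SAMPLES = [
    {"name": "project create", "resource": {"type": "project"},
     "protoPayload": {"methodName": "CreateProject"}},
    {"name": "vm create", "resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "v1.compute.instances.insert"}},
    {"name": "bucket delete", "resource": {"type": "gcs_bucket"},
     "protoPayload": {"methodName": "storage.buckets.delete"}},
]

# The filter from the page, and a second one that targets deletes instead.
PAGE_FILTER = "resource.type=project AND protoPayload.methodName:Create"
DELETE_FILTER = "protoPayload.methodName:delete"

if __name__ == "__main__":
    for label, q in (("page filter", PAGE_FILTER), ("delete filter", DELETE_FILTER)):
        kept, dropped = coverage(q, SAMPLES)
        print(f"{label}: keeps {kept}, drops {dropped}")
```

The habit this encodes is the one the page recommends: start from a simple filter, check what it keeps against entries you know exist, then narrow it. For a real project, test the same filter strings in the Logs Explorer before putting them on a sink, since a sink only ever exports what the filter matches.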
Summary
Create a logging sink to export audit logs to a storage bucket with a filter for specific actions.
List sinks to verify the sink creation and configuration.
Check the storage bucket to confirm audit logs are being exported and saved.