
Audit logging in GCP - Step-by-Step Execution

Process Flow - Audit logging
1. User or Service Action
2. Request sent to GCP API
3. Audit Log Generated
4. Log Entry Stored in Cloud Logging
5. Admin or System Reviews Logs
6. Alerts or Reports Created if Needed
This flow shows how user or service actions in GCP generate audit logs that are stored and reviewed for security and compliance.
Execution Sample
gcloud logging read "resource.type=gce_instance AND protoPayload.methodName=\"google.compute.instances.insert\"" --limit 3
This command reads the last 3 audit log entries for VM instance creation in a GCP project.
Process Table
| Step | Action | Command/Operation | Result/Output |
|---|---|---|---|
| 1 | User creates VM instance | gcloud compute instances create my-vm | Request sent to GCP API |
| 2 | GCP generates audit log | Internal system | Audit log entry created with methodName google.compute.instances.insert |
| 3 | Store log entry | Cloud Logging service | Log entry saved in project logs |
| 4 | Read audit logs | gcloud logging read "resource.type=gce_instance AND protoPayload.methodName=\"google.compute.instances.insert\"" --limit 3 | Displays last 3 VM creation audit log entries |
| 5 | Review logs | Admin views logs in Cloud Console or CLI | Logs show who created VM, when, and request details |
| 6 | Exit | No more logs to read | Command ends |
💡 Exit condition: there are no more matching audit log entries to display, so the command completes.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|---|
| Audit Log Entry | None | None | Created with VM creation details | Stored in Cloud Logging | Retrieved by gcloud logging read | Displayed to user |
Key Moments - 3 Insights
Why don't I see audit logs immediately after creating a resource?
Audit logs may take a few seconds to appear after the action (see Steps 2 and 3 in the Process Table). The system needs time to generate and store the log entry.
How do I filter audit logs for specific actions?
Use filters like protoPayload.methodName in the gcloud logging read command (Step 4). This targets logs for specific API calls.
Can audit logs show who performed an action?
Yes, audit logs include the identity of the user or service account that made the request (Step 5). This helps track accountability.
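An added example, not part of the original page: it reduces entries in the shape printed by gcloud logging read --format=json to one who/when/what row per request and flags principals outside an expected set. The sample entries, the entry and summarize helpers, the project, VM and account names, and the assumption that the start and end entries of a long-running call share one operation.id are all constructed for illustration; the method name is the one used in this page's filter.

```python
METHOD = "google.compute.instances.insert"  # filter value used on this page

def entry(ts, who, vm, op_id, first=False, last=False):
    """Build one constructed LogEntry-shaped dict (sample data, not a real log)."""
    return {
        "insertId": f"{op_id}-{ts}",
        "timestamp": ts,
        "operation": {"id": op_id, "first": first, "last": last},
        "protoPayload": {
            "methodName": METHOD,
            "resourceName": f"projects/example-project/zones/us-central1-a/instances/{vm}",
            "authenticationInfo": {"principalEmail": who},
            "requestMetadata": {"callerIp": "192.0.2.10"},
        },
    }

# Newest first, which is the default order of `gcloud logging read`.
SAMPLE = [
    entry("2024-05-01T10:00:20Z", "alice@example.com", "my-vm", "op-1", last=True),
    entry("2024-05-01T10:00:05Z", "alice@example.com", "my-vm", "op-1", first=True),
    entry("2024-05-01T09:00:00Z", "ci-bot@example-project.iam.gserviceaccount.com",
          "build-vm", "op-2", first=True),
]

def summarize(entries, expected=frozenset()):
    """Return one who/when/what row per operation from LogEntry dicts."""
    rows = {}
    for e in entries:
        payload = e.get("protoPayload", {})
        if payload.get("methodName") != METHOD:
            continue
        op = e.get("operation", {})
        # Start and end entries of one call share operation.id (assumption);
        # entries without an operation are keyed by their own insertId.
        key = op.get("id") or e.get("insertId") or id(e)
        row = rows.setdefault(key, {
            "who": None, "when": e.get("timestamp"), "caller_ip": None,
            "resource": payload.get("resourceName"), "completed": False})
        who = payload.get("authenticationInfo", {}).get("principalEmail")
        row["who"] = row["who"] or who
        ip = payload.get("requestMetadata", {}).get("callerIp")
        row["caller_ip"] = row["caller_ip"] or ip
        if op.get("first"):
            row["when"] = e.get("timestamp")  # time the request was made
        if op.get("last") or not op:
            row["completed"] = True
    for row in rows.values():
        row["unexpected"] = row["who"] not in expected
    return list(rows.values())
```

To run it on real data, save the output of the Step 4 command with --format=json added, load it with json.load, and pass the list to summarize. Note that gcloud logging read only looks back one day unless --freshness is set, so an empty result does not by itself mean the action never happened.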
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table. At which step is the audit log entry created?
A. Step 2
B. Step 4
C. Step 1
D. Step 5
💡 Hint
Check the 'Result/Output' column in Step 2 for when the audit log is generated.
According to the Status Tracker, what is the state of the Audit Log Entry after Step 3?
A. None
B. Stored in Cloud Logging
C. Created with VM creation details
D. Retrieved by gcloud logging read
💡 Hint
Look at the 'After Step 3' column for the Audit Log Entry variable.
If you want to see audit logs for deleting a VM instead of creating one, which part of the command changes?
A. Change --limit 3 to --limit 5
B. Change resource.type=project to resource.type=vm_instance
C. Change protoPayload.methodName to google.compute.instances.delete
D. Change gcloud logging read to gcloud compute instances delete
💡 Hint
Refer to Step 4 command filter for protoPayload.methodName usage.
Concept Snapshot
Audit logging in GCP records user and service actions.
Logs are generated after API calls and stored in Cloud Logging.
Use gcloud logging read with filters to view audit logs.
Audit logs include who did what and when.
Logs help with security, compliance, and troubleshooting.
Full Transcript
Audit logging in Google Cloud Platform tracks actions by users and services. When you perform an action like creating a VM, GCP generates an audit log entry recording details of that action. This log is stored in Cloud Logging. You can use the gcloud logging read command with filters to find specific audit logs, such as those for VM creation. Audit logs show who performed the action, when it happened, and other request details. This helps administrators monitor activity and maintain security. Logs may take a few seconds to appear after the action. Filtering logs by methodName helps focus on particular operations.