askvity

How do I enable cloud audit logs?

Published in Cloud Logging

To enable Cloud Audit Logs, choose the LOG TYPES tab and select the Admin Read, Data Read, and Data Write checkboxes for the Google Cloud Platform (GCP) services you want to monitor.

Here's a more detailed breakdown:

Cloud Audit Logs help you maintain security, compliance, and governance by recording administrative operations and data access within your Google Cloud project. They exist for several Google Cloud services. To enable them, you generally need to configure the appropriate settings within the Google Cloud Console.

Here's a step-by-step guide:

  1. Access the Cloud Logging Console: Go to the Cloud Logging page in the Google Cloud Console. Ensure you are logged in with an account that has the necessary permissions (e.g., Project Owner or Logs Configuration Writer).

  2. Navigate to Audit Logs: In the left-hand navigation menu, you may find a specific section related to "Audit Logs" or "Logs Configuration." The specific location can vary slightly depending on console updates.

  3. Select the LOG TYPES tab: Look for a tab specifically labeled "LOG TYPES."

  4. Choose the Log Types: This is where you enable the specific types of audit logs you require:

    • Admin Read: Records administrative operations that read configuration or metadata. Recommended.
    • Data Read: Records user access that reads data. These logs can be high-volume, so enable them only where your logging requirements call for it.
    • Data Write: Records user access that writes data. These logs can be high-volume, so enable them only where your logging requirements call for it.

    Check the corresponding checkboxes for each of these log types for all the supported Google Cloud Platform (GCP) services you want to audit.
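The same three checkboxes can be set in the auditConfigs section of the project's IAM policy, which `gcloud projects get-iam-policy` exports and `gcloud projects set-iam-policy` writes back. The sketch below is an added example, not part of the original article: it merges the log types into a policy and reports what is still disabled, using a constructed sample policy with placeholder member and project names.

```python
import copy

# Log types accepted in an IAM policy's auditConfigs section.
LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample policy: one service with only DATA_READ enabled.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["user:auditor@example.com"]}],
    "auditConfigs": [{
        "service": "storage.googleapis.com",
        "auditLogConfigs": [{
            "logType": "DATA_READ",
            "exemptedMembers": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"],
        }],
    }],
    "etag": "CONSTRUCTED_ETAG",
}

def enable_audit_logs(policy, service, log_types=LOG_TYPES):
    """Return a copy of policy with log_types enabled for service."""
    unknown = sorted(set(log_types) - set(LOG_TYPES))
    if unknown:
        raise ValueError(f"unsupported log types: {unknown}")
    updated = copy.deepcopy(policy)  # never mutate the exported policy
    configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    # Existing entries, including their exemptedMembers, are kept as-is.
    present = {c["logType"] for c in entry.setdefault("auditLogConfigs", [])}
    entry["auditLogConfigs"] += [{"logType": t} for t in log_types if t not in present]
    return updated

def missing_log_types(policy, service):
    """List log types not enabled for service (exemptions are not evaluated)."""
    enabled = set()
    for config in policy.get("auditConfigs", []):
        # A service's effective settings are its own entry plus "allServices".
        if config.get("service") in (service, "allServices"):
            enabled.update(c["logType"] for c in config.get("auditLogConfigs", []))
    return [t for t in LOG_TYPES if t not in enabled]

if __name__ == "__main__":
    fixed = enable_audit_logs(SAMPLE_POLICY, "storage.googleapis.com")
    print(missing_log_types(SAMPLE_POLICY, "storage.googleapis.com"), "->",
          missing_log_types(fixed, "storage.googleapis.com"))
```

Keep the etag from the exported policy when writing the result back, so a concurrent policy change is rejected rather than overwritten.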

Important Considerations:

  • Cost: Data Read and Data Write logs can generate a significant volume of logs, which can increase your Cloud Logging costs. Carefully evaluate which services and log types are essential for your auditing and compliance needs.
  • Permissions: Ensure your account has the necessary IAM permissions to modify logging configurations.
  • Service-Specific Logs: Some Google Cloud services may have service-specific audit logging options. Refer to the documentation for those specific services for more detailed instructions.
  • Log Storage: Cloud Audit Logs are typically stored in Cloud Logging. You can configure retention policies and export logs to other destinations like Cloud Storage or BigQuery for long-term archival and analysis.

By following these steps, you can effectively enable Cloud Audit Logs and gain valuable insights into the activities within your Google Cloud environment.
