Datadog Google Audit Log Dashboard

Overview

Monitoring GCP audit logs shows who accessed a resource, how they accessed it (which service and API method), and whether or not the access was permitted.

There are four types of audit logs.

  • System Event audit logs: Logged by default by GCP, System Event audit logs contain log entries for Google Cloud actions that modify the configuration of resources. System Event audit logs are generated by Google systems; they are not driven by direct user action.
  • Admin Activity audit logs: Logged by default by GCP, Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
  • Data Access audit logs: Disabled by default (except for BigQuery) and enabled separately per service, Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don’t record data-access operations on resources that are publicly shared.
  • Policy Denied audit logs: Generated by default, Policy Denied audit logs are recorded by Cloud Logging when a Google Cloud service denies access to a user or service account because of a security policy violation.
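The four types above are distinguished by the log ID in each entry's `logName` (`cloudaudit.googleapis.com/activity`, `data_access`, `system_event`, and `policy`). The following is an added example, not Datadog's or Google's code, that classifies audit entries by that log ID and pulls out the who/how/permitted fields from the `AuditLog` payload. The sample entries are constructed to mirror the `LogEntry` JSON a Pub/Sub sink delivers; the project ID, principals and resource names are made up.

```python
"""Classify GCP Cloud Audit Log entries and extract who/how/permitted.

Added example (not Datadog's or Google's code). Sample entries are
constructed; "example-project", the principals and resources are made up.
"""
import json
from collections import Counter
from urllib.parse import unquote

# Log IDs Cloud Logging uses for the four audit log types. In logName the
# slash is URL-encoded, e.g. .../logs/cloudaudit.googleapis.com%2Factivity
AUDIT_LOG_TYPES = {
    "cloudaudit.googleapis.com/activity": "admin_activity",
    "cloudaudit.googleapis.com/data_access": "data_access",
    "cloudaudit.googleapis.com/system_event": "system_event",
    "cloudaudit.googleapis.com/policy": "policy_denied",
}


def make_entry(log_id, service, method, principal, resource,
               granted=None, status_code=None):
    """Build a minimal LogEntry with an AuditLog protoPayload (sample data)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
    }
    if granted is not None:
        payload["authorizationInfo"] = [{"resource": resource, "granted": granted}]
    if status_code is not None:
        payload["status"] = {"code": status_code}
    return {
        "logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log_id}",
        "protoPayload": payload,
    }


# Constructed NDJSON stream: one entry per audit log type plus one non-audit line.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    make_entry("activity", "compute.googleapis.com", "v1.compute.instances.insert",
               "alice@example.com",
               "projects/example-project/zones/us-central1-a/instances/vm-1", True),
    make_entry("data_access", "storage.googleapis.com", "storage.objects.get",
               "etl-job@example-project.iam.gserviceaccount.com",
               "projects/_/buckets/payroll-exports/objects/q3.csv", True),
    make_entry("system_event", "compute.googleapis.com",
               "compute.instances.migrateOnHostMaintenance", "system@google.com",
               "projects/example-project/zones/us-central1-a/instances/vm-1"),
    make_entry("policy", "storage.googleapis.com", "storage.objects.list",
               "bob@example.com", "projects/_/buckets/payroll-exports",
               False, status_code=7),  # 7 = PERMISSION_DENIED
    {"logName": "projects/example-project/logs/syslog", "textPayload": "eth0 link up"},
])


def parse_ndjson(text):
    """Parse newline-delimited JSON into LogEntry dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_log_type(entry):
    """Return the audit log type for a LogEntry, or None if it is not an audit log."""
    _, sep, log_id = entry.get("logName", "").partition("/logs/")
    if not sep:
        return None
    return AUDIT_LOG_TYPES.get(unquote(log_id))


def summarize(entry):
    """Extract who (principal), how (service:method), what (resource) and
    whether access was permitted. Returns None for non-audit entries."""
    kind = audit_log_type(entry)
    if kind is None:
        return None
    payload = entry.get("protoPayload", {})
    authz = payload.get("authorizationInfo", [])
    # granted is None when no permission check was recorded (system events).
    granted = all(a.get("granted", False) for a in authz) if authz else None
    if kind == "policy_denied":
        granted = False  # a Policy Denied entry is a denied access by definition
    return {
        "type": kind,
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": f'{payload.get("serviceName")}:{payload.get("methodName")}',
        "resource": payload.get("resourceName"),
        "granted": granted,
    }


def triage(entries):
    """Return (count per audit log type, list of denied-access summaries)."""
    summaries = [s for s in map(summarize, entries) if s is not None]
    counts = Counter(s["type"] for s in summaries)
    denied = [s for s in summaries if s["granted"] is False]
    return counts, denied


if __name__ == "__main__":
    counts, denied = triage(parse_ndjson(SAMPLE_NDJSON))
    print(dict(counts))
    for d in denied:
        print(f'DENIED {d["principal"]} {d["method"]} on {d["resource"]}')
```

The non-audit `syslog` line is ignored rather than miscounted, and a System Event entry reports `granted` as `None` because Google-initiated actions carry no permission check; treating it as a denial would create false alerts.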

You can forward these logs through a Pub/Sub topic using the Log collection instructions on the Google Cloud Platform integration page.

For more information, see Understanding audit logs or Best practices for monitoring GCP audit logs.

Need help? Contact Datadog support.