Contains log entries for API calls or other administrative actions that modify the configuration or metadata of resources
We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
Admin Activity audit logs are always written and we can’t configure or disable them
Data Access audit logs:
Contains log entries for API calls that read the configuration or metadata of resources, including user-driven API calls that create, modify, or read user-provided resource data
We must have the IAM roles Logging/Private Logs Viewer or Project/Owner to view these logs
We must explicitly enable Data Access audit logs to be written. They are disabled by default because they are large
System Event audit logs:
Contains log entries for administrative actions taken by Google Cloud that modify the configuration of resources
We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
System Event audit logs are always written so we can’t configure or disable them
There is no additional charge for our System Event audit logs
Policy Denied audit logs:
Contains log entries written when a Google Cloud service denies access to a user or service account because of a security policy violation.
We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs.
Policy Denied audit logs are generated by default. Our Cloud project is charged for the log storage.
Exporting Audit Logs
Log entries received by Logging can be exported to Cloud Storage buckets, BigQuery datasets, and Pub/Sub topics
To export audit log entries outside of Logging:
Create a logs sink
Give the sink a query that specifies the audit log types we want to export
If we want to export audit log entries for a Google Cloud organization, folder, or billing account, we should review Aggregated sinks
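The two export steps above, as an added shell example (not taken from Google's documentation or from the original notes): it builds the sink query for the audit log types we choose and passes it to gcloud logging sinks create. The project ID, sink name and bucket name are placeholders, and the short type names (admin_activity, data_access, system_event, policy_denied) are labels invented for this example.

```shell
#!/bin/sh
# Added example: build a sink query for selected audit log types.
# Project, sink and bucket names used below are placeholders (assumptions).

# Map a short type name (label invented for this example) to the
# URL-encoded audit log ID that appears in an entry's logName.
audit_log_id() {
  case "$1" in
    admin_activity) echo "cloudaudit.googleapis.com%2Factivity" ;;
    data_access)    echo "cloudaudit.googleapis.com%2Fdata_access" ;;
    system_event)   echo "cloudaudit.googleapis.com%2Fsystem_event" ;;
    policy_denied)  echo "cloudaudit.googleapis.com%2Fpolicy" ;;
    *) echo "unknown audit log type: $1" >&2; return 1 ;;
  esac
}

# build_audit_filter PROJECT_ID TYPE [TYPE...]
# Prints a query of the form: logName=("projects/P/logs/A" OR "projects/P/logs/B")
build_audit_filter() {
  project="$1"
  [ -n "$project" ] && [ "$#" -gt 1 ] || {
    echo "usage: build_audit_filter PROJECT_ID TYPE..." >&2; return 1; }
  shift
  filter=""
  for t in "$@"; do
    id=$(audit_log_id "$t") || return 1      # reject unknown types early
    entry="\"projects/${project}/logs/${id}\""
    if [ -z "$filter" ]; then filter="$entry"; else filter="${filter} OR ${entry}"; fi
  done
  printf 'logName=(%s)\n' "$filter"
}

# create_audit_sink SINK_NAME DESTINATION PROJECT_ID TYPE [TYPE...]
# Calls gcloud, so it needs an authenticated gcloud CLI allowed to create sinks.
create_audit_sink() {
  sink="$1"; dest="$2"; project="$3"; shift 3
  query=$(build_audit_filter "$project" "$@") || return 1
  gcloud logging sinks create "$sink" "$dest" \
    --project="$project" --log-filter="$query"
}

# Example call (commented out so the file can be sourced offline):
# create_audit_sink audit-to-gcs storage.googleapis.com/example-audit-bucket \
#   example-project admin_activity policy_denied
```

After the sink is created, its writer identity still has to be granted write access on the destination bucket, dataset or topic before entries arrive there.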
Pricing
All features of Cloud Logging are free to use; charges apply only to ingested log volume over the free allotment