Viewing cloud audit logs
This page describes the audit logs created by ClearBlade IoT Core as part of Cloud Audit Logs.
Overview
Google Cloud services write audit logs to help you answer: who did what, where, and when? Your Cloud projects contain only the audit logs for resources directly within the project. Other entities, such as folders, organizations, and billing accounts, contain their own audit logs.
ClearBlade IoT Core writes, and provides by default, audit logs for admin activity, which include operations that modify the resource’s configuration or metadata. These include device settings, cloud-to-device configurations, and device registry settings.
ClearBlade IoT Core writes, but doesn't provide by default, audit logs for data access, which record API calls that read user-provided data.
Enabling audit logging
Admin Activity audit logs are enabled by default and can only be disabled through Cloud Logging exclusions.
Most Google Cloud Data Access audit logs are disabled by default. The exception is BigQuery Data Access audit logs, which are enabled by default and cannot be disabled; BigQuery Data Access logs do not count against your project's logging quota.
To enable your Data Access logs, see Configuring Data Access logs.
The Data Access logs you configure can affect your logs pricing in Google Cloud's operations suite. For more information, see this page’s Pricing section.
Audited operations
This table summarizes which API operations correspond to each audit log type in ClearBlade IoT Core:
Audit logs category | ClearBlade IoT Core operations |
---|---|
Admin Activity logs |
|
Data Access logs ( |
|
Data Access logs ( | None |
Data Access logs ( | None |
Data Access logs
Data Access audit logs have three categories: ADMIN_READ, DATA_READ, and DATA_WRITE. However, ClearBlade IoT Core only uses ADMIN_READ data access logs.
Data Access log type | Description | Availability |
---|---|---|
| Operations that read the resource’s configuration or metadata. | ClearBlade IoT Core doesn't provide |
You can configure audit information that isn't provided by default. For details, see Configuring Data Access logs.
Audit log format
Audit log entries, which can be viewed using the Logs Viewer, the API, or the SDK gcloud logging command, include these objects:
The log entry is an object of type LogEntry. Useful fields include:
- logName contains the project identification and audit log type
- resource contains the audited operation target
- timestamp contains the audited operation time
- protoPayload contains the audited information
The audit information is an AuditLog object in the protoPayload log entry field.
For other fields in these objects, samples of their contents, and sample queries on information in the objects, see Understanding audit logs.
Log names
Cloud audit log names indicate the project or entity that owns the audit logs and whether the log contains admin activity or data access information. For example, the following shows log names for a project's Admin Activity logs and an organization's Data Access logs.
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
The log name’s part following /logs/ must be URL-encoded. The forward-slash character, /, must be written as %2F.
Service names and resource types
ClearBlade IoT Core audit logs use the service name iot.clearblade.com.
ClearBlade IoT Core audit logs use the resource types cloudiot_device and cloudiot_device_registry for all audit logs.
Viewing logs
To view your project’s audit logs, go to the Admin Activity log summary or Logs Explorer.
Basic Viewer
Retrieve audit log entries
1. In the Logs Explorer basic interface’s first menu, select the resource type whose audit logs you wish to see. Select a specific resource or all of them.
2. In the second menu, select the log name you want to see: activity for Admin Activity audit logs and data_access for Data Access audit logs. If you don't see one or both options, then no audit logs of that type are available.
Advanced Viewer
1. Switch to the advanced filter interface in the Logs Explorer.
2. Create a filter that specifies your desired resource type(s) and log names.
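The following added example (not part of the original page or ClearBlade's own code) builds an advanced filter from the log names, service name, and resource types described above, then pulls who/what/where/when out of a LogEntry. The `authenticationInfo.principalEmail`, `methodName`, `resourceName`, and `serviceName` fields come from the standard AuditLog schema; the project ID, method name, resource path, and sample entry are constructed placeholders.

```python
from urllib.parse import quote, unquote

SERVICE = "iot.clearblade.com"  # service name given on this page
RESOURCE_TYPES = ("cloudiot_device", "cloudiot_device_registry")

def audit_log_name(parent: str, kind: str) -> str:
    """Build a log name; the part after /logs/ is URL-encoded ('/' -> %2F)."""
    if kind not in ("activity", "data_access"):
        raise ValueError(f"unknown audit log kind: {kind}")
    return f"{parent}/logs/" + quote(f"cloudaudit.googleapis.com/{kind}", safe="")

def build_filter(parent: str, kinds=("activity",)) -> str:
    """Advanced filter restricted to ClearBlade IoT Core audit logs."""
    names = " OR ".join(f'"{audit_log_name(parent, k)}"' for k in kinds)
    types = " OR ".join(f'"{t}"' for t in RESOURCE_TYPES)
    return (f"logName=({names}) AND resource.type=({types}) "
            f'AND protoPayload.serviceName="{SERVICE}"')

def summarize(entry: dict) -> dict:
    """Answer who / what / where / when from one LogEntry."""
    payload = entry.get("protoPayload", {})
    return {
        "kind": unquote(entry["logName"]).rsplit("/", 1)[-1],
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
        "what": payload.get("methodName", "unknown"),
        "where": payload.get("resourceName") or entry.get("resource", {}).get("type"),
        "when": entry.get("timestamp"),
    }

# Constructed sample entry (not real log data); methodName and resourceName
# are placeholders, since the page does not list the actual values.
SAMPLE = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "resource": {"type": "cloudiot_device"},
    "timestamp": "2024-01-01T00:00:00Z",
    "protoPayload": {
        "serviceName": "iot.clearblade.com",
        "methodName": "EXAMPLE_UPDATE_DEVICE_METHOD",
        "resourceName": "example-registry/devices/example-device",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
    },
}

if __name__ == "__main__":
    print(build_filter("projects/example-project", ("activity", "data_access")))
    print(summarize(SAMPLE))
```

The filter string can be pasted into the advanced filter interface; `summarize` works on entries exported as JSON.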
Exporting audit logs
You can export audit logs the same way as other kinds of logs. For details about how to export your logs, see Exporting logs. Here are some applications of exporting audit logs:
You can export your audit log copies to Cloud Storage, BigQuery, or Pub/Sub to keep them longer or use more powerful search capabilities. Using Pub/Sub, you can export to other applications, other repositories, and to third parties.
To manage your audit logs across an entire organization, you can create aggregated sinks that export logs from any or all projects.
If your enabled Data Access logs are pushing your projects over their logs allotments, you can export and exclude the Data Access logs from logging. For details, see Excluding logs.
Pricing
Cloud Logging charges you for Data Access logs that you explicitly request.
See Google Cloud's operations suite pricing for more log pricing information.
Exempt methods
These ClearBlade IoT Core API methods aren't logged in audit logs:
registries.testIamPermissions
registries.devices.configVersions.list
registries.devices.states.list