Viewing cloud audit logs

Owned by Aaron Allsbrook
Last updated: Mar 04, 2024 by Jeff Slavin (Unlicensed)
3 min read

This page describes the audit logs created by ClearBlade IoT Core as part of Cloud Audit Logs.

Overview

Google Cloud services write audit logs to help you answer: who did what, where, and when? Your Cloud projects contain only the audit logs for resources directly within the project. Other entities, including folders, organizations, and billing accounts, include audit logs.

ClearBlade IoT Core writes and provides, by default, audit logs for admin activity, which include operations that modify the resource’s configuration or metadata. These include device settings, cloud-to-device configurations, and device registry settings.

ClearBlade IoT Core writes and doesn't provide, by default, audit logs for data access, which record API calls that read user-provided data.

Enabling audit logging

Admin Activity audit logs are enabled by default and can only be disabled through Cloud Logging exclusions.

Most Google Cloud Data Access audit logs are disabled by default. The exception is BigQuery Data Access audit logs, which are enabled by default and cannot be disabled; BigQuery Data Access logs do not count against your project's logging quota.

To enable your Data Access logs, see Configuring Data Access logs.

The Data Access logs you configure can affect your logs pricing in Google Cloud's operations suite. For more information, see this page’s Pricing section.

Audited operations

This table summarizes which API operations correspond to each audit log type in ClearBlade IoT Core:

Audit logs category

ClearBlade IoT Core operations

Audit logs category

ClearBlade IoT Core operations

Admin Activity logs

  • CreateDeviceRegistry

  • DeleteDeviceRegistry

  • UpdateDeviceRegistry

  • CreateDevice

  • DeleteDevice

  • UpdateDevice

  • ModifyCloudToDeviceConfig

  • SetIamPolicy

Data Access logs (ADMIN_READ)

  • GetDeviceRegistry

  • ListDeviceRegistries

  • GetDevice

  • ListDevices

  • GetIamPolicy

Data Access logs (DATA_READ)

None

Data Access logs (DATA_WRITE)

None

Data Access logs

Data Access audit logs have three categories: ADMIN_READ, DATA_READ, and DATA_WRITE. However, ClearBlade IoT Core only uses ADMIN_READ data access logs.

Data Access log type

Description

Availability

Data Access log type

Description

Availability

ADMIN_READ

Operations that read the resource’s configuration or metadata.

ClearBlade IoT Core doesn't provide ADMIN_READ logs by default.

You can configure audit information that isn't provided by default. For details, see Configuring Data Access logs.

Audit log format

Audit log entries, which can be viewed using the Logs Viewer, the API, or the SDK gcloud logging command, include these objects:

  • The log entry is an object of type LogEntry. Useful fields include:

    • logName contains the project identification and audit log type

    • resource contains the audited operation target

    • timestamp contains the audited operation time

    • protoPayload contains the audited information

  • The audit information is an AuditLog object in the protoPayload log entry field.

For other fields in these objects, samples of their contents, and sample queries on information in the objects, see Understanding audit logs.

Log names

Cloud audit log names indicate the project or entity that owns the audit logs and whether the log contains admin activity or data access information. For example, the following shows log names for a project's Admin Activity logs and an organization's Data Access logs.

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access

The log name’s part following /logs/ must be URL-encoded. The forward-slash character, /, must be written as %2F.

Service names and resource types

ClearBlade IoT Core audit logs use the service name iot.clearblade.com.

ClearBlade IoT Core audit logs use the resource types cloudiot_device and cloudiot_device_registry for all audit logs.

Viewing logs

To view your project’s audit logs, go to the Admin Activity log summary or Logs Explorer.

Basic Viewer

Retrieve audit log entries

1. In the Logs Explorer basic interface’s first menu, select the resource type whose audit logs you wish to see. Select a specific resource or all of them.

2. In the second menu, select the log name you want to see: activity for Admin Activity audit logs and data_access for Data Access audit logs. If you don't see one or both options, then no audit logs of that type are available.

Advanced Viewer

1. Switch to the advanced filter interface in the Logs Explorer.

2. Create a filter that specifies your desired resource type(s) and log names.

Exporting audit logs

You can export audit logs the same way as other kinds of logs. For details about how to export your logs, see Exporting logs. Here are some exporting audit logs applications:

  • You can export your audit log copies to Cloud Storage, BigQuery, or Pub/Sub to keep them longer or use more powerful search capabilities. Using Pub/Sub, you can export to other applications, other repositories, and to third parties.

  • To manage your audit logs across an entire organization, you can create aggregated sinks that export logs from any or all projects.

  • If your enabled Data Access logs are pushing your projects over their logs allotments, you can export and exclude the Data Access logs from logging. For details, see Excluding logs.

Pricing

Cloud Logging charges you for Data Access logs that you explicitly request.

See Google Cloud's operations suite pricing for more log pricing information.

Exempt methods

These ClearBlade IoT Core API methods aren't logged in audit logs:

  • registries.testIamPermissions

  • registries.devices.configVersions.list

  • registries.devices.states.list