Overview of Cloud Audit Log Types
Start course

This course looks at how to use and manage cloud logging on the GCP platform and includes demos from GCP that you can follow along with.

We'll cover writing and listing log entries using gcloud, how you can use the API Explorer to list log entries, and how you can view logs and query log entries using Logs Explorer. We'll then move on to cloud audit logs including an overview of the different types of logs, as well as looking at audit log retention, and how you can view audit logs and export audit logs.

Learning Objectives

  • Write and list log entries with gcloud
  • List log entries using API explorer
  • View logs in the Logs Explorer
  • Learn how to view, export, and retain audit logs

Intended Audience

This course is intended for anyone who wants to learn how to use and manage cloud logging on the GCP platform.


To get the most out of this course, you should already have a basic understanding of GCP and know your way around the platform.


Hello, and welcome to Log Types. What I want to do here is just introduce you to the different types of cloud audit logs that you’ll find yourself working with.

There are four types of audit logs that you’ll work with. They include Admin Activity audit logs, Data Access audit logs, System Event audit logs, and Policy Denied audit logs.

These logs are used to track down who did what, where they did it, and when. It’s the classic who, what, when, and where.

Let’s first take a look at Admin Activity audit logs. Log entries for API calls and other administrative actions that result in the changes to the configuration or metadata of resources will be included in the Admin Activity audit logs. For example, when a user creates a VM instance, an audit log entry will be generated and posted to the Admin Activity audit log.

To view Admin Activity audit logs, you need to be assigned either the Logging/Logs Viewer IAM role, or Project/Viewer IAM role.

I should also mention that Admin Activity audit logs are always written. This isn’t a feature that you can configure or disable.

Data Access audit logs are logs that contain API calls that read the configuration of resources, or that read the metadata of resources. They also contain user-driven API calls that create, modify, or read user-provided resource data. 

It’s important to understand, however, that Data Access audit logs do not record data-access operations on any kind of publicly-shared resources or resources that can be accessed without logging into Google Cloud.

Viewing Data Access audit logs requires that you be assigned the IAM role of Logging/Private Logs Viewer OR Project/Owner.

I should also mention that Data Access audit logs are disabled by default. This is because these logs can get large quickly. That being the case, if you wish to leverage them, you have to specifically enable them. Now, when you do this, you may wind up being charged for the additional logs usage. 

System Event audit logs are used to house log entries for Google Cloud administrative actions that result in the modification of resource configuration. These audit logs are not created from direct user actions. Instead, they are generated by Google systems.

Viewing System Event audit logs requires either the Logging/Logs Viewer IAM role, or the Project/Viewer role.

Like the Admin Activity audit logs, System Event audit logs are always written. They cannot be configured, nor disabled.

The last log type that I want to touch on is the Policy Denied audit log. Policy Denied audit logs get recorded whenever a Google Cloud service denies access to a user or service account due to a violation of a security policy.

To view Policy Denied audit logs, you need to have been assigned the Logging/Logs Viewer IAM role, or the Project/Viewer IAM role.

Google Cloud generates Policy Denied audit logs by default – and Cloud projects are charged for the storage of these logs. That said, you can limit what is logged, and reduce those charges, by using Logs exclusions to exclude Policy Denied logs. When you do this, the Policy Denied audit logs are not ingested into Cloud Logging. 


About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.