| Workload location | Organization only workloads |
| Audit log source |
|
| Audited operations |
|
API server
Log type: Control plane.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | user | For example, "user":{ "groups":["system:authenticated"], "username":"fop-platform-admin@example.com" } |
| Target (Fields and values that call the API) | objectRef | "objectRef":{ "resource":"aeadkeys", "apiGroup":"kms.gdc.goog", "apiVersion":"v1", "namespace":"kms-test1" } |
| Action (Fields containing the performed operation) | verb | For example, |
| Event timestamp | requestReceivedTimestamp | For example, |
| Source of action | sourceIPs | For example, "sourceIPs":[ "10.200.0.7" ] |
| Outcome | responseStatus | For example, "responseStatus": { "metadata": {}, "code": 200 } |
| Other fields | Not applicable | Not applicable |


Example log

```json
{
  "user": {
    "groups": ["system:authenticated"],
    "username": "fop-platform-admin@example.com"
  },
  "auditID": "bec33328-b4ba-431e-96a2-9bbb77666478",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-wxw7t",
  "stage": "RequestReceived",
  "_gdch_cluster": "org-1-admin",
  "userAgent": "kubectl/v1.25.4 (linux/amd64) kubernetes/872a965",
  "kind": "Event",
  "level": "Metadata",
  "stageTimestamp": "2022-12-08T03:59:20.025703Z",
  "requestReceivedTimestamp": "2022-12-08T03:59:20.025703Z",
  "objectRef": {
    "resource": "aeadkeys",
    "apiGroup": "kms.gdc.goog",
    "apiVersion": "v1",
    "namespace": "kms-test1"
  },
  "sourceIPs": ["10.200.0.7"],
  "apiVersion": "audit.k8s.io/v1",
  "requestURI": "/apis/kms.gdc.goog/v1/namespaces/kms-test1/aeadkeys?fieldManager=kubectl-client-side-apply&fieldValidation=Strict",
  "verb": "create",
  "_gdch_service_name": "apiserver"
}
```

Istio
Log type: Data plane.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | username | For example, |
| Target (Fields and values that call the API) | resource | "resource":{ "node_name":"sidecar~10.253.166.144~kms-backend-84f5c4f4c7-ncl4d.kms-system~kms-system.svc.cluster.local", "cluster_name":"kms-backend.kms-system", "zone_name":"europe-west4-b", "log_name":"otel_envoy_accesslog" } |
| Action (Fields containing the performed operation) | path | For example, |
| Event timestamp | start_time | For example, |
| Source of action | x_forwarded_for | For example, |
| Outcome | response_code | For example, |
| Other fields | Not applicable | Not applicable |


Example log

```json
{
  "response_code": "200",
  "response_code_details": "via_upstream",
  "response_flags": "-",
  "route_name": "default",
  "severity_number": 0,
  "severity_text": "",
  "start_time": "2022-12-08T04:03:33.859Z",
  "_gdch_service_name": "istio",
  "upstream_host": "10.253.166.144:8080",
  "upstream_local_address": "127.0.0.6:54383",
  "user_agent": "grpc-go/1.49.0",
  "_gdch_service_tenant": "platform-obs",
  "username": "fop-platform-admin@example.com",
  "x_envoy_upstream_service_time": "104",
  "x_forwarded_for": "10.253.165.123",
  "x_goog_api_client": "-",
  "x_request_id": "c11cbf94-765d-440d-9d36-56654d93d834",
  "authority": "kms.org-1.zone1.google.gdch.test",
  "bytes_received": "32756",
  "body": {},
  "upstream_transport_failure_reason": "-",
  "bytes_sent": "0",
  "downstream_local_address": "10.253.166.144:8080",
  "downstream_remote_address": "10.253.165.123:0",
  "duration": "318",
  "method": "POST",
  "observed_time_unix_nano": 0,
  "protocol": "HTTP/2",
  "requested_server_name": "outbound_.8080_._.kms-backend.kms-system.svc.cluster.local",
  "_gdch_namespace": "istio-system",
  "path": "/goog.gdc.kms.v1.CryptoOperationsService/Encrypt",
  "connection_termination_details": "-",
  "time_unix_nano": 1670472213859570944,
  "upstream_cluster": "inbound|8080||",
  "resource": {
    "node_name": "sidecar~10.253.166.144~kms-backend-84f5c4f4c7-ncl4d.kms-system~kms-system.svc.cluster.local",
    "cluster_name": "kms-backend.kms-system",
    "zone_name": "europe-west4-b",
    "log_name": "otel_envoy_accesslog"
  },
  "_gdch_cluster": "org-1-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-cr9h7"
}
```

Server
Log type: Data plane.
Fields in the log entry that contain audit information:

| Audit metadata | Audit field name | Value |
|---|---|---|
| User or service identity | message.user.identity | For example, |
| Target (Fields and values that call the API) | _gdch_service_name | |
| Action (Fields containing the performed operation) | message.action | For example, |
| Event timestamp | time | For example, |
| Source of action | _gdch_cluster | For example, |
| Outcome | message.response | For example, |
| Other fields | The message.description field contains the complete log message. | For more information, see the Example log. |


Example log

```json
{
  "pri": "46",
  "time": "2023-05-30T20:58:25Z",
  "host": "kms-backend-9dd54b666-jfp5v",
  "ident": "/kms_bin",
  "pid": "1",
  "msgid": "audit-log",
  "extradata": "-",
  "message": "{\"time\":\"2023-08-01T18:04:00.458810232Z\",\"auditID\":\"6f848640-8af1-4659-b9c9-a358d19bea5f\",\"user\":{\"identity\":\"fop-platform-admin@example.com\"},\"resource\":\"namespaces/testnamespace/aeadKeys/testcryptokey\",\"action\":\"/goog.gdc.kms.v1.CryptoOperationsService/Decrypt\",\"description\":\"{\"duration_ms\":202}\",\"userAgent\":\"grpc-go/1.55.0\",\"response\":\"OK\",\"_gdch_service\":\"kms\"}",
  "_gdch_org_name": "org-1",
  "_gdch_org_id": "org-1.zone1.google.gdch.test",
  "_gdch_cluster": "org-1-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-5lq2g",
  "_gdch_service_name": "kms-backend",
  "_gdch_tenant_id": "platform-obs"
}
```
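
The three tables above put the same audit metadata in different fields depending on the log source. As an added example (not part of the original page and not the product's own code), the Python below normalizes an entry from any of the three sources into one record, selecting the mapping by `_gdch_service_name`, decoding the Server source's `message` string, and reading the status code inside `responseStatus`. The record keys, the function names and the abridged sample lines are assumptions made for this example.

```python
import json

# Common record keys, then the audit field per source from the three tables on
# this page, keyed by the _gdch_service_name values in the page's example logs.
FIELDS = ("identity", "target", "action", "timestamp", "source", "outcome")
FIELD_MAP = {
    "apiserver": ("user.username", "objectRef", "verb",
                  "requestReceivedTimestamp", "sourceIPs", "responseStatus.code"),
    "istio": ("username", "resource", "path", "start_time",
              "x_forwarded_for", "response_code"),
    "kms-backend": ("message.user.identity", "_gdch_service_name",
                    "message.action", "time", "_gdch_cluster", "message.response"),
}

def get_path(entry, dotted):
    """Follow a dotted path such as 'message.user.identity'; None if absent."""
    for key in dotted.split("."):
        entry = entry.get(key) if isinstance(entry, dict) else None
    return entry

def normalize(raw_line):
    """Map one audit log line to a common record (hypothetical schema)."""
    entry = json.loads(raw_line)
    service = entry.get("_gdch_service_name")
    if service not in FIELD_MAP:
        raise ValueError(f"unmapped audit source: {service!r}")
    # The Server source nests its audit record as a JSON string in "message".
    if isinstance(entry.get("message"), str):
        try:
            entry["message"] = json.loads(entry["message"])
        except json.JSONDecodeError:
            entry["message"] = {}  # inner fields then resolve to None
    values = (get_path(entry, path) for path in FIELD_MAP[service])
    return dict(zip(FIELDS, values), log_source=service)

# Constructed samples, abridged from the example logs on this page.
API_SERVER = json.dumps({"_gdch_service_name": "apiserver", "verb": "create",
    "stage": "RequestReceived", "sourceIPs": ["10.200.0.7"],
    "user": {"username": "fop-platform-admin@example.com"},
    "objectRef": {"resource": "aeadkeys", "namespace": "kms-test1"},
    "requestReceivedTimestamp": "2022-12-08T03:59:20.025703Z"})
SERVER = json.dumps({"_gdch_service_name": "kms-backend",
    "_gdch_cluster": "org-1-admin", "time": "2023-05-30T20:58:25Z",
    "message": json.dumps({"user": {"identity": "fop-platform-admin@example.com"},
        "action": "/goog.gdc.kms.v1.CryptoOperationsService/Decrypt",
        "response": "OK"})})

if __name__ == "__main__":
    print(normalize(API_SERVER), normalize(SERVER), sep="\n")
```

An API server entry logged at stage `RequestReceived`, like the one in the example log, carries no `responseStatus`, so its outcome comes back as `None`.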