
# Cloud Audit Logs

SureCloud collects Cloud Audit Log entries from across your GCP organisation to provide a continuous audit trail of who did what, when, and on which resources. SureCloud ingests Admin Activity logs (always enabled) and Data Access logs (enabled per service) across all monitored projects. Audit log collection provides the evidence required to demonstrate that cloud administrative activity is captured and retained.

## Endpoints

| API Call                                                                            | Use Case                                                                             |
| ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
| `logging.entries.list` (filter: `logName:"cloudaudit.googleapis.com/activity"`)     | Collect Admin Activity audit log entries for all monitored projects                  |
| `logging.entries.list` (filter: `logName:"cloudaudit.googleapis.com/data_access"`)  | Collect Data Access audit log entries where enabled                                  |
| `logging.entries.list` (filter: `logName:"cloudaudit.googleapis.com/system_event"`) | Collect System Event log entries for GCP-initiated operations                        |
| `logging.projects.sinks.list`                                                       | Enumerate log sinks; verify audit logs are being exported to a long-term destination |

## Pagination

The Cloud Logging API uses `nextPageToken` for pagination. SureCloud passes the token in the `pageToken` field of successive `entries.list` requests until no token is returned.

```json
{
  "entries": [
    {
      "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
      "timestamp": "2025-06-01T10:00:00Z",
      "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", ... }
    }
  ],
  "nextPageToken": "EAE4AQoVCg..."
}
```
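The token loop described above, as an added example (not SureCloud's code). `fake_fetch` and the `PAGES` responses are constructed stand-ins for an authenticated `entries.list` call, and the `since` lower bound and the repeated-token guard are assumptions of this sketch.

```python
from datetime import datetime, timezone


def build_request(project_ids, log_id, since, page_token=None, page_size=1000):
    """Build one entries.list request body for a single audit log type."""
    ts = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    body = {
        "resourceNames": [f"projects/{p}" for p in project_ids],
        "filter": f'logName:"cloudaudit.googleapis.com/{log_id}" AND timestamp>="{ts}"',
        "orderBy": "timestamp asc",
        "pageSize": page_size,
    }
    if page_token:
        body["pageToken"] = page_token  # token copied from the previous response
    return body


def collect(fetch_page, project_ids, log_id, since, max_pages=10000):
    """Follow nextPageToken until a response arrives without one."""
    entries, token, seen = [], None, set()
    for _ in range(max_pages):
        page = fetch_page(build_request(project_ids, log_id, since, token))
        entries.extend(page.get("entries", []))  # a page may carry no entries
        token = page.get("nextPageToken")
        if not token:
            return entries
        if token in seen:
            raise RuntimeError("pageToken repeated; stopping to avoid a loop")
        seen.add(token)
    raise RuntimeError("max_pages reached before the final page")


# Constructed responses standing in for the API; not real log data.
PAGES = {
    None: {"entries": [{"insertId": "a1"}, {"insertId": "a2"}], "nextPageToken": "tok-1"},
    "tok-1": {"nextPageToken": "tok-2"},  # empty page that still has a token
    "tok-2": {"entries": [{"insertId": "a3"}]},  # no token: last page
}
REQUESTS = []


def fake_fetch(body):
    """Hypothetical transport: records the request, returns the constructed page."""
    REQUESTS.append(body)
    return PAGES[body.get("pageToken")]


if __name__ == "__main__":
    start = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)
    got = collect(fake_fetch, ["my-project"], "activity", start)
    print([e["insertId"] for e in got])
```

The loop stops on a missing token rather than on an empty `entries` array, so an empty intermediate page does not end collection early.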

{% hint style="info" %}
Admin Activity logs are **always enabled** and cannot be disabled. Data Access logs must be enabled explicitly per service in **IAM & Admin → Audit Logs** for each project. SureCloud collects whatever log types are enabled; it will not retroactively collect logs for periods before a log type was enabled.
{% endhint %}

## Required permissions

| Role                   | Grants                                                                   |
| ---------------------- | ------------------------------------------------------------------------ |
| `roles/logging.viewer` | Read all non-`_Default` log buckets including audit logs across projects |

Assign at the organisation scope to enable collection across all projects without per-project configuration.

## Troubleshooting

<details>

<summary>Data Access logs are not appearing for Cloud Storage or BigQuery</summary>

Data Access logs are disabled by default and must be enabled per service. In **Google Cloud Console → IAM & Admin → Audit Logs**, select the service (e.g. `storage.googleapis.com`) and enable **DATA\_READ** and/or **DATA\_WRITE** log types. This must be done per project, or at the organisation level via an Organisation Policy.

Data Access logs for BigQuery are an exception — they are enabled by default and cannot be disabled.

</details>

<details>

<summary>Audit log collection shows a gap after a connectivity interruption</summary>

GCP retains logs in the `_Default` log bucket for **30 days**. If SureCloud's polling was interrupted for longer than 30 days, logs from the gap cannot be recovered from the Logging API.

To extend retention, configure a log sink to export audit logs to Cloud Storage (for long-term archival) or BigQuery (for analysis). In **Cloud Logging → Log Router**, create a sink with a filter for `logName:"cloudaudit.googleapis.com"` targeting a Cloud Storage bucket with a multi-year retention policy.

</details>

<details>

<summary>Log sinks are not appearing in SureCloud</summary>

Log sinks require the `logging.sinks.list` permission, included in `roles/logging.viewer`. Confirm the role is assigned at the organisation scope. If sinks are configured at the project level only, SureCloud will enumerate them per project as part of normal project-level collection.

</details>
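The sink check listed under Endpoints and the retention advice above can be expressed as a small classifier over a `sinks.list` response. This is an added example, not SureCloud's logic: the sink objects are constructed, and the filter test is a substring heuristic that does not evaluate the Logging query language, so negated filters and sinks with exclusions are flagged for manual review.

```python
LONG_TERM = ("storage.googleapis.com/", "bigquery.googleapis.com/")  # destinations named on this page


def classify_sink(sink):
    """Return (verdict, reason) for one LogSink object; verdict is yes, no or review."""
    dest = sink.get("destination", "")
    flt = sink.get("filter", "").strip()
    if sink.get("disabled"):
        return "no", "sink is disabled"
    if not dest.startswith(LONG_TERM):
        return "no", "destination is not Cloud Storage or BigQuery"
    if not flt:
        return "yes", "empty filter exports every entry"
    if "cloudaudit.googleapis.com" not in flt:
        return "no", "filter does not mention audit logs"
    if "NOT" in flt.split() or "-logName" in flt or sink.get("exclusions"):
        return "review", "negation or exclusions may drop audit entries"
    return "yes", "filter selects audit logs"


def audit_export_report(response):
    """Map each sink name to its verdict."""
    return {s["name"]: classify_sink(s)[0] for s in response.get("sinks", [])}


def has_audit_export(response):
    """True when at least one enabled sink clearly exports audit logs long term."""
    return "yes" in audit_export_report(response).values()


AUDIT = 'logName:"cloudaudit.googleapis.com"'
# Constructed sinks.list response; bucket, dataset and topic names are placeholders.
SAMPLE = {"sinks": [
    {"name": "audit-archive", "destination": "storage.googleapis.com/example-audit", "filter": AUDIT},
    {"name": "all-to-bq", "destination": "bigquery.googleapis.com/projects/my-project/datasets/logs"},
    {"name": "old-archive", "destination": "storage.googleapis.com/example-old", "filter": AUDIT,
     "disabled": True},
    {"name": "alerts", "destination": "pubsub.googleapis.com/projects/my-project/topics/alerts",
     "filter": AUDIT},
    {"name": "app-logs", "destination": "storage.googleapis.com/example-app",
     "filter": 'resource.type="gce_instance"'},
    {"name": "trimmed", "destination": "storage.googleapis.com/example-trim",
     "filter": 'NOT logName:"cloudaudit.googleapis.com/data_access"'},
]}

if __name__ == "__main__":
    for name, verdict in audit_export_report(SAMPLE).items():
        print(f"{name}: {verdict}")
```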


