Version 1.8. This version is no longer supported. For information about how to upgrade to version 1.9, see Upgrading Anthos on bare metal in the 1.9 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.
This document describes how to enable and use Cloud Audit Logs for
Google Distributed Cloud. Google Distributed Cloud uses Kubernetes Audit Logging
to keep a chronological record of calls made to a cluster's Kubernetes API
server. Audit logs are useful for investigating suspicious API requests and for
collecting statistics.
If Cloud Audit Logs is enabled, audit logs are written to Cloud Audit Logs in your
Google Cloud project. Writing to Cloud Audit Logs has several benefits over writing to
disk, or even capturing logs in an on-premises logging system:
- Audit logs for all GKE Enterprise clusters can be centralized.
- Log entries written to Cloud Audit Logs are immutable.
- Cloud Audit Logs entries are retained for 400 days.
- The Cloud Audit Logs feature is included in the price of GKE Enterprise.
- You can configure Google Distributed Cloud to write logs to disk or to Cloud Audit Logs.
Disk-based audit logging
By default, audit logs in Google Distributed Cloud are written to a persistent
disk so that cluster restarts and upgrades don't cause the logs to disappear.
Google Distributed Cloud retains up to 1 GB of audit log entries, so the on-node
history is finite; a longer record requires shipping entries off the node, which
is what Cloud Audit Logs provides.
You can access the disk-based audit logs by logging into control plane nodes.
The logs are located in the /var/log/apiserver/ directory.
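The page says audit logs are for investigating suspicious API requests, and on a control plane node that record is the kube-apiserver audit log under /var/log/apiserver/. The following is an added example, not code from the Google Distributed Cloud documentation or product: it parses that log in the standard audit.k8s.io/v1 JSON-lines format that kube-apiserver's log backend writes and flags the requests a responder checks first. The file name audit.log, the detection rules and every sample event are assumptions and constructed data. Which verbs appear at all is decided by the static audit policy described later on this page; a rule for a verb the policy does not record simply never fires.

```python
"""Triage the kube-apiserver audit log kept on a control plane node.

Added example, not code from the Google Distributed Cloud docs. Assumes the
files under /var/log/apiserver/ are Kubernetes audit Events in the
audit.k8s.io/v1 JSON-lines format. The file name audit.log, the rules and
every event below are constructed, not real records.
"""
from __future__ import annotations

import json
from typing import Iterable, Iterator


def make_event(audit_id, stage, verb, user, ref, code=None, ip="10.0.0.5"):
    """Build one constructed audit.k8s.io/v1 Event line for the sample."""
    e = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
         "auditID": audit_id, "stage": stage, "verb": verb,
         "user": {"username": user}, "sourceIPs": [ip], "objectRef": ref}
    if code is not None:
        e["responseStatus"] = {"code": code}
    return json.dumps(e)


# Constructed sample: five events plus a truncated line such as log rotation
# can leave at the end of a file.
SAMPLE_AUDIT_LOG = "\n".join([
    make_event("a1", "ResponseComplete", "update",
               "system:serviceaccount:kube-system:deployment-controller",
               {"resource": "replicasets", "namespace": "default", "name": "web-7d9f"}, 200),
    # a2 is logged twice (RequestReceived, then ResponseComplete); count it once.
    make_event("a2", "RequestReceived", "get", "alice@example.com",
               {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
               ip="203.0.113.7"),
    make_event("a2", "ResponseComplete", "get", "alice@example.com",
               {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
               200, "203.0.113.7"),
    make_event("a3", "ResponseComplete", "create", "bob@example.com",
               {"resource": "pods", "subresource": "exec", "namespace": "payments",
                "name": "api-0"}, 101, "203.0.113.9"),
    make_event("a4", "ResponseComplete", "create", "system:anonymous",
               {"resource": "clusterrolebindings", "name": "backdoor-admin"},
               403, "198.51.100.23"),
    '{"kind": "Event", "auditID": "a5", "stage": "ResponseComp',  # truncated by rotation
])

SENSITIVE_READS = {"secrets", "configmaps"}          # reads worth a second look
POD_BREAKOUT_SUBRESOURCES = {"exec", "attach", "portforward"}
RBAC_WRITES = {"create", "update", "patch"}


def parse_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield completed Events; skip blank, truncated and non-final-stage lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write at the end of a rotated file
        if event.get("kind") == "Event" and event.get("stage") == "ResponseComplete":
            yield event


def classify(event: dict) -> list[str]:
    """Return the reasons an event deserves attention; empty means benign."""
    ref = event.get("objectRef") or {}
    code = (event.get("responseStatus") or {}).get("code", 0)
    user = (event.get("user") or {}).get("username", "")
    verb = event.get("verb", "")
    resource, sub = ref.get("resource"), ref.get("subresource")

    reasons = []
    if code in (401, 403):
        reasons.append(f"denied request ({code})")
    if resource in SENSITIVE_READS and verb in ("get", "list", "watch"):
        reasons.append(f"read of {resource}")
    if resource == "pods" and sub in POD_BREAKOUT_SUBRESOURCES:
        reasons.append(f"pods/{sub}")
    if resource == "clusterrolebindings" and verb in RBAC_WRITES:
        reasons.append("cluster-wide RBAC change")
    if user == "system:anonymous":
        reasons.append("anonymous principal")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Run classify() over a log file's contents and return the flagged events."""
    findings = []
    for event in parse_events(log_text.splitlines()):
        reasons = classify(event)
        if not reasons:
            continue
        ref = event.get("objectRef") or {}
        target = ref.get("resource", "")
        if ref.get("subresource"):
            target += "/" + ref["subresource"]
        findings.append({
            "auditID": event.get("auditID"),
            "user": (event.get("user") or {}).get("username"),
            "sourceIPs": event.get("sourceIPs", []),
            "request": f'{event.get("verb")} {target} {ref.get("namespace", "<cluster>")}/{ref.get("name")}',
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument (for example /var/log/apiserver/audit.log, name assumed)
    # read that file; otherwise run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for f in triage(text):
        print(f["auditID"], f["user"], f["sourceIPs"], f["request"], "->", ", ".join(f["reasons"]))
```

Run it on the node, or copy the files off first; they are rotated within the 1 GB cap, so a copy taken at the start of an investigation is the one that survives. Counting only ResponseComplete events avoids double-counting requests that the policy records at more than one stage.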
Cloud Audit Logs
If Cloud Audit Logs is enabled, then Admin Activity audit log entries from
all Kubernetes API servers are sent to Google Cloud. These log entries are
stored under the cluster's project name and location. To buffer and write
log entries to Cloud Audit Logs, Google Distributed Cloud deploys an audit-proxy
Pod to the admin cluster. This Pod is also available as a sidecar container on
user clusters.
Limitations
Cloud Audit Logs for Google Distributed Cloud is a preview feature and has the following limitations:
- Data access logging isn't supported.
- Modifying the Kubernetes audit policy isn't supported.
- Cloud Audit Logs isn't resilient to extended network outages. If the log entries cannot be exported to Google Cloud, they are cached in a 10-GB disk buffer. If that buffer fills, then subsequent entries are dropped. Dropped entries leave no marker in Cloud Logging, so a gap caused by an outage is only visible if you monitor each cluster's log stream for silence.
- Cloud Audit Logs can be enabled when creating new 1.8.0 clusters only. Enabling Cloud Audit Logs on existing clusters through upgrading isn't supported for the feature preview.
Create a service account for Cloud Audit Logs
Before you can enable Cloud Logging and Cloud Monitoring with
Google Distributed Cloud, you must first configure the following:
1. Create a Cloud Monitoring Workspace within the Google Cloud project, if you
   don't have one already. This is done in the Google Cloud console: open
   Monitoring (https://console.cloud.google.com/monitoring) and follow the workflow.
2. Enable the required APIs in the project:
   - Anthos Audit API (anthosaudit.googleapis.com)
   - Stackdriver API (stackdriver.googleapis.com)
   - Monitoring API (monitoring.googleapis.com)
   - Logging API (logging.googleapis.com)
3. Assign the following IAM roles to the service account used by the Stackdriver agents:
   - logging.logWriter
   - monitoring.metricWriter
   - stackdriver.resourceMetadata.writer
   - monitoring.dashboardEditor
   These roles let the agents write logs, metrics and resource metadata; the
   agents don't need to read audit logs back, so don't add viewer or admin
   roles to this account.
Enable Cloud Audit Logs when creating a cluster
To use Cloud Audit Logs with Google Distributed Cloud, follow the regular
cluster creation instructions, but make the following edit to the cluster
config file before executing the bmctl create cluster command:
1. Uncomment the disableCloudAuditLogging field in the cluster config file
   and ensure that it is set to false, as shown in the following example:

```yaml
...
clusterOperations:
  # Cloud project for logs and metrics.
  projectID: PROJECT_ID
  # Cloud location for logs and metrics.
  location: us-central1
  # Enable Cloud Audit Logging if uncommented and set to false.
  disableCloudAuditLogging: false
...
```

   Note the double negative: leaving the field commented out, or setting it to
   true, both leave Cloud Audit Logs off.
The rest of the cluster creation process is the same. For more information
and links to instructions, see Creating clusters: overview.
Access Cloud Audit Logs
Console
1. In the Google Cloud console, go to the Logs page in the Logging menu
   (https://console.cloud.google.com/logs/query).
2. In the Filter by label or text search box, click the down arrow to open
   the drop-down menu. From the menu, choose Convert to advanced filter.
3. Fill the text box with the following filter:

```
resource.type="k8s_cluster"
logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
protoPayload.serviceName="anthosgke.googleapis.com"
```

   Replace PROJECT_ID with your project ID.
4. Click Submit Filter to display all audit logs from Google Distributed Cloud
   clusters that were configured to log to this project.
gcloud
List the first two log entries in your project's Admin Activity log that
apply to the k8s_cluster resource type:

```
gcloud logging read \
  'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" \
  AND resource.type="k8s_cluster" \
  AND protoPayload.serviceName="anthosgke.googleapis.com" ' \
  --limit 2 \
  --freshness 300d
```

Replace PROJECT_ID with your project ID.
The output shows two log entries. Notice that for each log entry, the logName
field has the value projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity
and protoPayload.serviceName is equal to anthosgke.googleapis.com.
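Because entries that overflow the 10-GB buffer are dropped without a trace, the same gcloud query doubles as a check that each cluster is still delivering. The following is an added example, not code from the Google Distributed Cloud documentation or product: it reads the JSON array that `gcloud logging read ... --format=json` prints for the filter above, keeps only entries that pass the three checks just described (resource type, log name, service name), and reports the clusters whose newest Admin Activity entry is older than a threshold. The resource.labels keys (project_id, location, cluster_name), the methodName strings and all sample entries are assumptions and constructed data.

```python
"""Check which clusters are still delivering Admin Activity entries.

Added example, not code from the Google Distributed Cloud docs. Consumes the
JSON array printed by `gcloud logging read ... --format=json`. The entry
layout follows Cloud Logging's LogEntry/AuditLog schema; the resource.labels
keys, the methodName values and every entry below are assumptions and
constructed data, not output from a real project.
"""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone

LOG_SUFFIX = "/logs/externalaudit.googleapis.com%2Factivity"
SERVICE = "anthosgke.googleapis.com"


def make_entry(cluster, ts, method, principal, service=SERVICE,
               log_id="externalaudit.googleapis.com%2Factivity"):
    """Build one constructed LogEntry shaped like gcloud's JSON output."""
    return {
        "logName": f"projects/my-project/logs/{log_id}",
        "resource": {"type": "k8s_cluster",
                     "labels": {"project_id": "my-project", "location": "us-central1",
                                "cluster_name": cluster}},
        "timestamp": ts,
        "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                         "serviceName": service, "methodName": method,
                         "authenticationInfo": {"principalEmail": principal}},
    }


# Constructed sample, newest first as gcloud prints it.
SAMPLE_GCLOUD_OUTPUT = json.dumps([
    make_entry("user-cluster-a", "2024-05-01T10:45:00.512345678Z",
               "io.k8s.apps.v1.deployments.update", "ci@example.com"),
    make_entry("user-cluster-a", "2024-05-01T10:05:00Z",
               "io.k8s.core.v1.configmaps.patch", "alice@example.com"),
    make_entry("user-cluster-b", "2024-05-01T08:00:00Z",
               "io.k8s.core.v1.namespaces.create", "bob@example.com"),
    # A GKE cluster in the same project: same resource type, different log and service.
    make_entry("gke-prod", "2024-05-01T10:59:00Z", "io.k8s.core.v1.pods.create",
               "deployer@example.com", service="k8s.io",
               log_id="cloudaudit.googleapis.com%2Factivity"),
])

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_timestamp(ts: str) -> datetime:
    """Parse an RFC 3339 UTC timestamp; Cloud Logging may emit nanoseconds."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts}")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def is_distributed_cloud_audit_entry(entry: dict) -> bool:
    """The three checks the docs describe: resource type, log name, service name."""
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and entry.get("logName", "").endswith(LOG_SUFFIX)
            and entry.get("protoPayload", {}).get("serviceName") == SERVICE)


def load_entries(gcloud_json: str) -> list[dict]:
    """Parse gcloud's JSON array and drop entries from other sources."""
    return [e for e in json.loads(gcloud_json) if is_distributed_cloud_audit_entry(e)]


def last_seen_per_cluster(entries) -> dict[str, datetime]:
    """Newest entry timestamp for each cluster_name label."""
    seen: dict[str, datetime] = {}
    for e in entries:
        name = e["resource"]["labels"].get("cluster_name", "<unknown>")
        ts = parse_timestamp(e["timestamp"])
        if name not in seen or ts > seen[name]:
            seen[name] = ts
    return seen


def silent_clusters(entries, now: datetime, max_silence: timedelta) -> list[str]:
    """Clusters whose newest entry is older than max_silence: candidates for a dropped stream."""
    return sorted(name for name, ts in last_seen_per_cluster(entries).items()
                  if now - ts > max_silence)


if __name__ == "__main__":
    import sys
    # Pipe gcloud output in; with no pipe, run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GCLOUD_OUTPUT
    entries = load_entries(text)
    for name, ts in sorted(last_seen_per_cluster(entries).items()):
        print(f"{name}: last Admin Activity entry {ts.isoformat()}")
    print("silent:", silent_clusters(entries, datetime.now(timezone.utc), timedelta(minutes=30)))
```

Typical use is `gcloud logging read '<filter above>' --format=json --freshness 1d | python3 audit_coverage.py`. A quiet cluster legitimately produces few Admin Activity entries (only writes are recorded, since data access logging isn't supported), so the threshold has to be tuned per cluster rather than set once for the fleet.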
Audit policy
Cloud Audit Logs behavior is determined by a statically-configured
Kubernetes audit logging policy. Changing this policy isn't supported currently,
but will be available in a future release.