Console
    Start free

    Access Gemini Enterprise usage audit logs with Cloud Logging

    This page describes how to set up and access usage audit logs for Gemini Enterprise.

    Key concepts

    This section introduces key concepts related to observability in Gemini Enterprise.

    Concept Description
    Usage audit logs Usage audit logs are records of administrative activities and accesses within your Google Cloud resources. They provide detailed information about who performed what action, when, and from where. These logs are essential for security auditing, compliance, and understanding how your resources are being used.

    Before you begin

    Before configuring audit logs, ensure that you have the following:

    • Turn on the observability settings. For more information, see Turn on observability settings .
    • To turn on the audit logging, you must have the Discovery Engine Admin IAM role ( roles/discoveryengine.admin ).
    • To access Cloud Logging, you must have the Logs Viewer IAM role ( roles/logging.viewer ).
    • Ensure you have created a Gemini Enterprise app. To create one, see Create an app .

    Logged information

    The following table summarizes the usage data logged by Gemini Enterprise:

    Service path
    Logged data
    SearchService.Search

    Logs the data on the sources used for grounding or as LLM input.

    Request:
    • query
    • user_info

    Response:
    • attribution_token
    • results.id
    AssistantService.Assist

    Logs the request and response from the Gemini Enterprise assistant.

    Request:
    • name
    • query.text
    • query.parts

    Response:
    • assist_token
    • answer.name
    • answer.state
    • answer.replies.grounded_content.text
    • answer.replies.grounded_content.text_grounding_metadata.segments
    • answer.replies.grounded_content.text_grounding_metadata.references
    • answer.skipped_reasons
    AssistantService.StreamAssist
    Request:
    • name
    • query.text
    • query.parts
    • agents_spec

    Response:
    • assist_token
    • answer.name
    • answer.state
    • answer.replies.grounded_content.text
    • answer.replies.grounded_content.text_grounding_metadata.segments
    • answer.replies.grounded_content.text_grounding_metadata.references
    • answer.skipped_reasons
    ConversationSearchService.AnswerQuery
    Request:
    • serving_config
    • query.query_id
    • query.text
    • session
    • user_pseudo_id
    • end_user_spec
    • answer_generation_spec.model_spec.model_version
    • answer_generation_spec.prompt_spec.preamble
    • answer_generation_spec.include_citations
    • answer_generation_spec.answer_language_code
    • answer_generation_spec.ignore_adversarial_query
    • answer_generation_spec.ignore_non_answer_seeking_query
    • answer_generation_spec.ignore_jail_breaking_query

    Response:
    • answer
    • answer_query_token
    EngineService.CreateEngine
    Request:
    • engine_id
    • engine.name
    • engine.create_time
    • engine.display_name
    • engine.update_time
    • engine.data_store_ids
    • engine.data_stores

    Response:
    • engine_id
    • engine.name
    • engine.create_time
    • engine.display_name
    • engine.update_time
    • engine.data_store_ids
    • engine.data_stores
    EngineService.UpdateEngine
    Request:
    • engine.name
    • engine.create_time
    • engine.display_name
    • engine.update_time
    • engine.data_store_ids
    • engine.data_stores
    • update_mask

    Response:
    • engine.name
    • engine.create_time
    • engine.display_name
    • engine.update_time
    • engine.data_store_ids
    • engine.data_stores
    AgentService.SetIamPolicy
    Request:
    • policy.bindings.roles
    • policy.bindings.members

    Response:
    • policy.bindings.roles
    • policy.bindings.members
    AgentService.CreateAgent
    Request:
    • parent
    • agent_id
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case

    Response:
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case
    AgentService.UpdateAgent
    Request:
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case
    • update_mask

    Response:
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case
    AgentService.CreateAgentRequest
    Request:
    • parent
    • agent_id
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case

    Response:
    • agent.name
    • agent.display_name
    • agent.create_time
    • agent.update_time
    • agent.definition_case
    GroundedGenerationService.GenerateGroundedContent
    Request:
    • contents
    • location
    • generation_spec
    • system_instruction
    • safety_settings
    • user_labels
    • grounding_spec.explicit_search_queries
    • grounding_spec.grounding_sources

    Response:
    • content
    • grounding_metadata
    • grounding_score
    DataConnectorService.UpdateDataConnector
    Request:
    • data_connector.name
    • data_connector.create_time
    • data_connector.update_time
    • data_connector.data_source
    • data_connector.refresh_interval
    • data_connector.bap_config

    Response:
    • data_connector.name
    • data_connector.create_time
    • data_connector.update_time
    • data_connector.data_source
    • data_connector.refresh_interval
    • data_connector.bap_config
    AssistantService.AddContextFile
    Request:
    • name
    • file_name

    Response:
    • session
    • file_id
    AssistantService.UploadSessionFile
    Request:
    • name
    • blob.filename

    Response:
    • file_id

    Access usage audit logs

    To access and view all Gemini Enterprise usage audit logs, follow these steps:

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. Select the Google Cloud project for which you enabled audit logging.

    3. To show only Gemini Enterprise logs, enter the following query in the query editor field, and click Run Query:

         
 logName 
 = 
 "projects/ PROJECT_ID 
/logs/discoveryengine.googleapis.com%2Fgemini_enterprise_user_activity" 
  
 OR 
  
 logName 
 =~ 
 "projects/ PROJECT_ID 
/logs/discoveryengine.googleapis.com%2Fgen_ai.*"

      Replace the following:

      • PROJECT_ID : the ID of your project.

    Control access to logs

    You can control access to the logs in Cloud Logging. For detailed guidance on access control methods, including using IAM conditions for fine-grained access, see Access control with IAM .

    Default access control

    By default, Gemini Enterprise sends Cloud Logging data to the _Default bucket. The following IAM roles control access to this bucket:

    Fine-grained access control

    If your project contains logs with varying sensitivity levels, you can use several Google Cloud and Cloud Logging tools to configure more fine-grained access control.

    You can configure fine-grained access control using the following options:

    Option Description
    IAM conditions Set up fine-grained access control using IAM conditions. For more information, see Logging roles .
    Log views Use log views to limit user access to a subset of logs within a log bucket. For more information, see Configure log views on a log bucket .
    Log sinks Use log sinks to route sensitive logs to a separate project with more restrictive IAM access. For more information, see Route logs to supported destinations .
    Tags Use tags to manage IAM access to individual log buckets within a project. For more information, see Use tags to manage access to log buckets .
    Field-level access control Use field-level access control to hide or restrict access to specific fields within log entries. For more information, see Configure field-level access .

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: