package google.events.cloud.audit.v1

Get desktop application:
View/edit binary Protocol Buffers messages

Common audit log format for Google Cloud Platform API operations. Copied from https://github.com/googleapis/googleapis/blob/master/google/cloud/audit/audit_log.proto, but changing service_data from Any to Struct.

Used in: LogEntryData

• string service_name = 7

  The name of the API service performing the operation. For example, `"datastore.googleapis.com"`.

• string method_name = 8

  The name of the service method or operation. For API calls, this should be the name of the API method. For example, "google.datastore.v1.Datastore.RunQuery" "google.logging.v1.LoggingService.DeleteLog"

• string resource_name = 11

  The resource or collection that is the target of the operation. The name is a scheme-less URI, not including the API service name. For example: "shelves/SHELF_ID/books" "shelves/SHELF_ID/books/BOOK_ID"

• optional ResourceLocation resource_location = 20

  The resource location information.

• optional protobuf.Struct resource_original_state = 19

  The resource's original state before mutation. Present only for operations which have successfully modified the targeted resource(s). In general, this field should contain all changed fields, except those that are already been included in `request`, `response`, `metadata` or `service_data` fields. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the `@type` property.

• int64 num_response_items = 12

  The number of items returned from a List or Query API method, if applicable.

• optional rpc.Status status = 2

  The status of the overall operation.

• optional AuthenticationInfo authentication_info = 3

  Authentication information.

• repeated AuthorizationInfo authorization_info = 9

  Authorization information. If there are multiple resources or permissions involved, then there is one AuthorizationInfo element for each {resource, permission} tuple.

• optional RequestMetadata request_metadata = 4

  Metadata about the operation.

• optional protobuf.Struct request = 16

  The operation request. This may not include all request parameters, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the `@type` property.

• optional protobuf.Struct response = 17

  The operation response. This may not include all response elements, such as those that are too large, privacy-sensitive, or duplicated elsewhere in the log record. It should never include user-generated data, such as file contents. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the `@type` property.

• optional protobuf.Struct metadata = 18

  Other service-specific data about the request, response, and other information associated with the current audited event.

• optional protobuf.Struct service_data = 15

  Deprecated: Use `metadata` field instead. Other service-specific data about the request, response, and other activities. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the `@type` property.

The CloudEvent raised when an audit log entry is written.

• optional LogEntryData data = 1

  The data associated with the event.

Authentication information for the operation.

Used in: AuditLog

• string principal_email = 1

  The email address of the authenticated user (or service account on behalf of third party principal) making the request. For third party identity callers, the `principal_subject` field is populated instead of this field. For privacy reasons, the principal email address is sometimes redacted. For more information, see [Caller identities in audit logs](https://cloud.google.com/logging/docs/audit#user-id).

• string authority_selector = 2

  The authority selector specified by the requestor, if any. It is not guaranteed that the principal was allowed to use this authority.

• optional protobuf.Struct third_party_principal = 4

  The third party identification (if any) of the authenticated user making the request. When the JSON object represented here has a proto equivalent, the proto name will be indicated in the `@type` property.

• string service_account_key_name = 5

  The name of the service account key used to create or exchange credentials for authenticating the service account making the request. This is a scheme-less URI full resource name. For example: "//iam.googleapis.com/projects/{PROJECT_ID}/serviceAccounts/{ACCOUNT}/keys/{key}"

• repeated ServiceAccountDelegationInfo service_account_delegation_info = 6

  Identity delegation history of an authenticated service account that makes the request. It contains information on the real authorities that try to access GCP resources by delegating on a service account. When multiple authorities present, they are guaranteed to be sorted based on the original ordering of the identity delegation events.

• string principal_subject = 8

  String representation of identity of requesting party. Populated for both first and third party identities.

Authorization information for the operation.

Used in: AuditLog

• string resource = 1

  The resource being accessed, as a REST-style string. For example: bigquery.googleapis.com/projects/PROJECTID/datasets/DATASETID

• string permission = 2

  The required IAM permission.

• bool granted = 3

  Whether or not authorization for `resource` and `permission` was granted.

• optional rpc.context.AttributeContext.Resource resource_attributes = 5

  Resource attributes used in IAM condition evaluation. This field contains resource attributes like resource type and resource name. To get the whole view of the attributes used in IAM condition evaluation, the user must also look into `AuditLogData.request_metadata.request_attributes`.

The data within all Cloud Audit Logs log entry events.

Used in: AuditLogWrittenEvent

• string log_name = 12

  The resource name of the log to which this log entry belongs.

• optional api.MonitoredResource resource = 8

  The monitored resource that produced this log entry. Example: a log entry that reports a database error would be associated with the monitored resource designating the particular database that reported the error.

• optional AuditLog proto_payload = 2

  The log entry payload, which is always an AuditLog for Cloud Audit Log events.

• string insert_id = 4

  A unique identifier for the log entry.

• map<string, string> labels = 11

  A set of user-defined (key, value) data that provides additional information about the log entry.

• optional LogEntryOperation operation = 15

  Information about an operation associated with the log entry, if applicable.

• optional protobuf.Timestamp timestamp = 9

  The time the event described by the log entry occurred.

• optional protobuf.Timestamp receive_timestamp = 24

  The time the log entry was received by Logging.

• LogSeverity severity = 10

  The severity of the log entry.

• string trace = 22

  Resource name of the trace associated with the log entry, if any. If it contains a relative resource name, the name is assumed to be relative to `//tracing.googleapis.com`. Example: `projects/my-projectid/traces/06796866738c859f2f19b7cfb3214824`

• string span_id = 27

  The span ID within the trace associated with the log entry, if any. For Trace spans, this is the same format that the Trace API v2 uses: a 16-character hexadecimal encoding of an 8-byte array, such as `000000000000004a`.

• optional LogSplit split = 35

  Information indicating this LogEntry is part of a sequence of multiple logs split from a single LogEntry.

Additional information about a potentially long-running operation with which a log entry is associated.

Used in: LogEntryData

• string id = 1

  An arbitrary operation identifier. Log entries with the same identifier are assumed to be part of the same operation.

• string producer = 2

  An arbitrary producer identifier. The combination of `id` and `producer` must be globally unique. Examples for `producer`: `"MyDivision.MyBigCompany.com"`, `"github.com/MyProject/MyApplication"`.

• bool first = 3

  True if this is the first log entry in the operation.

• bool last = 4

  True if this is the last log entry in the operation.

The severity of the event described in a log entry, expressed as one of the standard severity levels listed below. For your reference, the levels are assigned the listed numeric values. The effect of using numeric values other than those listed is undefined. Copied from https://github.com/googleapis/googleapis/blob/master/google/logging/type/log_severity.proto

Used in: LogEntryData

• DEFAULT = 0

  (0) The log entry has no assigned severity level.

• DEBUG = 100

  (100) Debug or trace information.

• INFO = 200

  (200) Routine information, such as ongoing status or performance.

• NOTICE = 300

  (300) Normal but significant events, such as start up, shut down, or a configuration change.

• WARNING = 400

  (400) Warning events might cause problems.

• ERROR = 500

  (500) Error events are likely to cause problems.

• CRITICAL = 600

  (600) Critical events cause more severe problems or outages.

• ALERT = 700

  (700) A person must take an action immediately.

• EMERGENCY = 800

  (800) One or more systems are unusable.

Additional information used to correlate multiple LogEntries. Used when a single LogEntry would exceed the Google Cloud Logging size limit and is split across multiple entries.

Used in: LogEntryData

• string uid = 1

  A globally unique identifier for all LogEntries in a sequence of split logs. All LogEntries with the same |LogSplit.uid| are assumed to be part of the same sequence of split logs.

• int32 index = 2

  The index of this LogEntry in the sequence of split logs. LogEntries are given |index| values 0, 1, ..., n-1 for a sequence of n entries.

• int32 total_splits = 3

  The total number of logs that the original LogEntry was split into.

Metadata about the request.

Used in: AuditLog

• string caller_ip = 1

  The IP address of the caller. For caller from internet, this will be public IPv4 or IPv6 address. For caller from a Compute Engine VM with external IP address, this will be the VM's external IP address. For caller from a Compute Engine VM without external IP address, if the VM is in the same organization (or project) as the accessed resource, `caller_ip` will be the VM's internal IPv4 address, otherwise the `caller_ip` will be redacted to "gce-internal-ip". See https://cloud.google.com/compute/docs/vpc/ for more information.

• string caller_supplied_user_agent = 2

  The user agent of the caller. This information is not authenticated and should be treated accordingly. For example: + `google-api-python-client/1.4.0`: The request was made by the Google API client for Python. + `Cloud SDK Command Line Tool apitools-client/1.0 gcloud/0.9.62`: The request was made by the Google Cloud SDK CLI (gcloud). + `AppEngine-Google; (+http://code.google.com/appengine; appid: s~my-project`: The request was made from the `my-project` App Engine app.

• string caller_network = 3

  The network of the caller. Set only if the network host project is part of the same GCP organization (or project) as the accessed resource. See https://cloud.google.com/compute/docs/vpc/ for more information. This is a scheme-less URI full resource name. For example: "//compute.googleapis.com/projects/PROJECT_ID/global/networks/NETWORK_ID"

• optional rpc.context.AttributeContext.Request request_attributes = 7

  Request attributes used in IAM condition evaluation. This field contains request attributes like request time and access levels associated with the request. To get the whole view of the attributes used in IAM condition evaluation, the user must also look into `AuditLog.authentication_info.resource_attributes`.

• optional rpc.context.AttributeContext.Peer destination_attributes = 8

  The destination of a network activity, such as accepting a TCP connection. In a multi hop network activity, the destination represents the receiver of the last hop. Only two fields are used in this message, Peer.port and Peer.ip. These fields are optionally populated by those services utilizing the IAM condition feature.

Location information about a resource.

Used in: AuditLog

• repeated string current_locations = 1

  The locations of a resource after the execution of the operation. Requests to create or delete a location based resource must populate the 'current_locations' field and not the 'original_locations' field. For example: "europe-west1-a" "us-east1" "nam3"

• repeated string original_locations = 2

  The locations of a resource prior to the execution of the operation. Requests that mutate the resource's location must populate both the 'original_locations' as well as the 'current_locations' fields. For example: "europe-west1-a" "us-east1" "nam3"

Identity delegation history of an authenticated service account.

Used in: AuthenticationInfo

• oneof Authority

  Entity that creates credentials for service account and assumes its identity for authentication.

  • ServiceAccountDelegationInfo.FirstPartyPrincipal first_party_principal = 1

    First party (Google) identity as the real authority.

  • ServiceAccountDelegationInfo.ThirdPartyPrincipal third_party_principal = 2

    Third party identity as the real authority.

First party identity principal.

Used in: ServiceAccountDelegationInfo

• string principal_email = 1

  The email address of a Google account.

• optional protobuf.Struct service_metadata = 2

  Metadata about the service that uses the service account.

Third party identity principal.

Used in: ServiceAccountDelegationInfo

• optional protobuf.Struct third_party_claims = 1

  Metadata about third party identity.