Google Cloud Audit Logs Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Google Cloud Audit Logs sample message when you use the Google Cloud Pub/Sub protocol: list of objects retrieved
The following sample event message shows the retrieval of a list of objects that match the criteria that are provided. This retrieval is the result of an action that was taken by Google Cloud Storage.
{"insertId":"a1aaaaa11aaa","logName":"projects/clover-pciprod/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@test"},"authorizationInfo":[{"granted":true,"permission":"storage.objects.list","resource":"projects/_/buckets/rivus-file-cache-clover-pciprod","resourceAttributes":{}}],"methodName":"storage.objects.list","requestMetadata":{"callerIp":"10.135.0.42","callerNetwork":"//compute.googleapis.com/projects/clover-vpc-pci/global/networks/__unknown__","callerSuppliedUserAgent":"Clover Google-API-Java-Client Google-HTTP-Java-Client/1.28.0 (gzip),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-04-08T23:35:14.487672816Z"}},"resourceLocation":{"currentLocations":["location"]},"resourceName":"projects/_/buckets/rivus-file-cache-clover-pciprod","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2020-04-08T23:35:15.981168264Z","resource":{"labels":{"bucket_name":"rivus-file-cache-clover-pciprod","location":"location","project_id":"clover-pciprod"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2020-04-08T23:35:14.483227095Z"}
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | methodName |
| Event Category | serviceName |
| Logsource Time | receiveTimestamp |
| Username | authenticationInfo + principalEmail |
| Source IP | requestMetadata + callerIp |
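
A check of the first sample before it is used for integration testing, as an added example that is not part of the original page or of JSA: it strips the carriage return and line feed characters as instructed above, confirms the entry is an AuditLog, and extracts the fields from the first mapping table using the key names as they appear in the payload. The names `clean_pasted_message`, `extract_jsa_fields` and the trimmed `SAMPLE_PASTED` input are constructed for illustration.

```python
import json

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# JSA field -> key path in the payload, following the first mapping table.
JSA_FIELD_PATHS = {
    "Event ID": ("protoPayload", "methodName"),
    "Event Category": ("protoPayload", "serviceName"),
    "Logsource Time": ("receiveTimestamp",),
    "Username": ("protoPayload", "authenticationInfo", "principalEmail"),
    "Source IP": ("protoPayload", "requestMetadata", "callerIp"),
}

# Constructed input: a trimmed copy of the first sample, with line breaks
# falling inside string values the way they do after copying from the page.
SAMPLE_PASTED = """{"insertId":"a1aaaaa11aaa","protoPayload":{"@type":"type.googleapis.com/goo
gle.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@test"},"methodName":"st
orage.objects.list","requestMetadata":{"callerIp":"10.135.0.42"},"serviceName":"storage.google
apis.com"},"receiveTimestamp":"2020-04-08T23:35:15.981168264Z","severity":"INFO"}"""


def clean_pasted_message(text):
    """Drop CR/LF characters; a raw line break inside a JSON string is invalid."""
    return text.replace("\r", "").replace("\n", "")


def extract_jsa_fields(text):
    """Return the mapped fields of one audit log entry; missing keys become None."""
    event = json.loads(clean_pasted_message(text))
    if not isinstance(event, dict):
        raise ValueError("expected a JSON object")
    payload = event.get("protoPayload")
    if not isinstance(payload, dict) or payload.get("@type") != AUDIT_LOG_TYPE:
        raise ValueError("not a Cloud Audit Logs entry")
    fields = {}
    for jsa_name, path in JSA_FIELD_PATHS.items():
        node = event
        for key in path:
            node = node.get(key) if isinstance(node, dict) else None
        fields[jsa_name] = node
    return fields


if __name__ == "__main__":
    for name, value in extract_jsa_fields(SAMPLE_PASTED).items():
        print(f"{name}: {value}")
```

A field that comes back as `None` means the pasted message lost or never had that key, which is worth resolving before the sample is used to verify the integration.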
Google Cloud Audit Logs sample message when you use the Google Cloud Pub/Sub protocol: object information modified
The following sample event message shows the modification of an object's information and is the result of an action that was taken by Google Cloud Storage.
{"insertId":"a1aaaaa11aaa","logName":"projects/clover-pciprod/logs/cloudaudit.googleapis.com%2Fdata_access","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","authenticationInfo":{"principalEmail":"user@test"},"authorizationInfo":[{"granted":true,"permission":"storage.objects.update","resource":"projects/_/buckets/rivusfile-cache-clover-pciprod/objects/NORTH_ADJUSTMENT/2020/04/08/USER#A11AAA.11111111.111111.test.example","resourceAttributes":{}}],"methodName":"storage.objects.update","requestMetadata":{"callerIp":"10.135.0.42","callerNetwork":"//compute.googleapis.com/projects/clover-vpc-pci/global/networks/__unknown__","callerSuppliedUserAgent":"Clover Google-API-Java-Client Google-HTTP-Java-Client/1.28.0 (gzip),gzip(gfe)","destinationAttributes":{},"requestAttributes":{"auth":{},"time":"2020-04-08T23:35:26.176068572Z"}},"resourceLocation":{"currentLocations":["location"]},"resourceName":"projects/_/buckets/rivus-file-cache-clover-pciprod/objects/NORTH_ADJUSTMENT/2020/04/08/USER#A11AAA.11111111.111111.test.example","serviceName":"storage.googleapis.com","status":{}},"receiveTimestamp":"2020-04-08T23:35:27.212247517Z","resource":{"labels":{"bucket_name":"rivus-file-cache-cloverpciprod","location":"location","project_id":"clover-pciprod"},"type":"gcs_bucket"},"severity":"INFO","timestamp":"2020-04-08T23:35:26.171189525Z"}
| JSA field name | Highlighted payload field name |
|---|---|
| Event ID | principalEmail |
| Event Category | methodName |
| Logsource Time | callerIp |
| Username | serviceName |
| Source IP | timestamp |