Migrating from activity logs to audit logs
If you useactivity logs to view Compute Engineadmin activity and system events, read this guide to understand how to findsimilar log entries usingaudit logs instead.
Compute Engine activity logs are deprecated. You can identify activitylog entries based on their log name:
logName: "projects/PROJECT_ID/logs/compute.googleapis.com%2Factivity_log"
Compute Engine audit logs contain the same information that is availablethrough activity logs, and more. But audit logs present the informationdifferently compared toactivity logs. So you'll need to adjust your queries.
How to migrate from activity logs to audit logs
To use audit logs instead of activity logs, adjust yourqueries. Use the followingsteps.
Find your old queries. For example, you might have saved them in asaved search in theLogs Explorer or createda script using the API or SDK. For more information about how you canmonitor your resources, see theLoggingdocumentation.
Replace the activity log fields with appropriate audit log fields. Refer tothetable to see how the fields map to eachother.
For example, if your legacy activity log query looked for a field named
jsonPayload.resource.name, your new audit log query should look forprotoPayload.resourceNameinstead.Save and use your new audit log query. For example,create a saved search inCloud Logging or update your scripts.
Examples
Here are some examples of converted queries:
Querying for activity related to a specific resource
| Query example | |
|---|---|
| Legacy activity log | gcloud logging read jsonPayload.resource.name="VM_NAME" |
| Audit log | Use one of the following options
With option 1, the "has" ( |
Querying for recent admin activity log entries
| Query example | |
|---|---|
| Legacy activity log | gcloud logging read logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Factivity_log" |
| Audit log | gcloud logging read logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" |
Querying for recent instance creation log entries
| Query example | |
|---|---|
| Legacy activity log | gcloud logging read 'logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Factivity_log" AND jsonPayload.event_subtype="compute.instances.insert"' |
| Audit log | gcloud logging read 'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.methodName:"compute.instances.insert"' |
Querying for the start of all instance creation operations
| Query example | |
|---|---|
| Legacy activity log | gcloud logging read 'jsonPayload.event_type="GCE_API_CALL" AND jsonPayload.event_subtype="compute.instances.insert"' |
| Audit log | gcloud logging read 'operation.first="true" AND protoPayload.methodName:"compute.instances.insert"' |
Querying for the completion of any operation
| Query example | |
|---|---|
| Legacy activity log | gcloud logging read jsonPayload.event_type="GCE_OPERATION_DONE" |
| Audit log | gcloud logging read operation.last="true" |
Differences between activity logs and audit logs
Read this section to learn how audit logs are structured differently fromactivity logs. Keep these differences in mind as you convert legacy activity logqueries into audit log queries. For example, in your queries, replace all legacyactivity log field names with the corresponding audit log field names.
While audit logging and activity logging both returnlog entry objects, they have the following differences:
- Different field names. See thefield name mapping table fordetails.
- Different field values, including:
- Differentlog names: Audit logs have log names that contain
cloudaudit.googleapis.com. - Differentpayloads: Audit logs return a
protoPayloadfieldinstead of ajsonPayload. - Fully qualifiedresource names: Audit logs returnresource names that include their path, for example:
projects/my-project/zones/us-east1-b/instances/my-instance-name. - Versionedmethod names: Audit logs return method namesthat include their version, for example,
v1.
- Differentlog names: Audit logs have log names that contain
Here is an example that shows differences in log names and payloads:
| Log entry example | |
|---|---|
| Legacy activity log | { insertId: "1x3bbhjg2wwvz1x"jsonPayload: { event_subtype: "compute.instances.stop" ... resource: { id: "12345678900123456789" name: "my-instance-name" type: "instance" zone: "us-east1-b" } ... } labels: {…}logName: "projects/my-project/logs/compute.googleapis.com%2Factivity_log" receiveTimestamp: "2019-08-26T12:22:44.602794616Z" ...} |
| Audit log | { insertId: "-w6o499e22fwk"logName: "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"protoPayload: { ... methodName: "beta.compute.instances.stop" ... resourceName: "projects/my-project/zones/us-east1-b/instances/my-instance-name" } receiveTimestamp: "2019-08-26T12:22:46.881198276Z" ...} |
Mapping fields from activity logs to audit logs
Use the following tables to map activity log fields to corresponding audit logfields in your queries.
Fields
Use the following table to replace legacy activity log fields with auditlog fields in your updated queries.
For example, if your legacy activity log query contained afilter based onjsonPayload.resource.type, your new audit log query should filter onresource.type instead.
| Legacy activity log field | Audit log field |
|---|---|
insertId | insertId |
jsonPayload.actor.user | protoPayload.authenticationInfo.principalEmail |
jsonPayload.event_subtype | protoPayload.methodName |
jsonPayload.event_timestamp_us | timestamp |
jsonPayload.event_type="GCE_API_CALL" | operation.first="true" |
jsonPayload.event_type="GCE_OPERATION_DONE" | operation.last="true" |
jsonPayload.request | protoPayload.request |
jsonPayload.operation | operation |
jsonPayload.resource.id | resource.labels.instance_id |
jsonPayload.resource.name | protoPayload.resourceName |
jsonPayload.resource.type | resource.type |
jsonPayload.resource.zone | resource.labels.zone |
jsonPayload.trace_id | operation.id |
jsonPayload.user_agent | protoPayload.requestMetadata.callerSuppliedUserAgent |
labels.compute.googleapis.com/resource_id | resource.labels.[RESOURCE_TYPE]_id |
labels.compute.googleapis.com/resource_name | protoPayload.resourceName |
labels.compute.googleapis.com/resource_type | resource.type |
labels.compute.googleapis.com/resource_zone | One of:
|
logName | logName |
receiveTimestamp | receiveTimestamp |
resource.labels | resource.labels |
severity | severity |
timestamp | timestamp |
Field values
Use the following tables to map legacy activity log field values to audit logfield values. Compared to activity logs, audit logs have multiplelog name values and differentpayload values.Audit log entries also return fully qualified resource names and versionedmethod names.
Log names
To find an audit log entry, look for alogName that includescloudaudit.googleapis.com.
| Log name | Log contents | |
|---|---|---|
| Legacy activity log | projects/PROJECT_ID/logs/compute.googleapis.com%2Factivity_log | Admin activity and system events |
| Audit log | projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity | Admin activity |
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event | System events | |
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access | Data access |
Payloads
In each audit log entry, look for aprotoPayload instead of ajsonPayload.
| Payload type | Payload example | |
|---|---|---|
| Legacy activity log | jsonPayload | jsonPayload: { actor: {…}event_subtype: "compute.instances.start" event_timestamp_us: "1566404493487248" event_type: "GCE_API_CALL" ip_address: "" operation: {…} request: {…} resource: {…} trace_id: "operation-1566404491560-590a2f74b4705-a1ae0686-d896d772" user_agent: "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36" version: "1.2" } |
| Audit log | protoPayload | protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" authenticationInfo: {…}methodName: "v1.compute.instances.start" request: {…} requestMetadata: {…} resourceName: "projects/my-project/zones/us-central1-a/instances/alert" serviceName: "compute.googleapis.com" } |
To learn how these payloads relate to each other, and how to maplegacy activity log fields to audit log fields, readlog entry field mappings.
Resource names
In audit logs, API resource names (in theprotoPayload.resourceName field) arefully qualified, for example:
resourceName: "projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
You can still use partial names but you must fix your query to use the "has"operator (:) instead of the "equals" operator.
Use one of the following options in your audit log queries to filter on aspecific resource:
gcloud logging read protoPayload.resourceName:"VM_NAME"
gcloud logging read protoPayload.resourceName="projects/PROJECT_ID/zones/ZONE/instances/VM_NAME"
Method names
In audit logs, API method names (in theprotoPayload.methodName field) areprefixed with their version, like:v1.compute.instances.delete.
| Field | Value | Query example | |
|---|---|---|---|
| Legacy activity log | jsonPayload.event_subtype | RESOURCE.METHOD | jsonPayload.event_subtype=compute.instances.delete |
| Audit log | protoPayload.methodName | API_VERSION.RESOURCE.METHOD | protoPayload.methodName=v1.compute.instances.deleteor protoPayload.methodName=beta.compute.instances.deleteor protoPayload.methodName:compute.instances.delete |
You can still use unversioned method names in your audit log queries, but youmust fix your query to use the "has" operator (:) instead of the "equals"operator (=). For example:protoPayload.methodName:compute.instances.deletereturns all instance delete API calls, regardless of version. For moreinformation about operators, seecomparisions.
What's next
- Read thequick start for using logging tools.
- Learn more aboutviewing log entries.
- Learn about viewing logs withadvanced logging filters.
- Learn more about Compute EngineCloud Audit Logs.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.