Audit logging for Firebase AI Logic

This page describes the audit logs created by Firebase as part of Cloud Audit Logs.

Overview

Firebase services write audit logs to help you answer the questions, "Who did what, where, and when?" These are Cloud Audit Logs, provided as part of the Google Cloud project connected to your Firebase project.

Your Firebase projects each contain only the audit logs for resources that are directly within the project.

For a general overview of Cloud Audit Logs, see Cloud Audit Logs overview. For a deeper understanding of the audit log format, see Understand audit logs.

Available audit logs

The following types of audit logs are available for Firebase AI Logic:

  • Admin Activity audit logs

    Includes "admin write" operations that write metadata or configuration information.

    You can't disable Admin Activity audit logs.

  • Data Access audit logs

    Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data.

    To receive Data Access audit logs, you must explicitly enable them.

For fuller descriptions of the audit log types, see Types of audit logs.

Audited operations

The following summarizes which API operations correspond to each audit log type in Firebase AI Logic:

Permission type    Methods
ADMIN_READ         google.firebase.vertexai.v1beta.ConfigService.GetConfig
ADMIN_WRITE        google.firebase.vertexai.v1beta.ConfigService.UpdateConfig

Audit log format

Audit log entries include the following objects:

  • The log entry itself, which is an object of type LogEntry. Useful fields include the following:

    • The logName contains the resource ID and audit log type.
    • The resource contains the target of the audited operation.
    • The timestamp contains the time of the audited operation.
    • The protoPayload contains the audited information.
  • The audit logging data, which is an AuditLog object held in the protoPayload field of the log entry.

  • Optional service-specific audit information, which is a service-specific object. For older integrations, this object is held in the serviceData field of the AuditLog object; newer integrations use the metadata field.

For other fields in these objects, and how to interpret them, review Understand audit logs.

Log name

Cloud Audit Logs resource names indicate the Firebase project or other Google Cloud entity that owns the audit logs, and whether the log contains Admin Activity, Data Access, Policy Denied, or System Event audit logging data. For example, the following shows log names for project-level Admin Activity audit logs and an organization's Data Access audit logs. The variables denote Firebase project and organization identifiers.

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
Note: The part of the log name following /logs/ must be URL-encoded. The forward-slash character, /, must be written as %2F.

Service name

Firebase AI Logic audit logs use the service name firebasevertexai.googleapis.com.

For a full list of all the Cloud Logging API service names and their corresponding monitored resource type, see Map services to resources.

Resource types

Firebase AI Logic audit logs use the resource type audited_resource for all audit logs.

For a list of all the Cloud Logging monitored resource types and descriptive information, see Monitored resource types.
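The log name, service name, and audited methods described above are enough to triage exported entries offline. The following is an added example, not code from the Firebase documentation: it decodes the log name, keeps only Firebase AI Logic entries, and checks that each method landed in the audit log its permission type implies. The sample entries are constructed, and the helper names are hypothetical; serviceName, methodName, and authenticationInfo.principalEmail are standard AuditLog fields.

```python
from urllib.parse import unquote

SERVICE = "firebasevertexai.googleapis.com"
PREFIX = "cloudaudit.googleapis.com/"
CONFIG_SERVICE = "google.firebase.vertexai.v1beta.ConfigService."
# Method -> (permission type, audit log it belongs in), from the page's table.
METHODS = {
    CONFIG_SERVICE + "GetConfig": ("ADMIN_READ", "data_access"),
    CONFIG_SERVICE + "UpdateConfig": ("ADMIN_WRITE", "activity"),
}

def parse_log_name(log_name):
    """Return (owner, audit log type), e.g. ('projects/p', 'activity')."""
    owner, sep, log_id = log_name.partition("/logs/")
    log_id = unquote(log_id)  # the part after /logs/ is URL-encoded: %2F -> /
    if not sep or not log_id.startswith(PREFIX):
        raise ValueError(f"not a Cloud Audit Logs log name: {log_name!r}")
    return owner, log_id[len(PREFIX):]

def summarize(entry):
    """Who/what/where/when for a Firebase AI Logic audit entry, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != SERVICE:
        return None
    owner, log_type = parse_log_name(entry["logName"])
    method = payload.get("methodName", "")
    permission, expected_log = METHODS.get(method, ("UNKNOWN", None))
    return {
        "who": payload.get("authenticationInfo", {}).get("principalEmail"),
        "what": method.rsplit(".", 1)[-1],
        "permission_type": permission,
        "where": owner,
        "when": entry.get("timestamp"),
        "log_type": log_type,
        "in_expected_log": expected_log == log_type,
    }

def sample_entry(log_type, when, service, method, who):  # constructed, not real log data
    return {"logName": f"projects/example-project/logs/cloudaudit.googleapis.com%2F{log_type}",
            "resource": {"type": "audited_resource"}, "timestamp": when,
            "protoPayload": {"serviceName": service, "methodName": method,
                             "authenticationInfo": {"principalEmail": who}}}

SAMPLE = [
    sample_entry("activity", "2025-01-01T10:00:00Z", SERVICE, CONFIG_SERVICE + "UpdateConfig", "admin@example.com"),
    sample_entry("data_access", "2025-01-01T10:05:00Z", SERVICE, CONFIG_SERVICE + "GetConfig", "dev@example.com"),
    sample_entry("activity", "2025-01-01T10:06:00Z", "storage.googleapis.com", "storage.buckets.update", "dev@example.com"),
]
print([s for s in map(summarize, SAMPLE) if s])
```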

Enable audit logging

Admin Activity audit logs are always enabled; you can't disable them.

Data Access audit logs are disabled by default and aren't written unless explicitly enabled (the exception is Data Access audit logs for BigQuery, which can't be disabled).

For instructions on enabling some or all of your Data Access audit logs, see Configure Data Access logs.
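Because GetConfig is an ADMIN_READ operation, it is recorded only when Data Access logging is enabled for the caller. The following added example (not from the Firebase documentation) evaluates the auditConfigs section of a project IAM policy to decide whether a given call would be logged. It assumes the standard IAM policy shape (service, auditLogConfigs, logType, exemptedMembers), where entries for "allServices" and for the specific service are combined; the policies and member names are constructed.

```python
SERVICE = "firebasevertexai.googleapis.com"
# Permission types from the "Audited operations" table.
METHOD_PERMISSION = {"GetConfig": "ADMIN_READ", "UpdateConfig": "ADMIN_WRITE"}

def data_access_config(policy, service=SERVICE):
    """Map each enabled Data Access log type to its exempted members.

    Entries for the service and for "allServices" both apply; their log types
    and exemptions are combined.
    """
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in (service, "allServices"):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            exempt = enabled.setdefault(log_cfg["logType"], set())
            exempt.update(log_cfg.get("exemptedMembers", []))
    return enabled

def is_logged(policy, method, member):
    """Will a call to `method` by `member` produce an audit log entry?"""
    permission = METHOD_PERMISSION[method]
    if permission == "ADMIN_WRITE":
        return True  # Admin Activity audit logs are always written
    enabled = data_access_config(policy)
    return permission in enabled and member not in enabled[permission]

# Constructed sample policies (only the fields this check reads).
DEFAULT_POLICY = {"bindings": []}  # no auditConfigs: Data Access logs are off
ENABLED_POLICY = {"auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ",
                          "exemptedMembers": ["user:ci-bot@example.com"]}]},
    {"service": SERVICE,
     "auditLogConfigs": [{"logType": "DATA_READ"}]},
]}

if __name__ == "__main__":
    for who in ("user:dev@example.com", "user:ci-bot@example.com"):
        print(who, is_logged(ENABLED_POLICY, "GetConfig", who))
```

An exempted member's GetConfig calls leave no audit trail even though ADMIN_READ is enabled, so exemption lists deserve the same review as the log types themselves.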

Permissions and roles

Cloud IAM permissions and roles determine your ability to access audit logs data in Google Cloud resources.

When deciding which Logging-specific permissions and roles apply to your use case, consider the following:

  • The Logs Viewer role (roles/logging.viewer) gives you read-only access to Admin Activity, Policy Denied, and System Event audit logs. If you have just this role, you cannot view Data Access audit logs that are in the _Default bucket.

  • The Private Logs Viewer role (roles/logging.privateLogViewer) includes the permissions contained in roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

    Note that if these private logs are stored in user-defined buckets, then any user who has permissions to read logs in those buckets can read the private logs. For more information on log buckets, see Routing and storage overview.

For more information on the Cloud IAM permissions and roles that apply to audit logs data, see Access control.

View logs

To find and view audit logs, you need to know the identifier of the Firebase project, folder, or organization for which you want to view audit logging information. You can further specify other indexed LogEntry fields, like resource.type; for details, review Find log entries quickly.

The following are the audit log names; they include variables for the identifiers of the Firebase project, folder, or organization:

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy
folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fdata_access
folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Fpolicy
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Factivity
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fdata_access
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fsystem_event
organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com%2Fpolicy

You can view audit logs in Cloud Logging using the Google Cloud console, the gcloud command-line tool, or the Logging API.

Console

You can use the Logs Explorer in the Google Cloud console to retrieve your audit log entries for your Firebase project, folder, or organization:

  1. In the Google Cloud console, go to the Logging > Logs Explorer page.

    Note: If you're using the Legacy Logs Viewer page, switch to the Logs Explorer page.
  2. On the Logs Explorer page, select an existing Firebase project, folder or organization.

  3. In the Query builder pane, do the following:

    If you don't see these options, then there aren't any audit logs of that type available in the Firebase project, folder, or organization.

    For more details about querying using the Logs Explorer, see Build log queries.

gcloud

The gcloud command-line tool provides a command-line interface to the Cloud Logging API. Supply a valid PROJECT_ID, FOLDER_ID, or ORGANIZATION_ID in each of the log names.

To read your Firebase project-level audit log entries, run the following command:

gcloud logging read "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com" --project=PROJECT_ID

To read your folder-level audit log entries, run the following command:

gcloud logging read "logName : folders/FOLDER_ID/logs/cloudaudit.googleapis.com" --folder=FOLDER_ID

To read your organization-level audit log entries, run the following command:

gcloud logging read "logName : organizations/ORGANIZATION_ID/logs/cloudaudit.googleapis.com" --organization=ORGANIZATION_ID

For more information about using the gcloud tool, see Read log entries.

API

When building your queries, replace the variables with valid values, and substitute the appropriate project-level, folder-level, or organization-level audit log name or identifiers as listed in the audit log names. For example, if your query includes a PROJECT_ID, then the project identifier you supply must refer to the currently selected Firebase project.

To use the Logging API to look at your audit log entries, do the following:

  1. Go to the Try this API section in the documentation for the entries.list method.

  2. Put the following into the Request body part of the Try this API form. Clicking on this prepopulated form automatically fills the request body, but you need to supply a valid PROJECT_ID in each of the log names.

    {
      "resourceNames": [
        "projects/PROJECT_ID"
      ],
      "pageSize": 5,
      "filter": "logName : projects/PROJECT_ID/logs/cloudaudit.googleapis.com"
    }
  3. Click Execute.

For more details about querying, see Logging query language.

For an example of an audit log entry and how to find the most important information in it, see Sample audit log entry.

Route audit logs

You can route audit logs to supported destinations in the same way that you can route other kinds of logs. Here are some reasons you might want to route your audit logs:

  • To keep audit logs for a longer period of time or to use more powerful search capabilities, you can route copies of your audit logs to Google Cloud Storage, BigQuery, or Google Cloud Pub/Sub. Using Cloud Pub/Sub, you can route to other applications, other repositories, and to third parties.

  • To manage your audit logs across an entire organization, you can create aggregated sinks that can route logs from any or all Firebase projects in the organization.

  • If your enabled Data Access audit logs are pushing your Firebase projects over your log allotments, you can create sinks that exclude the Data Access audit logs from Logging.

For instructions on routing logs, see Configure sinks.

Pricing

Admin Activity audit logs and System Event audit logs are no-cost.

Data Access audit logs and Policy Denied audit logs are chargeable.

For more information about Cloud Logging pricing, see Google Cloud's operations suite pricing: Cloud Logging.

Last updated 2025-10-03 UTC.