Amit Yadav

Reputation: 4994

Which user or service account was used to delete Stackdriver logs?

I am trying to keep as many logs for as long as possible in the Stackdriver tool. I understand that logs can be created, deleted and read (using client libraries or the gcloud CLI).

"Audit logs" are not a concern in my case as they cannot be deleted, but what about other logs?

E.g.: syslog from a Compute Instance VM or container.

Is there a way to know which user account or service account was used to delete logs from Stackdriver? Does deletion in Stackdriver get logged?

Upvotes: 0

Views: 389

Answers (1)

Summit Raj

Reputation: 880

Log retention periods in Stackdriver Logging are documented at https://cloud.google.com/logging/quotas#logs_retention_periods

As of August 2019:

  • Admin activity, AXT, and system event logs are retained for 400 days
  • Data access audit logs and all other logs are retained for a default of 30 days

In Stackdriver, individual log entries are grouped in a "Log", which is named with LogName. Logs can be deleted using the DeleteLog API or using the equivalent gcloud logging logs delete CLI command.

To check who deleted the log, you can check the admin activity audit logs with a filter like:

resource.type=logging_log AND 
logName:cloudaudit.googleapis.com%2Factivity AND 
protoPayload.methodName=google.logging.v2.LoggingServiceV2.DeleteLog

The protoPayload.authenticationInfo.principalEmail field will contain the user account or service account used to call the API.

Upvotes: 2
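
The following is an added example, not part of the answer above: it applies the same three filter conditions to audit log entries already exported as JSON (for instance with `gcloud logging read --format=json`) and reports which principal deleted which log. The project name, principals and sample entries are constructed, and the helper names are hypothetical.

```python
import json
import sys
from collections import defaultdict

DELETE_LOG = "google.logging.v2.LoggingServiceV2.DeleteLog"
ACTIVITY = "cloudaudit.googleapis.com%2Factivity"

def _entry(ts, rtype, log_id, method, target, principal):
    """Build a constructed audit LogEntry holding only the fields used below."""
    return {"timestamp": ts, "resource": {"type": rtype},
            "logName": f"projects/example-project/logs/{log_id}",
            "protoPayload": {"methodName": method, "resourceName": target,
                             "authenticationInfo": {"principalEmail": principal}}}

# Constructed sample data (not real logs); project and principals are made up.
SA = "cleanup-sa@example-project.iam.gserviceaccount.com"
SAMPLE = [
    _entry("2019-08-02T10:15:00Z", "logging_log", ACTIVITY, DELETE_LOG,
           "projects/example-project/logs/syslog", SA),
    _entry("2019-08-03T08:00:00Z", "logging_log", ACTIVITY, DELETE_LOG,
           "projects/example-project/logs/nginx-access", "alice@example.com"),
    _entry("2019-08-01T09:00:00Z", "logging_log", ACTIVITY, DELETE_LOG,
           "projects/example-project/logs/stdout", SA),
    _entry("2019-08-03T09:30:00Z", "logging_sink", ACTIVITY,
           "google.logging.v2.ConfigServiceV2.CreateSink",
           "projects/example-project/sinks/archive", "alice@example.com"),
]

def is_log_deletion(entry):
    """Mirror the filter: resource.type, logName substring (':'), methodName."""
    return (entry.get("resource", {}).get("type") == "logging_log"
            and ACTIVITY in entry.get("logName", "")
            and entry.get("protoPayload", {}).get("methodName") == DELETE_LOG)

def deletions_by_principal(entries):
    """Map each principalEmail to sorted (timestamp, deleted log) pairs."""
    result = defaultdict(list)
    for e in filter(is_log_deletion, entries):
        p = e["protoPayload"]
        who = p.get("authenticationInfo", {}).get("principalEmail", "(no principalEmail)")
        result[who].append((e.get("timestamp", ""), p.get("resourceName", "")))
    return {who: sorted(events) for who, events in result.items()}

if __name__ == "__main__":
    # Read exported JSON from stdin when piped, otherwise use the constructed sample.
    entries = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for who, events in deletions_by_principal(entries).items():
        for ts, log in events:
            print(f"{ts}  {who}  deleted  {log}")
```
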
