Stay organized with collections
Save and categorize content based on your preferences.
This document describes how to view log entries produced by Binary Authorization
for Google Distributed Cloud software. These entries can be used to
troubleshoot the system setup and use.
To enable Cloud Audit Logs, you must configure the cloudAuditLogging section
of your user cluster configuration file to properly forward log events. If your
GKE clusters on GDC are not configured to forward log entries, you
can view local audit logs
by using keyword searches. Entries in local logs are formatted as described in
this document.
This document describes how to use Cloud Audit Logs to query for log entries. You
can also query log entries through the Cloud Audit Logs API.
View Cloud Audit Logs entries
In the Google Cloud console, go to the Cloud Audit Logs page.
Select the Google Cloud project you configured in the cloudAuditLogging
section of your user cluster configuration file.
Enter a filter. You can find example filters for Binary Authorization for
Distributed Cloud log entries in the following sections.
Select the activity log:
Select the Log name combo box.
Enter externalaudit.googleapis.com in the text field.
Select the log named externalaudit.googleapis.com.
Click Add.
Make sure you select the time period when the events would have occurred.
Click Run Query.
View rejected Deployment log entries
To find Cloud Audit Logs entries for rejected Deployments, use the following
query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"
View dry run log entries
To find Cloud Audit Logs entries related to Pod create or update with dry run
enabled, use the following query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"
View breakglass log entries
To find Cloud Audit Logs entries related to Pod create or update with
breakglass enabled, use the following query:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
(labels."binaryauthorization.googleapis.com/break-glass"="true" OR
protoPayload.request.metadata.labels."image-policy.k8s.io/break-glass"="true")
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis guide explains how to view log entries generated by Binary Authorization for Google Distributed Cloud, which are valuable for system troubleshooting.\u003c/p\u003e\n"],["\u003cp\u003eYou must configure your Distributed Cloud user cluster to forward log entries to Cloud Audit Logs, but you can also view local audit logs if forwarding is not set up.\u003c/p\u003e\n"],["\u003cp\u003eCloud Audit Logs can be queried via the Google Cloud console or the Cloud Audit Logs API.\u003c/p\u003e\n"],["\u003cp\u003eSpecific queries are provided to find log entries for rejected deployments, dry run operations, and breakglass events, each using unique filters.\u003c/p\u003e\n"],["\u003cp\u003eTo successfully query the logs, ensure you select the correct Google Cloud project and the \u003ccode\u003eexternalaudit.googleapis.com\u003c/code\u003e log, as well as the appropriate time period when events occurred.\u003c/p\u003e\n"]]],[],null,["# View audit logs for Google Distributed Cloud\n\nThis document describes how to view log entries produced by Binary Authorization\nfor Google Distributed Cloud software. These entries can be used to\ntroubleshoot the system setup and use.\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n| **Note:** To use this document, you must configure your Distributed Cloud user cluster to forward log entries to Cloud Audit Logs.\n\nTo enable Cloud Audit Logs, you must [configure the `cloudAuditLogging` section](/anthos/gke/docs/on-prem/how-to/user-cluster-configuration-file)\nof your user cluster configuration file to properly forward log events. If your\nGKE clusters on GDC are not configured to forward log entries, you\ncan [view local audit logs](/anthos/gke/docs/on-prem/how-to/audit-logging)\nby using keyword searches. Entries in local logs are formatted as described in\nthis document.\n\nThis document describes how to use Cloud Audit Logs to query for log entries. You\ncan also query log entries through the [Cloud Audit Logs API](/logging/docs/apis).\n\nView Cloud Audit Logs entries\n-----------------------------\n\n1. In the Google Cloud console, go to the **Cloud Audit Logs** page.\n\n [Go to Cloud Audit Logs](https://console.cloud.google.com/logs)\n2. Select the Google Cloud project you configured in the `cloudAuditLogging`\n section of your user cluster configuration file.\n\n3. Enter a filter. You can find example filters for Binary Authorization for\n Distributed Cloud log entries in the following sections.\n\n4. Select the activity log:\n\n 1. Select the **Log name** combo box.\n\n 2. Enter `externalaudit.googleapis.com` in the text field.\n\n 3. Select the log named `externalaudit.googleapis.com`.\n\n 4. Click **Add**.\n\n 5. Make sure you select the time period when the events would have occurred.\n\n5. Click **Run Query**.\n\nView rejected Deployment log entries\n------------------------------------\n\nTo find Cloud Audit Logs entries for rejected Deployments, use the following\nquery: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n protoPayload.response.status=\"Failure\"\n\nView dry run log entries\n------------------------\n\nTo find Cloud Audit Logs entries related to Pod create or update with dry run\nenabled, use the following query: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n labels.\"binaryauthorization.googleapis.com/dry-run\"=\"true\"\n\nView breakglass log entries\n---------------------------\n\nTo find Cloud Audit Logs entries related to Pod create or update with\nbreakglass enabled, use the following query: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n (labels.\"binaryauthorization.googleapis.com/break-glass\"=\"true\" OR\n protoPayload.request.metadata.labels.\"image-policy.k8s.io/break-glass\"=\"true\")"]]
