Acessar os registros de auditoria do Google Distributed Cloud
Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Neste documento, descrevemos como acessar entradas de registro produzidas pela autorização binária para o software Google Distributed Cloud. Essas entradas podem ser usadas para resolver problemas de configuração e uso do sistema.
Para ativar os registros de auditoria do Cloud, é preciso configurar a seção cloudAuditLogging
do arquivo de configuração do cluster de usuário para encaminhar eventos de registro corretamente. Se os
clusters dos GDC não estiverem configurados para encaminhar entradas de registro,
será possível ver os registros de auditoria locais usando
pesquisas por palavras-chave. As entradas nos registros locais são formatadas conforme descrito neste documento.
Neste documento, descrevemos como usar os registros de auditoria do Cloud para consultar entradas de registro. Também
é possível consultar entradas de registro pela API Cloud Audit Logs.
Ver as entradas do registro de auditoria do Cloud
No Console do Google Cloud, acesse a página Registros de auditoria do Cloud.
Selecione o projeto do Google Cloud configurado na seção cloudAuditLogging
do arquivo de configuração do cluster de usuário.
Insira um filtro. Você pode encontrar exemplos de filtros de autorização binária para
entradas de registro do Distributed Cloud nas seções a seguir.
Selecione o registro de atividades:
Selecione a caixa de combinação Nome do registro.
Digite externalaudit.googleapis.com no campo de texto.
Selecione o registro denominado externalaudit.googleapis.com.
Clique em Adicionar.
Lembre-se de selecionar o período em que os eventos ocorreram.
Clique em Run.
Ver entradas de registro de implantação rejeitadas
Para encontrar as entradas de registros de auditoria do Cloud de implantações rejeitadas, use esta
consulta:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
protoPayload.response.status="Failure"
Ver entradas de registro de teste
Para encontrar entradas de registros de auditoria do Cloud relacionadas à criação ou atualização de pods com teste
ativado, use esta consulta:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
labels."binaryauthorization.googleapis.com/dry-run"="true"
Ver entradas de registro de implantação forçada
Para encontrar entradas de registros de auditoria do Cloud relacionadas à criação ou atualização de pods com
a implantação forçada ativada, use esta consulta:
resource.type="k8s_cluster"
(protoPayload.methodName="io.k8s.core.v1.pods.create" OR
protoPayload.methodName="io.k8s.core.v1.pods.update")
(labels."binaryauthorization.googleapis.com/break-glass"="true" OR
protoPayload.request.metadata.labels."image-policy.k8s.io/break-glass"="true")
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-28 UTC."],[[["\u003cp\u003eThis guide explains how to view log entries generated by Binary Authorization for Google Distributed Cloud, which are valuable for system troubleshooting.\u003c/p\u003e\n"],["\u003cp\u003eYou must configure your Distributed Cloud user cluster to forward log entries to Cloud Audit Logs, but you can also view local audit logs if forwarding is not set up.\u003c/p\u003e\n"],["\u003cp\u003eCloud Audit Logs can be queried via the Google Cloud console or the Cloud Audit Logs API.\u003c/p\u003e\n"],["\u003cp\u003eSpecific queries are provided to find log entries for rejected deployments, dry run operations, and breakglass events, each using unique filters.\u003c/p\u003e\n"],["\u003cp\u003eTo successfully query the logs, ensure you select the correct Google Cloud project and the \u003ccode\u003eexternalaudit.googleapis.com\u003c/code\u003e log, as well as the appropriate time period when events occurred.\u003c/p\u003e\n"]]],[],null,["# View audit logs for Google Distributed Cloud\n\nThis document describes how to view log entries produced by Binary Authorization\nfor Google Distributed Cloud software. These entries can be used to\ntroubleshoot the system setup and use.\n|\n| **Preview**\n|\n|\n| This product or feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA products and features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n| **Note:** To use this document, you must configure your Distributed Cloud user cluster to forward log entries to Cloud Audit Logs.\n\nTo enable Cloud Audit Logs, you must [configure the `cloudAuditLogging` section](/anthos/gke/docs/on-prem/how-to/user-cluster-configuration-file)\nof your user cluster configuration file to properly forward log events. If your\nGKE clusters on GDC are not configured to forward log entries, you\ncan [view local audit logs](/anthos/gke/docs/on-prem/how-to/audit-logging)\nby using keyword searches. Entries in local logs are formatted as described in\nthis document.\n\nThis document describes how to use Cloud Audit Logs to query for log entries. You\ncan also query log entries through the [Cloud Audit Logs API](/logging/docs/apis).\n\nView Cloud Audit Logs entries\n-----------------------------\n\n1. In the Google Cloud console, go to the **Cloud Audit Logs** page.\n\n [Go to Cloud Audit Logs](https://console.cloud.google.com/logs)\n2. Select the Google Cloud project you configured in the `cloudAuditLogging`\n section of your user cluster configuration file.\n\n3. Enter a filter. You can find example filters for Binary Authorization for\n Distributed Cloud log entries in the following sections.\n\n4. Select the activity log:\n\n 1. Select the **Log name** combo box.\n\n 2. Enter `externalaudit.googleapis.com` in the text field.\n\n 3. Select the log named `externalaudit.googleapis.com`.\n\n 4. Click **Add**.\n\n 5. Make sure you select the time period when the events would have occurred.\n\n5. Click **Run Query**.\n\nView rejected Deployment log entries\n------------------------------------\n\nTo find Cloud Audit Logs entries for rejected Deployments, use the following\nquery: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n protoPayload.response.status=\"Failure\"\n\nView dry run log entries\n------------------------\n\nTo find Cloud Audit Logs entries related to Pod create or update with dry run\nenabled, use the following query: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n labels.\"binaryauthorization.googleapis.com/dry-run\"=\"true\"\n\nView breakglass log entries\n---------------------------\n\nTo find Cloud Audit Logs entries related to Pod create or update with\nbreakglass enabled, use the following query: \n\n resource.type=\"k8s_cluster\"\n (protoPayload.methodName=\"io.k8s.core.v1.pods.create\" OR\n protoPayload.methodName=\"io.k8s.core.v1.pods.update\")\n (labels.\"binaryauthorization.googleapis.com/break-glass\"=\"true\" OR\n protoPayload.request.metadata.labels.\"image-policy.k8s.io/break-glass\"=\"true\")"]]
