An Eventarc trigger declares your interest in a certain event or
set of events, allowing you to capture and act on specific events.
Eventarc triggers with type=google.cloud.audit.log.v1.written
send requests to a destination when an audit log is created that matches the
trigger's filter criteria. Matches are made on the following values from the
audit log entry:
To identify the exact event filters needed to create a trigger, generate the
event that you want to capture, and then view its corresponding
Cloud Audit Logs entry. Note that data from a log entry might be split and
distributed across several entries.
Ensure that you have enabled the data access audit log types for your service.
To see the full details of one log entry, click the expander arrow (▸)
at the start of the entry.
The protoPayload field distinguishes an audit log entry from other log entries.
In the following example, some parts of the log entry are omitted, and some
fields are highlighted:
The following information can be used to verify the contents of this
audit log entry:
The protoPayload.@type field is
type.googleapis.com/google.cloud.audit.AuditLog.
The logName field includes the domain cloudaudit.googleapis.com.
The protoPayload.serviceName field is the service that wrote the audit log.
The protoPayload.methodName field is the operation that is being audited.
The protoPayload.resourceName field is the resource that is being audited.
For more details on how to find information in an audit log
entry, see Understanding audit logs.
Retrieve event filter values
You can use the
gcloud eventarc audit-logs-provider
command to explore and list provider serviceName and methodName values for
the google.cloud.audit.log.v1.written event type.
Replace SERVICE_NAME with a serviceName value—for
example, bigquery.googleapis.com.
Eventarc trigger examples
The following example creates a trigger called cal-workflows-trigger for a
Workflows destination. The trigger filters for audit logs that are
written by bigquery.googleapis.com and for the operation identified as
google.cloud.bigquery.v2.JobService.InsertJob:
The following example creates a trigger called cal-run-trigger for a
Cloud Run destination. The trigger filters for audit logs that are
written by workflows.googleapis.com and for the operation identified as
google.cloud.workflows.v1.Workflows.GetWorkflow:
Cloud Logging splits audit log entries that are larger than
the usage limit and distributes the data contained
in the original audit log entry across several split entries. If a log entry
contains a split field, then the entry is the result of splitting a larger
original log entry. The split field is a LogSplit object that contains the
information needed to identify related split entries.
Each split entry has a protoPayload that includes the same serviceName,
methodName, and resourceName values to help filter the Cloud Audit Logs
events. Eventarc triggers deliver an event for each split entry.
When you have an audit log entry that is split into multiple log entries, you
can filter for any of the fields in the LogEntry. For example, if you need
the first entry in a series of split log entries, you can run the following
gcloud CLI command, using split.index=0 to indicate the position of
the first entry:
gcloudloggingread"split.index=0"
For more information, including how to recognize entries and sample queries, see
Split audit log entries.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eEventarc triggers capture and act on specific events by declaring interest in a certain event or set of events.\u003c/p\u003e\n"],["\u003cp\u003eTriggers with \u003ccode\u003etype=google.cloud.audit.log.v1.written\u003c/code\u003e target audit logs, sending requests to a destination when a matching audit log is created based on \u003ccode\u003eserviceName\u003c/code\u003e, \u003ccode\u003emethodName\u003c/code\u003e, and \u003ccode\u003eresourceName\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eTo create effective event filters, generate the desired event, view its audit log entry, and enable data access audit log types for the relevant service.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the \u003ccode\u003egcloud eventarc audit-logs-provider\u003c/code\u003e command to list service and method names for the \u003ccode\u003egoogle.cloud.audit.log.v1.written\u003c/code\u003e event type to facilitate filter creation.\u003c/p\u003e\n"],["\u003cp\u003eCloud Logging may split audit log entries exceeding usage limits into multiple entries, each containing the same \u003ccode\u003eserviceName\u003c/code\u003e, \u003ccode\u003emethodName\u003c/code\u003e, and \u003ccode\u003eresourceName\u003c/code\u003e, with Eventarc sending an event for each split entry.\u003c/p\u003e\n"]]],[],null,["# Determine event filters for Cloud Audit Logs\n\n[Standard](/eventarc/standard/docs/overview)\n\nAn Eventarc trigger declares your interest in a certain event or\nset of events, allowing you to capture and act on specific events.\nEventarc triggers with `type=google.cloud.audit.log.v1.written`\nsend requests to a destination when an audit log is created that matches the\ntrigger's filter criteria. Matches are made on the following values from the\naudit log entry:\n\n- `serviceName`: the service that wrote the audit log\n- `methodName`: the operation that is being audited\n- `resourceName`: the resource that is being audited\n\nFor a list of Google Cloud services that provide audit logs, see\n[Google Cloud services with audit logs](/logging/docs/audit/services). You\ncan also [retrieve the event filter values](#list-providers) that apply to the\n`google.cloud.audit.log.v1.written` event type.\n\nIdentify event filters\n----------------------\n\nTo identify the exact event filters needed to create a trigger, generate the\nevent that you want to capture, and then view its corresponding\nCloud Audit Logs entry. Note that data from a log entry might be [split and\ndistributed across several entries](#split-auditlogs).\n\n1. Ensure that you have enabled the data access audit log types for your service.\n\n [Go to Audit Logs](https://console.cloud.google.com/iam-admin/audit)\n\n Note that any services that have auditing enabled by default are not listed.\n 1. In the main table on the **Audit Logs** page, select a Google Cloud\n service.\n\n 2. In the **Log Types** tab, select the **Admin Read** , **Data Read** , and\n **Data Write** checkboxes and then click **Save**.\n\n2. Perform the operation you want to create an event filter for and generate\n an audit log entry. For example, store a file in a Cloud Storage bucket.\n\n3. In the Google Cloud console, go to the **Logs Explorer**.\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/query)\n4. In the **Query builder** pane, build and run a query to filter the log\n entries and retrieve the results. For example:\n\n resource.type=\"gcs_bucket\" resource.labels.bucket_name=\"eventarc-bucket\"\n\n For more details on how to build queries to retrieve and refine logs, see\n [Build queries by using the Logging query language](/logging/docs/view/building-queries).\n5. To see the full details of one log entry, click the expander arrow (▸)\n at the start of the entry.\n\n The `protoPayload` field distinguishes an audit log entry from other log entries.\n In the following example, some parts of the log entry are omitted, and some\n fields are highlighted: \n\n ```json\n {\n protoPayload:{\n @type:\"type.googleapis.com/google.cloud.audit.AuditLog\",\n status:{},\n authenticationInfo:{},\n requestMetadata:{},\n serviceName:\"storage.googleapis.com\",\n methodName:\"storage.objects.create\",\n authorizationInfo:[],\n resourceName:\"projects/_/buckets/eventarc-bucket/objects/random.txt\",\n resourceLocation:{}\n },\n insertId:\"il9evleafpdk\",\n resource:{\n type:\"gcs_bucket\",\n labels:{\n project_id:\"cloud-run-test\",\n location:\"us-central1\",\n bucket_name:\"eventarc-bucket\"\n }\n },\n timestamp:\"2021-03-05T15:55:20.754688805Z\",\n severity:\"INFO\",\n logName:\"projects/cloud-run-test/logs/cloudaudit.googleapis.com%2Fdata_access\",\n receiveTimestamp:\"2021-03-05T15:55:20.884984611Z\"\n }\n ```\n\n \u003cbr /\u003e\n\n - The following information can be used to verify the contents of this\n audit log entry:\n\n - The `protoPayload.@type` field is\n `type.googleapis.com/google.cloud.audit.AuditLog`.\n\n - The `logName` field includes the domain `cloudaudit.googleapis.com`.\n\n - The `protoPayload.serviceName` field is the service that wrote the audit log.\n\n - The `protoPayload.methodName` field is the operation that is being audited.\n\n - The `protoPayload.resourceName` field is the resource that is being audited.\n\n For more details on how to find information in an audit log\n entry, see [Understanding audit logs](/logging/docs/audit/understanding-audit-logs).\n\nRetrieve event filter values\n----------------------------\n\nYou can use the\n[`gcloud eventarc audit-logs-provider`](/sdk/gcloud/reference/eventarc/audit-logs-provider)\ncommand to explore and list provider `serviceName` and `methodName` values for\nthe `google.cloud.audit.log.v1.written` event type.\n| **Note:** The `gcloud eventarc audit-logs-provider` command no longer retrieves the latest provider `serviceName` and `methodName` values. We recommend that you identify the event filter needed to create an Eventarc trigger. Or, for the list of Google Cloud services that provide audit logs, see [Google Cloud services with audit logs](/logging/docs/audit/services).\n\nTo list service names, run the following command: \n\n```bash\ngcloud eventarc audit-logs-provider service-names list\n```\n\nThis returns all `serviceName` attribute values for the\n`google.cloud.audit.log.v1.written` event type.\n\nTo list method names for a specific service, run the following command: \n\n```bash\ngcloud eventarc audit-logs-provider method-names list \\\n --service-name=SERVICE_NAME\n```\n\nReplace \u003cvar translate=\"no\"\u003eSERVICE_NAME\u003c/var\u003e with a `serviceName` value---for\nexample, `bigquery.googleapis.com`.\n\nEventarc trigger examples\n-------------------------\n\n| **Note:** Eventarc is available in [specific regions](/eventarc/docs/locations) and in the global region for Cloud Audit Logs triggers. Eventarc is not available in dual-region and multi-region locations. If you specify the global location, you will receive events from all locations for which the event filters match. For example, by creating a global Eventarc trigger, you can receive events from resources such as Cloud Storage buckets in the EU and US multi-regions. For more information, see [Understand Eventarc locations](/eventarc/docs/understand-locations).\n\nThe following example creates a trigger called `cal-workflows-trigger` for a\nWorkflows destination. The trigger filters for audit logs that are\nwritten by `bigquery.googleapis.com` and for the operation identified as\n`google.cloud.bigquery.v2.JobService.InsertJob`: \n\n```bash\ngcloud eventarc triggers create cal-workflows-trigger \\\n --location=us-central1 \\\n --destination-workflow=my-workflow \\\n --destination-workflow-location=europe-west4 \\\n --event-filters=\"type=google.cloud.audit.log.v1.written\" \\\n --event-filters=\"serviceName=bigquery.googleapis.com\" \\\n --event-filters=\"methodName=google.cloud.bigquery.v2.JobService.InsertJob\" \\\n --service-account=${TRIGGER_SA}@${PROJECT_ID}.iam.gserviceaccount.com\n```\n\nThe following example creates a trigger called `cal-run-trigger` for a\nCloud Run destination. The trigger filters for audit logs that are\nwritten by `workflows.googleapis.com` and for the operation identified as\n`google.cloud.workflows.v1.Workflows.GetWorkflow`: \n\n```bash\ngcloud eventarc triggers create cal-run-trigger \\\n --location=us-central1 \\\n --destination-run-service=helloworld-events \\\n --destination-run-region=us-central1 \\\n --event-filters=\"type=google.cloud.audit.log.v1.written\" \\\n --event-filters=\"serviceName=workflows.googleapis.com\" \\\n --event-filters=\"methodName=google.cloud.workflows.v1.Workflows.GetWorkflow\" \\\n --event-filters=\"resourceName=projects/_/locations/us-central1/workflows/test-workflow\" \\\n --service-account=${PROJECT_NUMBER}-compute@developer.gserviceaccount.com\n```\n\nOversized audit log entries\n---------------------------\n\nCloud Logging splits audit log entries that are larger than\n[the usage limit](/logging/quotas#log-limits) and distributes the data contained\nin the original audit log entry across several *split* entries. If a log entry\ncontains a `split` field, then the entry is the result of splitting a larger\noriginal log entry. The `split` field is a `LogSplit` object that contains the\ninformation needed to identify related split entries.\n\nEach split entry has a `protoPayload` that includes the same `serviceName`,\n`methodName`, and `resourceName` values to help filter the Cloud Audit Logs\nevents. Eventarc triggers deliver an event for each split entry.\n\nWhen you have an audit log entry that is split into multiple log entries, you\ncan filter for any of the fields in the `LogEntry`. For example, if you need\nthe first entry in a series of split log entries, you can run the following\ngcloud CLI command, using `split.index=0` to indicate the position of\nthe first entry: \n\n```bash\ngcloud logging read \"split.index=0\"\n```\n\nFor more information, including how to recognize entries and sample queries, see\n[Split audit log entries](/logging/docs/audit/split-logs).\n\nWhat's next\n-----------\n\n- [Learn how to create a trigger](/eventarc/standard/docs/event-providers-targets#triggers)."]]
