Configure logging for Model Armor

This document describes how to configure Model Armor to log the following operations:

• Operations that create, update, or delete a template
• Operations that sanitize a user prompt or model response

Model Armor uses audit logs to record administrative and resource management activities. For more information, see Model Armor audit logging overview.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Obtain the required permissions

To get the permissions that you need to configure logging for Model Armor, ask your administrator to grant you the Model Armor Admin (roles/modelarmor.admin) IAM role on the Model Armor template. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Enable APIs

You must enable Model Armor APIs before you can use Model Armor.

  gcloud services enable modelarmor.googleapis.com --project=PROJECT_ID
   

Configure logging in templates

Templates define the filters and thresholds for different safety and security categories. When creating or updating a Model Armor template, you can specify whether Model Armor logs certain operations. Use the following flags in the template metadata:

• log_template_operations: A boolean value that enables logging of the create, update, read, and delete template operations.

• log_sanitize_operations: A boolean value that enables logging of the sanitize operations. The logs include the prompt and response, Model Armor's evaluation results, and additional metadata fields.

  curl -X POST \
      -d '{ "filterConfig": {}, "templateMetadata": { "logTemplateOperations": true, "logSanitizeOperations": true } }' \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates?template_id=TEMPLATE_ID"

   request = modelarmor_v1.CreateTemplateRequest(
     parent="projects/PROJECT_ID/locations/LOCATION",
     template_id="TEMPLATE_ID",
     template={
        "name": "projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID",
        "filter_config": {},
        "template_metadata": {
           "log_template_operations": True,
           "log_sanitize_operations": True
        }
     }
   )
   response = client.create_template(request=request)
   

View logs

Access Model Armor logs using Logs Explorer in Cloud Logging. For more information, see View logs by using the Logs Explorer. Filter by the service name modelarmor.googleapis.com. Look for entries related to the operations that you enabled in your template. For a list of all the service names and monitored resource types, see Monitored resources and services.

Filter Model Armor logs

Use log labels for filtering the Model Armor logs for the sanitization operations and template logging.

Run the following query in the Logs Explorer to filter the sanitization operations logs.

jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"

To further refine the sanitization operation logs, you can specify a project ID, client name, or correlation ID in the query.

• Using a project ID:

  jsonPayload.@type="type.googleapis.com%2Fgoogle.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry";project=PROJECT_ID
  

• Using a client name:

  jsonPayload.@type="type.googleapis.com/google.cloud.modelarmor.logging.v1.SanitizeOperationLogEntry"
  labels."modelarmor.googleapis.com/client_name"="CLIENT_NAME"
  

• Using a correlation ID:

  labels."modelarmor.googleapis.com/client_correlation_id"="CORRELATION_ID"
  

Replace the following:

• PROJECT_ID: the Google Cloud project ID.
• CLIENT_NAME: the name of your client.
• CORRELATION_ID: the unique identifier that you generate for a specific request.

Correlate logs and related events

To correlate logs and events related to that particular interaction, you will need a client correlation ID. It is a unique identifier that you generate (for example, a UUID) to track a specific request across your system. To set a client correlation ID in a curl header, use the -H option to include a custom header in your request. Here's the sample format:

curl -X POST -d  '{"userPromptData": { "text": 'USER_PROMPT' } }' \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "MA-Client-Correlation-Id: $uuid" \
    "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeUserPrompt"

curl -X POST \
    -d  '{"modelResponseData": { "text": 'MODEL_RESPONSE' }, "userPrompt": 'USER_PROMPT' }' \
    -H "Content-Type: application/json" \
    -H "MA-Client-Correlation-Id: $uuid" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://modelarmor.LOCATION.rep.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/templates/TEMPLATE_ID:sanitizeModelResponse"

Replace the following:

• PROJECT_ID: the ID of the project that the template belongs to.
• LOCATION: the location of the template.
• TEMPLATE_ID: the ID of the template.
• USER_PROMPT: the prompt provided to the model.
• MODEL_RESPONSE: the response received from the model.