Audited resources

Google Cloud maintains the following audit logs for each project, folder, and organization:

  • Admin Activity

  • Data Access

  • System Event

Wazuh collects these logs with the gcp-pubsub module, which pulls the entries that a Cloud Logging sink routes to a Pub/Sub topic. Details on how to configure the module can be found in the gcp-pubsub configuration reference.

Each entry carries a logName of the form `projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2F<log_id>` (the slash in the log ID is URL-encoded), so the three types can be told apart and filtered on the Wazuh dashboard by logName:

  • Admin Activity audit logs (log ID `activity`) contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. They are always enabled and cannot be disabled.

  • Data Access audit logs (log ID `data_access`) contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Apart from BigQuery, they are disabled by default and must be enabled per service; expect a high event volume once they are on.

  • System Event audit logs (log ID `system_event`) contain log entries for Google Cloud administrative actions that modify the configuration of resources. These entries are generated by Google systems, not by any direct user action.
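
The classification above is easy to get wrong on the consuming side, because the logName arrives with the `/` of the log ID encoded as `%2F`. The following added example (not part of the Wazuh documentation or the gcp-pubsub module) decodes constructed Pub/Sub messages carrying Cloud Audit Logs entries, maps each logName to its audit log type, and pulls out the fields a triage would start from. The sample entries and the `demo-project` identifiers are made up, and the `data.gcp.logName` field path used for the dashboard filter is an assumption about how the module's decoder names the fields.

```python
import base64
import json
from urllib.parse import unquote

# Cloud Audit Logs log IDs (after decoding %2F) mapped to the audit log type.
AUDIT_LOG_TYPES = {
    "cloudaudit.googleapis.com/activity": "Admin Activity",
    "cloudaudit.googleapis.com/data_access": "Data Access",
    "cloudaudit.googleapis.com/system_event": "System Event",
}


def classify_log_name(log_name):
    """Return the audit log type for a LogEntry.logName, or None for non-audit logs.

    logName looks like projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
    (also folders/... or organizations/...); the log ID is URL-encoded, so decode it
    before matching.
    """
    log_id = unquote(log_name.rsplit("/logs/", 1)[-1])
    return AUDIT_LOG_TYPES.get(log_id)


def parse_pubsub_message(message):
    """Decode the base64 `data` field of a Pub/Sub message into the LogEntry dict."""
    return json.loads(base64.b64decode(message["data"]))


def summarize_entry(entry):
    """Reduce a LogEntry to the fields a first triage needs."""
    payload = entry.get("protoPayload", {})
    return {
        "type": classify_log_name(entry.get("logName", "")),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        "severity": entry.get("severity"),
    }


def summarize_messages(messages):
    return [summarize_entry(parse_pubsub_message(m)) for m in messages]


def count_by_type(messages):
    """Count entries per audit log type; None collects non-audit entries."""
    counts = {}
    for summary in summarize_messages(messages):
        counts[summary["type"]] = counts.get(summary["type"], 0) + 1
    return counts


def dashboard_filter(audit_type):
    """Dashboard query for one audit log type.

    Assumption: the gcp-pubsub module stores the entry under data.gcp, so the
    logName is searchable as data.gcp.logName (the encoded form is what is stored).
    """
    log_id = {v: k for k, v in AUDIT_LOG_TYPES.items()}[audit_type]
    return "data.gcp.logName:*" + log_id.replace("/", "%2F")


def _pubsub_message(entry):
    """Wrap a LogEntry the way a Pub/Sub delivery does (constructed sample)."""
    data = base64.b64encode(json.dumps(entry).encode()).decode()
    return {"data": data, "attributes": {"logging.googleapis.com/timestamp": entry["timestamp"]}}


# Constructed sample messages: one of each audit type plus one non-audit log.
SAMPLE_MESSAGES = [
    _pubsub_message({
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2024-01-01T10:00:00Z", "severity": "NOTICE",
        "protoPayload": {"methodName": "SetIamPolicy",
                         "resourceName": "projects/demo-project",
                         "authenticationInfo": {"principalEmail": "alice@example.com"}},
    }),
    _pubsub_message({
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2024-01-01T10:01:00Z", "severity": "INFO",
        "protoPayload": {"methodName": "storage.objects.get",
                         "resourceName": "projects/_/buckets/demo-bucket/objects/secret.txt",
                         "authenticationInfo": {"principalEmail": "bob@example.com"}},
    }),
    _pubsub_message({
        "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
        "timestamp": "2024-01-01T10:02:00Z", "severity": "INFO",
        "protoPayload": {"methodName": "compute.instances.migrateOnHostMaintenance",
                         "resourceName": "projects/demo-project/zones/us-central1-a/instances/vm-1",
                         "authenticationInfo": {"principalEmail": "system@google.com"}},
    }),
    _pubsub_message({
        "logName": "projects/demo-project/logs/syslog",
        "timestamp": "2024-01-01T10:03:00Z", "severity": "INFO",
        "textPayload": "sshd[1]: Accepted publickey for ubuntu",
    }),
]

if __name__ == "__main__":
    for summary in summarize_messages(SAMPLE_MESSAGES):
        print(summary)
    print(count_by_type(SAMPLE_MESSAGES))
    print(dashboard_filter("Admin Activity"))
```

Matching on the decoded log ID rather than on a literal `%2Factivity` string keeps the check correct whether the entry comes through Pub/Sub (encoded) or from a file export where the name may already be decoded.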

For the full list of Google services whose audit logs the Wazuh GCP module supports, check this link.