Firebase Realtime Database DATA_ACCESS audit logs logs are not visible in GCP Logging-CodePudding

I have a real time database and having multiple listeners on it. I would like to see a log entry in my audit logs when a read happens.(my listeners are reading out the database when some changes occur).

Google Cloud Audit logs are the best candidate for that so I have enabled all the entries related to Firebase Realtime Database API:

I am the owner of the project so I am not lacking of any permissions. I would like to see who has read my database. My listeners have read for sure but I can not see those events in the logs. I can see the following log entries but none of them are the ones I would like to see:

Could you please tell me how could I see the actual reading of my database?

CodePudding user response：

Using the Google Cloud console or the API, this guide shows you how to enable or disable all Data Access audit logs in your Cloud projects, billing accounts, folders, and organizations.

Data Access audit logs are by default disabled, except for BigQuery. Data Access audit logs must be explicitly enabled if they are to be written for Google Cloud services other than BigQuery.

As per this doc For your Google Cloud resources and services, you can enable and configure certain Data Access audit log settings

You need a role with permissions at the appropriate resource level to view or set Data Access configuration policies. See Manage access to Cloud projects, folders, and organizations for instructions on how to grant these resource-level roles.

Refer this doc and set up audit logs for Data Access for more information.

CodePudding user response：

Thanks Sai for the pointers on Data Access Logs (or Cloud Audit Logs) enablement.

Just want to chime in from Firebase Realtime Database's perspective.

You have already found our documentation page: https://firebase.google.com/support/guides/cloud-audit-logging/firebase-realtime-database#enabling_audit_logging

Note that there can be up to 1h of delay between audit logs IAM configs change and your databases picks up the change.

Also keep in mind that RTDB cloud audit logs only include listen registration event, update broadcast are omitted. For more details, see compare audit logs with profiler documentation.