Configure usage audit logging for Gemini Enterprise

This guide explains how admins can turn on and monitor usage audit logging for Gemini Enterprise through the API. Usage audit logs let organizations track user operations, metadata, and core content for auditing and observability purposes.

You can manage usage auditing for Gemini Enterprise using the ObservabilityConfig settings in the Gemini Enterprise app. Turning on observability captures request and response data, including prompts and grounding metadata, and stores it in Cloud Logging.

Before you begin

Before configuring audit logs, ensure that you have the following IAM roles:

  • To turn on audit logging, you must have the Discovery Engine Admin IAM role (roles/discoveryengine.admin).
  • To access Cloud Logging, you must have the Logs Viewer IAM role (roles/logging.viewer).

Turn on usage audit logging for apps

The following sections describe how to turn on usage audit logging when creating a new app or for an existing app.

Turn on usage audit logging when creating an app

You can turn on usage audit logging when creating a new app by including the observabilityConfig settings in the app creation command. To create a new app with usage audit logging turned on, run the following command:

REST

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines?engineId=APP_ID" \
-d '{
  "name": "projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID",
  "displayName": "APP_DISPLAY_NAME",
  "solutionType": "SOLUTION_TYPE_SEARCH",
  "searchEngineConfig": {
    "searchTier": "SEARCH_TIER_ENTERPRISE",
    "searchAddOns": ["SEARCH_ADD_ON_LLM"],
    "requiredSubscriptionTier": "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT"
  },
  "industryVertical": "GENERIC",
  "appType": "APP_TYPE_INTRANET",
  "observabilityConfig": {
    "observabilityEnabled": true,
    "sensitiveLoggingEnabled": true
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu.
  • APP_ID: the ID of the app that you want to create.
  • APP_DISPLAY_NAME: the display name of the app that you want to create.

Turn on usage audit logging for an existing app

To turn on usage audit logging on an existing app, run the following command:

REST

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID?updateMask=observabilityConfig" \
-d '{
  "observabilityConfig": {
    "observabilityEnabled": true,
    "sensitiveLoggingEnabled": true
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu.
  • APP_ID: the ID of the app.
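
To confirm which apps actually have usage audit logging turned on, the following added example (not part of the original guide or of Google's tooling) checks the observabilityConfig flags on a set of engine resources and builds the PATCH request shown above for each app that falls short. The sample data is constructed, the function names are hypothetical, and it assumes the engines arrive in an "engines" array and that ENDPOINT_LOCATION matches the LOCATION segment of the resource name.

```python
import json

# Constructed sample, shaped like a list of engine resources ({"engines": [...]}).
# Assumption: each engine carries the observabilityConfig block shown in this guide.
SAMPLE_LIST_RESPONSE = json.loads("""
{"engines": [
  {"name": "projects/example-project/locations/global/collections/default_collection/engines/hr-assistant",
   "observabilityConfig": {"observabilityEnabled": true, "sensitiveLoggingEnabled": true}},
  {"name": "projects/example-project/locations/eu/collections/default_collection/engines/legal-search",
   "observabilityConfig": {"observabilityEnabled": true}},
  {"name": "projects/example-project/locations/us/collections/default_collection/engines/sandbox"}
]}
""")

# Flags this audit expects to be true; pass a shorter tuple if policy differs.
REQUIRED = ("observabilityEnabled", "sensitiveLoggingEnabled")


def audit_engines(list_response, required=REQUIRED):
    """Return {engine name: [flags that are not true]} for non-compliant engines."""
    findings = {}
    for engine in list_response.get("engines", []):
        config = engine.get("observabilityConfig") or {}
        # An absent flag is treated as off: only an explicit true passes.
        off = [flag for flag in required if config.get(flag) is not True]
        if off:
            findings[engine["name"]] = off
    return findings


def remediation_request(engine_name):
    """Build the PATCH (URL, JSON body) from this guide for one engine name."""
    # Assumption: the endpoint prefix equals the location in the resource name.
    location = engine_name.split("/")[3]
    url = (f"https://{location}-discoveryengine.googleapis.com/v1alpha/"
           f"{engine_name}?updateMask=observabilityConfig")
    body = {"observabilityConfig": {flag: True for flag in REQUIRED}}
    return url, json.dumps(body)


if __name__ == "__main__":
    for name, off in audit_engines(SAMPLE_LIST_RESPONSE).items():
        url, body = remediation_request(name)
        print(f"{name}: not enabled -> {', '.join(off)}")
        print(f"  PATCH {url}\n  {body}")
```
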

Logged information

The following summarizes the usage data logged by Gemini Enterprise, grouped by service path:

SearchService.Search

Logs the data on the sources used for grounding or as LLM input.

Request:
  • query
  • user_info

Response:
  • attribution_token
  • results.id

AssistantService.Assist

Logs the request and response from the Gemini Enterprise assistant.

Request:
  • name
  • query.text
  • query.parts

Response:
  • assist_token
  • answer.name
  • answer.state
  • answer.replies.grounded_content.text
  • answer.replies.grounded_content.text_grounding_metadata.segments
  • answer.replies.grounded_content.text_grounding_metadata.references
  • answer.skipped_reasons

AssistantService.StreamAssist

Request:
  • name
  • query.text
  • query.parts
  • agents_spec

Response:
  • assist_token
  • answer.name
  • answer.state
  • answer.replies.grounded_content.text
  • answer.replies.grounded_content.text_grounding_metadata.segments
  • answer.replies.grounded_content.text_grounding_metadata.references
  • answer.skipped_reasons

ConversationSearchService.AnswerQuery

Request:
  • serving_config
  • query.query_id
  • query.text
  • session
  • user_pseudo_id
  • end_user_spec
  • answer_generation_spec.model_spec.model_version
  • answer_generation_spec.prompt_spec.preamble
  • answer_generation_spec.include_citations
  • answer_generation_spec.answer_language_code
  • answer_generation_spec.ignore_adversarial_query
  • answer_generation_spec.ignore_non_answer_seeking_query
  • answer_generation_spec.ignore_jail_breaking_query

Response:
  • answer
  • answer_query_token

EngineService.CreateEngine

Request:
  • engine_id
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores

Response:
  • engine_id
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores

EngineService.UpdateEngine

Request:
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores
  • update_mask

Response:
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores

AgentService.SetIamPolicy

Request:
  • policy.bindings.roles
  • policy.bindings.members

Response:
  • policy.bindings.roles
  • policy.bindings.members

AgentService.CreateAgent

Request:
  • parent
  • agent_id
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case

Response:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case

AgentService.UpdateAgent

Request:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case
  • update_mask

Response:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case

Access usage logs

To access and view the usage audit logs, follow these steps:

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Select the Google Cloud project for which you enabled audit logging.

  3. To show only Gemini Enterprise logs, enter the following query in the query editor field, and click Run Query:

      logName="projects/PROJECT_ID/logs/discoveryengine.googleapis.com%2Fgemini_enterprise_user_activity"
    

    Replace the following:

    • PROJECT_ID: the ID of your project.

Turn off usage audit logs for an app

To turn off usage audit logging, run the following command:

REST

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID?updateMask=observabilityConfig" \
-d '{
  "observabilityConfig": {
    "observabilityEnabled": false,
    "sensitiveLoggingEnabled": false
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu.
  • APP_ID: the ID of the app.