Note: This documentation applies to the Standard, Plus, and Frontline editions of Gemini Enterprise. For information about the Business edition, see the Gemini Enterprise - Business edition Help Center.

Access Gemini Enterprise usage audit logs with Cloud Logging

This page describes how to set up and access usage audit logs for Gemini Enterprise.

Key concepts

This section introduces key concepts related to observability in Gemini Enterprise.

Concept	Description
Usage audit logs	Usage audit logs are records of administrative activities and accesses within your Google Cloud resources. They provide detailed information about who performed what action, when, and from where. These logs are essential for security auditing, compliance, and understanding how your resources are being used.

Before you begin

Before configuring audit logs, ensure that you have the following:

Turn on the observability settings. For more information, see Turn on observability settings.
To turn on the audit logging, you must have the Discovery Engine Admin IAM role (roles/discoveryengine.admin).
To access Cloud Logging, you must have the Logs Viewer IAM role (roles/logging.viewer).
Ensure you have created a Gemini Enterprise app. To create one, see Create an app.

Logged information

The following table summarizes the usage data logged by Gemini Enterprise:

Service path	Logged data
`SearchService.Search`	Logs the data on the sources used for grounding or as LLM input. Request: `query` `user_info` Response: `attribution_token` `results.id`
`AssistantService.Assist`	Logs the request and response from the Gemini Enterprise assistant. Request: `name` `query.text` `query.parts` Response: `assist_token` `answer.name` `answer.state` `answer.replies.grounded_content.text` `answer.replies.grounded_content.text_grounding_metadata.segments` `answer.replies.grounded_content.text_grounding_metadata.references` `answer.skipped_reasons`
`AssistantService.StreamAssist`	Request: `name` `query.text` `query.parts` `agents_spec` Response: `assist_token` `answer.name` `answer.state` `answer.replies.grounded_content.text` `answer.replies.grounded_content.text_grounding_metadata.segments` `answer.replies.grounded_content.text_grounding_metadata.references` `answer.skipped_reasons`
`ConversationSearchService.AnswerQuery`	Request: `serving_config` `query.query_id` `query.text` `session` `user_pseudo_id` `end_user_spec` `answer_generation_spec.model_spec.model_version` `answer_generation_spec.prompt_spec.preamble` `answer_generation_spec.include_citations` `answer_generation_spec.answer_language_code` `answer_generation_spec.ignore_adversarial_query` `answer_generation_spec.ignore_non_answer_seeking_query` `answer_generation_spec.ignore_jail_breaking_query` Response: `answer` `answer_query_token`
`EngineService.CreateEngine`	Request: `engine_id` `engine.name` `engine.create_time` `engine.display_name` `engine.update_time` `engine.data_store_ids` `engine.data_stores` Response: `engine_id` `engine.name` `engine.create_time` `engine.display_name` `engine.update_time` `engine.data_store_ids` `engine.data_stores`
`EngineService.UpdateEngine`	Request: `engine.name` `engine.create_time` `engine.display_name` `engine.update_time` `engine.data_store_ids` `engine.data_stores` `update_mask` Response: `engine.name` `engine.create_time` `engine.display_name` `engine.update_time` `engine.data_store_ids` `engine.data_stores`
`AgentService.SetIamPolicy`	Request: `policy.bindings.roles` `policy.bindings.members` Response: `policy.bindings.roles` `policy.bindings.members`
`AgentService.CreateAgent`	Request: `parent` `agent_id` `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case` Response: `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case`
`AgentService.UpdateAgent`	Request: `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case` `update_mask` Response: `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case`
`AgentService.CreateAgentRequest`	Request: `parent` `agent_id` `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case` Response: `agent.name` `agent.display_name` `agent.create_time` `agent.update_time` `agent.definition_case`
`GroundedGenerationService.GenerateGroundedContent`	Request: `contents` `location` `generation_spec` `system_instruction` `safety_settings` `user_labels` `grounding_spec.explicit_search_queries` `grounding_spec.grounding_sources` Response: `content` `grounding_metadata` `grounding_score`
`DataConnectorService.UpdateDataConnector`	Request: `data_connector.name` `data_connector.create_time` `data_connector.update_time` `data_connector.data_source` `data_connector.refresh_interval` `data_connector.bap_config` Response: `data_connector.name` `data_connector.create_time` `data_connector.update_time` `data_connector.data_source` `data_connector.refresh_interval` `data_connector.bap_config`
`AssistantService.AddContextFile`	Request: `name` `file_name` Response: `session` `file_id`
`AssistantService.UploadSessionFile`	Request: `name` `blob.filename` Response: `file_id`

Access usage audit logs

To access and view all Gemini Enterprise usage audit logs, follow these steps:

In the Google Cloud console, go to the Logs Explorer page.

Go to Logs Explorer
Select the Google Cloud project for which you enabled audit logging.

To show only Gemini Enterprise logs, enter the following query in the query editor field, and click Run Query:

  logName="projects/PROJECT_ID/logs/discoveryengine.googleapis.com%2Fgemini_enterprise_user_activity" OR logName=~"projects/PROJECT_ID/logs/discoveryengine.googleapis.com%2Fgen_ai.*"

Replace the following:

PROJECT_ID: the ID of your project.

Control access to logs

You can control access to the logs in Cloud Logging. For detailed guidance on access control methods, including using IAM conditions for fine-grained access, see Access control with IAM.

Default access control

By default, Gemini Enterprise sends Cloud Logging data to the _Default bucket. The following IAM roles control access to this bucket:

Logs Viewer role (roles/logging.viewer)
Private Logs Viewer role (roles/logging.privateLogViewer)
Logs View Accessor role (roles/logging.viewAccessor)

Fine-grained access control

If your project contains logs with varying sensitivity levels, you can use several Google Cloud and Cloud Logging tools to configure more fine-grained access control.

You can configure fine-grained access control using the following options:

Option	Description
IAM conditions	Set up fine-grained access control using IAM conditions. For more information, see Logging roles.
Log views	Use log views to limit user access to a subset of logs within a log bucket. For more information, see Configure log views on a log bucket.
Log sinks	Use log sinks to route sensitive logs to a separate project with more restrictive IAM access. For more information, see Route logs to supported destinations.
Tags	Use tags to manage IAM access to individual log buckets within a project. For more information, see Use tags to manage access to log buckets.
Field-level access control	Use field-level access control to hide or restrict access to specific fields within log entries. For more information, see Configure field-level access.

What's next

To turn off logging of prompt inputs and response outputs, see Turn off observability settings.