Configure usage audit logging for Gemini Enterprise

This guide explains how admins can turn on and monitor usage audit logging for Gemini Enterprise through the API. Usage audit logs let organizations track user operations, metadata, and core content for auditing and observability purposes.

You can manage usage auditing for Gemini Enterprise using the ObservabilityConfig settings in the Gemini Enterprise app. Turning on observability captures request and response data, including prompts and grounding metadata, and stores it in Cloud Logging.

Before you begin

Before configuring audit logs, ensure that you have the following IAM roles:

  • To turn on the audit logging, you must have the Discovery Engine Admin IAM role (roles/discoveryengine.admin).
  • To access Cloud Logging, you must have the Logs Viewer IAM role (roles/logging.viewer).

Turn on usage audit logging for apps

The following sections describe how to turn on usage audit logging when creating a new app or for an existing app.

Turn on usage audit logging when creating an app

You can turn on usage audit logging when creating a new app by including the observabilityConfig settings in the app creation command. To create a new app with usage audit logging turned on, run the following command:

REST

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines?engineId=APP_ID" \
-d '{
  "name": "projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID",
  "displayName": "APP_DISPLAY_NAME",
  "solutionType": "SOLUTION_TYPE_SEARCH",
  "searchEngineConfig": {
    "searchTier": "SEARCH_TIER_ENTERPRISE",
    "searchAddOns": ["SEARCH_ADD_ON_LLM"],
    "requiredSubscriptionTier": "SUBSCRIPTION_TIER_SEARCH_AND_ASSISTANT"
  },
  "industryVertical": "GENERIC",
  "appType": "APP_TYPE_INTRANET",
  "observabilityConfig": {
    "observabilityEnabled": true,
    "sensitiveLoggingEnabled": true
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu
  • APP_ID: the ID of the app that you want to create.
  • APP_DISPLAY_NAME: the display name of the app that you want to create.

Turn on usage audit logging for an existing app

To turn on usage audit logging on an existing app, run the following command:

REST

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID?updateMask=observabilityConfig" \
-d '{
  "observabilityConfig": {
    "observabilityEnabled": true,
    "sensitiveLoggingEnabled": true
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu
  • APP_ID: the ID of the app.

Logged information

The following table summarizes the usage data logged by Gemini Enterprise:

Service path Logged data
SearchService.Search

Logs the data on the sources used for grounding or as LLM input.

Request:
  • query
  • user_info

Response:
  • attribution_token
  • results.id
AssistantService.Assist

Logs the request and response from the Gemini Enterprise assistant.

Request:
  • name
  • query.text
  • query.parts

Response:
  • assist_token
  • answer.name
  • answer.state
  • answer.replies.grounded_content.text
  • answer.replies.grounded_content.text_grounding_metadata.segments
  • answer.replies.grounded_content.text_grounding_metadata.references
  • answer.skipped_reasons
AssistantService.StreamAssist Request:
  • name
  • query.text
  • query.parts
  • agents_spec

Response:
  • assist_token
  • answer.name
  • answer.state
  • answer.replies.grounded_content.text
  • answer.replies.grounded_content.text_grounding_metadata.segments
  • answer.replies.grounded_content.text_grounding_metadata.references
  • answer.skipped_reasons
ConversationSearchService.AnswerQuery Request:
  • serving_config
  • query.query_id
  • query.text
  • session
  • user_pseudo_id
  • end_user_spec
  • answer_generation_spec.model_spec.model_version
  • answer_generation_spec.prompt_spec.preamble
  • answer_generation_spec.include_citations
  • answer_generation_spec.answer_language_code
  • answer_generation_spec.ignore_adversarial_query
  • answer_generation_spec.ignore_non_answer_seeking_query
  • answer_generation_spec.ignore_jail_breaking_query

Response:
  • answer
  • answer_query_token
EngineService.CreateEngine Request:
  • engine_id
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores

Response:
  • engine_id
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores
EngineService.UpdateEngine Request:
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores
  • update_mask

Response:
  • engine.name
  • engine.create_time
  • engine.display_name
  • engine.update_time
  • engine.data_store_ids
  • engine.data_stores
AgentService.SetIamPolicy Request:
  • policy.bindings.roles
  • policy.bindings.members

Response:
  • policy.bindings.roles
  • policy.bindings.members
AgentService.CreateAgent Request:
  • parent
  • agent_id
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case

Response:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case
AgentService.UpdateAgent Request:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case
  • update_mask

Response:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case
AgentService.CreateAgentRequest Request:
  • parent
  • agent_id
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case

Response:
  • agent.name
  • agent.display_name
  • agent.create_time
  • agent.update_time
  • agent.definition_case
GroundedGenerationService.GenerateGroundedContent Request:
  • contents
  • location
  • generation_spec
  • system_instruction
  • safety_settings
  • user_labels
  • grounding_spec.explicit_search_queries
  • grounding_spec.grounding_sources

Response:
  • content
  • grounding_metadata
  • grounding_score
DataConnectorService.UpdateDataConnector Request:
  • data_connector.name
  • data_connector.create_time
  • data_connector.update_time
  • data_connector.data_source
  • data_connector.refresh_interval
  • data_connector.bap_config

Response:
  • data_connector.name
  • data_connector.create_time
  • data_connector.update_time
  • data_connector.data_source
  • data_connector.refresh_interval
  • data_connector.bap_config
AssistantService.AddContextFile Request:
  • name
  • file_name

Response:
  • session
  • file_id
AssistantService.UploadSessionFile Request:
  • name
  • blob.filename

Response:
  • file_id

Access usage logs

To access and view the usage audit logs, follow these steps:

  1. In the Google Cloud console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Select the Google Cloud project for which you enabled audit logging.

  3. To show only Gemini Enterprise logs, enter the following query in the query editor field, and click Run Query:

      logName="projects/PROJECT_ID/logs/discoveryengine.googleapis.com%2Fgemini_enterprise_user_activity" OR logName=~"projects/PROJECT_ID/logs/discoveryengine.googleapis.com%2Fgen_ai.*"

    Replace the following:

    • PROJECT_ID: the ID of your project.

Control access to logs

You can control access to the logs in Cloud Logging. For detailed guidance on access control methods, including using IAM conditions for fine-grained access, see Access control with IAM.

Default access control

By default, Gemini Enterprise sends Cloud Logging data to the _Default bucket. The following IAM roles control access to this bucket:

Fine-grained access control

If your project contains logs with varying sensitivity levels, you can use several Google Cloud and Cloud Logging tools to configure more fine-grained access control.

You can configure fine-grained access control using the following options:

Option Description
IAM conditions Set up fine-grained access control using IAM conditions. For more information, see Logging roles.
Log views Use log views to limit user access to a subset of logs within a log bucket. For more information, see Configure log views on a log bucket.
Log sinks Use log sinks to route sensitive logs to a separate project with more restrictive IAM access. For more information, see Route logs to supported destinations.
Tags Use tags to manage IAM access to individual log buckets within a project. For more information, see Use tags to manage access to log buckets.
Field-level access control Use field-level access control to hide or restrict access to specific fields within log entries. For more information, see Configure field-level access.

Turn off usage audit logs for an app

To turn off usage audit logging, run the following command:

REST

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID/locations/LOCATION/collections/default_collection/engines/APP_ID?updateMask=observabilityConfig" \
-d '{
  "observabilityConfig": {
    "observabilityEnabled": false,
    "sensitiveLoggingEnabled": false
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.
  • LOCATION: the multi-region of your data store: global, us, or eu
  • APP_ID: the ID of the app.