Configure usage audit logging for NotebookLM Enterprise

This guide explains how admins can turn on and monitor usage audit logging for NotebookLM Enterprise through the API. Usage audit logs let organizations track user operations, metadata, and core content for auditing and observability purposes.

You can manage usage auditing for NotebookLM Enterprise using the ObservabilityConfig settings at the project level. Turning on observability captures request and response data, including prompts and grounding metadata, and stores it in Cloud Logging.

Before you begin

Before configuring audit logs, ensure that you have the following IAM roles:

  • To enable the audit logs, you must have the Discovery Engine Admin IAM role (roles/discoveryengine.admin).
  • To access Cloud Logging, you must have the Logs Viewer IAM role (roles/logging.viewer).

Turn on usage audit logging

To turn on usage audit logging, run the following command:

REST

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID?updateMask=customerProvidedConfig.notebooklmConfig.observabilityConfig" \
-d '{
  "customerProvidedConfig": {
    "notebooklmConfig": {
      "observabilityConfig": {
        "observabilityEnabled": true,
        "sensitiveLoggingEnabled": true
      }
    }
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.

Logged information

The following table summarizes the usage data logged by NotebookLM Enterprise:

Service Path Logged data
NotebookService.CreateNotebook Request:
  • parent
  • notebook.name
Response:
  • No response fields are logged.
NotebookService.ShareNotebook Request:
  • name
  • account_and_roles
Response:
  • No response fields are logged.
NotebookService.DeleteNotebook Request:
  • parent
  • names
Response:
  • No response fields are logged.
NotebookService.GetNotebook Request:
  • name
Response:
  • name
  • title
  • cmek_config

Access usage logs

To view the usage audit logs for NotebookLM Enterprise:

  1. In the Google Cloud console, go to the Logs Explorer page.

    Go to Logs Explorer

  2. Select the Google Cloud project for which you enabled audit logging.

  3. Use the following query to view the audit logs for NotebookLM Enterprise:

    resource.type="audited_resource"
resource.labels.service="discoveryengine.googleapis.com"
protoPayload.serviceName="discoveryengine.googleapis.com"
protoPayload.methodName:"NotebookService"

    You can further refine the query to filter by specific methods. For example: protoPayload.methodName="google.cloud.discoveryengine.v1alpha.NotebookService.CreateNotebook".

Turn off usage audit logs

To turn off usage audit logging, run the following command:

REST

curl -X PATCH \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json" \
-H "X-Goog-User-Project: PROJECT_ID" \
"https://ENDPOINT_LOCATION-discoveryengine.googleapis.com/v1alpha/projects/PROJECT_ID?updateMask=customerProvidedConfig.notebooklmConfig.observabilityConfig" \
-d '{
  "customerProvidedConfig": {
    "notebooklmConfig": {
      "observabilityConfig": {
        "observabilityEnabled": false,
        "sensitiveLoggingEnabled": false
      }
    }
  }
}'

Replace the following:

  • ENDPOINT_LOCATION: the multi-region for your API request. Specify one of the following values:
    • us for the US multi-region
    • eu for the EU multi-region
    • global for the Global location
    For more information, see Specify a multi-region for your data store.
  • PROJECT_ID: the ID of your project.