This document describes audit logging for Google Cloud remote Model Context Protocol (MCP) servers. Google Cloud services generate audit logs that record administrative and access activities within your Google Cloud resources. For more information about Cloud Audit Logs, see the following:
- Types of audit logs
- Audit log entry structure
- Storing and routing audit logs
- Cloud Logging pricing summary
- Enable Data Access audit logs
Service name
Audit logs for MCP servers are generated per service. To filter for MCP audit logs:
protoPayload.serviceName="SERVICE_NAME/mcp"
Where SERVICE_NAME is the name of the service, for example bigquery.googleapis.com. To get a list of enabled services, see List services.
Permission types
Each Identity and Access Management permission has a type property, whose value is an enum that can be one of four values: ADMIN_READ, ADMIN_WRITE, DATA_READ, or DATA_WRITE. When you call a method, the service generates an audit log whose category depends on the type property of the permission required to perform the method.
Methods that require an Identity and Access Management permission with the type property value of DATA_READ, DATA_WRITE, or ADMIN_READ generate Data Access audit logs.
Methods that require an Identity and Access Management permission with the type property value of ADMIN_WRITE generate Admin Activity audit logs.
Data Access audit logs for MCP
Data Access audit logs for MCP are disabled by default because audit logs can be quite large. If you want Data Access audit logs to be written for Google Cloud remote MCP server use, then you must explicitly enable them. Data Access audit logs are written to the Google Cloud project whose data is accessed. Enabling these logs might result in your Google Cloud project being charged for the additional logs usage.
To enable audit logs for MCP only, you must enable the DATA_READ audit logs for the service mcp.googleapis.com. If you want to enable audit logs for all services, enable allServices.
For more information about enabling and configuring Data Access audit logs, see Enable Data Access audit logs.
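The following is an added example, not part of the original documentation: a Python check over a project's IAM policy JSON (for instance, output saved from gcloud projects get-iam-policy PROJECT_ID --format=json) that reports whether DATA_READ audit logs are enabled for mcp.googleapis.com directly or through allServices, and which members are exempted from logging. The function name, sample policies, and service account are constructed for illustration.

```python
"""Check an IAM policy for MCP Data Access (DATA_READ) audit logging."""

MCP_SERVICE = "mcp.googleapis.com"   # service named on this page
ALL_SERVICES = "allServices"         # special value covering every service


def mcp_data_read_audit(policy):
    """Return (enabled, enabled_by, exempted_members) for MCP DATA_READ logs.

    IAM applies the union of the allServices config and the service-specific
    config, so exemptions from both entries are merged.
    """
    enabled_by = []
    exempted = set()
    for cfg in policy.get("auditConfigs", []):
        service = cfg.get("service")
        if service not in (MCP_SERVICE, ALL_SERVICES):
            continue  # other services do not enable MCP audit logs
        for log_cfg in cfg.get("auditLogConfigs", []):
            if log_cfg.get("logType") == "DATA_READ":
                enabled_by.append(service)
                exempted.update(log_cfg.get("exemptedMembers", []))
    return bool(enabled_by), sorted(set(enabled_by)), sorted(exempted)


# Constructed sample policies (only the auditConfigs part is shown).
POLICY_BIGQUERY_ONLY = {"auditConfigs": [
    {"service": "bigquery.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"}]}]}

POLICY_MCP = {"auditConfigs": [
    {"service": "mcp.googleapis.com",
     "auditLogConfigs": [
         {"logType": "DATA_READ",
          "exemptedMembers": [
              "serviceAccount:agent@example.iam.gserviceaccount.com"]}]}]}

POLICY_ALL = {"auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"},
                         {"logType": "DATA_READ"}]}]}

if __name__ == "__main__":
    for name, pol in [("bigquery-only", POLICY_BIGQUERY_ONLY),
                      ("mcp", POLICY_MCP), ("allServices", POLICY_ALL)]:
        print(name, mcp_data_read_audit(pol))
```

A non-empty exempted list means calls made by those principals produce no Data Access entries, so review it alongside the enabled state.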
System events
System Event audit logs are generated by Google Cloud systems, not direct user action. For more information, see System Event audit logs.