Looker Core Audit Logs
Ingests audit logs from Looker (Google Cloud core) instances via Google Cloud Logging. This connector automatically filters log entries to your Looker Core instances and supports all four audit log categories.
Sync Type: Incremental
Requirements
Before setting up the Looker Core Audit Logs input, you need to:
- Have a Google Cloud Platform (GCP) account with one or more Looker Core instances.
- Decide which audit log categories to collect (see Log Categories below).
- If collecting Data Access logs, explicitly enable them first (see Enabling Data Access Logs).
- Create a GCP service account with the necessary permissions.
- Generate a JSON key for the service account.
Log Categories
Looker Core publishes four audit log categories through Google Cloud Logging:
| Category | Always Available | Billed |
|---|---|---|
| Admin Activity | Yes | No |
| Data Access | No — must be explicitly enabled | Yes |
| System Event | Yes | No |
| Policy Denied | Yes | No |
Admin Activity captures administrative operations on your Looker instance such as creating or deleting instances, configuration changes, and IAM changes.
Data Access captures user queries and data access operations inside Looker (e.g., running Looks, accessing dashboards, API reads). These logs are disabled by default and are billed by Google. Only enable this category if you have turned it on in GCP and are prepared for the associated cost.
System Event captures Google-system-driven actions on your Looker instance (e.g., automatic maintenance operations).
Policy Denied captures requests denied by VPC Service Controls or organization policy.
Enabling Data Access Logs
Data Access logs are disabled by default and must be explicitly enabled in GCP before this connector can collect them.
- In the Google Cloud console, go to the Audit Logs page.
- Select the GCP project that hosts your Looker Core instance.
- In the Data Access audit logs configuration table, select one or more Google Cloud services from the Service column.
- In the Permission types tab, select the Data Access audit log types that you want to enable for your selected services.
- Check the Data Read and/or Data Write checkboxes under the Looker service.
- Click Save.
Note: Once enabled, Data Access logs begin generating immediately and are billed by Google Cloud. Review Cloud Audit Logs pricing before enabling.
IAM Roles
The service account requires different roles depending on which log categories you want to collect:
| Role | Grants Access To |
|---|---|
roles/logging.viewer | Admin Activity, System Event, Policy Denied |
roles/logging.privateLogViewer | All of the above plus Data Access logs |
If you plan to collect Data Access logs, assign roles/logging.privateLogViewer. Otherwise, roles/logging.viewer is sufficient.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Project IDs | array | Yes | The GCP project IDs hosting your Looker Core instances (e.g., my-gcp-project). Accepts bare project IDs (my-project) or fully-qualified names (projects/my-project). |
| Log Categories | array | Yes | The audit log categories to ingest. Select one or more from: activity, data_access, system_event, policy. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Credentials JSON | string | Yes | GCP service account JSON key with roles/logging.viewer or roles/logging.privateLogViewer on the project. |
Setting up the Service Account
- Go to the Google Cloud Console.
- Select the GCP project that hosts your Looker Core instance.
- Navigate to IAM & Admin > Service Accounts.
- Click Create Service Account.
- Enter a name (e.g.,
looker-audit-logs-monad) and click Create and Continue. - Assign the appropriate role:
roles/logging.viewer— if collecting Admin Activity, System Event, and/or Policy Denied only.roles/logging.privateLogViewer— if also collecting Data Access logs.
- Click Continue and then Done.
- Find the newly created service account in the list and click on it.
- Go to the Keys tab and click Add Key > Create new key.
- Choose JSON as the key type and click Create.
- Save the downloaded JSON key file securely.
If your Looker instances span multiple GCP projects, repeat the role assignment for each project.
Setting up the Input
- In the Monad UI, go to the Inputs section.
- Click Add Input and select Looker Core Audit Logs.
- Configure the input settings:
- Project IDs: List the GCP project IDs that host your Looker Core instances (e.g.,
my-gcp-project). - Log Categories: Select the categories you want to collect. If selecting
data_access, ensure you have enabled Data Access logs in GCP first.
- Project IDs: List the GCP project IDs that host your Looker Core instances (e.g.,
- In the Secrets section, paste the contents of your service account JSON key file.
- Click Test Connection to verify everything is configured correctly.
Details
The Looker Core Audit Logs connector wraps the Google Cloud Logs connector and automatically:
- Scopes queries to your specified GCP projects via
ResourceNames. - Filters log entries to Looker Core using
resource.type="audited_resource"andprotoPayload.serviceName="looker.googleapis.com". - Restricts to the log categories you selected using a log name filter.
- Enables proto payload parsing to properly decode the
google.cloud.audit.AuditLogprotobuf payload. - Tracks the timestamp of the last processed entry for incremental sync.
Related Articles
- Looker Core Audit Logging Documentation
- Cloud Audit Logs Overview
- Enabling Data Access Audit Logs
- Cloud Logging Quotas and Limits
- Cloud Audit Logs Pricing