Pub/Sub generates audit logs that capture administrative and access activities of Pub/Sub resources. Some examples of these activities include creating a topic, updating a subscription, or deleting a snapshot. You can use these logs for troubleshooting issues and ensuring the security of your messaging infrastructure.
Here are some important points to remember regarding audit logs in Pub/Sub:
- Pub/Sub audit logs use the service name pubsub.googleapis.com.
- Pub/Sub has different types of logs. These include the following:
  - Admin activity logs record actions like creating, deleting, or updating topics and subscriptions.
  - Data access logs record actions like retrieving a topic or listing subscriptions.
  - System event logs record events like removing inactive subscriptions.
- Pub/Sub does not log message operations like publishing, subscribing, or acknowledging messages. 
For more information about audit logs for Pub/Sub, see Audit logging.
View Pub/Sub audit logs
Logs Explorer provides a centralized location to access all your log data within Cloud de Confiance by S3NS. You can use Logs Explorer to view Pub/Sub logs.
- Get the required permissions to view Logs Explorer. For more information, see Before you begin.
- In the Cloud de Confiance console, go to the Logs Explorer page. 
- Select an existing Cloud de Confiance project, folder, or organization. 
- To display all audit logs related to Pub/Sub, enter the following query into the query-editor field:
  protoPayload.serviceName="pubsub.googleapis.com"
  Figure 1: Enter a query.
- Click Run query. 
- To display the audit logs for a specific resource and audit log type, in the Query builder pane, do the following:
  - For All resources, select the Cloud de Confiance resource whose audit logs you want to see. For example, select Cloud Pub/Sub Topic and then select the topic name.
  - For All log names, select the audit log type that you want to see. For example:
    - For Admin activity audit logs, select activity.
    - For System event audit logs, select system_event.
The query runs automatically.
How to use audit logs to troubleshoot Pub/Sub issues
- Determine the specific problem that you're investigating. Here is a list of potential issues:
  - Identify who created, deleted, or modified topics, subscriptions, snapshots, or schemas.
  - Track changes to topic or subscription settings.
  - Verify if a topic or subscription exists and its current status.
  However, you cannot use audit logs to troubleshoot issues related to message publishing and delivery. You won't find logs for message delivery failures, message duplication, or message ordering problems. Audit logs also won't help you identify slow subscribers or issues with message acknowledgments. For troubleshooting message-level issues, you'll need to rely on other tools like monitoring metrics, dead-letter queues, and application logs.
- Based on the issue, construct a query to filter the audit logs.
  - For example, to find out who deleted a subscription, filter by:
    protoPayload.methodName="google.pubsub.v1.Subscriber.DeleteSubscription"
  - To investigate a potential error with creating a subscription, filter by:
    protoPayload.methodName="google.pubsub.v1.Subscriber.CreateSubscription"
- Examine the timestamps, principals, and resource names in the log entries to understand the sequence of events and identify any anomalies. 
For more information on how to construct an audit log query for Pub/Sub, see Audit logging.
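The troubleshooting steps above can also be applied to exported log entries offline. The following Python sketch is an added example, not part of the product documentation: it builds a per-resource timeline from audit log entries and reports who deleted a subscription. The project, subscription, and principal names are constructed sample values, and the helper names are hypothetical.

```python
from datetime import datetime

SUB = "projects/example-project/subscriptions/orders-sub"  # constructed name

def _entry(ts, who, method, resource, code=None):
    """Build a dict shaped like an exported Cloud Logging audit LogEntry."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "pubsub.googleapis.com",
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": who},
            "status": {} if code is None else {"code": code},
        },
    }

# Constructed sample entries, deliberately out of order.
SAMPLE = [
    _entry("2024-05-01T11:30:00.250Z", "deploy-bot@example.com",
           "google.pubsub.v1.Subscriber.DeleteSubscription", SUB),
    _entry("2024-05-01T10:00:00Z", "alice@example.com",
           "google.pubsub.v1.Subscriber.CreateSubscription", SUB),
    _entry("2024-05-01T10:05:00Z", "bob@example.com",
           "google.pubsub.v1.Subscriber.UpdateSubscription", SUB),
    _entry("2024-05-01T10:07:00Z", "bob@example.com",
           "google.pubsub.v1.Publisher.UpdateTopic", "projects/example-project/topics/orders"),
    _entry("2024-05-01T11:45:00Z", "alice@example.com",  # 7 = PERMISSION_DENIED
           "google.pubsub.v1.Subscriber.CreateSubscription", SUB, code=7),
]

def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp, truncating fractions to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{base}.{frac[:6].ljust(6, '0')}+00:00")

def timeline(entries, resource):
    """Return (time, principal, method, ok) rows for one resource, oldest first."""
    rows = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("serviceName") != "pubsub.googleapis.com" or p.get("resourceName") != resource:
            continue
        who = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        ok = p.get("status", {}).get("code", 0) == 0  # empty status means success
        rows.append((parse_ts(e["timestamp"]), who, p.get("methodName", "").rsplit(".", 1)[-1], ok))
    return sorted(rows)

def deleted_by(entries, resource):
    """Principals behind successful Delete* calls on the resource."""
    return [who for _, who, method, ok in timeline(entries, resource) if ok and method.startswith("Delete")]
```

Reading the timeline in order shows the sequence the last step asks for: creation, modification, deletion, and a later failed attempt to recreate the subscription.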