I understand that audit logs includes by default Admin activities like 'delete' but I can't find any logs in the GCP logs registry related to created or deleted collections in my Firestore project.
I used the following query:
resource.type=("datastore_database" OR "datastore_index")
logName=(
"projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fsystem_event"
OR "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fpolicy"
)
Edited to fix projects path (thanks to Javier M)
This method, seen under ADMIN WRITE audit logs, are related to long running operations, which are API calls that takes a long time to complete. Thus, the method will erase the long-running operation (meaning that the client is no longer interested on its result). It has nothing to do with deleting entries in a Cloud Firestore instance.
You cannot see logs for Delete Collection simply because you can't delete a collection. Instead, you need to delete all the documents and sub documents you have under the Collection.
Therefore, what you'll see in the logs referring as delete will be for deleting a document and deleting a field. Once all documents are deleted, you can assume a Collection is deleted as well.
You can see a Collection as a namespace or as a container (which is how the documentation refers to it) for documents.