This page explains how to enable network policy logging in a Google Distributed Cloud user cluster and how to export logs. See Using network policy logging to learn how to configure which events are logged and how logs are formatted.
Overview
Network policies are Pod-level firewalls; they specify network traffic that Pods are allowed to send and receive. Network policy logs record network policy events. You can log all events or you can configure logging selectively based on the following criteria:
- Allowed connections.
- Denied connections.
- Connections allowed by specific policies.
- Denied connections to Pods in specific namespaces.
Before you begin
Network policy logging is supported in user clusters that use
Dataplane V2. You can enable
Dataplane V2 when creating a new user cluster by using the
enableDataplaneV2
field in the user cluster configuration file.
Enabling logging
Network policy logging is not enabled by default. For information on enabling logging and selecting which events to log, see Configuring network policy logging.
Accessing logs
The network policy logs generated on each cluster node are available locally on
the cluster nodes at
/var/log/network/policy_actiontimestamp.log. A new
timestamped log file is created when the current log file reaches 10 MB. Up to
five previous log files are stored.
Exporting logs
We recommend you use Fluent Bit to export logs from your cluster nodes. Fluent Bit is an open source log processor and forwarder that supports exporting to Cloud Logging and many other data sinks.
What's next
- Learn how to configure network policy logging
- Learn how to create a network policy