Monitor your logs

This document describes how you can use Cloud Monitoring to observe trends in your logs and to notify you when conditions you describe occur To provide Cloud Monitoring with data from your logs, Logging supports the following features:

You can generate custom metrics from your log entries. These metrics are called log-based-metrics. You can also create metric-based alerting policies to notify you when a log-based metric meets a condition. For more information, see Visualize log entry data with log-based metrics.
You can use alerting policies to monitor, in near real time, when a message appears in your log entries. These alerting policies are called log-based alerting policies. For more information, see Monitor individual log entries for messages.
You can write a SQL query in Log Analytics and create an alerting policy that monitors the results of the query. These alerting policies are called SQL-based alerting policies. For more information, see Monitor SQL query results.

SQL-based alerting policies is in Public Preview.

The rest of this document describes the differences between these three alerting policies, and provides information about authorization, costs, and limits.

Visualize log entry data with log-based metrics

When you want to monitor recurring events in your logs over time, use log-based metrics. Log-based metrics generate numeric data from your logs. Log-based metrics are suitable when you want to do any of the following:

Count the occurrences of a message, like a warning or error, in your logs and receive a notification when the number of occurrences crosses a threshold.
Observe trends in your data, like latency values in your logs, and receive a notification if the values change in an unacceptable way.
Create charts to display the numeric data extracted from your logs.

Because log-based metrics generate numeric data from your logs, you can use these metrics in alerting policies and display them in charts. For information about creating alerting policies and charts for log-based metrics, see Configure notifications for log-based metrics.

Cloud Monitoring provides a set of predefined log-based metrics, and you can define your own. To see a list of the system-defined log-based metrics, click the following button:

System-defined log-based metrics

The "metric type" strings in this table must be prefixed with logging.googleapis.com/. That prefix has been omitted from the entries in the table. When querying a label, use the metric.labels. prefix; for example, metric.labels.LABEL="VALUE".

Metric type ^{Launch stage} (Resource hierarchy levels) Display name
Kind, Type, Unit Monitored resources	Description Labels
`billing/bytes_ingested` ^GA *(project)* Bytes streamed into log buckets
`DELTA`, `INT64`, `By` global	Number of bytes streamed into log buckets for indexing, querying, and analysis; includes up to 30 days of storage. Sampled every 60 seconds. After sampling, data is not visible for up to 300 seconds. `resource_type`: Monitored resource type for the log entry.
`billing/bytes_stored` ^BETA *(project)* Logging Retention
`GAUGE`, `INT64`, `By` global	Volume of logs that are retained past the default 30 days. No data exists when the retention period of a log bucket is never larger than 30 days. This metric might have a value of zero when the retention period of a log bucket is shortened to 30 days. Sampled every 60 seconds. After sampling, data is not visible for up to 300 seconds. `data_type`: This field indicates that log volume reported here is charged for retention past the default 30 days. The data_type for all reported retention is set to `CHARGED`. `log_bucket_location`: The location where the log bucket resides. `log_bucket_id`: The id of the log bucket.
`billing/log_bucket_bytes_ingested` ^BETA *(project)* Bytes streamed into log buckets
`DELTA`, `INT64`, `By` global	Number of bytes streamed into log buckets for indexing, querying, and analysis; includes up to 30 days of storage. Sampled every 60 seconds. After sampling, data is not visible for up to 300 seconds. `log_source`: The resource container where the log comes from. `resource_type`: Monitored resource type for the logs streamed into log buckets. `log_bucket_location`: The location where the log bucket resides. `log_bucket_id`: The id of the log bucket.
`billing/log_bucket_monthly_bytes_ingested` ^BETA *(project)* Bytes streamed into log buckets monthly
`GAUGE`, `INT64`, `By` global	Number of bytes streamed into log buckets for indexing, querying, and analysis for this month-to-date; include up to 30 days of storage. Sampled every 1800 seconds. After sampling, data is not visible for up to 6000 seconds. `log_source`: The resource container where the log comes from. `resource_type`: Monitored resource type for the logs streamed into log buckets. `log_bucket_location`: The location where the log bucket resides. `log_bucket_id`: The id of the log bucket.
`billing/monthly_bytes_ingested` ^GA *(project)* Monthly bytes streamed into log buckets
`GAUGE`, `INT64`, `By` global	Month-to-date number of bytes streamed into log buckets for indexing, querying, and analysis; includes up to 30 days of storage. Sampled every 1800 seconds. After sampling, data is not visible for up to 6000 seconds. `resource_type`: Monitored resource type for the log entry.
`byte_count` ^GA *(project)* Log bytes
`DELTA`, `INT64`, `By`	Number of bytes in log entries streamed into log buckets. Excluded logs are not counted. Sampled every 60 seconds. `log`: Name of the log. `severity`: Severity of the log entry.
`dropped_log_entry_count` ^DEPRECATED *(project)* Logs-based metric errors (Deprecated)
`DELTA`, `INT64`, `1`	Use "logging.googleapis.com/logs_based_metrics_error_count" instead. Sampled every 60 seconds. `log`: Name of the log.
`exports/byte_count` ^GA *(project)* Exported log bytes
`DELTA`, `INT64`, `By` logging_sink	Number of bytes in log entries that were exported. Sampled every 60 seconds. After sampling, data is not visible for up to 420 seconds.
`exports/error_count` ^GA *(project)* Exported log entries failures
`DELTA`, `INT64`, `1` logging_sink	Number of log entries that failed to be exported. Sampled every 60 seconds. After sampling, data is not visible for up to 420 seconds.
`exports/log_entry_count` ^GA *(project)* Exported log entries
`DELTA`, `INT64`, `1` logging_sink	Number of log entries that were exported. Sampled every 60 seconds. After sampling, data is not visible for up to 420 seconds.
`log_entry_count` ^GA *(project)* Log entries
`DELTA`, `INT64`, `1`	Number of log entries streamed into log buckets. By default, log entries are stored for 30 days. Excluded logs are not counted. Sampled every 60 seconds. `log`: Name of the log. `severity`: Severity of the log entry.
`logs_based_metrics_error_count` ^GA *(project)* Logs-based metric errors
`DELTA`, `INT64`, `1`	Number of log entries streamed into log buckets that are not counted in system or user-defined logs-based metrics. This condition can occur if the timestamp of a log entry is more than 24 hours older, or 10 minutes newer, than the actual receive time. Sampled every 60 seconds. `log`: Name of the log.
`metric_label_cardinality` ^BETA *(project)* Logs-based metric active cardinality count by label
`GAUGE`, `INT64`, `1` metric	Cardinality estimate for each metric label of a logs-based metric. The estimate is computed over approximately 25 hours. Sampled every 60 seconds. After sampling, data is not visible for up to 270 seconds. `label`: Name of the metric label.
`metric_label_throttled` ^BETA *(project)* Logs-based metric label throttled status
`GAUGE`, `BOOL`, metric	Indicates if metric labels are being dropped for logs-based metrics due to exceeding cardinality limits. Sampled every 60 seconds. After sampling, data is not visible for up to 270 seconds. `label`: Name of the metric label.
`metric_throttled` ^GA *(project)* Logs-based metric throttled status
`GAUGE`, `BOOL`, metric	Indicates if labels or points are being dropped for logs-based metrics due to exceeding active time series (cardinality) limits. Sampled every 60 seconds. After sampling, data is not visible for up to 270 seconds.
`time_series_count` ^BETA *(project)* Logs-based metric active time series (cardinality) count
`GAUGE`, `INT64`, `1` metric	Active time series (cardinality) estimates for logs-based metrics. Only metric labels are counted and the estimate is computed over approximately 25 hours. Sampled every 60 seconds. After sampling, data is not visible for up to 270 seconds.

Table generated at 2024-10-30 21:25:54 UTC.

User-defined log-based metrics

You can create log-based metrics to extract numeric data from your logs. User-defined log-based metrics calculate values from both included and excluded logs.

By default, user-defined log-based metrics collect data from all logs received by the Log Router in your Google Cloud project, but you can define log-based metrics that collect data from logs routed to a specific log bucket.

For information about defining and using project-level log-based metrics, see Using log-based metrics.
For information about defining and using bucket-level log-based metrics, see Log-based metrics on log buckets.

If you define your own log-based metrics, you might incur charges. For more information about costs associated with metric ingestion, see Chargeable metrics.

Monitor individual log entries for messages

When you want to be notified anytime a specific message occurs in a log entry, use log-based alerting policies. Log-based alerting policies are useful for catching security-related events in log entries, like the following:

You want to be notified when an event appears in an audit log; for example, a human user accesses the security key of a service account.
Your application writes deployment messages to logs, and you want to be notified when a deployment change is logged.

Log-based alerting policies are useful for events that you expect to be both rare and important. You don't want to know about a trend or pattern; you want to know that something occurred.

For information about creating log-based alerting policies, see Configure log-based alerting policies.

You can configure a metric-based alerting policy to simulate a log-based alerting policy. To do so, define a log-based metric and use the metric in a metric-based alerting policy with a threshold of one. Log-based alerting policies give you that behavior without the need to create a log-based metric and configure a metric-based alerting policy.

Monitor SQL query results

You can configure alerting policies that use Log Analytics to run SQL queries on your log entry data. These types of alerting policies are effective when you want to get notified based on patterns that can't be evaluated by log-based alerting policies, such as complex patterns in log entries or aggregations of log data. For more information, see Monitor your SQL query results with an alerting policy.

Comparison of alerting options

This section compares alerting policies built on log-based metrics, log-based alerting policies, and SQL-based alerting policies.

Summary table

The following table summarizes the alerting techniques and provides links to additional information:

Metric-based alerting policies	Log-based alerting policies	SQL-based alerting policies	More information
Based on metrics derived from log entries	Based on strings in individual log entries	Based on tables returned by SQL queries over log entries	Log-based metrics Log-based alerting SQL-based alerting
Used to notify you of trends over time	Used to notify you when a specific message appears in a log	Used to notify you of a pattern in a window of log entries	Log-based metrics Log-based alerting SQL-based alerting
Calculated from Included logs (system-defined log-based metrics) Included and excluded logs (user-defined log-based metrics)	Match only included logs	Calculated from log entries in a sliding window	Available logs SQL-based alerting
Operate on metrics from all projects in the metrics scope of the scoping project	Operate on logs in the scoping project only	Operate on all readable logs in any Google Cloud project.	Alerting across multiple projects
Incident is created when the value of a metric meets a condition for a specified period	Incident is created each time a specific log entry matches a filter	Incident is created when the table of query results meets a condition	Incidents and notifications
Created and managed in Monitoring	Created in Logging; managed in Monitoring	Created in Log Analytics; managed in Monitoring	Creating and managing alerting policies SQL-based alerting
Viewed in Monitoring	Viewed in Monitoring	Viewed in Monitoring	Viewing alerting policies
Can use any notification channel supported in Monitoring	Can use any notification channel supported in Monitoring	Can use any notification channel supported in Monitoring	Notification channels

Available logs

User-defined log-based metrics are calculated from all logs received by the Logging API for the Google Cloud project, regardless of any inclusion filters or exclusion filters that may apply to the Google Cloud project. If you create an alerting policy based on a user-defined log-based metric, then the policy monitors data from all logs.

System-defined log-based metrics are calculated only from logs that have been stored in log buckets in the Google Cloud project. If a log has been explicitly excluded, then it isn't included in these metrics. If you create an alerting policy based on a system-defined log-based metric, then the policy monitors data only from included logs.

Log-based alerting policies operate only on included logs originating in a project. You can't use log-based alerting policies to notify you about messages in excluded logs, or logs from other resources, such as folders or organizations.

Both log-based metrics and log-based alerting policies operate on the Google Cloud project scope, not on individual buckets.

SQL-based alerting policies query log views on log buckets. These log buckets must be upgraded to use Log Analytics and then linked to a BigQuery dataset. For more information about SQL-based alerting policies, see Monitor your SQL query results with an alerting policy.

Alerting across multiple projects

You can monitor metrics from several projects by configuring a metrics scope. A metrics scope lists all the projects and accounts that it monitors. A scoping project hosts the metrics scope. The scoping project stores the alerting policies and other configurations that you create for the metrics scope. The scoping project for a metrics scope is the project selected by the Google Cloud console project picker.

Alerting policies based on log-based metrics, like alerting policies based on other metrics, work across all projects in the metrics scope of the scoping project.

Log-based alerting policies and SQL-based alerting policies don't operate on metrics scopes; the logs in projects are not part of a metrics scope. A log-based alerting policy evaluates only those logs that originate in the current project or that are routed to the current project. A SQL-based alerting policy queries a log view on a log bucket.

For more information about metrics scopes, including multi-project metrics scopes, and about scoping projects, see the following:

SQL-based alerting policies can query log views from any log bucket in any Google Cloud project as long as appropriate read permissions have been granted on the linked BigQuery dataset.

Incidents and notifications

When the condition of an alerting policy is met, Monitoring opens an incident and sends notifications to the notification channels of the alerting policy. To see the details of the incident, click View incident in the notification message, or navigate directly to the Incidents page in Monitoring.

Incidents for metric-based alerting policies

Alerting policies based on log-based metrics create incidents and notifications like all other metric-based alerting policies in Monitoring, as described in Alerting behavior. For more information about managing incidents for metric-based alerting policies, see Incidents for metric-based alerting policies.

Incidents for log-based alerting policies

Log-based alerting policies aren't metric-based alerting policies. When a log entry meets the condition of a log-based alerting policy, Monitoring creates incidents and notifications as follows:

The first time Cloud Logging writes a log entry that matches your alert query to a log bucket, an incident is created, and a notification is sent. If another matching log entry is then written, then a new incident is created only if the previous incident has been closed. However, it might take up to three minutes for a closed incident to be purged. When a matching log entry is received in the three minutes after you closed an incident, the system might reopen that incident rather than creating a new incident.
When you create a log-based alerting policy, you can specify the minimum time between notifications. For example, you select 10 minutes as the time between notifications. If the condition of your log-based alerting policy is met twice within that period, then you receive only one notification.

The maximum rate of notifications for log-based alerting policies is 1 notification every 5 minutes for each log-based alerting policy. However, if the query of your log-based alerting policy extracts label values, then each combination of extracted values represents its own notification timeline. For example, assume a log-based alerting policy extracts the values of a label. Assume that label can have two values. With this configuration, you could receive two notifications, one for each label value, in the same 5 minutes.
There is a limit of 20 notifications a day for each log-based alerting policy. If you reach this limit, then your notification includes a message that you have reached the limit for the day.
Incidents are automatically closed after 7 days, unless you configure a shorter period or close the incidents manually.

For more information about managing incidents for log-based alerting policies, see Manage incidents for log-based alerting policies.

Incidents for SQL-based alerting policies

For SQL-based alerting policies, Cloud Monitoring creates an incident the first time the result of the SQL query meets the condition specified in the policy. Each alerting policy has only one open incident. While the incident is open, if the condition is met again, Monitoring doesn't create further incidents or send additional notifications. Monitoring closes SQL-based incidents after seven days, unless you configure a shorter incident closure period or close the incident on your own.

For more information about managing incidents for SQL-based alerting policies, see Manage incidents for SQL-based alerting policies.

Creating and managing alerting policies

You create, modify, and delete alerting policies based on log-based metrics in Cloud Monitoring, like any other metric-based alerting policy. For more information, see Managing policies.

You can create log-based alerting policies by using the Logs Explorer or the Cloud Monitoring API. You modify and delete log-based alerting policies in Monitoring or with the Cloud Monitoring API. For more information, see Managing log-based alerting policies.

You can create SQL-based alerting policies by using Log Analytics or the Cloud Monitoring API. You modify and delete SQL-based alerting policies in Monitoring or by using the Cloud Monitoring API. For more information, see Monitor your SQL query results with an alerting policy.

Viewing alerting policies

The Policies page in Monitoring lists all the alerting policies in your Google Cloud project. This list includes policies that use log-based metrics and log-based alerting policies.

In the Google Cloud console, go to the Alerting page:
Go to Alerting

If you use the search bar to find this page, then select the result whose subheading is Monitoring.
Select See all policies.

Log-based alerting policies appear in the list with the value Logs in the Type column. Alerting policies based on metrics, including log-based metrics, appear in the list with the value Metrics in the Type column. SQL-based alerting policies appear in the list with the value SQL in the Types column. The following screenshot shows an excerpt of a policy list:

To view alerting policies by type, use the **Type** column in the list of
alerting policies.

Notification channels

You can send notifications from any type of alerting policy to any of the notification channels supported by Monitoring. You must configure these channels before you can use them in alerting policies.

For more information, see Managing notification channels.

Authorization requirements

Using log-based metrics or log-based alerting policies requires authorization for both Cloud Logging and Cloud Monitoring.

For user-defined log-based metrics, see Permissions for log-based metrics.
For log-based alerting policies, see Permissions for log-based alerting policies.
For SQL-based alerting policies, see Permissions for SQL-based alerting policies.

Costs and limits

If you define your own log-based metrics, then the following apply:

There are limits on the number and structure of user-defined log-based metrics. For more information about these limits, see limits for log-based metrics.
You might incur charges for user-defined log-based metrics. For more information about costs associated with metric ingestion, see Chargeable metrics.
SQL-based alerting policies run in a BigQuery reservation in your Google Cloud project. You might incur charges for having a BigQuery reservation. For more information about costs associated with BigQuery reservations, see BigQuery pricing.

There are no charges associated with using alerting policies based on log-based metrics.

The following Monitoring limits related to alerting policies apply:

Category	Value	Policy type¹
Alerting policies (sum of metric and log) per metrics scope ²	500	Metric, Log
Conditions per metric-based alerting policy	6	Metric
Conditions per SQL-based alerting policy (Public Preview)	1	SQL
Maximum time period that a metric-absence condition evaluates³	1 day	Metric
Maximum time period that a metric-threshold condition evaluates³	23 hours 30 minutes	Metric
Maximum length of the filter used in a metric-threshold condition	2,048 Unicode characters	Metric
Maximum number of time series monitored by a forecast condition	64	Metric
Minimum forecast window	1 hour (3,600 seconds)	Metric
Maximum forecast window	2.5 days (216,000 seconds)	Metric
Notification channels per alerting policy	16	Metric, Log
Maximum rate of notifications⁴	1 notification every 5 minutes for each log-based alerting policy	Log
Maximum number of notifications	20 notifications a day for each log-based alerting policy	Log
Maximum number of simultaneously open incidents per alerting policy	1,000	Metric
Period after which an incident with no new data is automatically closed	7 days	Metric
Maximum duration of an incident if not manually closed	7 days	Log
Retention of closed incidents	13 months	Not applicable
Retention of open incidents	Indefinite	Not applicable
Notification channels per metrics scope	4,000	Not applicable
Maximum number of alerting policies per snooze	16	Metric, Log
Retention of a snooze	13 months	Not applicable

¹Metric: an alerting policy based on metric data; Log: an alerting policy based on log messages (log-based alerts)
²Apigee and Apigee hybrid are deeply integrated with Cloud Monitoring. The alerting limit for all Apigee subscription levels—Standard, Enterprise, and Enterprise Plus—is the same as for Cloud Monitoring: 500 per metrics scope .
³The maximum time period that a condition evaluates is the sum of the alignment period and the duration window values. For example, if the alignment period is set to 15 hours, and the duration window is set 15 hours, then 30 hours of data is required to evaluate the condition.
⁴If the query of your log-based alerting policy extracts label values, then each combination of extracted values represents its own notification timeline. For example, assume a log-based alerting policy extracts the values of a label. Assume that label can have two values. With this configuration, you could receive two notifications, one for each label value, in the same 5 minutes.