Monitor your logs

This document describes how you can use Cloud Monitoring to observe trends in your logs and to notify you when conditions you describe occur. To provide Cloud Monitoring with data from your logs, Logging offers you the following:

  • Log-based metrics, which you can use as follows:
    • To create alerting policies that notify you of changes over time.
    • To create charts that display changes over time.
  • Log-based alerts, which notify you anytime a specific event appears in a log.

When you want to monitor your logs over time, use charts or alerting policies based on log-based metrics.

When you want a notification, in near real time, that a message has appeared in your logs, use a log-based alert.

The rest of this document describes how to choose between log-based metrics and log-based alerts, discusses the differences between them, and provides information about authorization, costs, and limits.

Log-based metrics

When you want to monitor recurring events in your logs over time, use log-based metrics. Log-based metrics generate numeric data from your logs. Log-based metrics are suitable when you want to do any of the following:

  • Count the occurrences of a message, like a warning or error, in your logs and receive a notification when the number of occurrences crosses a threshold.
  • Observe trends in your data, like latency values in your logs, and receive a notification if the values change in an unacceptable way.
  • Create charts to display the numeric data extracted from your logs.

Because log-based metrics generate numeric data from your logs, you can use these metrics in alerting policies and display them in charts. For information about creating alerting policies and charts for log-based metrics, see Creating charts and alerts.

Cloud Monitoring provides a set of predefined log-based metrics, and you can define your own. To see a list of the system-defined log-based metrics, click the following button:

User-defined log-based metrics

You can create log-based metrics to extract numeric data from your logs. User-defined log-based metrics calculate values from both included and excluded logs.

By default, user-defined log-based metrics collect data from all logs received by the Log Router in your Google Cloud project, but you can define log-based metrics that collect data from logs routed to a specific log bucket.

If you define your own log-based metrics, you might incur charges. For more information about costs associated with metric ingestion, see Chargeable metrics.

Log-based alerting

When you want to be notified anytime a specific message occurs in a log, use log-based alerts. Log-based alerts are well suited for catching security-related events in logs, like the following:

  • You want to be notified when an event appears in an audit log; for example, a human user accesses the security key of a service account.
  • Your application writes deployment messages to logs, and you want to be notified when a deployment change is logged.

Log-based alerts are well suited for events that you expect to be both rare and important. You don't want to know about a trend or pattern; you want to know that something occurred.

For information about creating log-based alerts, see Using log-based alerts.

You can simulate a log-based alert by defining a log-based metric and using the metric in an alerting policy with a threshold of 1. Log-based alerts give you that behavior without the need to create a log-based metric and configure a metric-based alerting policy.

Comparison of alerting options

This section compares alerting policies built on log-based metrics to log-based alerts.

Summary table

The following table summarizes the alerting techniques and provides links to additional information in this document:

Alerts on log-based metrics Log-based alerts More information
Based on metrics derived from log entries Based on strings in individual log entries Log-based metrics and
Log-based alerting
Used to notify you of trends over time Used to notify you when a specific message appears in a log Log-based metrics and
Log-based alerting
Calculated from
  • Included logs (system-defined log-based metrics)
  • Included and excluded logs (user-defined log-based metrics)
Match only included logs Available logs
Operate on metrics from all projects in the metrics scope of the scoping project Operate on logs in the scoping project only Alerting across multiple projects
Triggered when the value of a metric meets a condition for a specified period Triggered each time a specific log entry matches a filter Incidents and notifications
Created and managed in Monitoring Created in Logging;
managed in Monitoring
Creating and managing alerting policies
Viewed in Monitoring Viewed in Monitoring Viewing alerting policies
Can use any notification channel supported in Monitoring Can use any notification channel supported in Monitoring Notification channels

Available logs

User-defined log-based metrics are calculated from all logs received by the Logging API for the Google Cloud project, regardless of any inclusion filters or exclusion filters that may apply to the Google Cloud project. If you create an alerting policy based on a user-defined log-based metric, then the policy monitors data from all logs.

System-defined log-based metrics are calculated only from logs that have been stored in log buckets in the Google Cloud project. If a log has been explicitly excluded, then it isn't included in these metrics. If you create an alerting policy based on a system-defined log-based metric, then the policy monitors data only from included logs.

Log-based alerts operate only on included logs; you can't use log-based alerts to notify you about messages in excluded logs.

Both log-based metrics and log-based alerts operate on the Google Cloud project scope, not on individual buckets.

Alerting across multiple projects

You can monitor metrics from several projects by configuring a metrics scope. A metrics scope lists all the projects and accounts that it monitors. A scoping project hosts the metrics scope. The scoping project stores the alerting policies and other configurations that you create for the metrics scope. The scoping project for a metrics scope is the project selected by the Google Cloud console project picker.

Alerting policies based on log-based metrics, like alerting policies based on other metrics, work across all projects in the metrics scope of the scoping project.

Log-based alerts don't operate on metrics scopes; the logs in projects are not part of a metrics scope. A log-based alert evaluates only those logs that originate in the current project or that are routed to the current project.

For more information about metrics scopes, including multi-project metrics scopes, and about scoping projects, see the following:

Incidents and notifications

When an alerting policy is triggered, it opens an incident in Monitoring and sends notifications to any channels you've selected. To see the details of the incident, click View incident in the notification message, or navigate directly to the Incidents page in Monitoring.

Alerting policies based on log-based metrics create incidents and notifications like all other metric-based alerting policies in Monitoring, as described in Alerting behavior. For more information about managing incidents for metric-based alerting policies, see Incidents for metric-based alerts.

Log-based alerts are not metric-based alerts. Log-based alerts create incidents and notifications as follows:

  • The first time Cloud Logging writes a log entry that matches your alert query to a log bucket, an incident is created, and a notification is sent. If another matching log entry is then written, then a new incident is created only if the previous incident has been closed. However, it might take up to three minutes for a closed incident to be purged. When a matching log entry is received in the three minutes after you closed an incident, the system might reopen that incident rather than creating a new incident.

  • There is a limit of 20 notifications a day for each log-based alert. If you reach this limit, then your notification includes a message that you have reached the limit for the day.

  • When you create a log-based alert, you can specify the minimum time between notifications to reduce repeated notifications. For example, if you select 10 minutes as the time between notifications, and your log-based alert is triggered twice within that period, then you receive only one notification.

    The maximum rate of notifications is 1 notification every 5 minutes for each log-based alert.

  • Incidents are automatically closed after 7 days, unless you configure a shorter period or close the incidents manually.

For more information about managing these incidents, see Managing incidents for log-based alerts.

Creating and managing alerting policies

You create, modify, and delete alerting policies based on log-based metrics in Cloud Monitoring, like any other metric-based alerting policy. For more information, see Managing policies.

You can create log-based alerts by using the Logs Explorer or the Cloud Monitoring API. You modify and delete log-based alerts in Monitoring. For more information, see Managing log-based alerts.

Viewing alerting policies

The Policies page in Monitoring lists all the alerting policies in your Google Cloud project. This list includes policies that use log-based metrics and log-based alerts.

  1. In the navigation panel of the Google Cloud console, select Monitoring, and then select  Alerting:

    Go to Alerting

  2. Select See all policies.

Log-based alerts appear in the list with the value Logs in the Type column. Alerts based on metrics, including log-based metrics, appear in the list with the value Metrics in the Type column. The following screenshot shows an excerpt of a policy list:

To distinguish log-based alerts and metric-based alerts, use the **Type**
column in the list of alerting policies.

Notification channels

You can send notifications from both metric- and log-based alerts to any of the notification channels supported by Monitoring. You must configure these channels before you can use them in alerting policies.

For more information, see Managing notification channels.

Authorization requirements

Using log-based metrics or log-based alerts requires authorization for both Cloud Logging and Cloud Monitoring.

Costs and limits

If you define your own log-based metrics, then the following apply:

  • There are limits on the number and structure of user-defined log-based metrics. For more information about these limits, see limits for log-based metrics.
  • You might incur charges for user-defined log-based metrics. For more information about costs associated with metric ingestion, see Chargeable metrics.

There are no charges associated with using alerting policies based on log-based metrics.

The following Monitoring limits related to alerting policies apply:

Category Value Policy type1
Alerting policies (sum of metric and log) per metrics scope 2 500 Metric, Log
Conditions per alerting policy 6 Metric
Maximum time period that a
metric-absence condition evaluates3
1 day Metric
Maximum time period that a
metric-threshold condition evaluates3
23 hours 30 minutes Metric
Maximum length of the filter used
in a metric-threshold condition
2,048 Unicode characters Metric
Maximum number of time series
monitored by a forecast condition
64 Metric
Minimum forecast window 1 hour (3,600 seconds) Metric
Maximum forecast window 2.5 days (216,000 seconds) Metric
Notification channels per alerting policy 16 Metric, Log
Maximum rate of notifications 1 notification every 5 minutes for each log-based alert Log
Maximum number of notifications 20 notifications a day for each log-based alert Log
Maximum number of simultaneously open incidents
per alerting policy
1,000 Metric
Period after which an incident with no new data is
automatically closed
7 days Metric
Maximum duration of an incident if not manually closed 7 days Log
Retention of closed incidents 13 months Not applicable
Retention of open incidents Indefinite Not applicable
Notification channels per metrics scope 4,000 Not applicable
Maximum number of alerting policies per snooze 16 Metric, Log
Retention of a snooze 13 months Not applicable
1Metric: an alerting policy based on metric data; Log: an alerting policy based on log messages (log-based alerts)
2Apigee and Apigee hybrid are deeply integrated with Cloud Monitoring. The alerting limit for all Apigee subscription levels—Standard, Enterprise, and Enterprise Plus—is the same as for Cloud Monitoring: 500 per metrics scope .
3The maximum time period that a condition evaluates is the sum of the alignment period and the duration window values. For example, if the alignment period is set to 15 hours, and the duration window is set 15 hours, then 30 hours of data is required to evaluate the condition.