Using Exported Logs

This page explains how you can find and use your exported log entries in Cloud Storage, BigQuery, and Cloud Pub/Sub.

For an overview of exporting logs, see Overview of Logs Export.

To learn how to export your logs, see Exporting Logs in the Logs Viewer.

Cloud Storage

To see your exported logs in Cloud Storage, do the following:

  1. Go to the Cloud Storage browser in the GCP Console:

    Cloud Storage browser

  2. Select the bucket you are using for logs export.

See Exported logs organization for details on how logs are organized in the bucket.

Exported logs availability

If you don't see any exported logs, check the export system metrics. The export system metrics can tell you how many log entries are exported and how many are dropped due to errors. If the export system metrics indicate that no log entries were exported, check your export filter to verify that log entries matching your filter have recently arrived in Stackdriver Logging:

Go to the Logs Exports page

Log entries are saved to Cloud Storage buckets in hourly batches. It might take from 2 to 3 hours before the first entries begin to appear.

Exported logs organization

When you export logs to a Cloud Storage bucket, Stackdriver Logging writes a set of files to the bucket. The files are organized in directory hierarchies by log type and date. The log type can be a simple name like syslog or a compound name like appengine.googleapis.com/request_log. If these logs were stored in a bucket named my-gcs-bucket, then the directories would be named as in the following example:

my-gcs-bucket/syslog/YYYY/MM/DD/
my-gcs-bucket/appengine.googleapis.com/request_log/YYYY/MM/DD/

A single bucket can contain logs from multiple resource types.
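
If you process exported logs programmatically, you can list the files in a bucket by directory prefix. The following is a minimal sketch, assuming the google-cloud-storage Python client library and the example bucket name my-gcs-bucket used above:

# Illustrative sketch: list the exported syslog files for a single day,
# using the example bucket and directory layout shown above.
from google.cloud import storage

client = storage.Client()
bucket = client.bucket("my-gcs-bucket")

# Each leaf directory (YYYY/MM/DD/) contains one or more sharded files.
for blob in bucket.list_blobs(prefix="syslog/2015/01/13/"):
    print(blob.name)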

Stackdriver Logging does not guarantee deduplication of log entries from sinks containing identical or overlapping filters; log entries from those sinks might be written multiple times to a Cloud Storage bucket.

The leaf directories (DD/) contain multiple files, each of which holds the exported log entries for a time period specified in the file name. The files are sharded and their names end in a shard number, Sn or An (n=0, 1, 2, ...). For example, here are two files that might be stored within the directory my-gcs-bucket/syslog/2015/01/13/:

08:00:00_08:59:59_S0.json
08:00:00_08:59:59_S1.json

These two files together contain the syslog log entries for all instances during the hour beginning 0800 UTC. The log entry timestamps are expressed in UTC (Coordinated Universal Time).

To get all the log entries, you must read all the shards for each time period—in this case, file shards 0 and 1. The number of file shards written can change for every time period depending on the volume of log entries.

Within the individual sharded files, log entries are stored as a list of LogEntry objects. For an example syslog entry, see Log entry objects on this page.

Note that the sort order of log entries within the files is not uniform or otherwise guaranteed.
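
To combine the shards for a time period, read each file and merge the entries, sorting them yourself if order matters. A minimal sketch in Python, assuming the two shard files shown above have been downloaded locally and that each file holds a JSON list of LogEntry objects:

import json

# The shard files for the 08:00-09:00 UTC period shown above.
shard_files = [
    "08:00:00_08:59:59_S0.json",
    "08:00:00_08:59:59_S1.json",
]

entries = []
for path in shard_files:
    with open(path) as f:
        entries.extend(json.load(f))

# Sort order within the files is not guaranteed, so order by timestamp explicitly.
entries.sort(key=lambda entry: entry["timestamp"])
print(len(entries), "log entries between 08:00 and 09:00 UTC")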

BigQuery

To see your exported logs in BigQuery, do the following:

  1. Go to the BigQuery UI in the GCP Console:

    Go to the BigQuery UI

  2. Select the dataset used as your sink's destination.

  3. Select one of the dataset's tables. The log entries are visible on the Details tab, or you can query the table to return your data.

For more information, see Table organization to learn how the tables are organized, and BigQuery Schema of Exported Logs to learn how the exported log entry fields are named.

BigQuery availability

If you don't see any exported logs, check the export system metrics. The export system metrics can tell you how many log entries are exported and how many are dropped due to errors. If the export system metrics indicate that no log entries were exported, check your export filter to verify that log entries matching your filter have recently arrived in Stackdriver Logging:

Go to the Logs Exports page

Log entries are saved to BigQuery in batches. It might take several minutes before the first entries begin to appear.

Table organization

When you export logs to a BigQuery dataset, Stackdriver Logging creates dated tables to hold the exported log entries. Log entries are placed in tables whose names are based on the entries' log names and timestamps¹. The following table shows examples of how log names and timestamps are mapped to table names:

Log name                            | Log entry timestamp¹     | BigQuery table name
----------------------------------- | ------------------------ | ---------------------------------------------
syslog                              | 2017-05-23T18:19:22.135Z | syslog_20170523
apache-access                       | 2017-01-01T00:00:00.000Z | apache_access_20170101
compute.googleapis.com/activity_log | 2017-12-31T23:59:59.999Z | compute_googleapis_com_activity_log_20171231

¹ The log entry timestamps are expressed in UTC (Coordinated Universal Time).
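
As the examples show, characters such as periods, slashes, and hyphens in the log ID are replaced with underscores and the entry's UTC date is appended. The following Python sketch is illustrative only; it reproduces the examples in the table above but is not necessarily the exact rule Stackdriver Logging applies:

import re

def bigquery_table_name(log_id: str, timestamp: str) -> str:
    # Append the entry's UTC date, e.g. 2017-05-23T18:19:22.135Z -> 20170523.
    date_suffix = timestamp[:10].replace("-", "")
    # Replace characters such as '.', '/', and '-' with underscores.
    sanitized = re.sub(r"[^A-Za-z0-9]", "_", log_id)
    return f"{sanitized}_{date_suffix}"

print(bigquery_table_name("compute.googleapis.com/activity_log",
                          "2017-12-31T23:59:59.999Z"))
# compute_googleapis_com_activity_log_20171231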

Schemas and fields

BigQuery table schemas for exported logs are based on the structure of the LogEntry type and the contents of the log payloads. You can see the table schema by selecting a table with exported log entries in the BigQuery Web UI.
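
You can also inspect a table's schema programmatically. A minimal sketch, assuming the google-cloud-bigquery Python client library and the example project, dataset, and table names used on this page:

from google.cloud import bigquery

client = bigquery.Client(project="my-gcp-project-id")

# syslog_20170523 is one of the example table names from the table above.
table = client.get_table("my_bq_dataset.syslog_20170523")
for field in table.schema:
    print(field.name, field.field_type, field.mode)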

The BigQuery table schema used to represent complex log entry payloads can be confusing and, in the case of exported audit logs, some special naming rules are used. For more information, see BigQuery Schema of Exported Logs.

Queries

For examples of queries involving exported audit logs in BigQuery, see BigQuery audit log queries.

See the Query Reference for more information on BigQuery queries. Especially useful are Table wildcard functions, which let you query across multiple tables, and the FLATTEN operator, which lets you display data from repeated fields.

A sample Compute Engine logs query

The following BigQuery query retrieves log entries from multiple days and multiple log types:

  • The query searches the last three days of the syslog and apache-access logs. The query was made on 23-Feb-2015 and covers all log entries received on 21-Feb and 22-Feb, plus log entries received on 23-Feb up to the time the query was issued.

  • The query retrieves results for a single Compute Engine instance, 1554300700000000000.

  • The query ignores traffic from the Stackdriver Monitoring endpoint health checker, Stackdriver_terminus_bot.

SELECT
  timestamp AS Time,
  logName as Log,
  textPayload AS Message
FROM
  (TABLE_DATE_RANGE(my_bq_dataset.syslog_,
    DATE_ADD(CURRENT_TIMESTAMP(), -2, 'DAY'), CURRENT_TIMESTAMP())),
  (TABLE_DATE_RANGE(my_bq_dataset.apache_access_,
    DATE_ADD(CURRENT_TIMESTAMP(), -2, 'DAY'), CURRENT_TIMESTAMP()))
WHERE
  resource.type == 'gce_instance'
  AND resource.labels.instance_id == '1554300700000000000'
  AND NOT (textPayload CONTAINS 'Stackdriver_terminus_bot')
ORDER BY time;

Here are some example output rows:

Row | Time                    | Log                                         | Message
--- | ----------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------
 5  | 2015-02-21 03:40:14 UTC | projects/project-id/logs/syslog             | Feb 21 03:40:14 my-gce-instance collectd[24281]: uc_update: Value too old: name = 15543007601548826368/df-tmpfs/df_complex-used; value time = 1424490014.269; last cache update = 1424490014.269;
 6  | 2015-02-21 04:17:01 UTC | projects/project-id/logs/syslog             | Feb 21 04:17:01 my-gce-instance /USR/SBIN/CRON[8082]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
 7  | 2015-02-21 04:49:58 UTC | projects/project-id/logs/apache-access      | 128.61.240.66 - - [21/Feb/2015:04:49:58 +0000] "GET / HTTP/1.0" 200 536 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
 8  | 2015-02-21 05:17:01 UTC | projects/project-id/logs/syslog             | Feb 21 05:17:01 my-gce-instance /USR/SBIN/CRON[9104]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
 9  | 2015-02-21 05:30:50 UTC | projects/project-id/logs/apache-access      | 92.254.50.61 - - [21/Feb/2015:05:30:50 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 541 "-" "-"
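
If you run queries like this outside the BigQuery UI, note that TABLE_DATE_RANGE is a legacy SQL function, so the query job must opt into legacy SQL. A minimal sketch using the google-cloud-bigquery Python client library and the example project and dataset names from this page (my-gcp-project-id, my_bq_dataset):

from google.cloud import bigquery

client = bigquery.Client(project="my-gcp-project-id")

query = """
SELECT timestamp AS Time, logName AS Log, textPayload AS Message
FROM (TABLE_DATE_RANGE(my_bq_dataset.syslog_,
      DATE_ADD(CURRENT_TIMESTAMP(), -2, 'DAY'), CURRENT_TIMESTAMP()))
ORDER BY Time
"""

# The sample queries on this page use legacy SQL, which is off by default.
job_config = bigquery.QueryJobConfig(use_legacy_sql=True)
for row in client.query(query, job_config=job_config).result():
    print(row.Time, row.Log, row.Message)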

A sample App Engine logs query

The following BigQuery query retrieves unsuccessful App Engine requests from the last month:

SELECT
  timestamp AS Time,
  protoPayload.host AS Host,
  protoPayload.status AS Status,
  protoPayload.resource AS Path
FROM
  (TABLE_DATE_RANGE(my_bq_dataset.appengine_googleapis_com_request_log_,
    DATE_ADD(CURRENT_TIMESTAMP(), -1, 'MONTH'), CURRENT_TIMESTAMP()))
WHERE
  protoPayload.status != 200
ORDER BY time

Here are some of the results:

Row | Time                    | Host                                  | Status | Path
--- | ----------------------- | ------------------------------------- | ------ | ------
 6  | 2015-02-12 19:35:02 UTC | default.my-gcp-project-id.appspot.com |    404 | /foo?thud=3
 7  | 2015-02-12 19:35:21 UTC | default.my-gcp-project-id.appspot.com |    404 | /foo
 8  | 2015-02-16 20:17:19 UTC | my-gcp-project-id.appspot.com         |    404 | /favicon.ico
 9  | 2015-02-16 20:17:34 UTC | my-gcp-project-id.appspot.com         |    404 | /foo?thud=%22what???%22

Cloud Pub/Sub

To see your exported logs as they are streamed through Cloud Pub/Sub, do the following:

  1. Go to the Cloud Pub/Sub page in the GCP Console:

    Go to Cloud Pub/Sub

  2. Find or create a subscription to the topic used for logs export, and pull a log entry from it. You might have to wait for a new log entry to be published.

See Exported logs organization for details on how logs are organized.

Exported logs availability

If you don't see any exported logs, check the export system metrics. The export system metrics can tell you how many log entries are exported and how many are dropped due to errors. If the export system metrics indicate that no log entries were exported, check your export filter to verify that log entries matching your filter have recently arrived in Stackdriver Logging:

Go to the Logs Exports page

When you export logs to a Cloud Pub/Sub topic, Stackdriver Logging publishes each log entry as a Cloud Pub/Sub message as soon as Stackdriver Logging receives that log entry.

Exported logs organization

The data field of each message is a base64-encoded LogEntry object. As an example, a Cloud Pub/Sub subscriber might pull the following object from a topic that is receiving log entries. The object shown contains a list with a single message, although Cloud Pub/Sub might return several messages if several log entries are available. The data value (about 600 characters) and the ackId value (about 200 characters) have been shortened to make the example easier to read:

{
 "receivedMessages": [
  {
   "ackId": "dR1JHlAbEGEIBERNK0EPKVgUWQYyODM...QlVWBwY9HFELH3cOAjYYFlcGICIjIg",
   "message": {
    "data": "eyJtZXRhZGF0YSI6eyJzZXZ0eSI6Il...Dk0OTU2G9nIjoiaGVsbG93b3JsZC5sb2cifQ==",
    "attributes": {
     "compute.googleapis.com/resource_type": "instance",
     "compute.googleapis.com/resource_id": "123456"
    },
    "messageId": "43913662360"
   }
  }
 ]
}

If you decode the data field and format it, you get the following LogEntry object:

{
  "log": "helloworld.log",
  "insertId": "2015-04-15|11:41:00.577447-07|10.52.166.198|-1694494956",
  "textPayload": "Wed Apr 15 20:40:51 CEST 2015 Hello, world!",
  "timestamp": "2015-04-15T18:40:56Z",
  "labels": {
    "compute.googleapis.com\/resource_type": "instance",
    "compute.googleapis.com\/resource_id": "123456"
  },
  "severity": "WARNING"
  }
}
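
If you consume the exported entries with a client library rather than through the raw REST API, the message data is delivered as bytes, so no separate base64 step is needed. A minimal sketch, assuming the google-cloud-pubsub Python client library and a subscription named my-log-subscription (a placeholder) on the export topic:

import json

from google.cloud import pubsub_v1

subscriber = pubsub_v1.SubscriberClient()
subscription_path = subscriber.subscription_path(
    "my-gcp-project-id", "my-log-subscription")

# Pull a few messages; each message's data field holds one serialized LogEntry.
response = subscriber.pull(subscription=subscription_path, max_messages=10)
for received in response.received_messages:
    entry = json.loads(received.message.data)
    print(entry.get("timestamp"), entry.get("textPayload"))

# Acknowledge the messages so they are not redelivered.
if response.received_messages:
    subscriber.acknowledge(
        subscription=subscription_path,
        ack_ids=[m.ack_id for m in response.received_messages])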

Log entry objects

Stackdriver Logging log entries are objects of type LogEntry. See the LogEntry type reference for descriptions of the individual fields, such as the log name, resource, timestamp, and payload.

It is customary for all the log entries with a particular [LOG_ID] to have the same format. Each log type documents the contents of its payload field. See the Stackdriver Logging logs index for examples. Following are some sample log entries:

syslog

Compute Engine's syslog is a custom log type produced by the logging agent, google-fluentd, which runs on virtual machine instances:

{
  logName: "projects/my-gcp-project-id/logs/syslog",
  timestamp: "2015-01-13T19:17:01Z",
  resource: {
    type: "gce_instance",
    labels: {
      instance_id: "12345",
      zone: "us-central1-a",
      project_id: "my-gcp-project-id"
    }
  },
  insertId: "abcde12345",
  textPayload: "Jan 13 19:17:01 my-gce-instance /USR/SBIN/CRON[29980]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)"
}

request_log

App Engine's request_log has log entries containing protoPayload fields which hold objects of type RequestLog:

{
  logName: "projects/my-gcp-project-id/logs/appengine.googleapis.com%2Frequest_log",
  timestamp: "2015-01-13T19:00:39.796169Z",
  resource: {
    type: "gae_app",
    labels: {
      module_id: "default",
      zone: "us6",
      project_id: "my-gcp-project-id",
      version_id: "20150925t173233"
    }
  },
  httpRequest: {
    status: 200
  },
  insertId: "abcde12345",
  operation: {
    id: "abc123",
    producer: "appengine.googleapis.com/request_id",
    first: true,
    last: true
  },
  protoPayload: {
    @type: "type.googleapis.com/google.appengine.logging.v1.RequestLog",
    versionId: "20150925t173233",
    status: 200,
    startTime: "2017-01-13T19:00:39.796169Z",
    # ...
    appId: "s~my-gcp-project-id",
    appEngineRelease: "1.9.17",
  }
}

activity

The activity log is an Admin Activity audit log. Its payload is a JSON representation of the AuditLog type:

{
 logName: "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"
 timestamp: "2017-04-22T13:41:32.245Z"
 severity: "NOTICE"
 resource: {
  type: "gce_instance"
  labels: {
   instance_id: "2403273232180765234"
   zone: "us-central1-b"
   project_id: "my-gcp-project-id"
  }
 }
 insertId: "54DC1882F4B49.A4996C2.6A02F4C1"
 operation: {
  id: "operation-1492868454262-54dc185e9a4f0-249fe233-f73d472a"
  producer: "compute.googleapis.com"
  last: true
 }
 protoPayload: {
  @type: "type.googleapis.com/google.cloud.audit.AuditLog"
  authenticationInfo: {
   principalEmail: "649517127304@cloudservices.gserviceaccount.com"
  }
  requestMetadata: {…}
  serviceName: "compute.googleapis.com"
  methodName: "v1.compute.instances.delete"
  resourceName: "projects/my-gcp-project-id/zones/us-central1-b/instances/abc123"
 }
}

Late-arriving log entries

Exported log entries are saved to Cloud Storage buckets in hourly batches. It might take from 2 to 3 hours before the first entries begin to appear. Exported log file shards with the suffix An ("Append") hold log entries that arrived late.

Also, App Engine combines multiple sub-entries of type google.appengine.logging.v1.LogLine (also called AppLog or AppLogLine) under a primary log entry of type google.appengine.logging.v1.RequestLog for the request that causes the log activity. The log lines each have a "request ID" that identifies the primary entry. The Logs Viewer displays the log lines with the request log entry. Stackdriver Logging attempts to put all the log lines into the batch with the original request, even if their timestamps would place them in the next batch. If that is not possible, the request log entry might be missing some log lines, and there might be "orphan" log lines without a request in the next batch. If this possibility is important to you, be prepared to reconnect the pieces of the request when you process your logs.
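
One way to reconnect the pieces is to group entries by the request ID. The following sketch is illustrative only; it assumes each exported entry carries the request ID in its operation.id field, as in the request_log example shown earlier on this page:

from collections import defaultdict

# Group exported log entries by the request ID carried in operation.id, so
# that a RequestLog entry and any late or orphaned log lines for the same
# request end up in the same group.
def group_by_request(entries):
    grouped = defaultdict(list)
    for entry in entries:
        request_id = entry.get("operation", {}).get("id")
        grouped[request_id].append(entry)
    return grouped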

Third party integration with Cloud Pub/Sub

Stackdriver Logging supports logging integration with third parties. See Stackdriver Integrations for a current list of integrations.

You export your logs through a Cloud Pub/Sub topic and the third party receives your logs by subscribing to the same topic.

To perform the integration, expect to do something like the following:

  1. Obtain from the third party a Google Cloud Platform (GCP) service account name created from their GCP project. For example, 12345-xyz@developer.gserviceaccount.com. You use this name to give the third party permission to receive your logs.

  2. In the project containing the logs, enable the Cloud Pub/Sub API:

    Enable the API

  3. Create a Pub/Sub topic. You can do this when you configure a log sink, or by following these steps:

    1. Go to the Pub/Sub topic list.
    2. Select Create topic and enter a topic name. For example, projects/my-project-id/topics/my-pubsub-topic. You will export your logs to this topic.
    3. Select Create.
    4. Authorize Stackdriver Logging to export logs to the topic. See Setting permissions for Cloud Pub/Sub.
  4. Authorize the third party to subscribe to your topic:

    1. Stay in the Pub/Sub topic list for your project in the GCP Console.
    2. Select your new topic.
    3. Select Permissions.
    4. Enter the third party's service account name.
    5. In the Select a role menu, select Pub/Sub Subscriber.
    6. Select Add.
  5. Give the third party the name of your Cloud Pub/Sub topic. For example, projects/my-project-number/topics/my-pubsub-topic. They should subscribe to the topic before you start exporting.

  6. Start exporting the logs once your third party has subscribed to the topic:

    1. In your project containing the logs you want to export, click on Create Export above the search-filter box. This opens the Edit Export panel:

      Edit Export panel

    2. Enter a Sink Name.

    3. In the Sink Service menu, select Cloud Pub/Sub.

    4. In the Sink Destination menu, select the Cloud Pub/Sub topic to which the third party is subscribed.

    5. Select Create Sink to begin the export.

    6. A Sink created dialog appears, indicating that your export sink was successfully created with permissions to write future matching logs to the destination you selected.

Your third party should begin receiving the log entries right away.
