View logs routed to Cloud Logging buckets

This document explains how you can find log entries that you routed to Cloud Logging buckets. Log buckets are Cloud Logging storage containers in your Google Cloud projects that hold your logs data. You can create log sinks to route all, or just a subset, of your logs to any bucket in Cloud Logging. This flexibility allows you to choose which Google Cloud project your logs are stored in and what other logs are stored with them.

Logs that you route to Cloud Logging buckets are available immediately.

For information about viewing logs routed to other destinations, see the following documents:

Cloud Storage

BigQuery

Pub/Sub

Before you begin

For instructions about how to create and manage log buckets, see the following documents:

For a conceptual discussion of sinks, see Overview of routing and storage models: Sinks.

For instructions about how to route your logs, see Route logs to supported destinations.

View logs

To troubleshoot and view individual log entries in a log bucket, do the following:

In the Google Cloud console, go to the Logs Explorer page:
Go to Logs Explorer

If you use the search bar to find this page, then select the result whose subheading is Logging.
In the Action toolbar, select Refine scope.
On the Refine scope dialog, select Log view.
Select one or more log views and then click Apply.

For information about how to run queries, see Build queries in the Logs Explorer.

To perform analytics on log entries stored in a log bucket that is upgraded to use Log Analytics, do the following:

In the Google Cloud console, go to the Log Analytics page:
Go to Log Analytics

If you use the search bar to find this page, then select the result whose subheading is Logging.
In the Log views list, find the view, and then select Query. The Query pane is populated with a default query, which includes the log view that is queried.

You can also enter a query in the Query pane, or edit a displayed query.

To query all logs in a log bucket, select the _AllLogs view for the log bucket.
In the toolbar, click Run query.

The query is executed and the result of the query is shown in the Results tab.

You can use the toolbar options to format your query, clear the query, and open the BigQuery SQL reference documentation.

For information about how to run queries, see Query and view logs in Log Analytics.

Log entries organization

Logging log entries are objects of type LogEntry.

Log entries with the same log type, referred to as [LOG_ID] in the LogEntry reference, usually have the same format. The following table shows sample log entries:

syslog

The following is an example of a Compute Engine syslog:

{
  insertId: "4zymupf98ac6v"
  jsonPayload: {
    message: "Jul 15 13:36:33 my-instance dhclient[328]: DHCPACK of 10.240.0.48 from 169.254.169.254"
  }
  logName: "projects/my-gcp-project-id/logs/syslog"
  receiveTimestamp: "2024-07-15T13:36:33.400534415Z"
  resource: {
    labels: {
      instance_id: "0123456789" (instance_name: my-instance)
      project_id: "my-gcp-project-id"
      zone: "us-central1-a"
    }
    type: "gce_instance"
  }
  timestamp: "2024-07-15T13:36:33.097822178Z"
}

request_log

The App Engine request_log has log entries containing protoPayload fields which hold objects of type RequestLog:

{
  httpRequest: {
    status: 200
  }
  insertId: "669525c0000d39d1eab2bb03"
  labels: {1}
  logName: "projects/my-gcp-project-id/logs/appengine.googleapis.com%2Frequest_log"
  operation: {4}
  protoPayload: {
    @type: "type.googleapis.com/google.appengine.logging.v1.RequestLog"
    appEngineRelease: "1.9.71"
    appId: "s~my-gcp-project-id"
    startTime: "2024-07-15T13:36:00.861387Z"
    ...
  }
  receiveTimestamp: "2024-07-15T13:36:01.169966997Z"
  resource: {2}
  spanId: "7925702051311044593"
  timestamp: "2024-07-15T13:36:00.861387Z"
  trace: "projects/my-gcp-project-id/traces/8a4fab4bd4fbafac2a0fa901c1485847"
  resource: {
    labels: {
      module_id: "default"
      project_id: "my-gcp-project-id"
      version_id: "20200221t133337"
      zone: "us14"
    }
    type: "gae_app"
  }
}

activity

The activity log is an Admin Activity audit log. Its payload is a JSON representation of the AuditLog type:

{
  insertId: "dlu8qwc69c"
  labels: {
    compute.googleapis.com/root_trigger_id: "a97f30b1-45ab-4c12-9309-8e8af3bb011f"
  }
  logName: "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"
  operation: {
    id: "operation-1721047950764-61d48b3bf2b65-1ba1f256-82e9b5fd"
    last: true
    producer: "compute.googleapis.com"
  }
  protoPayload: {
    @type: "type.googleapis.com/google.cloud.audit.AuditLog"
    authenticationInfo: {...}
    methodName: "v1.compute.instances.insert"
    request: {...}
    requestMetadata: {...}
    resourceName: "projects/my-gcp-project-id/zones/us-central1-f/instances/my-instance"
    serviceName: "compute.googleapis.com"
  }
  receiveTimestamp: "2024-07-15T12:52:41.376292847Z"
  resource: {
  labels: {
    instance_id: "2891866457752773984" (instance_name: my-instance)
    project_id: "my-gcp-project-id"
    zone: "us-central1-f"
    }
    type: "gce_instance"
  }
  severity: "NOTICE"
  timestamp: "2024-07-15T12:52:40.965840Z"
}

Troubleshooting

If logs seem to be missing from your sink's destination or you otherwise suspect that your sink isn't properly routing logs, then see Troubleshoot routing and sinks.

Pricing

Cloud Logging doesn't charge to route logs to a supported destination; however, the destination might apply charges. With the exception of the _Required log bucket, Cloud Logging charges to stream logs into log buckets and for storage longer than the default retention period of the log bucket.

Cloud Logging doesn't charge for copying logs, for defining log scopes, or for queries issued through the Logs Explorer or Log Analytics pages.

For more information, see the following documents:

Cloud Logging pricing summary
Destination costs:
VPC flow log generation charges apply when you send and then exclude your Virtual Private Cloud flow logs from Cloud Logging.