This document explains how you can find log entries that you routed to Cloud Logging buckets. Log buckets are Cloud Logging storage containers in your Google Cloud projects that hold your logs data. You can create log sinks to route all, or just a subset, of your logs to any bucket in Cloud Logging. This flexibility allows you to choose which Google Cloud project your logs are stored in and what other logs are stored with them.
Logs that you route to Cloud Logging buckets are available immediately.
For information about viewing logs routed to other destinations, see the following documents:
Before you begin
For instructions about how to create and manage log buckets, see the following documents:
For a conceptual discussion of sinks, see Overview of routing and storage models: Sinks.
For instructions about how to route your logs, see Route logs to supported destinations.
View logs
To troubleshoot and view individual log entries in a log bucket, do the following:
-
In the Google Cloud console, go to the Logs Explorer page:
If you use the search bar to find this page, then select the result whose subheading is Logging.
- In the Action toolbar, select Refine scope.
- On the Refine scope dialog, select Log view.
Select one or more log views and then click Apply.
For information about how to run queries, see Build queries in the Logs Explorer.
To perform analytics on log entries stored in a log bucket that is upgraded to use Log Analytics, do the following:
-
In the Google Cloud console, go to the Log Analytics page:
If you use the search bar to find this page, then select the result whose subheading is Logging.
In the Log views list, find the view, and then select Query. The Query pane is populated with a default query, which includes the log view that is queried.
You can also enter a query in the Query pane, or edit a displayed query.
To query all logs in a log bucket, select the
_AllLogs
view for the log bucket.In the toolbar, click Run query.
The query is executed and the result of the query is shown in the Results tab.
You can use the toolbar options to format your query, clear the query, and open the BigQuery SQL reference documentation.
For information about how to run queries, see Query and view logs in Log Analytics.
Log entries organization
Logging log entries are objects of type LogEntry
.
Log entries with the same log type, referred to as [LOG_ID]
in the
LogEntry
reference, usually have the same format. The following
table shows sample log entries:
syslog
The following is an example of a Compute Engine syslog
:
{
insertId: "4zymupf98ac6v"
jsonPayload: {
message: "Jul 15 13:36:33 my-instance dhclient[328]: DHCPACK of 10.240.0.48 from 169.254.169.254"
}
logName: "projects/my-gcp-project-id/logs/syslog"
receiveTimestamp: "2024-07-15T13:36:33.400534415Z"
resource: {
labels: {
instance_id: "0123456789" (instance_name: my-instance)
project_id: "my-gcp-project-id"
zone: "us-central1-a"
}
type: "gce_instance"
}
timestamp: "2024-07-15T13:36:33.097822178Z"
}
request_log
The App Engine request_log
has log entries containing
protoPayload
fields which hold objects of type
RequestLog
:
{
httpRequest: {
status: 200
}
insertId: "669525c0000d39d1eab2bb03"
labels: {1}
logName: "projects/my-gcp-project-id/logs/appengine.googleapis.com%2Frequest_log"
operation: {4}
protoPayload: {
@type: "type.googleapis.com/google.appengine.logging.v1.RequestLog"
appEngineRelease: "1.9.71"
appId: "s~my-gcp-project-id"
startTime: "2024-07-15T13:36:00.861387Z"
...
}
receiveTimestamp: "2024-07-15T13:36:01.169966997Z"
resource: {2}
spanId: "7925702051311044593"
timestamp: "2024-07-15T13:36:00.861387Z"
trace: "projects/my-gcp-project-id/traces/8a4fab4bd4fbafac2a0fa901c1485847"
resource: {
labels: {
module_id: "default"
project_id: "my-gcp-project-id"
version_id: "20200221t133337"
zone: "us14"
}
type: "gae_app"
}
}
activity
The activity
log is an Admin Activity audit log.
Its payload is a JSON representation of the
AuditLog
type:
{
insertId: "dlu8qwc69c"
labels: {
compute.googleapis.com/root_trigger_id: "a97f30b1-45ab-4c12-9309-8e8af3bb011f"
}
logName: "projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity"
operation: {
id: "operation-1721047950764-61d48b3bf2b65-1ba1f256-82e9b5fd"
last: true
producer: "compute.googleapis.com"
}
protoPayload: {
@type: "type.googleapis.com/google.cloud.audit.AuditLog"
authenticationInfo: {...}
methodName: "v1.compute.instances.insert"
request: {...}
requestMetadata: {...}
resourceName: "projects/my-gcp-project-id/zones/us-central1-f/instances/my-instance"
serviceName: "compute.googleapis.com"
}
receiveTimestamp: "2024-07-15T12:52:41.376292847Z"
resource: {
labels: {
instance_id: "2891866457752773984" (instance_name: my-instance)
project_id: "my-gcp-project-id"
zone: "us-central1-f"
}
type: "gce_instance"
}
severity: "NOTICE"
timestamp: "2024-07-15T12:52:40.965840Z"
}
Troubleshooting
If logs seem to be missing from your sink's destination or you otherwise suspect that your sink isn't properly routing logs, then see Troubleshoot routing and sinks.
Pricing
Cloud Logging doesn't charge to route logs to a
supported destination; however, the destination might apply charges.
With the exception of the _Required
log bucket,
Cloud Logging charges to stream logs into log buckets and
for storage longer than the default retention period of the log bucket.
Cloud Logging doesn't charge for copying logs, for defining log scopes, or for queries issued through the Logs Explorer or Log Analytics pages.
For more information, see the following documents:
- Cloud Logging pricing summary
Destination costs:
- VPC flow log generation charges apply when you send and then exclude your Virtual Private Cloud flow logs from Cloud Logging.