Managing Logs Views on your Logs Buckets

Logs Views let you control who has access to the logs within your Logs Buckets. Using the Logs Router and Logs Buckets, you can centralize or subdivide your log storage based on your needs. Custom Logs Views provide you with an advanced and granular way to control access to the logs in those Logs Buckets.

For example, consider a scenario in which you store all of your organization's logs in a central project. Because Logs Buckets can contain logs from multiple projects, you might want to control which projects different users can view logs from. Using custom Logs Views, you can give one user access to logs only from a single project, while you give another user access to logs from all the projects.

Cloud Logging automatically creates the _AllLogs view for every bucket, which shows all logs. Cloud Logging also creates a view for the _Default bucket called _Default. The _Default view for the _Default bucket shows all logs except Data Access audit logs. The _AllLogs and _Default views are not editable.

The following instructions explain how to create, view, update, and delete Logs Views. Managing Logs Views involves performing the following actions:

  1. Using the gcloud command-line tool or API to create the view.
  2. Setting the Identity and Access Management (IAM) permissions through the Google Cloud Console or through the gcloud command-line tool.

Before you begin

Before creating a Logs View, complete the following steps:

  • If you haven't already, create a new Logs Bucket and route logs to the bucket.

  • Determine which logs you want to include in the view.

  • Ensure you have either of the following roles:

    • roles/logging.admin

    • roles/logging.configWriter

  • If you haven't done so already, install the Cloud SDK. The gcloud commands in this guide might not run properly in the Cloud Shell, so run them in a local terminal.

Creating a Logs View

To create a Logs View, run the following command, replacing the placeholders (VIEW_ID, BUCKET_NAME, LOCATION) with your own values. The --log-filter is what scopes the view: users granted access to it see only the log entries in the bucket that match the filter.

gcloud alpha logging views create VIEW_ID \
  --log-filter="resource.type=gce_instance" --bucket=BUCKET_NAME \
  --location=LOCATION --description="Logs view for the central logs bucket for Compute Engine instances"

List the views for your bucket to confirm that your view was created:

gcloud alpha logging views list --bucket=BUCKET_NAME --location=LOCATION

Adding users to a Logs View

To add users to a view to let them access the logs, complete the following steps.

gcloud

  1. Get the project's IAM policy and write it to a local file in JSON format:

    gcloud projects get-iam-policy PROJECT_ID --format json > output.json
    
  2. Add a binding for roles/logging.viewAccessor with an IAM condition that limits the user to the view you created. Keep the existing bindings from step 1 in the file: set-iam-policy replaces the whole policy, so a file containing only the new binding would strip every other grant. Members must carry a type prefix (user:, group:, serviceAccount:), conditional bindings require "version": 3, and the etag must be the one returned by get-iam-policy so that a concurrent policy change is not silently overwritten. For example:

    {
      "bindings": [
        {
          "members": [
            "user:username@gmail.com"
          ],
          "role": "roles/logging.viewAccessor",
          "condition": {
              "title": "Bucket reader condition example",
              "description": "Grants logging.viewAccessor role to user username@gmail.com for the VIEW_ID Logs View.",
              "expression":
                "resource.name == \"projects/PROJECT_ID/locations/LOCATION/buckets/BUCKET_NAME/views/VIEW_ID\""
          }
        }
      ],
      "etag": "BwWd_6eERR4=",
      "version": 3
    }
  3. Update the IAM policy:

    gcloud projects set-iam-policy PROJECT_ID output.json
    

Console

  1. In the Cloud Console for the project where you created the bucket, go to the IAM page.

  2. Click Add.

  3. In the New member field, add the user's email account.

  4. In the Select a role drop-down menu, select Logs Views Accessor.

    Without a condition, this role grants read access to every Logs View in the project. To limit the user to a specific view, add a condition on the view's resource name.

    1. Click Add condition.

    2. Enter a Title and Description for the condition.

    3. In the Condition type drop-down menu, select Resource > Name.

    4. In the Operator drop-down menu, select is.

    5. In the Value field, enter the ID of the Logs View, including the full path to the view.

      For example:

      projects/PROJECT_ID/locations/LOCATION/buckets/BUCKET_NAME/views/VIEW_ID
    6. Click Save to add the condition.

  5. Click Save to set the permissions.

For more information, see IAM Conditions overview.
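The manual JSON edit in step 2 of the gcloud procedure is easy to get wrong in ways that are hard to notice: a dropped binding, a missing member prefix, a policy version too low for conditions, or a viewAccessor binding left unconditioned (which grants every view in the project). The following Python script, an added example for this page and not Google's own tooling, takes the policy that `gcloud projects get-iam-policy PROJECT_ID --format json` emits, adds a view-scoped viewAccessor binding, and audits who can read which views. The SAMPLE_POLICY, the project, bucket and view names, and the loose name regex are constructed placeholders and assumptions, not values from the page.

```python
"""Scope roles/logging.viewAccessor to a single Logs View and audit the grants.

Added example for this page, not Google's own tooling. It edits the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format json` emits, so the result
can be written back with `gcloud projects set-iam-policy`. SAMPLE_POLICY and
every project, bucket and view name below are constructed placeholders.
"""
import json
import re
from copy import deepcopy

VIEW_ACCESSOR = "roles/logging.viewAccessor"

# Loose shape check on the full view resource name (assumption: not the
# authoritative naming rule, just enough to catch a missing path segment).
VIEW_NAME_RE = re.compile(
    r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/locations/[a-z0-9-]+"
    r"/buckets/[A-Za-z0-9_.-]+/views/[A-Za-z0-9_.-]+$"
)
# The condition shape this page uses: exact match on the view's resource name.
_NAME_EQ_RE = re.compile(r'^resource\.name\s*==\s*"([^"]+)"$')


def view_name(project, location, bucket, view):
    """Build the full resource name the IAM condition must reference."""
    name = f"projects/{project}/locations/{location}/buckets/{bucket}/views/{view}"
    if not VIEW_NAME_RE.match(name):
        raise ValueError(f"malformed Logs View name: {name}")
    return name


def view_condition(name):
    return {
        "title": "Logs View reader",
        "description": f"Grants {VIEW_ACCESSOR} only for {name}.",
        "expression": f'resource.name == "{name}"',
    }


def grant_view_access(policy, member, name):
    """Return a copy of `policy` with a view-scoped viewAccessor binding for `member`.

    The whole policy is returned, not just the new binding, because
    set-iam-policy replaces the policy wholesale. Conditions need version 3,
    so the version is raised; the etag is left untouched so the server's
    optimistic-concurrency check still applies.
    """
    if ":" not in member:
        raise ValueError("member needs a type prefix such as user: or group:")
    new = deepcopy(policy)
    new["version"] = max(3, int(new.get("version", 1)))
    cond = view_condition(name)
    for b in new.setdefault("bindings", []):
        if b.get("role") == VIEW_ACCESSOR and b.get("condition") == cond:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": VIEW_ACCESSOR, "members": [member], "condition": cond})
    return new


def unscoped_view_accessors(policy):
    """Members holding viewAccessor with no condition: they can read every view."""
    members = set()
    for b in policy.get("bindings", []):
        if b.get("role") == VIEW_ACCESSOR and not b.get("condition"):
            members.update(b.get("members", []))
    return sorted(members)


def views_for_member(policy, member):
    """Set of view names `member` may read; "*" means every view in the project.

    A condition that is not a plain resource.name equality is returned with a
    leading "?" so a human reviews it instead of the script guessing.
    """
    views = set()
    for b in policy.get("bindings", []):
        if b.get("role") != VIEW_ACCESSOR or member not in b.get("members", []):
            continue
        cond = b.get("condition")
        if not cond:
            views.add("*")
            continue
        m = _NAME_EQ_RE.match(cond.get("expression", "").strip())
        views.add(m.group(1) if m else "?" + cond.get("expression", ""))
    return views


# Constructed sample in the shape of `gcloud projects get-iam-policy --format json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/logging.admin", "members": ["group:logging-admins@example.com"]},
        {"role": VIEW_ACCESSOR, "members": ["group:all-log-readers@example.com"]},
    ],
    "etag": "BwWd_6eERR4=",
    "version": 1,
}


if __name__ == "__main__":
    gce_view = view_name("central-logs-prj", "global", "central-bucket", "gce-view")
    updated = grant_view_access(SAMPLE_POLICY, "user:analyst@example.com", gce_view)
    print(json.dumps(updated, indent=2))  # write this to output.json for set-iam-policy
    print("can read every view:", unscoped_view_accessors(updated))
```

Run the audit against the policy before and after the change: the group in the sample that holds roles/logging.viewAccessor without a condition shows up in `unscoped_view_accessors`, which is exactly the grant the Console procedure warns about, while the analyst is confined to the one view named in the condition.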

Updating a Logs View

To update a Logs View, run the following command, replacing the placeholders with your own values. The --bucket and --location flags identify the view to update (a view can't be moved to a different bucket); the update changes its filter and description. Because the filter controls what users of the view can read, widening the filter widens their access:

gcloud alpha logging views update VIEW_ID \
  --log-filter="resource.type=gce_instance" --bucket=BUCKET_NAME \
  --location=LOCATION --description="New description for the Logs View"

List the views for your bucket to confirm that your view was updated:

gcloud alpha logging views list --bucket=BUCKET_NAME --location=LOCATION

You can't update the _Default and _AllLogs views.

Deleting a Logs View

To delete a Logs View, run the following command, replacing the placeholders with your own values:

gcloud alpha logging views delete VIEW_ID \
  --bucket=BUCKET_NAME --location=LOCATION

List the views for your bucket to confirm that your view was deleted:

gcloud alpha logging views list --bucket=BUCKET_NAME --location=LOCATION

Viewing information about a Logs View

To describe a Logs View, run the following command, replacing the placeholders with your own values:

gcloud alpha logging views describe VIEW_ID \
  --bucket=BUCKET_NAME --location=LOCATION

Viewing logs associated with a Logs View

To view logs in a Logs View, ensure you have the roles/logging.viewAccessor role for that view, either granted on the project without a condition or with a condition whose resource.name matches the view.

Go to the Logs Explorer.

Click Refine scope to display the Refine scope panel. From here, you can select the Logs Bucket and Logs View you want to use to view your logs.

The Refine scope panel

For more information, refer to the Logs Explorer documentation.

What's next

Go to the Logs Explorer to verify that the view you created provides access to the correct logs.