This document provides you with suggested queries to make it easier to find
important logs using the Logs Explorer in the Google Cloud console.
The listed queries are written in the
Logging query language,
and they can be used in the
Logs Explorer, the
Logging API,
or the
command-line interface.
The Logs Explorer uses Boolean expressions to specify a subset of all
the log entries in your project. You can use these queries to choose log entries
from specific logs or log services, or that satisfy conditions on metadata or
user-defined fields.
Before you begin
Ensure that you have the correct Identity and Access Management permissions or roles for
building queries using the Logs Explorer. For details on the
necessary IAM permissions, see
Permissions for the Google Cloud console.
Get started
-
In the Google Cloud console, go to the Logs Explorer page:
Go to Logs Explorer
If you use the search bar to find this page, then select the result whose subheading is
Logging.
Select the appropriate Google Cloud project or other Google Cloud
resource for which you want to view logs.
Use the sample queries
To apply a query from the following tables, click the
content_copy Content Copy icon for the expression,
and then paste the copied expression into
the Logs Explorer query-editor field.
The following screenshot illustrates the query pane:
If you don't see the query-editor field, enable Show query.
After you review your query expression, click Run query. Logs that match your
query are listed under Query results.
Some of the queries listed later on this page include variables that you should
replace with valid values. For example, when a query includes logName, then
the PROJECT_ID you supply must refer to the selected
Google Cloud project; otherwise, the query won't work.
Note the following:
If you have a query with a timestamp, then the
time-range selector
is disabled, and the query uses the timestamp expression as its time-range
restriction. If a query doesn't use a timestamp expression, then the query
uses the time-range selector as its time-range restriction.
The length of a query can't exceed 20,000 characters.
The Logging query language
is case-insensitive, with the exception of regular expressions.
You can use the log_id function for queries with a log_name
expression. For example, the expression
log_name="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
is the same as log_id("cloudaudit.googleapis.com/data_access").
For more information about the log_id function, see
Logging query language: Functions.
For instructions about querying in the Google Cloud console, see
Build queries in the Logs Explorer.
The following sections group queries by Google Cloud services.
App Engine queries
| Query/filter name |
Expression |
| App Engine logs from New Year's Eve (in UTC time) |
resource.type="gae_app" AND
severity>=ERROR AND
timestamp>="2018-12-31T00:00:00Z" AND timestamp<="2019-01-01T00:00:00Z" |
| App Engine request logs with server errors |
resource.type="gae_app" AND
log_id("appengine.googleapis.com/request_log") AND
httpRequest.status>=500 |
| Sampled HTTP error logs |
resource.type="gae_app" AND
protoPayload.status >= 400 AND
sample(insertId, 0.1)
|
| Search for App Engine trace ID |
resource.type="gae_app" AND
trace="projects/PROJECT_ID/traces/TRACE_ID" |
| App Engine logs |
resource.type="gae_app" AND
resource.labels.module_id="MODULE_ID" AND
resource.labels.version_id="VERSION_ID" |
| Recent App Engine deployments |
resource.type="gae_app" AND
protoPayload."@type"="type.googleapis.com/google.cloud.audit.AuditLog" AND
protoPayload.serviceName="appengine.googleapis.com" |
API enable and disable queries
| Query/filter name |
Expression |
| Audit API enable logs |
protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.EnableService" |
| Audit API disable logs |
protoPayload.methodName="google.api.serviceusage.v1.ServiceUsage.DisableService" |
BigQuery queries
| Query/filter name |
Expression |
| BigQuery audit logs |
resource.type=("bigquery_dataset" OR "bigquery_project") AND
logName:"cloudaudit.googleapis.com" |
| BigQuery audit logs for a project |
resource.type="bigquery_project" AND
logName:"cloudaudit.googleapis.com" |
| BigQuery audit logs for a dataset |
resource.type="bigquery_dataset" AND
logName:"cloudaudit.googleapis.com" |
| BigQuery audit logs for BI Engine Model |
resource.type="bigquery_biengine_model" AND
logName:"cloudaudit.googleapis.com" |
| BigQuery audit logs for a Data Transfer Service Run. |
resource.type="bigquery_dts_run" AND
logName:"cloudaudit.googleapis.com" |
| BigQuery audit logs for a Data Transfer Service configuration. |
resource.type="bigquery_dts_config" AND
logName:"cloudaudit.googleapis.com" |
| BigQuery data transfer service jobs |
resource.type=("bigquery_project") AND
protoPayload.requestMetadata.callerSuppliedUserAgent=
"BigQuery Data Transfer Service" AND
protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob" OR
"google.cloud.bigquery.v2.JobService.Query") |
| BigQuery transfer run logs |
resource.type="bigquery_dts_config" AND
labels.run_id="RUN_ID" AND
resource.labels.config_id="CONFIG_ID" |
| BigQuery dataset updates |
resource.type="bigquery_dataset" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName=
"google.cloud.bigquery.v2.DatasetService.UpdateDataset" |
| BigQuery jobs completed |
resource.type="bigquery_project" AND
log_id("cloudaudit.googleapis.com/data_access") AND
protoPayload.methodName=("google.cloud.bigquery.v2.JobService.InsertJob"
OR "google.cloud.bigquery.v2.JobService.Query") |
| BigQuery large queries |
resource.type="bigquery_project" AND
protoPayload.metadata.jobChange.job.jobStats.queryStats.totalBilledBytes
> 1073741824 |
| BigQuery quota exceeded |
resource.type=("bigquery_dataset" OR "bigquery_project")
AND
protoPayload.status.code=8 AND
severity>=WARNING |
| BigQuery query started |
resource.type="bigquery_project" AND
protoPayload.metadata.jobInsertion.reason:* |
| BigQuery concurrent load/extract jobs |
resource.type="bigquery_resource" AND
protoPayload.methodName="jobservice.insert" AND
protoPayload.serviceData.jobInsertRequest.resource.jobConfiguration.query.query:
"extract" |
Dataflow queries
| Query/filter name |
Expression |
| Errors and warnings in Dataflow workers |
resource.type="dataflow_step" AND
log_id("dataflow.googleapis.com/worker") AND
severity>=WARNING |
Dataproc queries
| Query/filter name |
Expression |
| Dataproc Apache Hadoop logs |
resource.type="cloud_dataproc_cluster" AND
jsonPayload.class:"org.apache.hadoop.mapreduce" |
Cloud Deployment Manager
| Query/filter name |
Expression |
| Deployment Manager errors |
resource.type="deployment" AND
severity>=ERROR |
Cloud Run functions queries
| Query/filter name |
Expression |
| Cloud function errors |
resource.type="cloud_function" AND
log_id("cloudfunctions.googleapis.com/cloud-functions") AND
severity>=ERROR |
Cloud Monitoring queries
| Query/filter name |
Expression |
Show all notification channel
errors |
resource.type="stackdriver_notification_channel" AND
severity>=ERROR |
Show notification channel
errors due to throttling |
resource.type="stackdriver_notification_channel" AND
severity>=ERROR AND
jsonPayload.summary="Notification delivery throttled." |
Show logs written by
the uptime resource |
resource.type="uptime_url" |
Show requests received from
the uptime-check service |
"GoogleStackdriverMonitoring-UptimeChecks" |
Cloud Run queries
| Query/filter name |
Expression |
| Cloud Run logs for a specific job |
resource.type="cloud_run_job" AND
resource.labels.service_name="JOB_NAME"
|
| Cloud Run logs for a specific revision and service |
resource.type="cloud_run_revision" AND
resource.labels.service_name="SERVICE_NAME" |
Cloud Source Repositories queries
| Query/filter name |
Expression |
| Cloud Source Repository logs |
resource.type="csr_repository" AND
resource.labels.name="REPOSITORY_NAME" |
Spanner queries
| Query/filter name |
Expression |
| Cloud Spanner logs for a specific spanner instance |
resource.type="spanner_instance" AND
resource.labels.instance_id="SPANNER_INSTANCE" |
Cloud SQL queries
| Query/filter name |
Expression |
| Cloud SQL audit logs |
resource.type="cloudsql_database" AND
resource.labels.database_id="DATABASE_ID" AND
log_id("cloudaudit.googleapis.com/activity") |
| Cloud SQL MySQL error logs |
resource.type="cloudsql_database" AND
log_id("cloudsql.googleapis.com/mysql.err") |
| Cloud SQL MySQL-based databases |
resource.type="cloudsql_database" AND
resource.labels.database_id="DATABASE_ID" AND
log_id("cloudsql.googleapis.com/mysql") |
| Cloud SQL Postgres-based databases |
resource.type="cloudsql_database" AND
resource.labels.database_id="DATABASE_ID" AND
log_id("cloudsql.googleapis.com/postgres.log") |
| Cloud SQL SQL Server error logs |
resource.type="cloudsql_database" AND
log_id("cloudsql.googleapis.com/sqlserver.err") |
| Cloud SQL SQL Server-based databases |
resource.type="cloudsql_database" AND
resource.labels.database_id="DATABASE_ID" AND
log_id("cloudsql.googleapis.com/sqlagent.out") |
Cloud Storage queries
| Query/filter name |
Expression |
| GCS bucket logs |
resource.type="gcs_bucket" AND
resource.labels.bucket_name="BUCKET_NAME" |
| GCS bucket audit logs |
resource.type="gcs_bucket" AND
logName:"cloudaudit.googleapis.com" |
| GCS bucket creation logs |
resource.type="gcs_bucket" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.method_name="storage.buckets.create" |
| GCS bucket deletion logs |
resource.type="gcs_bucket" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.method_name="storage.buckets.delete" |
Cloud Tasks queries
| Query/filter name |
Expression |
| Cloud Tasks queue logs |
resource.type="cloud_tasks_queue" AND
resource.labels.queue_id="QUEUE_ID" |
Compute Engine queries
| Query/filter name |
Expression |
| Compute Engine Admin Activity logs |
resource.type="gce_instance" AND
log_id("cloudaudit.googleapis.com/activity") |
| Compute Engine firewall rule deletion |
resource.type="gce_firewall_rule" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:"firewalls.delete" |
| Compute Engine VM syslogs |
resource.type="gce_instance" AND
log_id("syslog") |
| Compute Engine VM authlogs |
resource.type="gce_instance" AND
log_id("authlog") |
| Compute Engine Host Error |
resource.type="gce_instance"
protoPayload.serviceName="compute.googleapis.com"
(protoPayload.methodName:"compute.instances.hostError"
OR
operation.producer:"compute.instances.hostError")
log_id("cloudaudit.googleapis.com/system_event")
resource.labels.instance_id="INSTANCE_ID"
severity=INFO
|
| Compute Engine Host Memory Alert |
resource.type="gce_instance" AND
protoPayload.serviceName="compute.googleapis.com" AND
(jsonPayload.methodName:"compute.instances.host_event_notify"
OR
operation.producer:"compute.instances.host_event_notify") AND
log_id("cloudaudit.googleapis.com/host_event_notify") AND
resource.labels.instance_id="INSTANCE_ID" AND
severity=CRITICAL
|
| Compute Engine Host Migrated |
resource.type="gce_instance"
protoPayload.serviceName="compute.googleapis.com"
(protoPayload.methodName:
"compute.instances.migrateOnHostMaintenance"
OR
operation.producer:
"compute.instances.migrateOnHostMaintenance")
log_id("cloudaudit.googleapis.com/system_event")
resource.labels.instance_id="INSTANCE_ID"
severity=INFO |
| Compute Engine VM Terminated/Preempted |
resource.type="gce_instance"
protoPayload.methodName=~"compute\.instances\.(guestTerminate|preempted)"
log_id("cloudaudit.googleapis.com/system_event")
resource.labels.instance_id="INSTANCE_ID" |
| Compute Engine VM terminated due to Scratch Disk Creation Failure |
resource.type="gce_instance"
protoPayload.serviceName="compute.googleapis.com"
(protoPayload.methodName="compute.instances.scratchDiskCreationFailed"
OR
operation.producer:
"compute.instances.scratchDiskCreationFailed)
log_id("cloudaudit.googleapis.com/system_event")
resource.labels.instance_id="INSTANCE_ID"
severity=INFO |
| Compute Engine VM Instance Created |
resource.type="gce_instance"
protoPayload.methodName:"compute.instances.insert"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.request.name="INSTANCE_NAME" |
| Compute Engine VM Instance Deleted with Name |
resource.type="gce_instance"
protoPayload.methodName:"compute.instances.delete"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.resourceName:"INSTANCE_NAME" |
| Compute Engine VM Instance Deleted with ID |
resource.type="gce_instance"
protoPayload.methodName:"compute.instances.delete"
log_id("cloudaudit.googleapis.com/activity")
resource.labels.instance_id="INSTANCE_ID" |
| Compute Engine VM Instance Restarted |
resource.type="gce_instance"
protoPayload.methodName=~"compute\.instances\.(
stop|reset|automaticRestart|guestTerminate|
instanceManagerHaltForRestart)"
(log_id("cloudaudit.googleapis.com/activity")
OR log_id("cloudaudit.googleapis.com/system_event"))
resource.labels.instance_id="INSTANCE_ID" |
| Compute Engine Shielded VM Boot Integrity Failure |
resource.type="gce_instance"
log_id("compute.googleapis.com/shielded_vm_integrity")
jsonPayload.earlyBootReportEvent.policyEvaluationPassed="false"
resource.labels.instance_id="INSTANCE_ID" |
| Compute Engine VM instance stopped by Guest OS |
resource.type="gce_instance"
protoPayload.serviceName="compute.googleapis.com"
(protoPayload.methodName:"compute.instances.guestTerminate" OR
operation.producer:"compute.instances.guestTerminate")
log_id("cloudaudit.googleapis.com/system_event")
resource.labels.instance_id="INSTANCE_ID"
severity=INFO |
| Compute Engine Shielded VM boot file was blocked |
resource.type="gce_instance"
log_id("serialconsole.googleapis.com/serial_port_1_output")
textPayload:("Security Violation")
resource.labels.instance_id="INSTANCE_ID" |
| Persistent Disk Created |
resource.type="gce_disk" AND
protoPayload.methodName:"compute.disks.insert" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.resourceName: "PERSISTENT_DISK_NAME" |
| Nodes added in Sole Tenant Node |
resource.type="gce_node_group"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName=~("compute.nodeGroups.addNodes"
OR "compute.nodeGroups.insert")
resource.labels.node_group_id="NODE_GROUP_ID"
severity="INFO" |
| Autoscale events in Sole Tenant Node |
resource.type="gce_node_group"
log_id("cloudaudit.googleapis.com/system_event")
protoPayload.methodName=~("compute.nodeGroups.deleteNodes"
OR "compute.nodeGroups.addNodes")
resource.labels.node_group_id="NODE_GROUP_ID" |
| Manual Snapshot Taken |
resource.type="gce_snapshot"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName:"compute.snapshots.insert"
protoPayload.resourceName:"SNAPSHOT_NAME" |
| Scheduled Snapshot Taken |
resource.type="gce_disk"
log_id("cloudaudit.googleapis.com/system_event")
protoPayload.methodName="ScheduledSnapshots"
protoPayload.response.operationType="createSnapshot"
protoPayload.response.targetLink="PERSISTENT_DISK_NAME" |
| Snapshot Schedule Created |
resource.type="gce_resource_policy"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName:"compute.resourcePolicies.insert"
protoPayload.request.name="SCHEDULE_NAME" |
| Snapshot Schedule Attached |
resource.type="gce_disk"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName:"compute.disks.addResourcePolicies"
protoPayload.request.resourcePolicys:"SCHEDULE_NAME"
protoPayload.resourceName:"PERSISTENT_DISK_NAME" |
| Quota Exceeded |
resource.type="gce_instance"
protoPayload.methodName:"compute.instances.insert"
protoPayload.status.message:"QUOTA_EXCEEDED"
severity=ERROR |
| Query unhealthy instances in instance group |
resource.type="gce_instance_group"
resource.labels.instance_group_name="INSTANCE_GROUP_NAME"
jsonPayload.healthCheckProbeResult.healthState="UNHEALTHY" |
| Query instance group members within a time frame in UTC time format |
resource.type="gce_instance_group_manager"
resource.labels.instance_group_manager_name="INSTANCE_GROUP_NAME"
jsonPayload.@type=
"type.googleapis.com/compute.InstanceGroupManagerEvent"
jsonPayload.instanceHealthStateChange.detailedHealthState="HEALTHY"
timestamp >= START_TIME timestamp <= END_TIME |
| Instances removed from Instance Group |
resource.type="gce_instance_group"
protoPayload.methodName:"compute.instanceGroups.removeInstances"
log_id("cloudaudit.googleapis.com/activity")
resource.labels.instance_group_name="INSTANCE_GROUP_NAME" |
| Instance template set or updated |
resource.type="gce_instance_group_manager"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName=
"v1.compute.instanceGroupManagers.setInstanceTemplate"
resource.labels.instance_group_manager_name="INSTANCE_GROUP_MANAGER" |
| Firewall rule deleted |
resource.type="gce_firewall_rule"
log_id("cloudaudit.googleapis.com/activity")
protoPayload.methodName:"firewalls.delete" |
| Firewall logs |
resource.type="gce_subnetwork"
log_id("compute.googleapis.com/firewall")
jsonPayload.instance.vm_name="INSTANCE_NAME" |
Google Cloud Observability queries
| Query/filter name |
Expression |
| Log sink activities |
resource.type="logging_sink" AND
log_id("cloudaudit.googleapis.com/activity") |
| Log-based metric create or update activities |
resource.type="metric" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:(UpdateLogMetric OR CreateLogMetric) |
| Uptime URL checks for a host |
resource.type="uptime_url" AND
resource.labels.host="URL" |
Identity and Access Management queries
| Query/filter name |
Expression |
| Service account creation logs |
resource.type="service_account" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="google.iam.admin.v1.CreateServiceAccount" |
| Service account creation key logs |
resource.type="service_account" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey" |
| Set access control policy logs |
resource.type="project" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="SetIamPolicy" |
| External principal granted access to organization |
resource.type="project" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND
protoPayload.request.@type:"IamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member:* AND
NOT protoPayload.serviceData.policyDelta.bindingDeltas.member:"@DOMAIN_NAME.com" |
| Resource creation, modification, or deletion |
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:("create" OR "delete" OR "update") |
| Role granted to principal |
log_id("cloudaudit.googleapis.com/activity") AND
resource.type="project" AND
protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.action="Add" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ID" |
| Role removed from principal |
log_id("cloudaudit.googleapis.com/activity") AND
resource.type="project" AND
protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND
protoPayload.methodName="SetIamPolicy" AND
protoPayload.serviceData.policyDelta.bindingDeltas.action="Remove" AND
protoPayload.serviceData.policyDelta.bindingDeltas.member:"EMAIL_ID" |
| Permission updated in a custom role |
log_id("cloudaudit.googleapis.com/activity") AND
resource.type="iam_role" AND
protoPayload.serviceName="iam.googleapis.com" AND
protoPayload.methodName:"UpdateRole" AND
resource.labels.role_name:"ROLE_ID" |
Kubernetes-related queries
For an overview and examples of Admin Activity audit log queries, see those provided on the
GKE Audit logging page.
Cluster-level queries
| Query/filter name |
Expression |
| Google Kubernetes Engine cluster operations |
resource.type="gke_cluster" AND
log_id("cloudaudit.googleapis.com/activity") |
| Google Kubernetes Engine cluster creation |
resource.type="gke_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="google.container.v1.ClusterManager.CreateCluster"
|
| Kubernetes cluster deployment |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:"deployments"
|
| Kubernetes cluster authentication failure |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.authenticationInfo.principalEmail="system:anonymous"
|
Kubernetes cluster operations and events in us-central1-b |
resource.type="k8s_cluster" AND
resource.labels.location="us-central1-b"
|
| Kubernetes pod requests from users |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:"io.k8s.core.v1.pods" AND
protoPayload.authenticationInfo.principalEmail="USER_EMAIL"
|
| Kubernetes events |
resource.type="k8s_cluster" AND
log_id("events")
|
| Kubernetes Endpoints update |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.request.kind="Endpoints"
|
| Kubernetes control plane logs |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.serviceName="k8s.io"
|
| Kubernetes Engine control plane logs |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.serviceName="container.googleapis.com"
|
| Pod deletion |
resource.type="k8s_cluster" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName=~"io\.k8s\.core\.v1\.pods\.(create|delete)"
|
| Kubernetes pod audit logs from control plane |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.resourceName="core/v1/namespaces/POD_NAMESPACE/pods/POD_NAME
|
| Kubernetes pod evictions |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName="io.k8s.core.v1.pods.eviction.create"
|
| Kubernetes node audit logs from the control plane |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.methodName:"io.k8s.core.v1.nodes"
|
| Kubernetes cluster control plane for Addon Manager Activity |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.authenticationInfo.principalEmail="system:addon-manager"
|
Kubernetes control plane errors (excluding Conflict, which is normal) |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("cloudaudit.googleapis.com/activity") AND
protoPayload.status.message!="Conflict" AND
protoPayload.status.code!=0
|
| Ingress Controller events |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("events") AND
jsonPayload.source.component="loadbalancer-controller"
|
| Service Controller events (kube-controller-manager) |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("events") AND
jsonPayload.source.component="service-controller"
|
| Cluster Autoscaler events |
resource.type="k8s_cluster" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("events") AND
jsonPayload.source.component="cluster-autoscaler"
|
Pod-level queries
| Filter name |
Expression |
| Query pod during creation |
resource.type="k8s_pod" AND
resource.labels.pod_name="POD_NAME" AND
log_id("events")
|
| Query pod terminated due to resource pressure |
resource.type="k8s_pod" AND
log_id("events") AND
jsonPayload.reason="Evicted"
|
| Scheduler events |
resource.type="k8s_pod" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("events") AND
jsonPayload.source.component="default-scheduler"
|
| Scheduler events (preemptions) |
resource.type="k8s_pod" AND
resource.labels.location="CLUSTER_LOCATION" AND
resource.labels.cluster_name="CLUSTER_NAME" AND
log_id("events") AND
jsonPayload.source.component="default-scheduler" AND
jsonPayload.reason="Preempted"
|
Node-level queries
| Filter name |
Expression |
| Node events |
resource.type="k8s_node" AND
log_id("events")
|
| Looking at Kube-proxy logs |
resource.type="k8s_node" AND
log_id("kube-proxy")
|
| Looking at dockerd logs |
resource.type="k8s_node" AND
log_id("container-runtime")
|
| Looking at kubelet errors or failures |
resource.type="k8s_node" AND
log_id("kubelet") AND
jsonPayload.MESSAGE:("error" OR "fail")
|
| Looking at node logs for GKE system logs |
resource.type = "k8s_node"
logName:( "logs/container-runtime" OR
"logs/docker" OR
"logs/kube-container-runtime-monitor" OR
"logs/kube-logrotate" OR
"logs/kube-node-configuration" OR
"logs/kube-node-installation" OR
"logs/kubelet" OR
"logs/kubelet-monitor" OR
"logs/node-journal" OR
"logs/node-problem-detector")
|
Namespace queries
| Filter name |
Expression |
| Container and pod logs for GKE system logs |
resource.type = ("k8s_container" OR "k8s_pod")
resource.labels.namespace_name = (
"cnrm-system" OR
"config-management-system" OR
"gatekeeper-system" OR
"gke-connect" OR
"gke-system" OR
"istio-system" OR
"knative-serving" OR
"monitoring-system" OR
"kube-system")
|
Container queries
| Filter name |
Expression |
| Stdout container logs across all pods and containers in a cluster |
resource.type="k8s_container" AND
log_id("stdout")
|
| Container error logs across all pods and containers in a cluster |
resource.type="k8s_container" AND
log_id("stderr") AND
severity=ERROR
|
| Container error logs for a pod with a specific name |
resource.type="k8s_container" AND
resource.labels.pod_name="POD_NAME" AND
severity=ERROR
|
| Container error logs for a specific container in a specific pod |
resource.type="k8s_container" AND
resource.labels.pod_name="POD_NAME" AND
resource.labels.container_name="server" AND
severity=ERROR
|
| Container error logs for a specific namespace and container |
resource.type="k8s_container" AND
resource.labels.namespace_name="istio-system" AND
resource.labels.container_name="egressgateway" AND
severity=ERROR
|
| Container logs for a pod with a specific label |
resource.type="k8s_container" AND
labels."k8s-pod/app"="loadgenerator" AND
severity=ERROR
|
| Container error logs for pods running on a specific node |
resource.type="k8s_container" AND
labels."compute.googleapis.com/resource_name"=NODE_NAME AND
severity=ERROR
|
| Container logs for a pod with a label generated using skaffold |
resource.type="k8s_container" AND
labels."k8s-pod/app"="loadgenerator" AND
labels."k8s-pod/skaffold_dev/run-id"=SKAFFOLD_RUN_ID
severity=ERROR
|
Container error logs for a specific pod containing a POST in the textPayload |
resource.type="k8s_container" AND
resource.labels.pod_name="POD_NAME" AND
textPayload:"POST" AND
severity=ERROR
|
Container error logs for a specific pod containing a GET in the structured JSON |
resource.type="k8s_container" AND
resource.labels.pod_name="POD_NAME" AND
jsonPayload."http.req.method"="GET" AND
severity=ERROR
|
| Container errors logs in the kube-system namespace |
resource.type="k8s_container" AND
resource.labels.namespace_name="kube-system" AND
severity=ERROR
|
| Container error in the container insights log |
resource.type="k8s_container" AND
log_id("clouderrorreporting.googleapis.com/insights")
|
| Kubernetes container logs |
resource.type="k8s_container" AND
resource.labels.container_name="CONTAINER_NAME"
|
Control plane queries
Note: GKE control plane logs must be enabled.
| Filter name |
Expression |
| Kubernetes API server logs |
resource.type="k8s_control_plane_component"
resource.labels.component_name="apiserver"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"
|
| Kubernetes Scheduler logs |
resource.type="k8s_control_plane_component"
resource.labels.component_name="scheduler"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"
|
| Kubernetes Controller Manager logs |
resource.type="k8s_control_plane_component"
resource.labels.component_name="controller-manager"
resource.labels.location="CLUSTER_LOCATION"
resource.labels.cluster_name="CLUSTER_NAME"
|
TPU workload queries
Note: GKE system and workload logging must be enabled.
| Filter name |
Expression |
| Stdout container logs across all TPU nodes with the same prefix
|
resource.type="k8s_container" AND
labels."compute.googleapis.com/resource_name"=~"TPU_NODE_PREFIX.*" AND
log_id("stdout")
|
| Container error logs across all TPU nodes with the same prefix
|
resource.type="k8s_container" AND
labels."compute.googleapis.com/resource_name"=~"TPU_NODE_PREFIX.*" AND
log_id("stderr") AND
severity=ERROR
|
| Stdout container logs from the same GKE Job
|
resource.type="k8s_container" AND
labels."k8s-pod/batch.kubernetes.io/job-name" = "JOB_NAME" AND
log_id("stdout")
|
| Container error logs from the same GKE Job
|
resource.type="k8s_container" AND
labels."k8s-pod/batch.kubernetes.io/job-name"="JOB_NAME" AND
log_id("stderr") AND
severity=ERROR
|
| Stdout container logs from the same GKE JobSet
|
resource.type="k8s_container" AND
labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="JOBSET_NAME" AND
log_id("stdout")
|
| Container error logs from the same GKE JobSet
|
resource.type="k8s_container" AND
labels."k8s-pod/jobset_sigs_k8s_io/jobset-name"="JOBSET_NAME" AND
log_id("stderr") AND
severity=ERROR
|
Logging agent application queries
| Query/filter name |
Expression |
| Apache logs |
resource.type="gce_instance" AND
(logName:"/apache-access" OR logName:"/apache-error") |
| Cassandra logs |
resource.type="gce_instance" AND
log_id("cassandra") |
| Chef logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/chef-" |
| Gitlab logs |
resource.type="gce_instance"
logName:"projects/PROJECT_ID/logs/gitlab-" |
| Jenkins logs |
resource.type="gce_instance" AND
log_id("jenkins") |
| Jetty logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/jetty-" |
| Joomla logs |
resource.type="gce_instance" AND
log_id("joomla") |
| Linux syslogs |
resource.type="gce_instance" AND
log_id("syslog") |
| Magneto logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/magneto-" |
| Mediawiki logs |
resource.type="gce_instance" AND
log_id("mediawiki") |
| memcached logs |
resource.type="gce_instance" AND
log_id("memcached") |
| MongoDB logs |
resource.type="gce_instance" AND
log_id("mongodb") |
| MySQL logs |
resource.type="gce_instance" AND
log_id("mysql") |
| Nginx logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/nginx-" |
| PostgreSQL logs |
resource.type="gce_instance" AND
log_id("postgresql") |
| Puppet logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/puppet-" |
| RabbitMQ logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/rabbitmq-" |
| Redmine logs |
resource.type="gce_instance" AND
log_id("redmine") |
| Salt logs |
resource.type="gce_instance" AND
logName:"projects/PROJECT_ID/logs/salt-" |
| Slow MySQL queries |
resource.type="gce_instance" AND
log_id("mysql-slow") |
| Solr logs |
resource.type="gce_instance" AND
log_id("solr") |
| SugarCRM logs |
resource.type="gce_instance" AND
log_id("sugarcrm") |
| Tomcat logs |
resource.type="gce_instance" AND
log_id("tomcat") |
| Zookeeper logs |
resource.type="gce_instance" AND
log_id("zookeeper") |
Networking queries
| Query/filter name |
Expression |
| Firewall- all logs |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/firewall") |
| Firewall logs for a given country |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/firewall") AND
jsonPayload.remote_location.country=COUNTRY_ISO_ALPHA_3 |
| Firewall logs from a VM |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/firewall") AND
jsonPayload.instance.vm_name="INSTANCE_NAME" |
| Firewall subnet logs |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/firewall") AND
resource.labels.subnetwork_name="SUBNET_NAME" |
| Compute Engine subnetwork traffic logs to a subnet |
resource.type="gce_subnetwork" AND
ip_in_net(jsonPayload.connection.dest_ip, "SUBNET_IP") |
| VPC Flow logs |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/vpc_flows") |
| VPC Flow logs for specific port and protocol |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/vpc_flows") AND
jsonPayload.connection.src_port="PORT_ID" AND
jsonPayload.connection.protocol="PROTOCOL" |
| VPC Flow logs for specific subnet |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/vpc_flows") AND
resource.labels.subnetwork_name"=SUBNET_NAME" |
| VPC Flow logs for specific subnet prefix |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/vpc_flows") AND
ip_in_net(jsonPayload.connection.dest_ip,SUBNET_IP) |
| VPC Flow logs for a specific VM |
resource.type="gce_subnetwork" AND
log_id("compute.googleapis.com/vpc_flows") AND
jsonPayload.src_instance.vm_name="VM_NAME" |
| VPN gateway logs |
resource.type="vpn_gateway" AND
resource.labels.gateway_id="GATEWAY_ID" |
| HTTP Load Balancer 5xx errors |
resource.type="http_load_balancer" AND
httpRequest.status>=500 |
| HTTP Load Balancer requests to PHPMyAdmin |
resource.type="http_load_balancer" AND
httpRequest.request_url:"phpmyadmin" |
Security queries
| Query/filter name |
Expression |
| Audit logs—all |
logName:"cloudaudit.googleapis.com" |
| Audit logs- Access Transparency (AXT) |
log_id("cloudaudit.googleapis.com/access_transparency") |
| Audit logs- Admin Activity |
log_id("cloudaudit.googleapis.com/activity") |
| Audit logs- Data Access |
log_id("cloudaudit.googleapis.com/data_access") |
| Audit logs- System Event |
log_id("cloudaudit.googleapis.com/system_event") |
Troubleshooting
For instructions about troubleshooting common issues when using the
Logs Explorer, see
Using the Logs Explorer: Troubleshooting.
What's next
For more information about the query syntax, which you can use to customize
these queries, see
Logging query language.
For more information about querying in the Google Cloud console, see
Build queries by using the Logging query language.
