This page provides an overview of Secure Web Proxy logs, the available log types, and how to access them.
Overview
Secure Web Proxy logging capabilities let you capture information and perform critical tasks in the following key areas:
Monitoring and compliance
- Enforce compliance with regulations, improve network security, and provide visibility into the traffic going to internet destinations.
- Acquire valuable layers of control and visibility over workload traffic.
- Gain critical insights for effective Security Operations Center (SOC) monitoring.
- Use logs to detect and track security events to help ensure proactive threat response.
Deployment and configuration
- Track your initial infrastructure setup, user account creation, and configuration changes.
- Monitor for potential errors to help ensure a smooth and secure deployment.
- Understand the impact of policy-tuning adjustments and optimize your protection.
Available logs
The following types of logs are available in Secure Web Proxy:
- Cloud Audit Logs
- Proxy transaction logs
Cloud Audit Logs
Cloud Audit Logs provides the following details:
- Information related to API calls made to the infrastructure and proxy setup, creation and modification of policies, and monitoring checks. To capture the interactions, Cloud Audit Logs uses Google Cloud CLI commands and the Secure Web Proxy API.
- Information related to creating and deleting Secure Web Proxy instances, modifying settings, and applying updates. Google Cloud console logs capture console activity that is related to the Secure Web Proxy configuration.
- Insights into changes made to the Secure Web Proxy infrastructure.
- Adjustments to Secure Web Proxy settings, rules, and parameters that shape Secure Web Proxy behavior.
- Modifications to user privileges and access controls within Secure Web Proxy.
- Implementation of policy modifications, capturing pre-edit and post-edit details.
Secure Web Proxy audit logs follow the standard audit log structure. For information about the standard audit log format, see AuditLog.
Proxy transaction logs
Proxy transaction logs capture details about individual requests processed by the Secure Web Proxy. The logs include a detailed record of every transaction between the users and the internet that is mediated by Secure Web Proxy.
Proxy transaction log entries can be divided into the following types:
HttpRequest
HttpRequest log entries contain the following information:
| Name | Type | Description |
|---|---|---|
| requestMethod | String | The request method. Examples: GET, HEAD, PUT, POST.
|
| requestUrl | String | The scheme (http, https), the hostname, the path and the query portion of the URL that was requested. Example: "http://example.com/some/info?color=red". |
| requestSize |
String (int64 format) |
The size, in bytes, of the HTTP request message, including the request headers and the request body. |
| status | Integer | The HTTP or HTTPS status code indicating the response. Examples: 200, 404.
|
| responseSize | String (int64 format) | The size, in bytes, of the HTTP response message sent back to the client, including the response headers and the response body. |
| userAgent | String | The user agent sent by the client. Example: "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461; .NET CLR 1.0.3705)". |
| remoteIp | String |
The IP address (IPv4 or IPv6) of the client that issued the HTTP request. This field can include port information. Examples: 192.168.1.1, 10.0.0.1:80, FE80::0202:B3FF:FE1E:8329.
|
| serverIp | String |
The IP address (IPv4 or IPv6) of the origin server that the request was sent to. This field can include port information. Examples: 192.168.1.1, 10.0.0.1:80, FE80::0202:B3FF:FE1E:8329.
|
| referrer | String |
The referer URL of the request, as defined in HTTP/1.1 Header Field Definitions. |
| latency | String (Duration format) | The request processing latency on the server, from the time the request was received until the response was sent. A duration in seconds with up to nine fractional digits and ending with |
| cacheLookup | Boolean | Whether a cache lookup was attempted. |
| cacheHit | Boolean | Whether or not an entity was served from cache (with or without validation). |
| cacheValidatedWithOriginServer | Boolean | Whether or not the response was validated with the origin server before being served from cache. This field is only meaningful if cacheHit is True. |
| cacheFillBytes | String (int64 format) | The number of HTTP response bytes inserted into cache. Only set when a cache fill is attempted. |
| protocol | String | Protocol used for the request. Examples: "HTTP/1.1", "HTTP/2", "websocket" |
LoadBalancerLogEntry
The LoadBalancerLogEntry log entries contain the following information:
| Name | Type | Description |
|---|---|---|
| insertId | String | The unique log ID. |
| jsonPayload.@type | String | The log type.
The log type value is always |
| jsonPayload.enforcedGatewaySecurityPolicy.hostname | String | The hostname associated with the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.action | String | The action taken on the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.rule | String | The name of the rule applied to the request. |
Gateway monitored resource
Gateway monitored resource log entries contain the following information:
| Name | Type | Description |
|---|---|---|
| resource_container | String | The container associated with the gateway. |
| location | String | The name of the region in which the gateway is defined. |
| network_name | String | The name of the Virtual Private Cloud (VPC) network in which the gateway was created. |
| gateway_type | String | The type enum of the gateway. |
| gateway_name | String | The name of the gateway resource. |
Logging examples
Secure Web Proxy generates detailed log entries whenever it processes a request, keeping track of its actions and applied policies. The following examples show how Secure Web Proxy logs work.
Example of an allow entry
The following log entry shows that the Secure Web Proxy intercepted and
inspected the HTTPS traffic for [www.example.com](https://www.example.com/) and
allowed it to proceed to the destination website. The policy and rule names are
swp-policy and allow-port-443 respectively.
| Field | Values |
|---|---|
| enforcedGatewaySecurityPolicy | "requestWasTlsIntercepted": true, "hostname": "www.example.com", "matchedRules": [ { "action": "ALLOWED", "name": "projects/76537/locations/us-central1/gatewaySecurityPolicies/swp-policy/rules/allow-port-443" } ] |
| httpRequest | "requestMethod": "GET", "requestUrl": "https://www.example.com/", "requestSize": "41", "status": 200, "responseSize": "1446", "userAgent": "curl/7.74.0", "remoteIp": "10.128.0.12:35418", "serverIp": "93.184.216.34:443", "latency": "0.051800s", "protocol": "HTTP/2" |
| resource | "type": "networkservices.googleapis.com/Gateway", "labels": { "gateway_name": "multi-level-tlds", "network_name": "projects/76537/global/networks/default", "location": "us-central1", "resource_container": "", "gateway_type": "SECURE_WEB_GATEWAY" } |
| timestamp | "2024-02-15T16:56:19.570534Z" |
| severity | "INFO" |
| logName | "projects/76537/logs/networkservices.googleapis.com%2Fgateway_requests" |
| receiveTimestamp | "2024-02-15T16:56:20.714988329Z" |
Example of a deny entry
This log entry shows that the Secure Web Proxy inspected the traffic for www.example.com:443 and denied the HTTPS request due to the default_denied rule in the Secure Web Proxy policy.
| Field | Values |
|---|---|
| enforcedGatewaySecurityPolicy | "hostname": "www.example.com:443", "matchedRules": [ { "name": "default_denied", "action": "DENIED" } ] |
| httpRequest |
"requestMethod": "CONNECT", "requestSize": "122", "status": 403, "responseSize": "141", "userAgent": "curl/7.74.0", "remoteIp": "10.128.0.12:36338", "latency": "0.000133s", "protocol": "HTTP/1.1" |
| resource | "type": "networkservices.googleapis.com/Gateway", "labels": { "gateway_type": "SECURE_WEB_GATEWAY", "resource_container": "", "location": "us-central1", "network_name": "projects/gcp-1768/global/networks/default", "gateway_name": "high-latency-repro" } |
| timestamp | "2024-02-15T16:55:00.089727Z" |
| severity | "WARNING" |
| logName | "projects/gcp-1768/logs/networkservices.googleapis.com%2Fgateway_requests" |
| receiveTimestamp | "2024-02-15T16:55:04.456901833Z" |
View logs in Cloud Logging
To view your Secure Web Proxy logs in the Logs Explorer, do the following:
In the Google Cloud console, go to the Logs Explorer page.
Select an existing Google Cloud project at the top of the page, or create a new project.
Using the drop-down menus, select the resource
networkservices.googleapis.com/Gatewayor the Secure Web Proxy instance name.
For more information, see Using the Logs Explorer.