Cloud SQL logging

This page describes how to find and use Cloud Logging to view and query logs for your Cloud SQL instance.

Cloud SQL uses Cloud Logging. See the cloud logging documentation for complete information and review the Cloud SQL sample queries.

Viewing logs

To view logs for your Cloud SQL instance log entries:

Console

  1. Go to the Logs Viewer
  2. Select an existing Cloud SQL project at the top of the page.
  3. In the Query builder, add the following:
    • Resource: select Cloud SQL Database. In the dialog, select a Cloud SQL instance.
    • Log names: scroll to the Cloud SQL section and select appropriate log files for your instance. For example:
      • cloudsql.googleapis.com/sqlagent.out
      • cloudsql.googleapis.com/sqlserver.err
    • Severity: select a log level.
    • Time range: select a preset or create a custom range.

gcloud

Use the gcloud logging command to view log entries. In the example below, replace PROJECT_ID. The limit flag is an optional parameter that indicates the maximum number of entries to return.

gcloud logging read "projects/[PROJECT_ID]/logs/cloudsql.googleapis.com/sqlagent.out" --limit=10

Troubleshooting

Click the links in the table for details:

For this problem... The issue might be... Try this...
Logging is using a lot of CPU and memory. Logging needs to be tuned. Try tuning logging resource usage.
Audit logs are not found. User authentication. Check user roles and permissions.
Operations information not found in logs. Audit logs are not enabled. Enable audit logging.

Logging is using a lot of CPU and memory

Logging is using a lot of CPU and memory.

The issue might be

Logging usage needs to be tuned.

Things to try

The log_statement flag can be set to none and the logging_collector flag can be set to off. If logging is still occurring, there may be other log-related flags that can be tuned. You can edit the instance to modify these flags.


Audit logging

You turned on audit logging for Cloud SQL but are unable to find any audit logs in Cloud Logging

The issue might be

Data-Access logs are only written if the operation is an authenticated user-driven API call that creates, modifies, or reads user-created data, or if the operation accesses configuration files or metadata of resources.

Things to try

Check the roles and permissions of the user performing the operations.


Operation information not found in logs

You want to find more information about an operation. For example, a user was deleted but you can't find out who did it. The logs show the operation started but do not provide any more information.

The issue might be

You must enable audit logging for detailed and personal identifying information (PII) like this to be logged.

Things to try

Enable audit logging in your project.