logging - Configure or retrieve logging on buckets

logging - Configure or retrieve logging on buckets


gsutil logging set on -b logging_bucket [-o log_object_prefix] url... gsutil logging set off url... gsutil logging get url


Google Cloud Storage offers access logs and storage data in the form of CSV files that you can download and view. Access logs provide information for all of the requests made on a specified bucket in the last 24 hours, while the storage logs provide information about the storage consumption of that bucket for the last 24 hour period. The logs and storage data files are automatically created as new objects in a bucket that you specify, in 24 hour intervals.

The logging command has two sub-commands:


The set sub-command has two sub-commands:


The "gsutil logging set on" command will enable access logging of the buckets named by the specified URLs, outputting log files in the specified logging_bucket. logging_bucket must already exist, and all URLs must name buckets (e.g., gs://bucket). The required bucket parameter specifies the bucket to which the logs are written, and the optional log_object_prefix parameter specifies the prefix for log object names. The default prefix is the bucket name. For example, the command:

gsutil logging set on -b gs://my_logging_bucket -o AccessLog \\
    gs://my_bucket1 gs://my_bucket2

will cause all read and write activity to objects in gs://mybucket1 and gs://mybucket2 to be logged to objects prefixed with the name "AccessLog", with those log objects written to the bucket gs://my_logging_bucket.

In addition to enabling logging on your bucket(s), you will also need to grant cloud-storage-analytics@google.com write access to the log bucket, using this command:

gsutil acl ch -g cloud-storage-analytics@google.com:W gs://my_logging_bucket

Note that log data may contain sensitive information, so you should make sure to set an appropriate default bucket ACL to protect that data. (See gsutil help defacl.)


This command will disable access logging of the buckets named by the specified URLs. All URLs must name buckets (e.g., gs://bucket).

No logging data is removed from the log buckets when you disable logging, but Google Cloud Storage will stop delivering new logs once you have run this command.


If logging is enabled for the specified bucket url, the server responds with a JSON document that looks something like this:

  "logBucket": "my_logging_bucket",
  "logObjectPrefix": "AccessLog"

You can download log data from your log bucket using the gsutil cp command.

Access Log And Storage Data Fields

For a complete list of access log fields and storage data fields, see: https://cloud.google.com/storage/docs/access-logs#format

Send feedback about...

Cloud Storage Documentation