Advanced Log Entries in GCP Cloud Log
Cloud IAM Log Queries
Logs Viewer will filter based on RESOURCES.
- These can be either NAMED resources (an existing resource, e.g. a role) OR categories of resources (e.g. VM).
- A Role is a resource
- A PROJECT is a resource
- A VM is a category of resource (i.e. it refers to ALL VMs in Compute Engine).
- So you can filter for all events on a project, all role assignments for a particular role, or all VM-specific events.
Compute Instance Log queries
The log ID is easier to use than the log name.
You can use the log_id function for queries with a log_name expression. For example, the expression
log_name="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access"
is the same as
log_id("cloudaudit.googleapis.com/data_access")
Example 1: The following query returns 25 percent of the log entries from log syslog:
logName = "projects/my-project/logs/syslog" AND sample(insertId, 0.25)
Example 2: All Compute Instance Activity for a particular instance id
resource.type = "gce_instance" AND
resource.labels.instance_id = "6731710280662790612" AND
logName = "projects/my-project-id/logs/cloudaudit.googleapis.com%2Factivity"
Query at the Project Level
Example 3: Returns log entries from the log my_log whose jsonPayload.realClientIP value falls inside the 10.1.2.0/24 subnet:
logName = "projects/my_project/logs/my_log" AND
ip_in_net(jsonPayload.realClientIP, "10.1.2.0/24")
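The following Python is an added example, not code from the original post or from Google. It mirrors two behaviors described above, the log_id/logName equivalence and the ip_in_net subnet test of Example 3, over constructed log entries so a filter's expected matches can be checked offline. The helper names and sample entries are assumptions, and the functions are local stand-ins rather than Cloud Logging API calls.

```python
import ipaddress
from urllib.parse import quote, unquote

def log_name(project_id, log_id):
    """Full logName for a log ID; the ID is URL-encoded, so '/' becomes %2F."""
    return f"projects/{project_id}/logs/{quote(log_id, safe='')}"

def log_id_of(name):
    """Decoded log ID from a full logName (the value log_id("...") names)."""
    return unquote(name.split("/logs/", 1)[1])

def ip_in_net(value, cidr):
    """Local stand-in for ip_in_net(); assumes missing or invalid IPs never match."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except (ValueError, TypeError):
        return False

def select(entries, wanted_log_id, cidr):
    """Entries from the given log whose jsonPayload.realClientIP is inside cidr."""
    return [e for e in entries
            if log_id_of(e["logName"]) == wanted_log_id
            and ip_in_net(e.get("jsonPayload", {}).get("realClientIP"), cidr)]

# Constructed sample entries (not real log data).
ENTRIES = [
    {"insertId": "a1", "logName": log_name("my_project", "my_log"),
     "jsonPayload": {"realClientIP": "10.1.2.77"}},      # in subnet
    {"insertId": "a2", "logName": log_name("my_project", "my_log"),
     "jsonPayload": {"realClientIP": "10.1.3.5"}},       # outside subnet
    {"insertId": "a3", "logName": log_name("my_project", "my_log"),
     "jsonPayload": {"message": "no client IP"}},        # field missing
    {"insertId": "a4",
     "logName": log_name("my_project", "cloudaudit.googleapis.com/data_access"),
     "jsonPayload": {"realClientIP": "10.1.2.9"}},       # different log
    {"insertId": "a5", "logName": log_name("my_project", "my_log"),
     "jsonPayload": {"realClientIP": "not-an-ip"}},      # malformed value
]

if __name__ == "__main__":
    print(log_name("my_project", "cloudaudit.googleapis.com/data_access"))
    for entry in select(ENTRIES, "my_log", "10.1.2.0/24"):
        print(entry["insertId"], entry["jsonPayload"]["realClientIP"])
```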
Summary and Next Steps
This is just a quick sampling of the types of log queries that Cloud Logging supports. It is convenient to have a centralized logging structure from the get-go.