Cloud IAM Log Queries

Logs Viewer will filter based on RESOURCES.

  • These can be either NAMED resources (an existing resource, e.g. a role) OR categories of resources (e.g. VM)
  • A Role is a resource
  • A PROJECT is a resource
  • A VM is a category of resource (i.e. it refers to ALL VMs in Compute Engine).
  • So, you can filter for all events on a project, all Role assignments for a particular role, or all VM-specific events.

Compute Instance Log Queries

Log ID is easier to use than the log name

You can use the log_id function in place of a logName expression. For example, the expression logName="projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Fdata_access" is the same as log_id("cloudaudit.googleapis.com/data_access"). The log ID is written without URL encoding, so the "/" does not need to be escaped as %2F.

Example 1: The following query returns 25 percent of the log entries from log syslog:

logName = "projects/my-project/logs/syslog" AND sample(insertId, 0.25)

Example 2: All Compute Instance Activity for a particular instance id

resource.type = "gce_instance" AND
resource.labels.instance_id = "6731710280662790612" AND
logName = "projects/my-project-id/logs/cloudaudit.googleapis.com%2Factivity"

Query at the Project Level

Example 3: Matches log entries from the log my_log whose payload field realClientIP falls inside the subnet 10.1.2.0/24:

logName = "projects/my_project/logs/my_log" AND
ip_in_net(jsonPayload.realClientIP, "10.1.2.0/24")
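
The log_id / logName equivalence and the Example 3 filter can be checked offline before running them in Logs Viewer. The following is an added example, not code from the original page: the helper names and the sample entries are constructed, and in_net is a local approximation of ip_in_net that assumes a missing or malformed address does not match.

```python
import ipaddress
from urllib.parse import quote, unquote

def log_name(project_id, log_id):
    """Full logName for a log ID; the '/' inside the ID becomes %2F."""
    return f"projects/{project_id}/logs/{quote(log_id, safe='')}"

def log_id_of(name):
    """Recover the non-URL-encoded log ID from a full logName."""
    return unquote(name.split("/logs/", 1)[1])

def in_net(value, cidr):
    """Local stand-in for ip_in_net (assumption: bad or missing values do not match)."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except (ValueError, TypeError):
        return False

def matches_example3(entry, project_id="my_project"):
    """Apply both conditions of Example 3 to one entry shaped like a LogEntry."""
    client_ip = entry.get("jsonPayload", {}).get("realClientIP")
    return (entry.get("logName") == log_name(project_id, "my_log")
            and in_net(client_ip, "10.1.2.0/24"))

# Constructed sample entries (not real log data).
MY_LOG = log_name("my_project", "my_log")
ACTIVITY = log_name("my_project", "cloudaudit.googleapis.com/activity")
SAMPLE = [
    {"insertId": "a1", "logName": MY_LOG, "jsonPayload": {"realClientIP": "10.1.2.7"}},
    {"insertId": "a2", "logName": MY_LOG, "jsonPayload": {"realClientIP": "10.1.3.7"}},
    {"insertId": "a3", "logName": MY_LOG, "jsonPayload": {"realClientIP": "unknown"}},
    {"insertId": "a4", "logName": MY_LOG, "textPayload": "no structured payload"},
    {"insertId": "a5", "logName": ACTIVITY, "jsonPayload": {"realClientIP": "10.1.2.9"}},
]

def matching_ids(entries):
    """insertIds of the entries that Example 3 would return."""
    return [e["insertId"] for e in entries if matches_example3(e)]

if __name__ == "__main__":
    print(ACTIVITY)              # URL-encoded form used with logName
    print(log_id_of(ACTIVITY))   # plain form used with log_id()
    print(matching_ids(SAMPLE))
```

Entry a5 carries an in-range address but is excluded because the logName condition scopes the query to my_log only.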

Summary and Next Steps

This is just a quick sampling of the types of log queries that Cloud Logging supports. It is convenient to have a centralized logging structure from the get-go.
