Cloud Logging
Service 47

Cloud Logging

LogsOperations

Cloud Logging is the central log aggregator on Google Cloud. Every GCP service emits logs to it automatically — Cloud Run request logs, GKE pod stdout/stderr, Compute Engine serial console, IAM audit, every API call across the platform. Workloads outside GCP can write through the Cloud Logging API or via the Ops Agent on VMs. The output is a unified queryable store of everything that happened on the platform, in one place, with a single query language.

The non-obvious thing about Cloud Logging is its economics. The service itself is cheap; the analytic queries and the long-term retention are not. A production org without thought-out routing and retention strategy can run a six-figure annual Cloud Logging bill while still missing the data they actually need during an incident. The architectural decisions in this chapter — which logs go where, how long they live, what gets routed to BigQuery, what audit categories are even enabled — matter more than the API surface.

Centralized Log Collection

GCP services emit logs without configuration — that part is free, in the sense that you do not enable it. What gets collected by default: HTTP request logs from Cloud Run, App Engine, and load balancers; container stdout/stderr from GKE; serial console output from GCE; Cloud Audit Logs (Admin Activity always; others on demand); structured platform logs from every other managed service. For workloads on VMs or off GCP, the Ops Agent (the modern replacement for the older Cloud Logging Agent and Fluentd) collects system logs, application logs, and metrics in one process.

Sinks and Log Routing

→ BigQueryanalytics
Route logs to BigQuery to query them with SQL — usage analysis, security investigations, dashboards.
→ Cloud Storagearchive
Route to a bucket for cheap long-term retention and compliance archives.
→ Pub/SubSIEM
Stream to Pub/Sub to feed an external SIEM or a real-time processing pipeline.

A sink is just a filter plus a destination. The same log can fan out to several sinks at once.

A sink is a routing rule: log entries matching a filter are exported to a destination. Three common destinations:

  • BigQuery — for SQL-based analytics, long-term audit, and joining with business data. The right place for any logs you want to keep beyond the default retention.
  • Cloud Storage — for cold archival at the lowest cost. Logs land as files; analytics requires loading back into BigQuery.
  • Pub/Sub — for real-time forwarding to external SIEM (Chronicle / Google Security Operations, Splunk, Sentinel) or to custom pipelines.

Sinks are the single most important Cloud Logging configuration. Without them, every log entry is stuck in the default _Default bucket with the default 30-day retention. With them, the team controls cost, retention, and downstream analytics deliberately.

Log Explorer and Filtering

The Log Explorer in the GCP console runs queries against logging buckets using Cloud Logging's filter syntax. For "show me errors from this service in the last hour" the UI is fine. For complex analytics — "which user agents account for the 5xx error rate, broken down by region and hour" — switch to Log Analytics, which exposes logs as BigQuery-style SQL. The two share data; the UI choice is about query complexity, not access.

Cloud Audit Logs — Special Status

Admin Activity · System Eventalways on
On by default, free, 400-day retention. Records every config change and Google-initiated event. You cannot turn these off — and would not want to. (Policy Denied logs are also generated by default, but they are billed, land in the 30-day _Default bucket, and can be excluded.)
Data Accessopt-in
Off by default; you enable it, and it can get expensive. Records who read which data — invaluable for investigations, high-volume on busy services. Enable deliberately, per service.

Cloud Audit Logs are a special category that records every API call against GCP resources. Four sub-types:

  • Admin Activity — administrative API calls. Always on, free, retained 400 days by default. Never disable; you will need them in an incident review.
  • Data Access — data plane reads and writes (Cloud Storage object reads, Spanner row reads). Off by default for a reason: enabling everywhere at full detail produces volumes that dwarf application logs and runs an enormous bill. Enable selectively on sensitive resources. The one exception is BigQuery — its Data Access logs are always on and cannot be disabled.
  • System Event — Google-initiated actions on your resources (live migration, automatic security patches). Always on, free, useful in audits.
  • Policy Denied — IAM denials, VPC Service Controls denials. Generated by default, but unlike Admin Activity these are billed, kept 30 days in the _Default bucket, and can be excluded with a filter. Critical for debugging "why can't this work" and for catching attempted unauthorized access.

Log-Based Metrics

Cloud Logging can derive metrics from log content. A counter that increments when a log line matches a filter (every 5xx response from this service); a distribution that captures a numeric field from logs (latency_ms extracted from request logs). These metrics flow into Cloud Monitoring and feed dashboards and alerts. The pattern is powerful but cardinality is the trap: label dimensions with unbounded values (user IDs, request paths) explode metric series count and cost.

Retention, Storage Cost, and Log Analytics

Logging buckets each have a retention policy. The defaults: _Default bucket keeps 30 days; _Required bucket (Admin Activity audit, etc.) keeps 400 days; custom buckets can be configured up to 3650 days. Longer retention costs more linearly. For long-term audit beyond what custom buckets practically support, route to BigQuery.

Log Analytics is the BigQuery-backed analytics layer on top of logging buckets — without copying data, you query logs in SQL. The right tool for complex queries the Log Explorer does not handle well: aggregations, joins, regex extraction at scale.

Common Mistakes
  • Every log in the default _Default bucket with no sinks. The team loses logs to retention, runs expensive queries against a giant bucket, and cannot separate retention policies by data class.
  • Data Access audit logs enabled everywhere on full detail "for safety". The bill is multiples of every other Cloud Logging cost combined. Enable selectively on regulated or sensitive resources.
  • No sink to BigQuery for long-term audit. After 30 days the default retention drops the data; six months later, the security review needs logs that no longer exist.
  • Complex queries done in Log Explorer instead of Log Analytics. The UI works for simple filters; for cross-field aggregation and joins, Log Analytics SQL is the right surface.
  • Log-based metrics created with high-cardinality labels (user IDs, full URLs, request bodies). Metric series count explodes; the Cloud Monitoring bill follows.
  • Retention set to "forever" on a bucket without compliance justification. Storage cost scales linearly with time. Pick a defensible number.
  • Free-form text logs from applications. Structured JSON logs let downstream queries extract fields cleanly; text logs make every query a regex.
Best Practices
  • Cloud Audit Logs Admin Activity always on. (It is by default. Confirm; do not disable.)
  • Data Access audit logs only on sensitive resources — PII tables, financial data, regulated systems. Not as a blanket setting.
  • Sink production logs to BigQuery for long-term audit and analytics. Cold archive to Cloud Storage for compliance retention.
  • Separate custom logging buckets per data class with retention policies that match the class — short for high-volume operational logs, long for security and audit.
  • Log-based metrics for SLO inputs — error rate, custom latency cohorts. Watch label cardinality.
  • Structured JSON logs from applications. The platform parses them; downstream queries work on fields, not free text.
  • SIEM forwarding via Pub/Sub for orgs running external SIEMs alongside Google Security Operations.
Comparable services AWS CloudWatch Logs Azure Monitor Logs (Log Analytics workspace)

Knowledge Check

Why are Data Access audit logs off by default in Cloud Logging?

  • They are deprecated and slated for removal, replaced by the newer structured audit log equivalents
  • At full detail across an organization, Data Access logs produce volumes that dwarf application logs, so they are enabled selectively on sensitive resources
  • They require the Premium tier of Cloud Logging, which carries an extra per-project subscription charge
  • They violate data-privacy regulations in most jurisdictions and require explicit recorded user consent on file before an administrator can enable them on a resource

What is the principal role of a Cloud Logging sink?

  • A query optimizer that pre-aggregates incoming logs and caches them to speed up the Log Explorer UI
  • A routing rule that exports log entries matching a filter to a destination — BigQuery, Cloud Storage, or Pub/Sub for SIEM and custom pipelines
  • A retention policy that automatically deletes old log entries once they age past a configured threshold, freeing bucket storage and capping ongoing cost
  • A read-only mirror of a logging bucket exposed exclusively to designated read-only audit users in another project

When does Log Analytics beat the Log Explorer for a query?

  • Log Explorer is deprecated, so every saved query and dashboard should be migrated over to run on Log Analytics
  • For analytics that need aggregation, joins, or regex extraction at scale — Log Analytics exposes logs as BigQuery-style SQL, while Log Explorer's filter syntax handles only simpler lookups
  • When the query result must be exported into an external third-party analytics or business-intelligence tool, because the Log Explorer surface offers no built-in way to export its query results at all
  • When the team needs IAM-scoped per-user access, since the Log Explorer is open to every project member by default with no restriction

What is the trap with log-based metrics?

  • Log-based metrics cannot drive Cloud Monitoring alerting policies and are display-only on dashboards, so they offer no operational paging value
  • High-cardinality labels (user IDs, full URLs, request bodies) explode the metric series count and run an outsized Cloud Monitoring bill
  • Log-based metrics silently break and stop recording whenever the underlying source logs are emitted in a structured JSON format
  • Log-based metrics are capped at 100 definitions per project, a hard limit that throttles observability for larger organizations

A team needs to retain compliance-relevant audit logs for seven years. What is the right pattern?

  • Keep them in the default _Default logging bucket and slide its retention setting all the way up to the maximum value the bucket configuration will allow
  • Create a sink that routes the relevant Audit Log entries to BigQuery (or Cloud Storage for cold archive) — Logging buckets do not practically retain that long, while those services do at far lower cost
  • Write a scheduled job that pulls the relevant entries daily through the Cloud Logging API and archives them onto local on-prem compliance storage
  • Disable retention entirely; with no explicit retention policy configured on the destination bucket, Cloud Logging then quietly falls back to keeping every matching log entry indefinitely by default at no charge

You got correct