Command-line interface

The Google Cloud CLI has a group of commands, gcloud logging, that provide a command-line interface to the Logging API. A summary of the important commands and examples of their use are shown on this page.

For additional information, go to the following sources:

  • For detailed documentation on the Logging Google Cloud CLI, read the reference pages for the gcloud logging command group. There might also be new or changed commands in the beta command group: gcloud beta logging.
  • For documentation on the Logging API, read Cloud Logging API.

Getting started

  1. Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity. After signing in, initialize the Google Cloud CLI by running the following command:

    gcloud init
  2. Set your default project so you don't have to supply the --project flag with each command:

    gcloud config set project PROJECT_ID

After you've installed and initialized the Google Cloud CLI, you can run gcloud logging commands from the command line in the same way you use other command-line tools.

Permissions

gcloud logging commands are controlled by Identity and Access Management (IAM) permissions.

To use any of the gcloud logging commands, you must have the serviceusage.services.use permission. You must also have the IAM role that corresponds to the log's location, and to your use case:

Use case IAM role
List logs Logging/Logs Viewer
Delete logs Logging/Logging Admin
Write logs Logging/Logs Writer
Read logs Logging/Logs Viewer
Read Data Access audit logs Logging/Private Logs Viewer
List sinks Logging/Logs Viewer
Create sinks Logging/Logs Configuration Writer
Update sinks Logging/Logs Configuration Writer
Delete sinks Logging/Logs Configuration Writer
Create log scopes Logging/Logs Configuration Writer

For additional information on required Logging IAM roles and permissions, go to Access control.

Summary of commands

The following sections provide summaries and examples of the gcloud CLI command-line interface for Logging. However, some command options and details are omitted; the online documentation for the gcloud CLI commands is authoritative.

From the command line, you can add --help to a partial command to get more details. For example:

gcloud logging --help
gcloud logging sinks --help
gcloud logging sinks create --help

In a few cases, important command features in the Beta version of the gcloud CLI are available:

gcloud beta logging metrics create --help

Over time, Beta features might be rolled into the standard release and new features might be added to the Beta release.

Log entries

You can write and read log entries using gcloud.

Writing log entries

Use the gcloud logging write command, corresponding to the API method entries.write.

gcloud logging write LOG_NAME  ...

LOG_NAME can either be the LOG_ID or the full resource name of the log with the LOG_ID URL-encoded.

For simplicity, this command makes several assumptions about the log entry. For example, it always sets the resource type to global.

Examples

Write a log entry to log my-test-log in the current project with a plain-text payload and a severity of ERROR:

gcloud logging write my-test-log "A simple entry" --severity=ERROR

Write a log entry with a structured (JSON) payload:

gcloud logging write my-test-log '{ "message": "My second entry", "weather": "partly cloudy"}' --payload-type=json

Write a log entry to a folder, billing account, or organization. The following command writes a log entry to a folder:

gcloud logging write my-folder-log "A folder log entry"  --folder=FOLDER_ID

To find your log entries, look in the Logs Explorer under the Global resource type.

You can also gcloud logging read or the corresponding API method. See the example in Reading log entries.

Reading log entries

To retrieve log entries, use the gcloud logging read command, corresponding to the API method entries.list:

gcloud logging read FILTER ...
FILTER is an expression to identify a set of log entries. For more information, see Logging query language.

To read log entries in folders, billing accounts, or organizations, append the --folder, --billing-account, or --organization options.

Examples

Read up to 10 log entries in your project's syslog log from Compute Engine instances containing payloads that include the word SyncAddress. The log entries are to be shown in JSON format:

gcloud logging read "resource.type=gce_instance AND logName=projects/PROJECT_ID/logs/syslog AND textPayload:SyncAddress" --limit 10 --format json

Following is an example of one returned log entry:

{
  "insertId": "2024-04-07|08:56:48.137651-07|10.162.32.129|-1509625619",
  "logName": "projects/[PROJECT_ID]/logs/syslog",
  "resource": {
    "labels": {
      "instance_id": "15543007601548829999",
      "zone": "global"
    },
    "type": "gce_instance"
  },
  "textPayload": "Apr  7 15:56:47 my-gce-instance google-address-manager: ERROR SyncAddresses exception: HTTP Error 503: Service Unavailable",
  "timestamp": "2024-04-07T15:56:47.000Z"
}

To list logs in a folder, add the --folder flag. That flag restricts the log entries read to only those in the folder itself. The same applies to the --organization and --billing-account flags. The following command retrieves activity-type audit logs from a folder. Log entries are to be shown in the default YAML format:

gcloud logging read "resource.type=folder AND logName:cloudaudit.googleapis.com%2Factivity" --folder=FOLDER_ID

Following is an excerpt of one returned entry. It records a call to SetIamPolicy on the folder:

insertId: mhcr1tc16u
logName: folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
  '@type': type.googleapis.com/google.cloud.audit.AuditLog
  methodName: SetIamPolicy
  ...
  serviceName: cloudresourcemanager.googleapis.com
  status: {}
resource:
  labels:
    folder_id: 'FOLDER_ID'
  type: folder
severity: NOTICE
timestamp: '2024-03-19T16:26:49.308Z'

The previous section, Writing log entries, contains an example of writing a log entry to a folder. Following is the command to read the log entry:

gcloud logging read "resource.type=global" --folder=FOLDER_ID --limit=1

Here is the result:

insertId: 1f22es3frcguaj
logName: folders/FOLDER_ID/logs/my-folder-log
receiveTimestamp: '2024-03-19T18:20:19.306598482Z'
resource:
  type: global
textPayload: A folder log entry
timestamp: '2024-03-19T18:20:19.306598482Z'

Logs

A log, or log stream, is the set of log entries that have the same full resource name. The full resource name is equivalent to the LogName field in the LogEntry.

The full resource name for a log must be one of the following:

projects/PROJECT_ID/logs/LOG_ID
organizations/ORGANIZATION_ID/logs/LOG_ID
folders/FOLDER_ID/logs/LOG_ID
billingAccounts/BILLING_ACCOUNT_ID/logs/LOG_ID

LOG_ID can only contain alphanumeric characters, forward-slash, underscore, hyphen, and period characters. For example, compute.googleapis.com/activity_log is a valid LOG_ID. The full resource name includes the project, folder, billing account, or organization in which the log is located. For more information, go to Trusted Cloud by S3NS resource hierarchy.

To manage logs, use the gcloud logging logs command group:

gcloud logging logs list  ...
gcloud logging logs delete  ...

URL Encoding

When passing the full resource name of a log to a gcloud logging command, you must URL-encode the LOG_ID. As an example, a LOG_ID of compute.googleapis.com/activity_log encodes to compute.googleapis.com%2Factivity_log.

When passing the LOG_ID to a gcloud logging command, you don't need to URL-encode the LOG_ID. In this case, the gcloud command encodes for you.

When receiving data that includes the full resource name of a log from a gcloud logging command, the LOG_ID is URL-encoded.

Creating logs

You create a log by writing a log entry to it. See Writing log entries.

Listing log names

Use the gcloud logging logs list command. It executes the API method projects.logs/list.

Only logs that contain log entries are displayed. The display lists full resource names of logs with the LOG_ID URL-encoded.

You can only use gcloud logging logs list to list logs in projects; you can't use it to list logs in folders, billing accounts, or organizations.

Example

List the logs in the current project:

gcloud logging logs list

Sample result:

NAME
projects/my-gcp-project-id/logs/apache-error
projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity
projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Fdata_access
projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log
projects/my-gcp-project-id/logs/compute.googleapis.com%2Fsystem_log
projects/my-gcp-project-id/logs/syslog

Deleting logs

To delete logs, use the gcloud logging logs delete command. It decides, based on the full resource name of a log, which of the following delete API commands to execute: projects.logs, organizations.logs, folders.logs, or billingAccounts.logs.

Example: Delete a project log

To delete a log that exists in the current project using the LOG_ID:

gcloud logging logs delete my-new-log

Really delete all log entries from
[my-new-log]?g_logs
Do you want to continue (Y/n)?  Y
Deleted [my-new-log].

An alternative is to specify the full resource name of a log with the LOG_ID URL-encoded:

gcloud logging logs delete projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log
Result:
Really delete all log entries from
[projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log]?
Do you want to continue (Y/n)?  Y
Deleted [projects/pamstestproject1/logs/compute.googleapis.com%2Factivity_log].

Example: Delete logs in folders, billing accounts or organizations

To delete a log contained in folders, billing accounts or organizations, pass the full resource name with the LOG_ID URL-encoded. For example, the following command deletes a log in a folder:

gcloud logging logs delete folders/FOLDER_ID/logs/my-folder-log

FOLDER_ID must be the unique number that identifies the folder.

Resource descriptors

All log entries contain an instance of one of a fixed set of monitored resource types that generally identifies the resource the log entry comes from, such as a particular Compute Engine VM instance. For a list of monitored resource types, go to Monitored Resource List.

To list the current resource descriptor types, use the gcloud logging resource-descriptors list command, corresponding to the API method monitoredResourceDescriptors.list. You don't need any special permissions to list the resource types.

Examples

List all the resource types that have instance in their names:

gcloud logging resource-descriptors list --filter="type:instance"

Result:

TYPE                        DESCRIPTION                                                 KEY
gce_instance                A virtual machine instance hosted in Compute Engine. project_id,instance_id,zone
gce_instance_group_manager  A Compute Engine instance group manager resource.    project_id,instance_group_manager_id,instance_group_manager_name,location
gce_instance_template       A Compute Engine instance template resource.         project_id,instance_template_id,instance_template_name

Routing logs

You route logs by creating sinks that send certain log entries to supported destinations. For more information about sinks, see Routing and storage overview: Sinks.

Use the gcloud logging sinks command group, corresponding to the API methods projects.sinks, folders.sinks, billingAccounts.sinks, and organizations.sinks.

Sinks can be located wherever logs are located: projects, folders, billing accounts, and organizations. Use the gcloud logging flags --folder, --billing-account, or --organization to refer to those locations. Omitting them defaults to the project specified by --project or the current project.

Creating sinks

Use the gcloud logging sinks create command, corresponding to the API method projects.sinks.create:

gcloud logging sinks create SINK_NAME SINK_DESTINATION  --log-filter="..." ...

Destination authorization. To determine the writer identity service account for your new sink, use the describe command in the next section to fetch the new sink's properties. You need the service account to authorize the sink to write to its destination. The gcloud logging command doesn't perform the authorization for you, as the Logs Explorer does. For more information, see Destination permissions.

Aggregated sinks. You can use one of the --folder, --billing-account, and --organization flags if you want to route the logs from that resource. You have the following options:

  • By default, using the previous flags restricts the sink to routing only the logs held in the named folder, organization, or billing account.
  • If you additionally add the --include-children flag, then the sink becomes an aggregated sink and the sink routes logs from all folders and projects contained within the named resource, subject to the filter in the --log-filter flag.
  • Billing accounts don't contain folders or projects, so --include-children has no effect with --billing-account.

For more information, see Aggregated sinks overview.

Examples

Create a sink, syslog-sink, in the current project that routes all syslog entries with severity WARNING or higher. The destination is a new Pub/Sub topic in the current project, and the sink service account, shown in the output of the logging sinks create command, is granted an IAM role that lets the service account publish content to the topic.

gcloud pubsub topics create syslog-sink-topic
gcloud logging sinks create syslog-sink pubsub.googleapis.com/projects/MY-PROJECT/topics/syslog-sink-topic \
     --log-filter="severity>=WARNING"
gcloud pubsub topics add-iam-policy-binding syslog-sink-topic \
     --member serviceAccount:LOG-SINK-SERVICE-ACCOUNT --role roles/pubsub.publisher

Listing or describing sinks

Use the gcloud logging sinks list or gcloud logging sinks describe commands, corresponding to the API methods projects.sinks.list and projects.sinks.get, respectively:

gcloud logging sinks list
gcloud logging sinks describe SINK_NAME

Examples

List sinks in the current project:

gcloud logging sinks list

NAME                            DESTINATION                                                                   FILTER
pubsub-logs-sink                pubsub.googleapis.com/projects/my-gcp-project-id/topics/my-pubsub-logs-topic  logName = "projects/my-gcp-project-id/logs/pubsubtestlog"

Updating sinks

Use the gcloud logging sinks update command, corresponding to the API method projects.sink.update:

You can update a sink to change the destination or the query:

gcloud logging sinks update SINK_NAME NEW_DESTINATION  --log-filter=NEW_FILTER

You can omit the NEW_DESTINATION or --log-filter if those parts don't change.

Deleting sinks

Use the gcloud logging sinks delete command, corresponding to the API method projects.sinks.delete: You stop routing its log entries when you delete a sink:

gcloud logging sinks delete SINK_NAME

Examples

Delete sink syslog-sink-1 in the current project:

gcloud logging sinks delete syslog-sink-1