The Google Cloud CLI has a group of commands, gcloud logging,
that
provide a command-line interface to the Logging API. A summary of the
important commands and examples of their use are shown on this page.
For additional information, go to the following sources:
- For detailed documentation on the Logging Google Cloud CLI, read the reference pages for the gcloud logging command group. There might also be new or changed commands in the beta command group: gcloud beta logging.
- For documentation on the Logging API, read Cloud Logging API.
Getting started
-
Install the Google Cloud CLI, and then sign in to the gcloud CLI with your federated identity. After signing in, initialize the Google Cloud CLI by running the following command:
gcloud init Set your default project so you don't have to supply the
--projectflag with each command:gcloud config set project PROJECT_ID
After you've installed and initialized the Google Cloud CLI, you can run
gcloud logging commands from the command line in the same way you use other
command-line tools.
Permissions
gcloud logging commands are controlled by Identity and Access Management (IAM)
permissions.
To use any of the gcloud logging commands, you must have the
serviceusage.services.use permission. You must also have the
IAM role that corresponds to the log's location, and to your
use case:
| Use case | IAM role |
|---|---|
| List logs | Logging/Logs Viewer |
| Delete logs | Logging/Logging Admin |
| Write logs | Logging/Logs Writer |
| Read logs | Logging/Logs Viewer |
| Read Data Access audit logs | Logging/Private Logs Viewer |
| List sinks | Logging/Logs Viewer |
| Create sinks | Logging/Logs Configuration Writer |
| Update sinks | Logging/Logs Configuration Writer |
| Delete sinks | Logging/Logs Configuration Writer |
| Create log scopes | Logging/Logs Configuration Writer |
For additional information on required Logging IAM roles and permissions, go to Access control.
Summary of commands
The following sections provide summaries and examples of the gcloud CLI command-line interface for Logging. However, some command options and details are omitted; the online documentation for the gcloud CLI commands is authoritative.
From the command line, you can add --help to a partial command to get more
details. For example:
gcloud logging --help
gcloud logging sinks --help
gcloud logging sinks create --help
In a few cases, important command features in the Beta version of the gcloud CLI are available:
gcloud beta logging metrics create --help
Over time, Beta features might be rolled into the standard release and new features might be added to the Beta release.
Log entries
You can write and read log entries using gcloud.
Writing log entries
Use the gcloud logging write command, corresponding to the API method entries.write.
gcloud logging write LOG_NAME ...
LOG_NAME can either be the LOG_ID or the full resource name of the log with the LOG_ID URL-encoded.
For simplicity, this command makes several assumptions about
the log entry. For example, it always sets the
resource type to global.
Examples
Write a log entry to log my-test-log in the current project with a plain-text
payload and a severity of ERROR:
gcloud logging write my-test-log "A simple entry" --severity=ERROR
Write a log entry with a structured (JSON) payload:
gcloud logging write my-test-log '{ "message": "My second entry", "weather": "partly cloudy"}' --payload-type=json
Write a log entry to a folder, billing account, or organization. The following command writes a log entry to a folder:
gcloud logging write my-folder-log "A folder log entry" --folder=FOLDER_ID
To find your log entries, look in the Logs Explorer under the Global resource type.
You can also gcloud logging read or the corresponding API method. See the
example in Reading log entries.
Reading log entries
To retrieve log entries, use the gcloud logging read command, corresponding to the API method entries.list:
gcloud logging read FILTER ...
To read log entries in folders, billing accounts, or organizations,
append the --folder, --billing-account, or --organization options.
Examples
Read up to 10 log entries in your project's syslog log from Compute Engine
instances containing payloads that include the word SyncAddress. The log
entries are to be shown in JSON format:
gcloud logging read "resource.type=gce_instance AND logName=projects/PROJECT_ID/logs/syslog AND textPayload:SyncAddress" --limit 10 --format json
Following is an example of one returned log entry:
{
"insertId": "2024-04-07|08:56:48.137651-07|10.162.32.129|-1509625619",
"logName": "projects/[PROJECT_ID]/logs/syslog",
"resource": {
"labels": {
"instance_id": "15543007601548829999",
"zone": "global"
},
"type": "gce_instance"
},
"textPayload": "Apr 7 15:56:47 my-gce-instance google-address-manager: ERROR SyncAddresses exception: HTTP Error 503: Service Unavailable",
"timestamp": "2024-04-07T15:56:47.000Z"
}
To list logs in a folder, add the --folder flag. That flag restricts the log
entries read to only those in the folder itself. The same applies to the
--organization and --billing-account flags. The following command retrieves
activity-type audit logs from a folder. Log entries are to be shown in the
default YAML format:
gcloud logging read "resource.type=folder AND logName:cloudaudit.googleapis.com%2Factivity" --folder=FOLDER_ID
Following is an excerpt of one returned entry. It records a call to
SetIamPolicy on the folder:
insertId: mhcr1tc16u
logName: folders/FOLDER_ID/logs/cloudaudit.googleapis.com%2Factivity
protoPayload:
'@type': type.googleapis.com/google.cloud.audit.AuditLog
methodName: SetIamPolicy
...
serviceName: cloudresourcemanager.googleapis.com
status: {}
resource:
labels:
folder_id: 'FOLDER_ID'
type: folder
severity: NOTICE
timestamp: '2024-03-19T16:26:49.308Z'
The previous section, Writing log entries, contains an example of writing a log entry to a folder. Following is the command to read the log entry:
gcloud logging read "resource.type=global" --folder=FOLDER_ID --limit=1
Here is the result:
insertId: 1f22es3frcguaj
logName: folders/FOLDER_ID/logs/my-folder-log
receiveTimestamp: '2024-03-19T18:20:19.306598482Z'
resource:
type: global
textPayload: A folder log entry
timestamp: '2024-03-19T18:20:19.306598482Z'
Logs
A log, or log stream, is the set of log entries that have the same full resource
name. The full resource name is equivalent to the LogName field in the
LogEntry.
The full resource name for a log must be one of the following:
projects/PROJECT_ID/logs/LOG_ID organizations/ORGANIZATION_ID/logs/LOG_ID folders/FOLDER_ID/logs/LOG_ID billingAccounts/BILLING_ACCOUNT_ID/logs/LOG_ID
LOG_ID can only contain alphanumeric characters, forward-slash,
underscore, hyphen, and period characters. For example,
compute.googleapis.com/activity_log is a valid LOG_ID. The full resource
name includes the project, folder, billing account, or organization in which the
log is located. For more information, go to
Trusted Cloud by S3NS resource hierarchy.
To manage logs, use the gcloud logging logs command group:
gcloud logging logs list ... gcloud logging logs delete ...
URL Encoding
When passing the full resource name of a log to a gcloud logging command,
you must URL-encode the LOG_ID. As an example, a LOG_ID of
compute.googleapis.com/activity_log encodes to
compute.googleapis.com%2Factivity_log.
When passing the LOG_ID to a gcloud logging command, you don't need to
URL-encode the LOG_ID. In this case, the gcloud command encodes for you.
When receiving data that includes the full resource name of a log from a
gcloud logging command, the LOG_ID is URL-encoded.
Creating logs
You create a log by writing a log entry to it. See Writing log entries.
Listing log names
Use the gcloud logging logs list command. It executes the API method projects.logs/list.
Only logs that contain log entries are displayed. The display lists full
resource names of logs with the LOG_ID URL-encoded.
You can only use gcloud logging logs list to list logs in projects; you can't
use it to list logs in folders, billing accounts, or organizations.
Example
List the logs in the current project:
gcloud logging logs list
Sample result:
NAME projects/my-gcp-project-id/logs/apache-error projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Factivity projects/my-gcp-project-id/logs/cloudaudit.googleapis.com%2Fdata_access projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log projects/my-gcp-project-id/logs/compute.googleapis.com%2Fsystem_log projects/my-gcp-project-id/logs/syslog
Deleting logs
To delete logs, use the
gcloud logging logs delete
command. It decides, based on the full resource name of a log,
which of the following delete API commands to execute:
projects.logs,
organizations.logs,
folders.logs,
or
billingAccounts.logs.
Example: Delete a project log
To delete a log that exists in the current project using the LOG_ID:
gcloud logging logs delete my-new-log
Really delete all log entries from [my-new-log]?g_logs Do you want to continue (Y/n)? Y Deleted [my-new-log].
An alternative is to specify the full resource name of a log with the
LOG_ID URL-encoded:
gcloud logging logs delete projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log
Really delete all log entries from [projects/my-gcp-project-id/logs/compute.googleapis.com%2Factivity_log]? Do you want to continue (Y/n)? Y Deleted [projects/pamstestproject1/logs/compute.googleapis.com%2Factivity_log].
Example: Delete logs in folders, billing accounts or organizations
To delete a log contained in folders, billing accounts or organizations, pass the full resource name with the LOG_ID URL-encoded. For example, the following command deletes a log in a folder:
gcloud logging logs delete folders/FOLDER_ID/logs/my-folder-log
FOLDER_ID must be the unique number that identifies the folder.
Resource descriptors
All log entries contain an instance of one of a fixed set of monitored resource types that generally identifies the resource the log entry comes from, such as a particular Compute Engine VM instance. For a list of monitored resource types, go to Monitored Resource List.
To list the current resource descriptor types, use the gcloud logging resource-descriptors list command, corresponding to the API method monitoredResourceDescriptors.list. You don't need any special permissions to list the resource types.
Examples
List all the resource types that have instance in their names:
gcloud logging resource-descriptors list --filter="type:instance"
Result:
TYPE DESCRIPTION KEY
gce_instance A virtual machine instance hosted in Compute Engine. project_id,instance_id,zone
gce_instance_group_manager A Compute Engine instance group manager resource. project_id,instance_group_manager_id,instance_group_manager_name,location
gce_instance_template A Compute Engine instance template resource. project_id,instance_template_id,instance_template_name
Routing logs
You route logs by creating sinks that send certain log entries to supported destinations. For more information about sinks, see Routing and storage overview: Sinks.
Use the gcloud logging sinks command group, corresponding to the API methods projects.sinks, folders.sinks, billingAccounts.sinks, and organizations.sinks.
Sinks can be located wherever logs are located: projects, folders, billing
accounts, and organizations. Use the gcloud logging flags --folder,
--billing-account, or --organization to refer to those locations.
Omitting them defaults to the project specified by --project or
the current project.
Creating sinks
Use the gcloud logging sinks create command, corresponding to the API method projects.sinks.create:
gcloud logging sinks create SINK_NAME SINK_DESTINATION --log-filter="..." ...
Destination authorization. To determine the writer identity service account
for your new sink, use the describe command in the next section to fetch the
new sink's properties. You need the service account to authorize the sink to
write to its destination. The gcloud logging command doesn't perform the
authorization for you, as the Logs Explorer does. For more information,
see Destination permissions.
Aggregated sinks. You can use one of the --folder,
--billing-account, and --organization flags if you want to route the logs
from that resource. You have the following options:
- By default, using the previous flags restricts the sink to routing only the logs held in the named folder, organization, or billing account.
- If you additionally add the
--include-childrenflag, then the sink becomes an aggregated sink and the sink routes logs from all folders and projects contained within the named resource, subject to the filter in the--log-filterflag. - Billing accounts don't contain folders or projects, so
--include-childrenhas no effect with--billing-account.
For more information, see Aggregated sinks overview.
Examples
Create a sink, syslog-sink, in the current project that routes all syslog
entries with severity WARNING or higher. The destination is a new
Pub/Sub topic in the current project, and the sink service account,
shown in the output of the logging sinks create command, is granted an
IAM role that lets the service account publish content to the
topic.
gcloud pubsub topics create syslog-sink-topic
gcloud logging sinks create syslog-sink pubsub.googleapis.com/projects/MY-PROJECT/topics/syslog-sink-topic \
--log-filter="severity>=WARNING"
gcloud pubsub topics add-iam-policy-binding syslog-sink-topic \
--member serviceAccount:LOG-SINK-SERVICE-ACCOUNT --role roles/pubsub.publisher
Listing or describing sinks
Use the gcloud logging sinks list or gcloud logging sinks describe commands, corresponding to the API methods projects.sinks.list and projects.sinks.get, respectively:
gcloud logging sinks list
gcloud logging sinks describe SINK_NAME
Examples
List sinks in the current project:
gcloud logging sinks list
NAME DESTINATION FILTER
pubsub-logs-sink pubsub.googleapis.com/projects/my-gcp-project-id/topics/my-pubsub-logs-topic logName = "projects/my-gcp-project-id/logs/pubsubtestlog"
Updating sinks
Use the gcloud logging sinks update command, corresponding to the API method projects.sink.update:
You can update a sink to change the destination or the query:
gcloud logging sinks update SINK_NAME NEW_DESTINATION --log-filter=NEW_FILTER
You can omit the NEW_DESTINATION or --log-filter if those parts don't change.
Deleting sinks
Use the gcloud logging sinks delete command, corresponding to the API method projects.sinks.delete: You stop routing its log entries when you delete a sink:
gcloud logging sinks delete SINK_NAME
Examples
Delete sink syslog-sink-1 in the current project:
gcloud logging sinks delete syslog-sink-1