Cloud Logging overview

This document provides an overview of Cloud Logging, which is a real-time log-management system with storage, search, and analysis capabilities. Cloud Logging automatically collects log data from Trusted Cloud by S3NS resources. For regulatory or security reasons, you can determine where your log data is stored.

You can also collect log data from applications that you write by instrumenting them with a client library.

Query, view, and analyze log data

You can view and analyze your log data by using the Logs Explorer page in the Trusted Cloud console. This interface is designed to let you view individual log entries and find related log entries.

For more information, see Query and view log data.

Log storage and retention

You don't have to configure the location where log data is stored. By default, Trusted Cloud projects, billing accounts, folders, and organization resources automatically store the log data that originates in the resource. For example, if your Trusted Cloud project contains a Compute Engine instance, then the log data Compute Engine generates is automatically stored.

You can configure several aspects of your log storage, such as which log data is stored, which is discarded, and where the log data is stored. For more information, see Store log entries.

Log entries are stored for a specified length of time and are then deleted. For more information, see Logs retention periods.

Log routing

You can route, or forward, log entries to the following destinations:

  • Trusted Cloud project

  • Log bucket

  • Pub/Sub topic, which provides support for third-party integrations.

When log data is routed, the destination can be in a different resource from where the log data originates. For example, you can route log data from one project to a log bucket stored in a different project.

For more information, see Route log entries.

Categories of log data

Log categories are meant to help describe the logging information available to you; the categories aren't mutually exclusive:

  • Platform log entries are written by Trusted Cloud by S3NS services. These log entries can help you debug and troubleshoot issues, and help you better understand the Trusted Cloud services you're using.

  • Component log entries are generated by Trusted Cloud by S3NS-provided software components that run on your systems. For example, GKE provides software components that users can run on their own virtual machine or in their own data center. These log entries are often used to provide user support.

  • Security log entries help you answer "who did what, where, and when":

    • Cloud Audit Logs provide information about administrative activities and accesses within your Trusted Cloud resources. Enabling audit logs helps your security, auditing, and compliance entities monitor Trusted Cloud data and systems for possible vulnerabilities or external data misuse. For a list of supported services, see Trusted Cloud by S3NS services with audit logs.

  • User-written log entries are logs written by custom applications and services. Typically, this data is written to Cloud Logging by using the Cloud Logging API.
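
The following added example, which is not part of the original documentation, shows how exported audit log entries can be reduced to the "who did what, where, and when" fields and grouped by principal for review. The sample entries are constructed, and the field names (`protoPayload`, `authenticationInfo.principalEmail`, `methodName`, `resourceName`, `requestMetadata.callerIp`) and the `cloudaudit` log name are assumed to follow the Cloud Audit Logs JSON layout; `summarize` and `actions_by_principal` are hypothetical helper names.

```python
import json
from collections import defaultdict

# Constructed sample entries, not real logs. Field names are assumed to follow
# the Cloud Audit Logs JSON layout (LogEntry with an AuditLog protoPayload).
SAMPLE = json.loads("""[
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
  "timestamp": "2025-01-15T09:12:44Z",
  "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                   "requestMetadata": {"callerIp": "203.0.113.10"},
                   "methodName": "v1.compute.instances.delete",
                   "resourceName": "projects/example-project/zones/zone-a/instances/vm-1"}},
 {"logName": "projects/example-project/logs/my-app",
  "timestamp": "2025-01-15T09:13:02Z",
  "jsonPayload": {"message": "user-written entry, not an audit log"}},
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2025-01-15T09:14:30Z",
  "protoPayload": {"methodName": "storage.objects.get",
                   "resourceName": "projects/_/buckets/example-bucket/objects/report.csv"}}
]""")


def summarize(entry):
    """Return who/what/where/when for an audit entry, or None for other logs."""
    payload = entry.get("protoPayload")
    if payload is None or "cloudaudit" not in entry.get("logName", ""):
        return None  # platform, component, or user-written entry
    auth = payload.get("authenticationInfo", {})
    return {
        "who": auth.get("principalEmail", "(unknown principal)"),
        "what": payload.get("methodName", "(unknown method)"),
        "where": payload.get("resourceName", "(unknown resource)"),
        "when": entry.get("timestamp", "(no timestamp)"),
        "source_ip": payload.get("requestMetadata", {}).get("callerIp"),
    }


def actions_by_principal(entries):
    """Group audit actions by principal so each identity's activity is reviewable."""
    grouped = defaultdict(list)
    for entry in entries:
        row = summarize(entry)
        if row:
            grouped[row["who"]].append((row["when"], row["what"], row["where"]))
    return dict(grouped)


if __name__ == "__main__":
    for who, actions in actions_by_principal(SAMPLE).items():
        for when, what, where in actions:
            print(f"{when}  {who}  {what}  {where}")
```

Entries without an identifiable principal are kept under a placeholder key rather than dropped, so they remain visible during review.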

Access control

Identity and Access Management (IAM) permissions and roles control access to log buckets. You can grant predefined roles to principals, or you can create custom roles. For more information about required permissions, see Access control.
