Compute Engine provides activity logs that let you track certain events that affect your project, such as API calls and system events. Specifically, activity logs provide information about:
- Compute Engine API calls -
GCE_API_CALLevents are API calls that change the state of a resource. For example, API calls to create a disk, update instance metadata, create an instance group, change a machine type, are recorded in activity logs. API calls that do not update a resource, such asgetandlistrequests are not recorded. - Operation logs -
GCE_OPERATION_DONEevents are logged when an API call changes the state of a resource finishes, Compute Engine returns a completed operation event that is recorded in your activity logs. - System logs -
GCE_SYSTEM_EVENTevents are logged when Compute Engine performs a system event, it is recorded in activity logs. For example, a transparent maintenance event would be logged as a system event.
For example, with an API event, an activity log provides details such as the start and end time of an API request, the specifics of the request body, the authorized user who made the API request, and the request endpoint. You can download activity logs to search for specific API requests, or to review system events initiated by Compute Engine.
Activity logs do not provide billing or usage information about a project, such as how long a virtual machine instance has been running or how much it costs. For billing logs, see the billing export feature. For usage logs, see Viewing Usage Reports.
Compute Engine activity logs are also not the same thing as audit logs.
Activity logs are provided as part of the Stackdriver Logging service. For more information about Stackdriver Logging in general, read the Stackdriver Logging documentation.
Before you begin
- If you want to use the command-line examples in this guide:
- Install or update to the latest version of the gcloud command-line tool.
- Set a default region and zone.
- Familiar with Stackdriver Logging.
Permissions required for this task
To perform this task, you must have the following permissions.
logging.logServiceIndexes.liston the projectlogging.logServices.liston the project
Viewing logs
Activity logging is enabled by default for all Compute Engine projects.
You can see your project's activity logs through the Logs Viewer in the Google Cloud Platform Console:
- Go to the Logging page in the GCP Console.
- When in the logs viewer, select and filter your resource type from the first drop-down menu.
- Select compute.googleapis.com/activity_log from the All logs drop-down menu to see Compute Engine activity logs.
Exporting logs
Read Configuring Logs Export in the Stackdriver documentation to learn how to export activity logs.
Identifying log files
When you export logs into Google Cloud Storage, the log files are stored in the structure described by the Log entry objects documentation.
Compute Engine log files are stored with the following directory structure:
<bucket>/compute.googleapis.com/activity_log/<year>/<month>/<day>
The following is an example log file name stored in a Google Cloud Storage bucket named my-bucket:
my-bucket/compute.googleapis.com/activity_log/2014/10/31/20:00:00_20:59:59_S0.json
In BigQuery, activity logs are stored in a set of tables, one table for each log type and day, and the tables are named using the following format:
<dataset>.compute_googleapis_com_activity_log_YYYYMMDD
For information on how to query activity logs in BigQuery, see Log entries in Google BigQuery.
Reading activity logs
Activity logs are structured as described in the LogEntry type documentation.
Compute Engine activity logs have:
compute.googleapis.com/activity_logas value of thelogfieldmetadata, which describes common information such as timestampstructPayload, which contains the specific contents of the log entry
You can get more details about the common fields provide with every log entry from the LogEntry description, but the payload contents of activity log entries are specific to Compute Engine and are described below.
Payload contents
The contents of a log entry are provided in JSON object format, and are stored
in the structPayload field. The structPayload field contains the following
information:
| Field | Type | Description |
|---|---|---|
actor |
string | Email of user or service account performing the operation. This is the
same as the user_id. |
error |
string | Provides any error details if an error occurred during this event. This is omitted if there were no errors. Errors will usually prevent a request from completing successfully. You can use this field to debug a failed request. |
event_subtype |
string | Describes the specific subtype as an API method.
For example, a request to
insert a new instance
appears as See the API reference for a comprehensive list of API methods. |
event_timestamp_us |
timestamp | The timestamp of the logged event in microseconds since standard epoch.
This is the same as metadata.timestamp. |
event_type |
string | Describes the general event type.
This can be one of:
|
info |
string | An optional field with additional information if applicable. This field is omitted if there is no additional information to show. |
operation |
string | When an API request is made to update or change any resources, a corresponding
operation object is created to track the request to completion. This property
describes the operation object for this event, providing information such as
the operation name, the zone or region of the operation, and the operation ID.
Operations can be a zone operation, a region operation, or a global operation, depending on the resource the operation is modifying. |
request |
JSON | Contains the original API request body.
|
resource |
JSON | Describes the particular resource that is being modified by this event.
For example, a virtual machine instance is considered a resource and an example
resource property for a virtual machine would look like the following:
"resource": {
"type": "instance",
"name": "example-instance",
"id": "0",
"zone": "us-central1-f"
}
A list of resource types is described in detail in the API reference. Note: If an action affects multiple resources,
there may be multiple log entries with the same |
trace_id |
string | A system-provided trace ID used to group related logs that are triggered by
a single action. For example:
trace_id: "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e" |
user_agent |
string | Describes the client that performed this request. For example,
if you used the Java client library to make a request, the user agent would be
Google-API-Java-Client. |
version |
string | The current log format version indicates of the Compute Engine
log schema. The current version is 1.2.
Note: The Compute Engine API versioning is separate from the log format versioning. |
warning |
string | Provides any warning details if any warnings occurred during this event. A warning is informational and does not affect the request, unlike errors. |
Sample log entry
For example, a sample log entries describing an API request to create a virtual machine looks like the following:
{
"log": "compute.googleapis.com/activity_log",
"insertId": "2015-09-16|13:49:42.532185-07|10.106.9.208|335899593",
"metadata": {
"severity": "INFO",
"projectId": "835469197146",
"serviceName": "compute.googleapis.com",
"zone": "us-central1-f",
"labels":{
"compute.googleapis.com/resource_id":"0",
"compute.googleapis.com/resource_name":"example-instance",
"compute.googleapis.com/resource_type":"instance",
"compute.googleapis.com/resource_zone":"us-central1-f"
},
"timestamp": "2015-09-16T20:49:42.423637Z"
},
"structPayload": {
"version": "1.2",
"trace_id": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
"event_timestamp_us": "1442436582423637",
"event_type": "GCE_API_CALL",
"event_subtype": "compute.instances.insert",
"resource": {
"type": "instance",
"name": "example-instance",
"id": "0",
"zone": "us-central1-f"
},
"actor": {
"user": "user@example.com"
},
"ip_address": "",
"user_agent": "apitools-client/1.0",
"request": {
"url": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances",
"body": "{
\"canIpForward\":false,
\"description\":\"\",
\"disks\":[{
\"autoDelete\":true,
\"boot\":true,
\"deviceName\":\"example-instance\",
\"initializeParams\":{
\"diskSizeGb\":\"10\",
\"diskType\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/diskTypes/pd-standard\",
\"sourceImage\":\"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20150818\"
},
\"mode\":\"READ_WRITE\",
\"type\":\"PERSISTENT\"
}],
\"machineType\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/machineTypes/n1-standard-1\",
\"metadata\":{
\"items\":[]
},
\"name\":\"example-instance\",
\"networkInterfaces\":[{
\"accessConfigs\":[{
\"name\":\"External NAT\",
\"type\":\"ONE_TO_ONE_NAT\"
}],
\"network\":\"https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default\"
}],
\"scheduling\":{
\"automaticRestart\":true,
\"onHostMaintenance\":\"MIGRATE\",
\"preemptible\":false
},
\"serviceAccounts\":[{
\"email\":\"default\",
\"scopes\":[
\"https://www.googleapis.com/auth/devstorage.read_only\",
\"https://www.googleapis.com/auth/logging.write\"
]
}],
\"tags\":{
\"items\":[]
},
\"zone\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f\"
}"
},
"operation": {
"type": "operation",
"name": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
"id": "291347737657178184",
"zone": "us-central1-f"
}
}
}
