GCP Log Analysis

GCP Log Analysis

Google Cloud Platform (GCP) provides a powerful, scalable logging system through **Cloud Logging** (formerly Stackdriver Logging). Whether you're running a single app on Cloud Run or managing dozens of Kubernetes clusters, effective log analysis is crucial for troubleshooting, security, and performance tuning. This blog walks through how GCP logs work, how to analyze them using Log Explorer, and how to write structured queries to extract insights.

🔍 What is GCP Cloud Logging?

Cloud Logging is a fully managed logging service that lets you ingest, store, search, and analyze log data from virtually any GCP resource — Compute Engine, GKE, App Engine, Cloud Functions, and more.

Logs are stored in a central location and can be viewed using the Log Explorer, queried with **Logging Query Language (LQL)**, and exported to BigQuery, Pub/Sub, or Cloud Storage for further processing.

📂 Types of Logs in GCP

Common log types you’ll encounter in GCP include:

• Audit Logs: Track who did what and when on GCP resources.
• System Logs: OS and daemon logs from Compute Engine VMs.
• Application Logs: Custom logs written by your services.
• Request Logs: Generated automatically by services like Cloud Run and App Engine.

🔧 Accessing Log Explorer

To open Log Explorer:

1. Go to the GCP Console.
2. Navigate to Logging > Logs Explorer.
3. Select a project and resource type.

You’ll see a real-time stream of logs. You can filter logs by resource type, severity, timestamp, and log labels.

📄 Sample Log Entry Structure

Each log entry is a JSON object. Here's a simplified example:

{
  "timestamp": "2025-06-12T10:45:00.123Z",
  "severity": "ERROR",
  "logName": "projects/my-project/logs/run.googleapis.com%2Fstdout",
  "resource": {
    "type": "cloud_run_revision",
    "labels": {
      "service_name": "user-api",
      "location": "us-central1"
    }
  },
  "textPayload": "Database connection failed"
}

You can write queries to search fields like textPayload, severity, or resource.labels.

🧪 Useful Query Examples

Here are some common Logging Query Language (LQL) examples:

# All ERROR logs from Cloud Run in last 1 hour
resource.type="cloud_run_revision"
severity="ERROR"
timestamp > "2025-06-12T09:45:00Z"

# Logs that contain a specific keyword
textPayload:"timeout"

# Filter logs by service name
resource.labels.service_name="auth-service"

# Logs with latency greater than 500ms
jsonPayload.latency > "0.500s"

You can also use time range selectors to limit your queries and analyze historical logs over the past 7 or 30 days.

📤 Exporting Logs for Deeper Analysis

GCP allows exporting logs using sinks. This is useful if you want to:

• Store logs long-term in BigQuery
• Forward alerts via Pub/Sub
• Back up logs to Cloud Storage

To set up a sink:

gcloud logging sinks create my-bq-sink \
bigquery.googleapis.com/projects/my-project/datasets/logs_dataset \
--log-filter='resource.type="cloud_run_revision"' \
--project=my-project

This will stream selected logs to a BigQuery dataset, where you can run SQL for advanced analysis.

🚨 Creating Alerts from Logs

You can configure **log-based alerts** to notify you when certain patterns appear in logs. For example, you might want an alert when:

• There are more than 10 "ERROR" logs in 5 minutes
• Logs contain "unauthorized" keyword
• A VM fails health checks repeatedly

Alerts can be routed to Slack, email, or Opsgenie via GCP Monitoring’s notification channels.

💡 Tips for Better Log Analysis

• Use structured logging (JSON format) for better searchability.
• Add trace and request IDs to logs for easier debugging in microservices.
• Label logs by environment (dev, staging, prod) for filtering.
• Integrate Cloud Logging with Grafana or Datadog if needed.

✅ Conclusion

Effective log analysis in GCP helps you diagnose issues faster, monitor performance, and strengthen security posture. With tools like Log Explorer, structured queries, and sink exports, GCP equips you with everything you need to tame logs at scale. Start small by querying specific services, and evolve to full-stack visibility across your cloud infrastructure.