Logging and monitoring
Last reviewed 2024-12-13 UTC
This section describes how logging and monitoring work in the enterprise
application blueprint for both the developer platform and the applications.
Google Cloud Observability for GKE
provides Cloud Logging and Cloud Monitoring services for blueprint
applications.
By default, the base source code in the application templates sends logs to
stdout. Using stdout is a best practice for containerized applications
because it lets the platform's logging agent collect, route, and store the
application logs, so the application code itself needs no logging credentials.
The application code is instrumented with Prometheus client libraries to export
application-specific metrics.
GKE automatically provides metrics for each application,
including Kube State metrics,
resource utilization, SRE golden metrics,
and database instance metrics. For the developer platform team, the platform
provides infrastructure, usage, and cross-application traffic metrics.
Logging storage
Google Cloud Observability for GKE also lets you collect system and
application logs into central log buckets. The blueprint also
includes a project in each environment folder that's used for storing logs.
The enterprise foundation blueprint has a separate logging project
where the aggregated Cloud Audit Logs from across the entire
Google Cloud organization are exported. The log types most needed by
tenants are also separated by tenant, so that access can be granted per tenant
and per environment. For example, an application developer who
works on the frontend application might be granted access to only frontend
container logs and pod logs, and only in the development and non-production
environments.
The following table lists log types, locations, and access control granularity.
| Access control granularity | Log types | Log storage location |
|---|---|---|
| Developer platform | Multi-tenant infrastructure logs | Project: eab-infra-cicd |
| Developer platform | Application factory logs | Project: eab-app-factory |
| By environment | Node, cluster control plane, and non-tenant containers or pods | Project: eab-gke-{env}; bucket: _Default |
| By environment | Compute Engine resources that are used by GKE; Cloud Service Mesh traffic | Project: eab-gke-{env} |
| By environment and tenant | Tenant containers or pods | Project: eab-gke-{env}; bucket: per-tenant (scope) |
| By environment and tenant | AlloyDB sessions; other tenant-owned resources | Project: eab-app-{appname}-{env} |
| By tenant | Application builds; application deploys | Project: eab-app-cicd-{appname} |
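The following shell script is an added example, not code from the blueprint, of how the per-tenant separation in the table above can be implemented with gcloud for one tenant in one environment project: it routes the tenant's container and pod logs into a dedicated log bucket, stops the same entries from also landing in the project's _Default bucket, defines a log view on the tenant bucket, and grants a developer group roles/logging.viewAccessor restricted by an IAM condition to that single view. The convention that each tenant's workloads run in a GKE namespace named after the application, the bucket and view names, the global bucket location, and the group address are assumptions for the example.

```shell
#!/bin/sh
# Added example (not part of the blueprint): per-tenant log bucket, view and
# view-scoped IAM grant in one environment project.
# Assumptions not stated on the page: tenant workloads run in a namespace
# named after the application; bucket/view names and the group are made up.
set -eu

LOCATION="${LOCATION:-global}"

# Logging query that selects only the tenant's container and pod logs.
tenant_log_filter() {
  namespace="$1"
  printf '(resource.type="k8s_container" OR resource.type="k8s_pod") AND resource.labels.namespace_name="%s"' "$namespace"
}

# Full resource name of a log bucket: projects/P/locations/L/buckets/B
bucket_resource_name() {
  printf 'projects/%s/locations/%s/buckets/%s' "$1" "$LOCATION" "$2"
}

# Full resource name of a log view on that bucket.
view_resource_name() {
  printf '%s/views/%s' "$(bucket_resource_name "$1" "$2")" "$3"
}

# IAM condition expression that limits roles/logging.viewAccessor to one view.
view_iam_condition() {
  printf 'resource.name == "%s"' "$1"
}

# Creates the bucket, routes the tenant's logs into it, defines the view and
# binds the group to that view only. Calls gcloud, so it is invoked explicitly.
apply_tenant_logging() {
  project="$1"; appname="$2"; group="$3"
  bucket="tenant-${appname}"; view="${appname}-logs"
  filter="$(tenant_log_filter "$appname")"

  gcloud logging buckets create "$bucket" --location="$LOCATION" --project="$project"
  gcloud logging sinks create "route-${appname}" \
    "logging.googleapis.com/$(bucket_resource_name "$project" "$bucket")" \
    --log-filter="$filter" --project="$project"
  # Without this exclusion the same entries also land in _Default, where any
  # principal holding roles/logging.viewer on the project can read them.
  gcloud logging sinks update _Default --project="$project" \
    --add-exclusion="name=exclude-${appname},filter=${filter}"
  gcloud logging views create "$view" --bucket="$bucket" --location="$LOCATION" \
    --log-filter="$filter" --project="$project"
  gcloud projects add-iam-policy-binding "$project" \
    --member="group:${group}" --role="roles/logging.viewAccessor" \
    --condition="expression=$(view_iam_condition "$(view_resource_name "$project" "$bucket" "$view")"),title=${appname}-view-only"
}

# Usage: ./tenant_logs.sh apply eab-gke-development frontend frontend-devs@example.com
if [ "${1:-}" = "apply" ]; then
  apply_tenant_logging "$2" "$3" "$4"
fi
```

Run it once per environment the team may see (for the example above, the development and non-production eab-gke-{env} projects) and not for production, which is what gives the "only in the development and non-production environments" behaviour described in the text. The exclusion on _Default matters: the view restricts what the group can read through the tenant bucket, but it does not remove the same entries from _Default, so a project-level Logs Viewer grant would bypass the separation.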
Application monitoring
Google Cloud Observability for GKE provides predefined monitoring dashboards for
GKE. The blueprint also enables Google Cloud Managed Service for Prometheus, which
collects metrics from Prometheus exporters and lets you query the data globally
using PromQL. Because the data is queryable with PromQL, you can keep using
familiar tools such as Grafana dashboards and PromQL-based alerts. Cloud Service
Mesh is enabled to provide you with dashboards in the Google Cloud console to
observe and troubleshoot interactions between services and across tenants. The
blueprint also includes a project for a multi-project monitoring metrics scope,
so that metrics from the environment and application projects can be viewed
from one place.
Threat and vulnerability monitoring
Security Command Center
provides insight into the overall security posture of the blueprint.
Security Command Center Premium tier provides
Container Threat Detection
for active container-based workloads in GKE.
Web Security Scanner
is used to detect vulnerabilities in your internet-facing services.
Web Security Scanner detects vulnerabilities by crawling an HTTP service and
following all links, starting at the base URL. Web Security Scanner then exercises
as many user inputs and event handlers as possible. Because the scanner submits
input to the application, run it against test instances rather than against
services that hold production data.
What's next
Read about operations for both the developer platform and applications (next document in this series).