Logging and monitoring

Last reviewed 2024-04-19 UTC

This section describes how logging and monitoring work in the enterprise application blueprint for both the developer platform and the applications. Google Cloud Observability for GKE provides Cloud Logging and Cloud Monitoring services for blueprint applications.

By default, the base source code in the application templates sends logs to stdout. Using stdout is a best practice for containerized applications because stdout lets the platform handle the application logs. The application code is instrumented with Prometheus client libraries to export application-specific metrics. GKE automatically provides metrics for each application, including Kube State metrics, resource utilization, SRE golden metrics, and database instance metrics. For the developer platform team, the platform provides infrastructure, usage, and cross-application traffic metrics.

Logging storage

Cloud Operations for GKE also lets you collect system and application logs into central log buckets. The blueprint also includes a project in each environment folder that's used for storing logs. The enterprise foundation blueprint has a separate logging project where the aggregate Cloud Audit Logs logs from across the entire Google Cloud organization are exported. The log types most needed by tenants are also separated by tenant. For example, an application developer who works on the frontend application might be granted access to only frontend container logs and pod logs, and only in the development and non-production environments.

The following table lists log types, locations, and access control granularity.

Access control granularity	Log types	Log storage location
Developer platform	Multi-tenant infrastructure logs	Project: `eab-infra-cicd`
Developer platform	Application factory logs	Project: `eab-app-factory`
By environment	Node Cluster control plane Non-tenant containers or pods	Project: `eab-gke-{env}` Bucket: `_Default`
By environment	Compute Engine resources that are used by GKE Anthos Service Mesh traffic	Project: `eab-gke-{env}`
By environment and tenant	Tenant containers or pods	Project: `eab-gke-{env}` Bucket: per-tenant (scope)
By environment and tenant	Alloy DB sessions Other tenant-owned resources	Project: `eab-app-{appname}-{env}`
By tenant	Application builds Application deploys	Project: `eab-app-cicd-{appname}`

Application monitoring

Google Cloud Observability for GKE provides predefined monitoring dashboards for GKE. The blueprint also enables Google Cloud Managed Service for Prometheus, which collects metrics from Prometheus exporters and lets you query the data globally using PromQL. PromQL means that you can use familiar tools like Grafana dashboards and PromQL-based alerts. Anthos Service Mesh is enabled to provide you with dashboards in the Google Cloud console to observe and troubleshoot interactions between services and across tenants. The blueprint also includes a project for a multi-project monitoring metrics scope.

Threat and vulnerability monitoring

Security Command Center provides insight into the overall security posture of the blueprint. Security Command Center Premium tier provides Container Threat Detection for active container-based workloads in GKE. Web Security Scanner is used to detect vulnerabilities in your internet-facing services. Web Security Scanner detects vulnerabilities by crawling an HTTP service and following all links, starting at the base URL. Web Security Scanner then exercises as many user inputs and event handlers as possible.

What's next

Read about operations for both the developer platform and applications (next document in this series).