Viewing activity logs

Compute Engine activity logs are deprecated. Instead, use audit logs. For more information, see Migrating from activity logs to audit logs.

Compute Engine activity logs aren't the same thing as audit logs. Audit logs contain the same information as legacy activity logs and more. We recommend you use audit logs instead of activity logs. If you are already using activity logs, read Migrating from activity logs to audit logs.

Compute Engine provides activity logs that let you track certain events that affect your project, such as API calls and system events. Specifically, activity logs provide information about:

  • Compute Engine API calls: GCE_API_CALL events are API calls that change the state of a resource. For example, API calls to create a disk, update instance metadata, create an instance group, change a machine type, are recorded in activity logs. API calls that do not update a resource, such as get and list requests aren't recorded.
  • Operation logs: GCE_OPERATION_DONE events are logged when an API call changes the state of a resource finishes, Compute Engine returns a completed operation event that is recorded in your activity logs.
  • System logs: GCE_SYSTEM_EVENT events are logged when Compute Engine performs a system event, it is recorded in activity logs. For example, a transparent maintenance event would be logged as a system event.

For example, with an API event, an activity log provides details such as the start and end time of an API request, the specifics of the request body, the authorized user who made the API request, and the request endpoint. You can download activity logs to search for specific API requests, or to review system events initiated by Compute Engine.

Activity logs do not provide billing or usage information about a project, such as how long a virtual machine instance has been running or how much it costs. For billing logs, see the billing export feature. For usage logs, see Viewing usage reports.

Activity logs are provided as part of the Cloud Logging service. For more information about Logging in general, read the Cloud Logging documentation.

Before you begin

  • Familiar with Cloud Logging.
  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.

    Select the tab for how you plan to use the samples on this page:


    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.


    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.


    To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

      Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init

    For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Permissions required for this task

To perform this task, you must have the following permissions:

  • logging.logServiceIndexes.list on the project
  • logging.logServices.list on the project

Viewing logs

Activity logging is enabled by default for all Compute Engine projects.

You can see your project's activity logs through the Logs Explorer in the Google Cloud console:

  1. In the Google Cloud console, go to the Logging page.

    Go to the Logging page

  2. When in the Logs Explorer, select and filter your resource type from the first drop-down list.
  3. From the All logs drop-down list, select to see Compute Engine activity logs.

Routing logs

To learn how to export activity logs, read Configure and manage sinks in the Cloud Logging documentation.

Identifying log files

When you export logs into Cloud Storage, the log files are stored in the structure described by the Log entry objects documentation.

Compute Engine log files are stored with the following directory structure:


The following is an example log filename stored in a Cloud Storage bucket named my-bucket:


In BigQuery, activity logs are stored in a set of tables, one table for each log type and day, and the tables are named using the following format:


For information about how to query activity logs in BigQuery, see Log entries in BigQuery.

Reading activity logs

Activity logs are structured as described in the LogEntry type documentation.

Compute Engine activity logs have:

  • as value of the log field
  • metadata, which describes common information such as timestamp
  • structPayload, which contains the specific contents of the log entry

You can get more details about the common fields provided with every log entry from the LogEntry description, but the payload contents of activity log entries are specific to Compute Engine and are described below.

Payload contents

The contents of a log entry are provided in JSON object format, and are stored in the structPayload field. The structPayload field contains the following information:

Field Type Description
actor string Email of user or service account performing the operation. This is the same as the user_id.
error string Provides any error details if an error occurred during this event. This is omitted if there were no errors. Errors usually prevent a request from completing successfully. You can use this field to debug a failed request.
event_subtype string Describes the specific subtype as an API method.

For example, a request to insert a new instance appears as compute.instances.insert, and a request to delete an Address resource appears as compute.addresses.delete.

See the API reference for a comprehensive list of API methods.

event_timestamp_us timestamp The timestamp, in microseconds, of the logged event since standard epoch. This is the same as metadata.timestamp.
event_type string Describes the general event type.

This can be one of the following values:

  • GCE_API_CALL. Indicates a REST API call that updated a resource.
  • GCE_OPERATION_DONE. After an API request completes, whether successful or not, this event type is logged.
  • GCE_SYSTEM_EVENT. A system event initiated by Compute Engine.
info string An optional field with additional information, if applicable. This field is omitted if there is no additional information to show.
operation string When an API request is made to update or change any resources, a corresponding operation object is created to track the request to completion. This property describes the operation object for this event, providing information such as the operation name, the zone or region of the operation, and the operation ID.

Operations can be a zone operation, a region operation, or a global operation, depending on the resource the operation is modifying.

request JSON Contains the original API request body.

resource JSON Describes the particular resource that is being modified by this event. For example, a virtual machine (VM) instance is considered a resource and an example resource property for a VM looks like the following:
"resource": {
  "type": "instance",
  "name": "example-instance",
  "id": "0",
  "zone": "us-central1-f"

A list of resource types is described in detail in the API reference.

Note: If an action affects multiple resources, there may be multiple log entries with the same trace_id.

trace_id string A system-provided trace ID used to group related logs that are triggered by a single action. For example:
trace_id: "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e"
user_agent string Describes the client that performed this request. For example, if you used the Cloud Client Libraries for Java to make a request, the user agent would be Google-API-Java-Client.
version string The current log format version indicates the Compute Engine log schema. The current version is 1.2.

Note: The Compute Engine API versioning is separate from the log format versioning.

warning string Provides any warning details if any warnings occurred during this event. A warning is informational and does not affect the request, unlike errors.

Sample log entry

For example, a sample log entry describing an API request to create a VM looks like the following:

  "log": "",
  "insertId": "2015-09-16|13:49:42.532185-07||335899593",
  "metadata": {
    "severity": "INFO",
    "projectId": "835469197146",
    "serviceName": "",
    "zone": "us-central1-f",
    "timestamp": "2015-09-16T20:49:42.423637Z"
  "structPayload": {
    "version": "1.2",
    "trace_id": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
    "event_timestamp_us": "1442436582423637",
    "event_type": "GCE_API_CALL",
    "event_subtype": "compute.instances.insert",
    "resource": {
      "type": "instance",
      "name": "example-instance",
      "id": "0",
      "zone": "us-central1-f"
    "actor": {
      "user": ""
    "ip_address": "",
    "user_agent": "apitools-client/1.0",
    "request": {
      "url": "",
      "body": "{
              \"name\":\"External NAT\",

    "operation": {
      "type": "operation",
      "name": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
      "id": "291347737657178184",
      "zone": "us-central1-f"

Deprecated activity log entries

The following activity log entries will be discontinued, with no replacement, on June 1, 2020:

Monitored Resource Type Event SubType
gce_backend_service BackendServiceConfigProgramming
gce_instance addFirewallRuleToSecurityPolicy
gce_instance attachCloudLink
gce_instance attachFirewallSecurityPolicy
gce_instance compute.instanceGroupManagers.updateHealth
gce_instance compute.instanceGroups.detachHealthCheck
gce_instance compute.instanceNetworkConfig.updateName
gce_instance compute.regionInstanceGroups.attachHealthCheck
gce_instance compute.regionInstanceGroups.detachHealthCheck
gce_instance createFirewallSecurityPolicy
gce_instance deleteFirewallSecurityPolicy
gce_instance detachFirewallSecurityPolicy
gce_instance patchFirewallRuleInSecurityPolicy
gce_instance removeCloudLink
gce_instance removeFirewallRuleFromSecurityPolicy
gce_instance updateFirewallSecurityPolicy
gce_instance updateVpnTunnel
gce_instance_group compute.instanceGroups.attachHealthCheck
gce_instance_group compute.instanceGroups.attachNetworkInterfaces
gce_instance_group compute.instanceGroups.detachHealthCheck
gce_instance_group compute.regionInstanceGroups.attachHealthCheck
gce_instance_group compute.regionInstanceGroups.detachHealthCheck
gce_instance_template compute.zoneInstanceTemplates.insert
gce_network compute.networks.switchLegacyToCustomMode
gce_project compute.projects.moveProjectNetworking
gce_reserved_address compute.addresses.insertDnsForwarding
gce_reserved_address compute.addresses.insertNatAddress
gce_ssl_certificate SslCertificateAddManagedCertificateChallenge
gce_ssl_certificate SslCertificateProvisionManagedCertificate
gce_ssl_certificate SslCertificateRemoveManagedCertificateChallenge
gce_subnetwork compute.subnetworks.createOrUpdateVirtualSubnetwork
vpn_tunnel updateVpnTunnel