Stay organized with collections
Save and categorize content based on your preferences.
This document describes the data model used by Cloud Logging.
The data model specifies the format in which your log data is stored. It
also determines the dimensions over which you can query your log data.
Data model
In Cloud Logging, a log is a named collection of individual entries.
You can query your data by the name of the log. Logs are composed
of entries that conform to the LogEntry structure.
Each log entry records status or describes a specific event, such as
the creation of a virtual machine instance, and minimally consists of the
following:
A timestamp that indicates either when the event took place or when it was
received by Cloud Logging.
Information about the source of the log entry. This source is called
the monitored resource. Examples of monitored resources include individual
Compute Engine instances and Google Kubernetes Engine containers.
For a complete listing of monitored resource types, see
Monitored resources and services.
A payload which must be one of the following:
textPayload: These payloads are formatted as a single string.
jsonPayload: These payloads are structured, so you can
query by key-value pairs.
We recommend that applications always write structured log data.
protoPayload: These payloads follow the format of a proto file and the
fields are formatted as JSON.
The name of the log to which it belongs. The name of a log includes the full
path of the resource to which the log entries belong, followed by an
identifier. The following are examples of log names:
You can write queries that retrieve only those log entries where the value of
a LogEntry field matches some criteria. For example, you can display only
those log entries whose severity field has the value of ERROR.
The following type of log entries are stored in the
_Required log bucket in the Google Cloud project,
billing account, folder, or organization in which they originate:
All other log entries that originate in a Google Cloud project, billing account,
folder, or organization are stored in the
_Default log bucket. However, you can change which
log entries are stored in this log bucket.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Log entry data model\n\nThis document describes the data model used by Cloud Logging.\nThe data model specifies the format in which your log data is stored. It\nalso determines the dimensions over which you can query your log data.\n\nData model\n----------\n\nIn Cloud Logging, a *log* is a named collection of individual entries.\nYou can query your data by the name of the log. Logs are composed\nof entries that conform to the [`LogEntry`](/logging/docs/reference/v2/rest/v2/LogEntry) structure.\n\nEach log entry records status or describes a specific event, such as\nthe creation of a virtual machine instance, and minimally consists of the\nfollowing:\n\n- A timestamp that indicates either when the event took place or when it was received by Cloud Logging.\n- Information about the source of the log entry. This source is called the *monitored resource* . Examples of monitored resources include individual Compute Engine instances and Google Kubernetes Engine containers. For a complete listing of monitored resource types, see [Monitored resources and services](/logging/docs/api/v2/resource-list).\n- A payload which must be one of the following:\n\n - `textPayload`: These payloads are formatted as a single string.\n - `jsonPayload`: These payloads are [structured](/logging/docs/structured-logging), so you can query by key-value pairs. We recommend that applications always write structured log data.\n - `protoPayload`: These payloads follow the format of a proto file and the fields are formatted as JSON.\n- The name of the log to which it belongs. The name of a log includes the full\n path of the resource to which the log entries belong, followed by an\n identifier. The following are examples of log names:\n\n - `projects/my-project/logs/stdout`\n - `projects/my-project/compute.googleapis.com/activity`\n\nYou can write queries that retrieve only those log entries where the value of\na `LogEntry` field matches some criteria. For example, you can display only\nthose log entries whose `severity` field has the value of `ERROR`.\n\nLog entry types\n---------------\n\n[Audit logs](/logging/docs/audit) and [Access Transparency](/assured-workloads/access-transparency/docs/overview) provide\ninformation necessary to satisfy compliance regulations.\nAudit logs provide information about administrative activities\nand accesses within your Google Cloud resources.\nAccess Transparency logs record actions taken by Google Cloud\nstaff when accessing your Google Cloud content. For a list of supported\nservices, see [Google Cloud services with audit logs](/logging/docs/audit/services)\nand [Google Cloud services with Access Transparency logs](/assured-workloads/access-transparency/docs/supported-services).\n\nThe following type of log entries are stored in the\n[`_Required` log bucket](/logging/docs/store-log-entries#required-bucket) in the Google Cloud project,\nbilling account, folder, or organization in which they originate:\n\n- [Admin Activity audit logs](/logging/docs/audit#admin-activity)\n- [System Event audit logs](/logging/docs/audit#system-event)\n- Google Workspace Admin Audit logs\n- Enterprise Groups Audit logs\n- Login Audit logs\n\n\u003c!-- --\u003e\n\n- Access Transparency logs\n\nAll other log entries that originate in a Google Cloud project, billing account,\nfolder, or organization are stored in the\n[`_Default` log bucket](/logging/docs/store-log-entries#default-bucket). However, you can change which\nlog entries are stored in this log bucket.\n\nWhat's next\n-----------\n\n- [Store log data](/logging/docs/store-log-entries).\n- [Route log data](/logging/docs/routing/overview).\n- [Query and view logs overview](/logging/docs/log-analytics)."]]
