This document describes the data model used by Cloud Logging. The data model specifies the format in which your log data is stored. It also determines the dimensions over which you can query your log data.
Data model
In Cloud Logging, a log is a named collection of individual entries.
You can query your data by the name of the log. Logs are composed
of entries that conform to the LogEntry structure.
Each log entry records status or describes a specific event, such as the creation of a virtual machine instance, and minimally consists of the following:
- A timestamp that indicates either when the event took place or when it was received by Cloud Logging.
- Information about the source of the log entry. This source is called the monitored resource. Examples of monitored resources include individual Compute Engine instances and Google Kubernetes Engine containers. For a complete listing of monitored resource types, see Monitored resources and services.
A payload which must be one of the following:
textPayload: These payloads are formatted as a single string.jsonPayload: These payloads are structured, so you can query by key-value pairs. We recommend that applications always write structured log data.protoPayload: These payloads follow the format of a proto file and the fields are formatted as JSON.
The name of the log to which it belongs. The name of a log includes the full path of the resource to which the log entries belong, followed by an identifier. The following are examples of log names:
projects/my-project/logs/stdoutprojects/my-project/compute.googleapis.com/activity
You can write queries that retrieve only those log entries where the value of
a LogEntry field matches some criteria. For example, you can display only
those log entries whose severity field has the value of ERROR.
Log entry types
Audit logs and Access Transparency provide information necessary to satisfy compliance regulations. Audit logs provide information about administrative activities and accesses within your Google Cloud resources. Access Transparency logs record actions taken by Google Cloud staff when accessing your Google Cloud content. For a list of supported services, see Google Cloud services with audit logs and Google Cloud services with Access Transparency logs.
The following type of log entries are stored in the
_Required log bucket in the Google Cloud project,
billing account, folder, or organization in which they originate:
- Admin Activity audit logs
- System Event audit logs
- Google Workspace Admin Audit logs
- Enterprise Groups Audit logs
- Login Audit logs
- Access Transparency logs
All other log entries that originate in a Google Cloud project, billing account,
folder, or organization are stored in the
_Default log bucket. However, you can change which
log entries are stored in this log bucket.