Set up application monitoring

This document describes how you can configure Google Cloud Observability so that you can view the telemetry for an application that is registered with App Hub. You might deploy your application and then register it with App Hub, or you might deploy your applications by using the Application Design Center. Application Monitoring can help you understand the performance of your applications, services, and workloads.

Before you begin

  • Identify the project whose observability scope you will configure. This project is either your App Hub host project or the management project of the app-enabled folders. For example, if the folder's display name is My Folder, then the management project's display name is My Folder-mp.

  • Make sure that you have the necessary Identity and Access Management (IAM) roles to configure the observability scope. The required IAM roles depend upon whether you plan to create an aggregated sink, which lets you centralize the storage of log data.

    Configure sink and scopes

    To get the permissions that you need to configure observability scopes and to create an aggregated log sink, ask your administrator to grant you the Organization Administrator (roles/resourcemanager.organizationAdmin) IAM role on your organization. For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

    Only configure scopes

    To get the permissions that you need to configure the observability scope, ask your administrator to grant you the following IAM roles:

    • Observability Editor (roles/observability.editor) on your App Hub host project or the management project for your app-enabled folder
    • Logs Configuration Writer (roles/logging.configWriter) on your App Hub host project or the management project for your app-enabled folder
    • Monitoring admin (roles/monitoring.admin) on your App Hub host project or the management project for your app-enabled folder and on each project that you want to add to the metrics scope
    • Cloud Trace User (roles/cloudtrace.user) on your App Hub host project or the management project for your app-enabled folder
    • App Hub viewer (roles/apphub.viewer) on your App Hub host project or the management project for your app-enabled folder

    For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

Configure the observability scope

The observability scope controls how explorer and dashboard pages search for the data to display. Each Google Cloud project contains a single observability scope. You don't directly configure a project's observability scope. Instead, for your project, you configure the following:

  • The default log scope

    Configure this scope so that when you open the Logs Explorer page or view dashboards, your application's log data is displayed. Make sure this scope lists the projects and log views which store your application's log data.

  • The metrics scope

    Configure this scope so that your charts, for example, those you create by using the Metrics Explorer page, and alerting policies can display or monitor your application's metric data. Make sure this scope lists the projects which store your application's metric data.

  • The default trace scope

    Configure this scope so that when you open the Trace Explorer page, your application's trace data is displayed. Make sure this scope lists the projects which store your application's trace data.

The remainder of this section provides guidance about how to configure these scopes.

Configure and set the default log scope

Do one of the following:

  • If you have an organization-level aggregated sink that routes all log data in your organization to a centralized log bucket, then we recommend the following:

    1. Create a log view on the centralized log bucket for your application logs.

    2. In your App Hub host project or the management project for your app-enabled folder, create a log scope and add your log view, and then set this scope as the default log scope.

  • If you are using an app-enabled folder and if you don't have an organization-level aggregated sink or nested folders, then we recommend the following:

    1. Create an intercepting aggregated sink for your app-enabled folder, and route those logs to the _Default log bucket of the project from which you will view your logs.

    2. In the management project for your app-enabled folder, make sure that the log scope named _Default is set as the default log scope. The scope named _Default lists the _AllLogs view on the project's _Default log bucket, which is the centralized storage location for your application.

  • If you aren't using an aggregated sink, then for your App Hub host project or the management project for your app-enabled folder, configure the default log scope to list the storage locations of your application's log data. Instead of adding projects to your log scope, we recommend that you add log views on the log buckets that store your log data.

Configure the metrics scope

Make sure that the metrics scope for your App Hub host project or the management project for your app-enabled folder lists all projects that store your application's metric data:

  • For app-enabled folders, Google Cloud Observability attempts to synchronize the list of projects in your app-enabled folder with the list of projects in the metrics scope. For example, if you add a project to the app-enabled folder, then a command is issued to add that project to the metrics scope.

    When the number of projects in your app-enabled folder doesn't exceed your metrics scope quota, which defaults to 375 projects per metrics scope, then Google Cloud Observability can keep the list of projects in the metrics scope synchronized with the list of projects in your app-enabled folder. For example, suppose the quota is 375 projects per metrics scope. If your app-enabled folder contains 100 projects, then the metrics scope lists all projects in your app-enabled folder. If you add projects to your app-enabled folder, then they are also added to the metrics scope.

    When the number of projects in your app-enabled folder exceeds your metrics scope quota, then the list of projects in the metrics scope won't include all projects in your app-enabled folder. For example, suppose the quota is 375 projects per metrics scope and suppose your app-enabled folder contains 380 projects. After 375 projects are added to the metrics scope, quota is exhausted and the attempts to add the remaining 5 projects fail. As a result, some application data isn't available to your management project.

    We recommend that you review your usage of your metrics scope quota and determine whether you need to request a quota update or to manually modify the metrics scope. For information about these steps, see Metrics scopes for app-enabled folders.

  • For App Hub host projects, you must configure the metrics scope of the host project.

    If you change the set of projects that store your metric data, then you must also update the metrics scope of your host project.
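
The quota behaviour described above can be checked before it turns into a monitoring blind spot. The following is an added example, not part of the original page or of any Google tooling: it compares a folder's project listing with a metrics scope resource and reports which projects the scoping project cannot see. The JSON shapes (`projectNumber`, `projectId`, `monitoredProjects[].name`), the sample project names, and the rule that every listed project counts once against the quota are assumptions.

```python
"""Compare an app-enabled folder's projects with its metrics scope."""

DEFAULT_QUOTA = 375  # default projects per metrics scope, per this page


def monitored_number(name):
    """Return the project number that ends a monitored-project name."""
    parts = name.split("/")
    # Assumed shape: locations/global/metricsScopes/<scoping>/projects/<number>
    if len(parts) != 6 or parts[2] != "metricsScopes" or parts[4] != "projects":
        raise ValueError(f"unexpected monitored project name: {name!r}")
    return parts[5]


def scope_drift(folder_projects, scope, quota=DEFAULT_QUOTA):
    """Report folder projects whose metrics the scoping project cannot see."""
    monitored = {monitored_number(p["name"])
                 for p in scope.get("monitoredProjects", [])}
    in_folder = {str(p["projectNumber"]): p["projectId"] for p in folder_projects}
    missing = sorted(pid for num, pid in in_folder.items() if num not in monitored)
    # Assumption: each listed monitored project uses one unit of quota.
    headroom = max(quota - len(monitored), 0)
    return {
        "missing": missing,            # no charts or alerting for these
        "headroom": headroom,          # additions that can still succeed
        "blocked_by_quota": max(len(missing) - headroom, 0),
        "not_in_folder": sorted(monitored - set(in_folder)),
    }


def sample(folder_size=380, scoped=375):
    """Constructed input mirroring the page's 380-project example."""
    folder = [{"projectId": f"app-proj-{n}", "projectNumber": str(n)}
              for n in range(1000, 1000 + folder_size)]
    scope = {
        "name": "locations/global/metricsScopes/1000",
        "monitoredProjects": [
            {"name": f"locations/global/metricsScopes/1000/projects/{n}"}
            for n in range(1000, 1000 + scoped)
        ],
    }
    return folder, scope


if __name__ == "__main__":
    report = scope_drift(*sample())
    print(len(report["missing"]), "projects missing from the metrics scope;",
          report["blocked_by_quota"], "cannot be added under the quota")
    for pid in report["missing"]:
        print("  no metrics visibility:", pid)
```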

Configure and set the default trace scope

Do the following:

  1. In your App Hub host project or the management project for your app-enabled folder, create a trace scope and add the projects that store your application's trace data. If you are using an app-enabled folder, then add the projects in that folder.

  2. Set your custom trace scope as the default trace scope.

Associate an alerting policy with an App Hub application

To view your alerting policies from the context of Application Monitoring, you must associate them with a service or workload by adding application-specific labels to the alerting policy. These user-defined labels are also included in any incidents created for a policy. To learn more about labels, see Annotate incidents with labels. For a list of App Hub labels, see View application telemetry.

To associate an alerting policy with a workload or service by using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Alerting page:

    Go to Alerting

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. In the toolbar of the Google Cloud console, select your App Hub host project or the management project for your app-enabled folder.
  3. Find the alerting policy, click View more, select Edit, and then go to the Notifications and name section.
  4. In the Application labels section, select your application and then select your workload or service.
  5. Click Save policy.

After you complete these steps, labels with the following keys are attached to your alerting policy. These labels identify your application and your service or workload:

  • apphub_application_location
  • apphub_application_id
  • apphub_service_id or apphub_workload_id

You can also add user labels to an alerting policy by using the Google Cloud CLI, Terraform, or the Cloud Monitoring API. However, you must use the label keys shown in the previous example. For more information, see the following:
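
Added example, not part of the original page: when labels are written by the CLI, Terraform, or the API rather than the console, a mistyped key silently leaves the policy outside Application Monitoring. This sketch audits exported alerting policies (the `userLabels` field of the Cloud Monitoring API's AlertPolicy resource) for the label keys listed above. The sample policies, project name, and label values are constructed.

```python
"""Audit exported alerting policies for App Hub association labels."""

APP_KEYS = ("apphub_application_location", "apphub_application_id")
TARGET_KEYS = ("apphub_service_id", "apphub_workload_id")

# Constructed sample of AlertPolicy resources; names and values are made up.
SAMPLE_POLICIES = [
    {"name": "projects/example-mp/alertPolicies/1", "displayName": "Checkout latency",
     "userLabels": {"apphub_application_location": "us-central1",
                    "apphub_application_id": "my-app",
                    "apphub_workload_id": "checkout-backend"}},
    {"name": "projects/example-mp/alertPolicies/2", "displayName": "Disk full",
     "userLabels": {"team": "infra"}},
    {"name": "projects/example-mp/alertPolicies/3", "displayName": "Error rate",
     "userLabels": {"apphub_app_location": "us-central1",   # mistyped key
                    "apphub_application_id": "my-app",
                    "apphub_service_id": "checkout-frontend"}},
]


def label_findings(policy):
    """Return the problems with one policy's App Hub labels (empty if none)."""
    labels = policy.get("userLabels") or {}
    apphub = {k: v for k, v in labels.items() if k.lower().startswith("apphub")}
    if not apphub:
        return ["no App Hub labels"]
    findings = [f"missing {k}" for k in APP_KEYS if not apphub.get(k)]
    # The page requires a service id or a workload id alongside the app keys.
    if not any(apphub.get(k) for k in TARGET_KEYS):
        findings.append("missing apphub_service_id or apphub_workload_id")
    # Near-miss keys are the usual cause of a policy that never shows up.
    findings += [f"unrecognized key {k}" for k in sorted(apphub)
                 if k not in APP_KEYS + TARGET_KEYS]
    return findings


def audit(policies):
    """Map policy name to findings, listing only policies that have any."""
    return {p.get("name", "<unnamed>"): f
            for p in policies if (f := label_findings(p))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_POLICIES).items():
        print(name, "->", "; ".join(findings))
```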

Grant access

IAM manages access to your log, metric, and trace data. This section summarizes roles that you might want to grant to principals:

  • Logs View Accessor (roles/logging.viewAccessor) on the log views listed in the default log scope of your App Hub host project or the management project for your app-enabled folder. To learn more about granting access to a log view, see Control access to a log view.

  • Logs Viewer (roles/logging.viewer) on your App Hub host project or the management project for your app-enabled folder and on any other projects listed in its default log scope. This role grants access to most log entries in the _Default log bucket. For more information, see Logging roles.

  • Monitoring Editor role (roles/monitoring.editor) on your App Hub host project or the management project for your app-enabled folder. For principals who don't need to create alerting policies, consider granting the Monitoring Viewer role (roles/monitoring.viewer).

  • Cloud Trace User (roles/cloudtrace.user) on your App Hub host project or the management project for your app-enabled folder and on the projects listed in its default trace scope.

  • App Hub viewer (roles/apphub.viewer) on your App Hub host project or the management project for your app-enabled folder.
