Understand and view logs

This page provides an overview of Secure Web Proxy logs, the available log types, and how to access them.

Overview

Secure Web Proxy logging capabilities let you capture information and perform critical tasks in the following key areas:

  • Monitoring and compliance

    • Enforce compliance with regulations, improve network security, and provide visibility into the traffic going to internet destinations.
    • Acquire valuable layers of control and visibility over workload traffic.
    • Gain critical insights for effective Security Operations Center (SOC) monitoring.
    • Use logs to detect and track security events to help ensure proactive threat response.
  • Deployment and configuration

    • Track your initial infrastructure setup, user account creation, and configuration changes.
    • Monitor for potential errors to help ensure a smooth and secure deployment.
    • Understand the impact of policy-tuning adjustments and optimize your protection.

Available logs

The following types of logs are available in Secure Web Proxy:

  • Cloud Audit Logs
  • Proxy transaction logs

Cloud Audit Logs

Cloud Audit Logs provides the following details:

  • Information related to API calls made to the infrastructure and proxy setup, creation and modification of policies, and monitoring checks. To capture the interactions, Cloud Audit Logs uses Google Cloud CLI commands and the Secure Web Proxy API.
  • Information related to creating and deleting Secure Web Proxy instances, modifying settings, and applying updates. Google Cloud console logs capture console activity that is related to the Secure Web Proxy configuration.
  • Insights into changes made to the Secure Web Proxy infrastructure.
  • Adjustments to Secure Web Proxy settings, rules, and parameters that shape Secure Web Proxy behavior.
  • Modifications to user privileges and access controls within Secure Web Proxy.
  • Implementation of policy modifications, capturing pre-edit and post-edit details.

Secure Web Proxy audit logs follow the standard audit log structure. For information about the standard audit log format, see AuditLog.

Proxy transaction logs

Proxy transaction logs capture details about individual requests processed by the Secure Web Proxy. The logs include a detailed record of every transaction between the users and the internet that is mediated by Secure Web Proxy.

Proxy transaction log entries can be divided into the following types:

HttpRequest

HttpRequest log entries contain the following information:

Name Type Description
requestMethod String The request method. Examples: GET, HEAD, PUT, POST.
requestUrl String The scheme (http, https), the hostname, the path and the query portion of the URL that was requested. Example: "http://example.com/some/info?color=red".
requestSize String (int64 format) The size, in bytes, of the HTTP request message, including the request headers and the request body.
status Integer The HTTP or HTTPS status code indicating the response. Examples: 200, 404.
responseSize String (int64 format) The size, in bytes, of the HTTP response message sent back to the client, including the response headers and the response body.
userAgent String The user agent sent by the client. Example: "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461; .NET CLR 1.0.3705)".
remoteIp String The IP address (IPv4 or IPv6) of the client that issued the HTTP request. This field can include port information. Examples: 192.168.1.1, 10.0.0.1:80, FE80::0202:B3FF:FE1E:8329.
serverIp String The IP address (IPv4 or IPv6) of the origin server that the request was sent to. This field can include port information. Examples: 192.168.1.1, 10.0.0.1:80, FE80::0202:B3FF:FE1E:8329.
referrer String The referer URL of the request, as defined in HTTP/1.1 Header Field Definitions.
latency String (Duration format) The request processing latency on the server, from the time the request was received until the response was sent. A duration in seconds with up to nine fractional digits and ending with s. Example: 3.5s.
cacheLookup Boolean Whether a cache lookup was attempted.
cacheHit Boolean Whether or not an entity was served from cache (with or without validation).
cacheValidatedWithOriginServer Boolean Whether or not the response was validated with the origin server before being served from cache. This field is only meaningful if cacheHit is True.
cacheFillBytes String (int64 format) The number of HTTP response bytes inserted into cache. Only set when a cache fill is attempted.
protocol String Protocol used for the request. Examples: "HTTP/1.1", "HTTP/2", "websocket"

LoadBalancerLogEntry

The LoadBalancerLogEntry log entries contain the following information:

Name Type Description
insertId String The unique log ID.
jsonPayload.@type String The log type. The log type value is always type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry.
jsonPayload.enforcedGatewaySecurityPolicy.hostname String The hostname associated with the request.
jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.action String The action taken on the request.
jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.rule String The name of the rule applied to the request.

Gateway monitored resource

Gateway monitored resource log entries contain the following information:

Name Type Description
resource_container String The container associated with the gateway.
location String The name of the region in which the gateway is defined.
network_name String The name of the Virtual Private Cloud (VPC) network in which the gateway was created.
gateway_type String The type enum of the gateway.
gateway_name String The name of the gateway resource.

Logging examples

Secure Web Proxy generates detailed log entries whenever it processes a request, keeping track of its actions and applied policies. The following examples show how Secure Web Proxy logs work.

Example of an allow entry

The following log entry shows that the Secure Web Proxy intercepted and inspected the HTTPS traffic for [www.example.com](https://www.example.com/) and allowed it to proceed to the destination website. The policy and rule names are swp-policy and allow-port-443 respectively.

Field Values
enforcedGatewaySecurityPolicy "requestWasTlsIntercepted": true,
"hostname": "www.example.com",
"matchedRules": [
{
"action": "ALLOWED",
"name": "projects/76537/locations/us-central1/gatewaySecurityPolicies/swp-policy/rules/allow-port-443"
}
]
httpRequest "requestMethod": "GET",
"requestUrl": "https://www.example.com/",
"requestSize": "41",
"status": 200,
"responseSize": "1446",
"userAgent": "curl/7.74.0",
"remoteIp": "10.128.0.12:35418",
"serverIp": "93.184.216.34:443",
"latency": "0.051800s",
"protocol": "HTTP/2"
resource "type": "networkservices.googleapis.com/Gateway",
"labels": {
"gateway_name": "multi-level-tlds",
"network_name": "projects/76537/global/networks/default",
"location": "us-central1",
"resource_container": "",
"gateway_type": "SECURE_WEB_GATEWAY"
}
timestamp "2024-02-15T16:56:19.570534Z"
severity "INFO"
logName "projects/76537/logs/networkservices.googleapis.com%2Fgateway_requests"
receiveTimestamp "2024-02-15T16:56:20.714988329Z"

Example of a deny entry

This log entry shows that the Secure Web Proxy inspected the traffic for www.example.com:443 and denied the HTTPS request due to the default_denied rule in the Secure Web Proxy policy.

Field Values
enforcedGatewaySecurityPolicy "hostname": "www.example.com:443",
"matchedRules": [
{
"name": "default_denied",
"action": "DENIED"
}
]
httpRequest "requestMethod": "CONNECT",
"requestSize": "122",
"status": 403,
"responseSize": "141",
"userAgent": "curl/7.74.0",
"remoteIp": "10.128.0.12:36338",
"latency": "0.000133s",
"protocol": "HTTP/1.1"
resource "type": "networkservices.googleapis.com/Gateway",
"labels": {
"gateway_type": "SECURE_WEB_GATEWAY",
"resource_container": "",
"location": "us-central1",
"network_name": "projects/gcp-1768/global/networks/default",
"gateway_name": "high-latency-repro"
}
timestamp "2024-02-15T16:55:00.089727Z"
severity "WARNING"
logName "projects/gcp-1768/logs/networkservices.googleapis.com%2Fgateway_requests"
receiveTimestamp "2024-02-15T16:55:04.456901833Z"
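
The following Python example is added here and is not part of the original documentation or of Google's code. It parses transaction log entries exported as one JSON object per line, strips the optional port from remoteIp, and counts DENIED transactions per client, hostname, and rule. The sample input is constructed from the two entries above; nesting enforcedGatewaySecurityPolicy under jsonPayload follows the LoadBalancerLogEntry table, and the function names are hypothetical.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample input: the page's allow and deny entries, trimmed, one JSON
# object per line. Nesting under jsonPayload is an assumption (see the lead-in).
SAMPLE = """
{"httpRequest": {"requestMethod": "GET", "status": 200, "remoteIp": "10.128.0.12:35418", "latency": "0.051800s"}, "jsonPayload": {"enforcedGatewaySecurityPolicy": {"requestWasTlsIntercepted": true, "hostname": "www.example.com", "matchedRules": [{"action": "ALLOWED", "name": "projects/76537/locations/us-central1/gatewaySecurityPolicies/swp-policy/rules/allow-port-443"}]}}}
{"httpRequest": {"requestMethod": "CONNECT", "status": 403, "remoteIp": "10.128.0.12:36338", "latency": "0.000133s"}, "jsonPayload": {"enforcedGatewaySecurityPolicy": {"hostname": "www.example.com:443", "matchedRules": [{"name": "default_denied", "action": "DENIED"}]}}}
"""

def client_ip(remote_ip):
    """Return remoteIp without its optional port (IPv4, bare IPv6; [IPv6]:port assumed)."""
    for candidate in (remote_ip, remote_ip.rpartition(":")[0].strip("[]")):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return remote_ip  # unparseable: keep the raw value for the analyst

def parse_entry(line):
    """Flatten one transaction log entry into the fields a triage pass needs."""
    entry = json.loads(line)
    req = entry.get("httpRequest", {})
    policy = entry.get("jsonPayload", {}).get("enforcedGatewaySecurityPolicy", {})
    rules = policy.get("matchedRules", [])
    return {
        "client": client_ip(req.get("remoteIp", "")),
        "hostname": policy.get("hostname", ""),
        "status": req.get("status"),
        "latency_s": float(req.get("latency", "0s").rstrip("s")),
        "actions": [r.get("action") for r in rules],
        # The example entries carry the rule under "name"; the field table lists "rule".
        "rules": [r.get("name") or r.get("rule") for r in rules],
        "tls_intercepted": policy.get("requestWasTlsIntercepted", False),
    }

def denied_by_client(lines):
    """Count DENIED transactions per (client IP, hostname, rule)."""
    counts = Counter()
    for line in filter(str.strip, lines):  # skip blank lines
        e = parse_entry(line)
        for action, rule in zip(e["actions"], e["rules"]):
            if action == "DENIED":
                counts[(e["client"], e["hostname"], rule)] += 1
    return counts

if __name__ == "__main__":
    print(denied_by_client(SAMPLE.splitlines()))
```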

View logs in Cloud Logging

To view your Secure Web Proxy logs in the Logs Explorer, do the following:

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Select an existing Google Cloud project at the top of the page, or create a new project.

  3. Using the drop-down menus, select the resource networkservices.googleapis.com/Gateway or the Secure Web Proxy instance name.

For more information, see Using the Logs Explorer.