Viewing activity logs
Beta
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Compute Engine activity logs aren't the same thing as audit logs. Audit logs contain the same information as legacy activity logs and more. We recommend you use audit logs instead of activity logs. If you are already using activity logs, read Migrating from activity logs to audit logs.
Compute Engine provides activity logs that let you track certain events that affect your project, such as API calls and system events. Specifically, activity logs provide information about:
- Compute Engine API calls: GCE_API_CALL events are API calls that change the state of a resource. For example, API calls to create a disk, update instance metadata, create an instance group, or change a machine type are recorded in activity logs. API calls that do not update a resource, such as get and list requests, aren't recorded.
- Operation logs: GCE_OPERATION_DONE events are logged when an API call that changes the state of a resource finishes. Compute Engine returns a completed operation event that is recorded in your activity logs.
- System logs: GCE_SYSTEM_EVENT events are logged when Compute Engine performs a system event. For example, a transparent maintenance event would be logged as a system event.
For example, with an API event, an activity log provides details such as the start and end time of an API request, the specifics of the request body, the authorized user who made the API request, and the request endpoint. You can download activity logs to search for specific API requests, or to review system events initiated by Compute Engine.
Activity logs do not provide billing or usage information about a project, such as how long a virtual machine instance has been running or how much it costs. For billing logs, see the billing export feature. For usage logs, see Viewing usage reports.
Activity logs are provided as part of the Cloud Logging service. For more information about Logging in general, read the Cloud Logging documentation.
Before you begin
- Be familiar with Cloud Logging.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Permissions required for this task
To perform this task, you must have the following permissions:
- logging.logServiceIndexes.list on the project
- logging.logServices.list on the project
Viewing logs
Activity logging is enabled by default for all Compute Engine projects.
You can see your project's activity logs through the Logs Explorer in the Google Cloud console:
- In the Google Cloud console, go to the Logging page.
- When in the Logs Explorer, select and filter your resource type from the first drop-down list.
- From the All logs drop-down list, select compute.googleapis.com/activity_log to see Compute Engine activity logs.
Routing logs
To learn how to export activity logs, read Configure and manage sinks in the Cloud Logging documentation.
Identifying log files
When you export logs into Cloud Storage, the log files are stored in the structure described by the Log entry objects documentation.
Compute Engine log files are stored with the following directory structure:
<bucket>/compute.googleapis.com/activity_log/<year>/<month>/<day>
The following is an example log filename stored in a Cloud Storage bucket named my-bucket:
my-bucket/compute.googleapis.com/activity_log/2014/10/31/20:00:00_20:59:59_S0.json
In BigQuery, activity logs are stored in a set of tables, one table for each log type and day, and the tables are named using the following format:
<dataset>.compute_googleapis_com_activity_log_YYYYMMDD
For information about how to query activity logs in BigQuery, see Log entries in BigQuery.
Reading activity logs
Note: Compute Engine recently updated the format of activity logs to use protobuf format. This changes the format of your logs slightly, but the content remains the same.
Activity logs are structured as described in the LogEntry type documentation.
Compute Engine activity logs have:
- compute.googleapis.com/activity_log as the value of the log field
- metadata, which describes common information such as timestamp
- structPayload, which contains the specific contents of the log entry
You can get more details about the common fields provided with every log entry from the LogEntry description, but the payload contents of activity log entries are specific to Compute Engine and are described below.
Payload contents
The contents of a log entry are provided in JSON object format, and are stored in the structPayload field. The structPayload field contains the following information:
| Field | Type | Description |
|---|---|---|
| actor | string | Email of user or service account performing the operation. This is the same as the user_id. |
| error | string | Provides any error details if an error occurred during this event. This is omitted if there were no errors. Errors usually prevent a request from completing successfully. You can use this field to debug a failed request. |
| event_subtype | string | Describes the specific subtype as an API method. For example, a request to insert a new instance appears as See the API reference for a comprehensive list of API methods. |
| event_timestamp_us | timestamp | The timestamp, in microseconds, of the logged event since standard epoch. This is the same as metadata.timestamp. |
| event_type | string | Describes the general event type. This can be one of the following values: |
| info | string | An optional field with additional information, if applicable. This field is omitted if there is no additional information to show. |
| operation | string | When an API request is made to update or change any resources, a corresponding operation object is created to track the request to completion. This property describes the operation object for this event, providing information such as the operation name, the zone or region of the operation, and the operation ID. Operations can be a zone operation, a region operation, or a global operation, depending on the resource the operation is modifying. |
| request | JSON | Contains the original API request body. |
| resource | JSON | Describes the particular resource that is being modified by this event. For example, a virtual machine (VM) instance is considered a resource and an example resource property for a VM looks like the following: "resource": { "type": "instance", "name": "example-instance", "id": "0", "zone": "us-central1-f" } A list of resource types is described in detail in the API reference. Note: If an action affects multiple resources, there may be multiple log entries with the same |
| trace_id | string | A system-provided trace ID used to group related logs that are triggered by a single action. For example: trace_id: "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e" |
| user_agent | string | Describes the client that performed this request. For example, if you used the Cloud Client Libraries for Java to make a request, the user agent would be Google-API-Java-Client. |
| version | string | The current log format version indicates the Compute Engine log schema. The current version is 1.2. Note: The Compute Engine API versioning is separate from the log format versioning. |
| warning | string | Provides any warning details if any warnings occurred during this event. A warning is informational and does not affect the request, unlike errors. |
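The following Python is an added example, not part of the original page or Google's own code. It groups activity log entries by trace_id, pairs each GCE_API_CALL with its GCE_OPERATION_DONE, and decodes request.body (a JSON string nested inside the entry) to surface external access configs and service account scopes on new instances. It assumes exported files hold one JSON entry per line; the sample lines and all helper names are constructed for illustration.

```python
import json
from collections import defaultdict
ACTIVITY_LOG = "compute.googleapis.com/activity_log"

def make_entry(event_type, trace_id, **fields):
    """Build one constructed log line shaped like this page's sample entry."""
    payload = {"version": "1.2", "trace_id": trace_id, "event_type": event_type, **fields}
    return json.dumps({"log": ACTIVITY_LOG, "structPayload": payload})

# Constructed sample input (not real logs); assumes one JSON entry per line.
BODY = json.dumps({
    "networkInterfaces": [{"accessConfigs": [{"name": "External NAT", "type": "ONE_TO_ONE_NAT"}]}],
    "serviceAccounts": [{"email": "default",
                         "scopes": ["https://www.googleapis.com/auth/devstorage.read_only"]}]})
SAMPLE_LINES = [
    make_entry("GCE_API_CALL", "operation-A", event_subtype="compute.instances.insert",
               actor={"user": "user@example.com"}, resource={"name": "example-instance"},
               request={"body": BODY}),
    make_entry("GCE_OPERATION_DONE", "operation-A"),
    make_entry("GCE_API_CALL", "operation-B", event_subtype="compute.instances.insert",
               actor="svc@example.com", resource={"name": "vm-b"}, error="constructed error"),
]

def actor_of(payload):
    """actor is typed as a string in the table but nested under "user" in the sample."""
    actor = payload.get("actor")
    return actor.get("user") if isinstance(actor, dict) else actor

def summarize(lines):
    """Reduce activity log lines to one record per trace_id."""
    traces = defaultdict(lambda: {"actor": None, "method": None, "resource": None,
                                  "done": False, "errors": [], "external_nat": False, "scopes": []})
    for line in lines:
        entry = json.loads(line)
        if entry.get("log") != ACTIVITY_LOG:
            continue  # skip entries from other logs
        p = entry.get("structPayload", {})
        t = traces[p.get("trace_id")]
        if p.get("error"):
            t["errors"].append(p["error"])
        if p.get("event_type") == "GCE_OPERATION_DONE":
            t["done"] = True
        elif p.get("event_type") == "GCE_API_CALL":
            t.update(actor=actor_of(p), method=p.get("event_subtype"),
                     resource=p.get("resource", {}).get("name"))
            body = json.loads(p.get("request", {}).get("body") or "{}")  # body is a JSON string
            t["external_nat"] = any(n.get("accessConfigs") for n in body.get("networkInterfaces", []))
            t["scopes"] = [s for sa in body.get("serviceAccounts", []) for s in sa.get("scopes", [])]
    return dict(traces)
```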
Sample log entry
For example, a sample log entry describing an API request to create a VM looks like the following:
```json
{
  "log": "compute.googleapis.com/activity_log",
  "insertId": "2015-09-16|13:49:42.532185-07|10.106.9.208|335899593",
  "metadata": {
    "severity": "INFO",
    "projectId": "835469197146",
    "serviceName": "compute.googleapis.com",
    "zone": "us-central1-f",
    "labels": {
      "compute.googleapis.com/resource_id": "0",
      "compute.googleapis.com/resource_name": "example-instance",
      "compute.googleapis.com/resource_type": "instance",
      "compute.googleapis.com/resource_zone": "us-central1-f"
    },
    "timestamp": "2015-09-16T20:49:42.423637Z"
  },
  "structPayload": {
    "version": "1.2",
    "trace_id": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
    "event_timestamp_us": "1442436582423637",
    "event_type": "GCE_API_CALL",
    "event_subtype": "compute.instances.insert",
    "resource": {
      "type": "instance",
      "name": "example-instance",
      "id": "0",
      "zone": "us-central1-f"
    },
    "actor": {
      "user": "user@example.com"
    },
    "ip_address": "",
    "user_agent": "apitools-client/1.0",
    "request": {
      "url": "https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/instances",
      "body": "{ \"canIpForward\":false, \"description\":\"\", \"disks\":[{ \"autoDelete\":true, \"boot\":true, \"deviceName\":\"example-instance\", \"initializeParams\":{ \"diskSizeGb\":\"10\", \"diskType\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/diskTypes/pd-standard\", \"sourceImage\":\"https://www.googleapis.com/compute/v1/projects/debian-cloud/global/images/debian-8-jessie-v20150818\" }, \"mode\":\"READ_WRITE\", \"type\":\"PERSISTENT\" }], \"machineType\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/machineTypes/n1-standard-1\", \"metadata\":{ \"items\":[] }, \"name\":\"example-instance\", \"networkInterfaces\":[{ \"accessConfigs\":[{ \"name\":\"External NAT\", \"type\":\"ONE_TO_ONE_NAT\" }], \"network\":\"https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default\" }], \"scheduling\":{ \"automaticRestart\":true, \"onHostMaintenance\":\"MIGRATE\", \"preemptible\":false }, \"serviceAccounts\":[{ \"email\":\"default\", \"scopes\":[ \"https://www.googleapis.com/auth/devstorage.read_only\", \"https://www.googleapis.com/auth/logging.write\" ] }], \"tags\":{ \"items\":[] }, \"zone\":\"https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f\" }"
    },
    "operation": {
      "type": "operation",
      "name": "operation-1442436581415-51fe3700bd85a-7fd317e3-f1a3555e",
      "id": "291347737657178184",
      "zone": "us-central1-f"
    }
  }
}
```
Deprecated activity log entries
The following activity log entries will be discontinued, with no replacement, on June 1, 2020:
| Monitored Resource Type | Event SubType |
|---|---|
| gce_backend_service | BackendServiceConfigProgramming |
| gce_instance | RE_ENCRYPT_SSL_CERTIFICATE_FLOW |
| gce_instance | addFirewallRuleToSecurityPolicy |
| gce_instance | attachCloudLink |
| gce_instance | attachFirewallSecurityPolicy |
| gce_instance | compute.instanceGroupManagers.updateHealth |
| gce_instance | compute.instanceGroups.detachHealthCheck |
| gce_instance | compute.instanceNetworkConfig.updateName |
| gce_instance | compute.regionInstanceGroups.attachHealthCheck |
| gce_instance | compute.regionInstanceGroups.detachHealthCheck |
| gce_instance | createFirewallSecurityPolicy |
| gce_instance | deleteFirewallSecurityPolicy |
| gce_instance | detachFirewallSecurityPolicy |
| gce_instance | patchFirewallRuleInSecurityPolicy |
| gce_instance | removeCloudLink |
| gce_instance | removeFirewallRuleFromSecurityPolicy |
| gce_instance | updateFirewallSecurityPolicy |
| gce_instance | updateVpnTunnel |
| gce_instance_group | compute.instanceGroups.attachHealthCheck |
| gce_instance_group | compute.instanceGroups.attachNetworkInterfaces |
| gce_instance_group | compute.instanceGroups.detachHealthCheck |
| gce_instance_group | compute.regionInstanceGroups.attachHealthCheck |
| gce_instance_group | compute.regionInstanceGroups.detachHealthCheck |
| gce_instance_template | compute.zoneInstanceTemplates.insert |
| gce_network | compute.networks.switchLegacyToCustomMode |
| gce_project | compute.projects.moveProjectNetworking |
| gce_reserved_address | compute.addresses.insertDnsForwarding |
| gce_reserved_address | compute.addresses.insertNatAddress |
| gce_ssl_certificate | RE_ENCRYPT_SSL_CERTIFICATE_FLOW |
| gce_ssl_certificate | SslCertificateAddManagedCertificateChallenge |
| gce_ssl_certificate | SslCertificateProvisionManagedCertificate |
| gce_ssl_certificate | SslCertificateRemoveManagedCertificateChallenge |
| gce_subnetwork | compute.subnetworks.createOrUpdateVirtualSubnetwork |
| vpn_tunnel | updateVpnTunnel |
Last updated 2026-02-19 UTC.