Cloud Logging: Log Router, Log Buckets, and Log-Based Metrics
A production-focused guide to Cloud Logging: Log Router, Log Buckets, and Log-Based Metrics on Google Cloud Platform..
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
- ✓Google Cloud project with billing enabled, basic familiarity with gcloud CLI, understanding of IAM roles, access to Cloud Logging and Cloud Monitoring APIs.
Cloud Logging: Log Router, Log Buckets, and Log-Based Metrics is like having a specialized tool that handles cloud logging so you don't have to build and manage it yourself โ it just works out of the box with Google Cloud's infrastructure.
| Chrome | Firefox | Safari | Edge |
|---|---|---|---|
| ✓ | ✓ | ✓ | ✓ |
You're paged at 3 AM because your API latency spiked. You SSH into a box, grep through gigabytes of logs, and find nothing. Meanwhile, your competitor's SRE already identified the root cause via a log-based metric that triggered an alert. That's the difference Cloud Logging makes. It's not just about storing logsโit's about turning them into actionable signals. In this post, we'll dissect the three pillars: Log Router to control log flow, Log Buckets for cost-effective storage, and Log-Based Metrics to create custom monitoring without code changes. By the end, you'll know how to build a logging pipeline that doesn't just collect data but actively helps you sleep better at night.
Log Router: The Traffic Cop for Your Logs
The Log Router is the entry point for all log entries in Cloud Logging. Every logโwhether from Compute Engine, Kubernetes, or your appโpasses through the router before being stored or excluded. Its primary job is to match logs against inclusion and exclusion filters, then route matched logs to one or more sinks. Sinks can be Log Buckets (default), Pub/Sub topics, BigQuery datasets, or Cloud Storage buckets. This is where you control costs: by excluding verbose logs (e.g., health checks) or routing audit logs to a cheap storage class. The router uses a first-match wins logic: if a log matches an exclusion filter, it's dropped; otherwise, it's evaluated against inclusion filters. Misconfiguring these filters is a common cause of missing logs during incidents. Always test filters with the Logs Explorer before deploying.
Log Buckets: Storage with Retention and Access Control
Log Buckets are the default storage destination for logs routed by the Log Router. Each bucket has a retention period (default 30 days, max 3650 days) and can be locked to prevent deletion. Buckets are regional, so choose a region close to your compute resources to reduce egress costs. You can create custom buckets with different retention policiesโfor example, a 7-day bucket for debug logs and a 365-day bucket for audit logs. Buckets also support CMEK (Customer-Managed Encryption Keys) for compliance. Access to bucket contents is controlled via IAM roles like Logs Viewer and Logs Bucket Writer. Important: deleting a bucket deletes all logs inside, even if retention hasn't expired. Always use retention policies and bucket locks for critical logs.
Log-Based Metrics: Turn Logs into Monitoring Signals
Log-Based Metrics allow you to count log entries matching a filter and expose them as Cloud Monitoring metrics. This is incredibly powerful because you can create custom metrics without modifying application code. For example, count every ERROR log line from your payment service and alert when the rate exceeds 5 per minute. There are two types: counter metrics (count of log entries) and distribution metrics (histogram of a numeric value extracted from logs). Distribution metrics require a label extractor using regular expressions. Metrics are created via the Logs Explorer or API, and they appear in Metrics Explorer within minutes. They incur no additional cost beyond the underlying log storage. However, beware of high-cardinality labels (e.g., request IDs) which can spike costs and degrade performance.
Routing Logs to Multiple Destinations
A single log entry can be routed to multiple sinks. This is useful when you need logs in both a Log Bucket for real-time analysis and BigQuery for long-term analytics. To achieve this, create multiple sinks with overlapping filters. However, be mindful of costs: each sink that matches a log entry incurs ingestion charges (though egress to BigQuery or Storage is free within the same region). You can also route logs to Pub/Sub for streaming to third-party tools like Splunk or Datadog. When routing to Pub/Sub, ensure the topic has sufficient quota and that subscribers are resilient to backpressure. A common pattern is to route all logs to a default bucket, then route a subset (e.g., errors) to a Pub/Sub topic for real-time alerting.
Exclusion Filters: Cutting Costs Without Losing Visibility
Exclusion filters are applied before any sink evaluation. If a log matches an exclusion filter, it is dropped entirely and never stored. This is the most effective way to reduce logging costs, but it's also dangerous. Common exclusions include health check logs, repetitive debug logs, and known benign errors. However, if you exclude too aggressively, you might miss anomalies. Best practice: exclude only after analyzing log patterns over a week, and always log excluded entries to a separate bucket for a trial period. You can also use exclusion filters with sampling: for example, exclude 90% of INFO logs but keep all ERROR logs. Exclusion filters are evaluated in order, and the first match wins.
IAM and Access Control for Logs
Access to Cloud Logging resources is governed by IAM roles. Key roles include: Logs Viewer (read logs), Logs Writer (write logs), Logs Bucket Writer (write to a specific bucket), and Logs Configuration Writer (manage sinks and metrics). For production, follow least privilege: give developers Logs Viewer on specific buckets, not the entire project. Service accounts that write logs (e.g., from GKE) need Logs Writer. Audit logs (Cloud Audit Logs) are stored in the _Required bucket and are accessible only to users with the Project Owner or Logs Viewer role at the organization level. Be careful with custom roles: missing permissions can cause silent log drops.
Logs Explorer: Querying Logs Efficiently
The Logs Explorer is the UI for searching and analyzing logs. It supports a SQL-like query language with operators like =, !=, AND, OR, and functions like timestamp() and severity(). You can filter by resource type, log name, or any structured field. For performance, always include a time range and avoid wildcard searches on large fields. Use the 'Show query' button to see the underlying filter syntax, which you can reuse in sinks and metrics. The Logs Explorer also supports histogram views to visualize log volume over time. For advanced analysis, you can export query results to BigQuery. Pro tip: save common queries as 'Saved Searches' for team reuse.
Monitoring and Alerting with Log-Based Metrics
Once a log-based metric is created, it appears in Cloud Monitoring as a custom metric. You can create alerting policies based on these metrics, such as 'alert if payment-error-rate > 10 per minute for 5 minutes'. The metric is available in Metrics Explorer and can be used in dashboards. Log-based metrics are real-time (latency < 1 minute) and incur no additional cost beyond the underlying log storage. However, be aware that metric creation is eventually consistentโit may take a few minutes for new logs to appear in the metric. Also, if you delete the log-based metric, the underlying logs are not deleted; only the metric stops updating.
Cost Management: Understanding Logging Pricing
Cloud Logging pricing is based on three components: ingestion (volume of log data), storage (retained data), and egress (data exported to other destinations). Ingestion is charged per GiB, with a free tier of 50 GiB per project per month. Storage costs depend on retention period and bucket location. Exclusions reduce ingestion costs, while shorter retention reduces storage costs. Log-based metrics and Logs Explorer queries are free. To optimize costs: exclude verbose logs, use shorter retention for debug buckets, and route audit logs to cheaper storage classes (e.g., Cloud Storage Nearline). Monitor your logging costs in the Billing console and set budget alerts.
Troubleshooting Common Logging Issues
Common issues include: logs not appearing in Logs Explorer, sinks not delivering logs, and log-based metrics not showing data. First, check if the log entry exists by using the Logs Explorer with a broad filter. If logs are missing, verify that the source (e.g., GKE, VM) has the correct IAM permissions to write logs. For sinks, check the sink's 'writer identity' and ensure the destination (e.g., BigQuery dataset) exists and has proper permissions. Use the 'Logs Router' page to see sink errors. For log-based metrics, ensure the metric filter matches the log entries and that the metric has been created in the correct project. Also, remember that metrics are eventually consistentโwait a few minutes.
logName="projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access" to see them.Best Practices for Production Logging Pipelines
- Use structured logging (JSON) to enable easy filtering and metric extraction. 2. Set log levels consistently across services. 3. Route audit logs to a locked bucket with long retention. 4. Exclude health check and verbose debug logs at the router level. 5. Create log-based metrics for all critical error conditions. 6. Monitor sink health and set alerts for sink failures. 7. Use IAM conditions to restrict access to sensitive logs. 8. Regularly review logging costs and adjust exclusions. 9. Test your logging pipeline during load testing to ensure it doesn't become a bottleneck. 10. Document your logging architecture, including sink configurations and metric definitions.
Observability Analytics: SQL Queries on Your Logs
The Logs Explorer is great for real-time debugging, but for complex analysis across large time ranges, you need SQL. Cloud Logging's Observability Analytics (powered by BigQuery) lets you upgrade a log bucket to enable SQL queries directly on your log data. Once enabled, you can run standard SQL queries against your logs using the Log Analytics page โ no need to export to BigQuery first. This enables joins across log types, aggregation windows, percentile calculations, and other SQL patterns that the Logs Explorer's filter language can't express. For example: 'What is the p99 latency of my payment service per deployment over the last 30 days?' or 'Which service has the highest error rate per region?' You can also create linked BigQuery datasets for deeper analysis or integration with existing BI tools. Upgrading a bucket to use Observability Analytics takes a few minutes and does not affect existing log ingestion. Only new logs after the upgrade are queryable via SQL. Use Observability Analytics for postmortem analysis, trend detection, and compliance reporting. In production, we run a weekly SQL query that compares error rates across all services โ it caught a gradual degradation that the Logs Explorer dashboard missed.
Log Views and Linked Datasets: Granular Access Control and Analytics
By default, anyone with Logs Viewer on a project can see all logs in all buckets. Log Views let you define subsets of logs within a bucket and grant access to specific views instead of the entire bucket. For example, create a view for 'payment-service-errors' that only includes ERROR logs from the payment service, then grant the payments team access to only that view. This enables multi-tenant log access without creating separate buckets. Additionally, you can create a linked dataset in BigQuery from an upgraded log bucket (one with Observability Analytics enabled). This creates a BigQuery dataset that mirrors your log bucket, allowing you to run BigQuery's full analytical capabilities (including federated queries, scheduled queries, and BI tool integration) without double storage costs. The linked dataset is read-only and stays in sync with the log bucket. In production, we use log views to give developers access to their service's logs without exposing other teams' data, and linked datasets for long-term compliance analytics in BigQuery.
| File | Command / Code | Purpose |
|---|---|---|
| create-sink.sh | gcloud logging sinks create my-bigquery-sink \ | Log Router |
| create-bucket.sh | gcloud logging buckets create audit-bucket \ | Log Buckets |
| create-metric.sh | gcloud logging metrics create payment-error-rate \ | Log-Based Metrics |
| create-multi-sink.sh | gcloud logging sinks create error-pubsub \ | Routing Logs to Multiple Destinations |
| create-exclusion.sh | gcloud logging sinks update _Default \ | Exclusion Filters |
| grant-logs-viewer.sh | gcloud projects add-iam-policy-binding my-project \ | IAM and Access Control for Logs |
| logs-query.sql | resource.type="k8s_container" | Logs Explorer |
| create-alert.sh | gcloud alpha monitoring policies create \ | Monitoring and Alerting with Log-Based Metrics |
| check-sink.sh | gcloud logging sinks describe my-sink \ | Troubleshooting Common Logging Issues |
| logging-pipeline.yaml | logging: | Best Practices for Production Logging Pipelines |
| observability_analytics.sql | SELECT | Observability Analytics |
| log_view_and_dataset.sh | gcloud logging views create payment-errors \ | Log Views and Linked Datasets |
Key takeaways
Common mistakes to avoid
3 patternsIgnoring gcp cloud logging best practices
Over-provisioning without rightsizing analysis
Skipping IAM least-privilege principles
Interview Questions on This Topic
What is Cloud Logging: Log Router, Log Buckets, and Log-Based Metrics and when would you use it in production?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
That's Google Cloud. Mark it forged?
6 min read · try the examples if you haven't