Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add table gcp_logging_log_entry Closes #462 #463

Merged
merged 13 commits into from
Jul 20, 2023
Merged

Add table gcp_logging_log_entry Closes #462 #463

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
6ee8481
Add table gcp_logging_log_entry Closes #462
ParthaI Jun 30, 2023
4651584
Removed the get config
ParthaI Jun 30, 2023
23b021f
Added optional quals
ParthaI Jun 30, 2023
8498e26
Added insert_id as optional quals
ParthaI Jun 30, 2023
a2d9d44
Added get config
ParthaI Jun 30, 2023
d193f47
Updated the title filter
ParthaI Jun 30, 2023
f13e9db
Added doc for the table
ParthaI Jul 3, 2023
9ea35c7
Updated the comment and added the log statement
ParthaI Jul 3, 2023
9f22821
Made changes as per review comments
ParthaI Jul 5, 2023
c6c43b8
Added more optional quals to query this table
ParthaI Jul 6, 2023
2ed32d1
Added log_entry_operation_id as optional quals
ParthaI Jul 6, 2023
b87a6fe
Added filter as optional quals and updated the doc with more example …
ParthaI Jul 12, 2023
f3e663f
Formated the doc
ParthaI Jul 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
176 changes: 176 additions & 0 deletions docs/tables/gcp_logging_log_entry.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,176 @@
# Table: gcp_logging_log_entry

In Google Cloud Platform (GCP), a logging log entry represents a single log event captured by GCP's logging service. It contains information about a specific occurrence or action that took place within a GCP resource or service. Each log entry contains various metadata and data fields that provide details about the event, such as the log severity, timestamp, log message, log name, resource information, and any additional structured data associated with the event.

**Important notes:**

- For improved performance, it is advised that you use the optional qual `timestamp` to limit the result set to a specific time period.
- This table supports optional quals. Queries with optional quals are optimised to use Logging filters. Optional quals are supported for the following columns:
- `resource_type`
- `severity`
- `log_name`
- `span_id`
- `text_payload`
- `receive_timestamp`
- `timestamp`
- `trace`
- `log_entry_operation_id`
- `filter`

## Examples

### Basic info

```sql
select
log_name,
insert_id,
log_entry_operation_first,
log_entry_operation_id,
receive_timestamp
from
gcp_logging_log_entry;
```

### Get log entries by resource type

```sql
select
log_name,
insert_id,
log_entry_operation_first,
log_entry_operation_last,
resource_type,
span_id,
text_payload
from
gcp_logging_log_entry
where
resource_type = 'audited_resource';
```

### List log entries with NOTICE severity

```sql
select
log_name,
insert_id,
resource_type,
severity,
span_id,
timestamp
from
gcp_logging_log_entry
where
severity = 'NOTICE';
```

### List log entries in last 30 days

```sql
select
log_name,
insert_id,
receive_timestamp,
trace_sampled,
span_id,
timestamp
from
gcp_logging_log_entry
where
timestamp >= now() - interval '30' day;
```

### List log entries that occurred between five to ten minutes ago

```sql
select
log_name,
insert_id,
receive_timestamp,
trace_sampled,
severity,
resource_type
from
gcp_logging_log_entry
where
log_name = 'projects/parker-abbb/logs/cloudaudit.googleapis.com%2Factivity'
and
timestamp between (now() - interval '10 minutes') and (now() - interval '5 minutes')
order by
receive_timestamp asc;
```

### Get the last log entries

```sql
select
log_name,
insert_id,
log_entry_operation_last,
receive_timestamp,
resource_type,
severity,
text_payload
from
gcp_logging_log_entry
where log_entry_operation_last;
```

### Filter log entries by log name

```sql
select
log_name,
insert_id,
log_entry_operation_first,
log_entry_operation_last,
receive_timestamp,
resource_type,
severity
from
gcp_logging_log_entry
where
log_name = 'projects/parker-abbb/logs/cloudaudit.googleapis.com%2Factivity';
```

## Filter examples

For more information on Logging log entry filters, please refer to [Filter Pattern Syntax](https://cloud.google.com/logging/docs/view/logging-query-language).

### List log entries of Compute Engine VMs with serverity error

```sql
select
log_name,
insert_id,
log_entry_operation_first,
log_entry_operation_last,
receive_timestamp,
resource_type,
severity
from
gcp_logging_log_entry
where
filter = 'resource.type = "gce_instance" AND (severity = ERROR OR "error")';
```

### List events originating from a specific IP address range that occurred over the last hour

```sql
select
log_name,
insert_id,
receive_timestamp,
resource_type,
severity,
timestamp,
resource_labels
from
gcp_logging_log_entry
where
filter = 'logName = "projects/my_project/logs/my_log" AND ip_in_net(jsonPayload.realClientIP, "10.1.2.0/24")'
and timestamp >= now() - interval '1 hour'
order by
receive_timestamp asc;
```
1 change: 1 addition & 0 deletions gcp/plugin.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ func Plugin(ctx context.Context) *plugin.Plugin {
"gcp_kubernetes_node_pool": tableGcpKubernetesNodePool(ctx),
"gcp_logging_bucket": tableGcpLoggingBucket(ctx),
"gcp_logging_exclusion": tableGcpLoggingExclusion(ctx),
"gcp_logging_log_entry": tableGcpLoggingLogEntry(ctx),
"gcp_logging_metric": tableGcpLoggingMetric(ctx),
"gcp_logging_sink": tableGcpLoggingSink(ctx),
"gcp_monitoring_alert_policy": tableGcpMonitoringAlert(ctx),
Expand Down
Loading