View proxy transaction logs

Proxy transaction logs provide detailed information about each request that Secure Web Proxy processes. These logs include a record of every transaction that Secure Web Proxy mediates between users and the internet. This page explains how to access and interpret the transaction logs that your Secure Web Proxy instances generate.

Types of proxy transaction log entries

Proxy transaction log entries are of three types:

  • HttpRequest
  • LoadBalancerLogEntry
  • GatewayLogEntry

These logs are useful for the following actions:

  • Security analysis and threat detection
  • Troubleshooting connectivity and policy issues
  • Auditing web access
  • Secure Web Proxy performance analysis

HttpRequest

These log entries contain the following information:

| Name | Type | Description |
|---|---|---|
| requestMethod | String | Type of request method, such as GET, HEAD, PUT, or POST. |
| requestUrl | String | Scheme (http or https), hostname, path, and the query portion of the requested URL. For example, http://example.com/some/info?color=red. |
| requestSize | String (int64 format) | Size, in bytes, of the HTTP request message, including the request headers and request body. |
| status | Integer | HTTP or HTTPS status code that indicates the response. For example, 200 OK or 404 Not Found. |
| responseSize | String (int64 format) | Size, in bytes, of the HTTP status code that's sent back to the client, including the headers and body. |
| userAgent | String | User agent that the client sends, such as Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461; .NET CLR 1.0.3705). |
| remoteIp | String | IP address (IPv4 or IPv6) of the client that issued the HTTP request. This field can include port information. For example, 192.168.1.1, 10.0.0.1:80, and FE80::0202:B3FF:FE1E:8329. |
| serverIp | String | IP address (IPv4 or IPv6) of the origin server to which the request was sent. This field can include port information. For example, 192.168.1.1, 10.0.0.1:80, and FE80::0202:B3FF:FE1E:8329. |
| referrer | String | Referrer URL of the request, as defined in HTTP/1.1 Header Field Definitions. |
| latency | String (Duration format) | Request processing latency on the server, from the time the request was received until the response was sent. Latency is a duration in seconds with up to nine fractional digits and ends with s, such as 3.5s. |
| cacheLookup | Boolean | Indicates whether a cache lookup was attempted. |
| cacheHit | Boolean | Indicates whether an entity was served from the cache (with or without validation). |
| cacheValidatedWithOriginServer | Boolean | Indicates whether the response was validated with the origin server before being served from the cache. This field is meaningful only if cacheHit is True. |
| cacheFillBytes | String (int64 format) | Number of HTTP status code bytes that are inserted. |
| protocol | String | Protocol used for the request, such as HTTP/1.1, HTTP/2, and websocket. |

LoadBalancerLogEntry

These log entries contain the following information:

| Name | Type | Description |
|---|---|---|
| insertId | String | Unique log ID. |
| jsonPayload.@type | String | Log type. The log type value is always type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry. |
| jsonPayload.enforcedGatewaySecurityPolicy.hostname | String | Hostname associated with the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.action | String | Action taken on the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.rule | String | Name of the rule applied to the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.clientServiceAccount | String | Service account associated with the request. |
| jsonPayload.enforcedGatewaySecurityPolicy.clientSecureTags | String | Secure tags associated with the request. |

GatewayLogEntry

These log entries contain the following information:

| Name | Type | Description |
|---|---|---|
| resource_container | String | Container associated with the gateway. |
| location | String | Name of the region in which the gateway is defined. |
| network_name | String | Name of the Virtual Private Cloud (VPC) network in which the gateway was created. |
| gateway_type | String | Enum type of the gateway. For Secure Web Proxy, the value must be SECURE_WEB_GATEWAY. |
| gateway_name | String | Name of the gateway resource. |

Format of proxy transaction logs

Proxy transaction logs are written to Cloud Logging under the log name projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event.

The JSON payload of each log entry contains detailed information about the transaction. Log entries contain the following key fields:

| Name | Type | Description |
|---|---|---|
| destination_ip | String | Resolved IP address of the destination. |
| instance | String | Name of the Secure Web Proxy instance that processed the request. |
| mtls_info | Object | Information about the mTLS handshake, if applicable. |
| policy_evaluation_results | Object | Information about which rules were matched and the resulting action, such as allow or deny. |
| request_host | String | Requested hostname. |
| request_method | String | HTTP method, such as GET or POST. |
| request_path | String | Path of the request. |
| request_port | Integer | Destination port. |
| request_protocol | String | HTTP protocol version. |
| request_scheme | String | Scheme of the URL request, such as http or https. |
| request_time | Timestamp | Date and time at which the proxy received the request. The timestamp is specified in ISO 8601 format: YYYY-MM-DDTHH:MM:SS.MsMsMsZoneOffset. For example, 2025-06-03T11:52:26.452Z. |
| response_code | Integer | HTTP status code that's returned to the client. |
| response_size | Integer | Size of the response body, measured in bytes. |
| response_time | Timestamp | Date and time at which the proxy sent the response to the client. The timestamp is specified in ISO 8601 format: YYYY-MM-DDTHH:MM:SS.MsMsMsZoneOffset. For example, 2025-06-03T11:52:26.452Z. |
| source_ip | String | Client IP address. |
| source_port | Integer | Client source port. |
| tls_cipher_suite | String | Cipher suite used for the TLS connection. |
| tls_version | String | TLS version used for the connection. |

Monitor proxy transaction logs

  1. In the Google Cloud console, go to the Logs Explorer page.


  2. Select your Google Cloud project.

  3. Use the following query to view all Secure Web Proxy transaction logs:

    logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event"

    Replace PROJECT_ID with the ID of your target Google Cloud project.

    Here are a few sample queries that you can use to view specific details:

    • Find all denied requests.

      logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event"
      jsonPayload.policy_evaluation_results.policy_action="DENY"
    • Find requests from a specific source IP address.

      logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event"
      jsonPayload.source_ip="192.0.2.1"
    • Find requests to a specific host.

      logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event"
      jsonPayload.request_host="example.com"
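
The same filters can be applied offline to exported entries. The following is an added example, not code from the product documentation: it counts denied requests per client and destination and flags slow transactions by comparing request_time and response_time. The sample entries are constructed, and it assumes one JSON entry per line, that policy_action sits under policy_evaluation_results as in the query above, and that allowed requests carry the value ALLOW.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample export, one log entry per line (all values are made up).
SAMPLE = "\n".join([
    '{"jsonPayload": {"source_ip": "192.0.2.1", "request_host": "example.com", "request_time": "2025-06-03T11:52:26.452Z", "response_time": "2025-06-03T11:52:26.702Z", "policy_evaluation_results": {"policy_action": "ALLOW"}}}',
    '{"jsonPayload": {"source_ip": "192.0.2.1", "request_host": "blocked.example", "request_time": "2025-06-03T11:53:00.000Z", "response_time": "2025-06-03T11:53:00.010Z", "policy_evaluation_results": {"policy_action": "DENY"}}}',
    '{"jsonPayload": {"source_ip": "192.0.2.1", "request_host": "blocked.example", "request_time": "2025-06-03T11:53:05.000Z", "response_time": "2025-06-03T11:53:05.020Z", "policy_evaluation_results": {"policy_action": "DENY"}}}',
    '{"jsonPayload": {"source_ip": "198.51.100.7", "request_host": "example.com", "request_time": "2025-06-03T11:54:00.000Z", "response_time": "2025-06-03T11:54:02.500Z", "policy_evaluation_results": {"policy_action": "ALLOW"}}}',
    'not json (truncated line)',
])

def load_payloads(text):
    """Return the jsonPayload of each parseable line; skip malformed lines."""
    payloads = []
    for line in text.splitlines():
        try:
            payload = json.loads(line).get("jsonPayload")
        except (json.JSONDecodeError, AttributeError):
            continue
        if isinstance(payload, dict):
            payloads.append(payload)
    return payloads

def policy_actions(payload):
    """Actions recorded for one entry; accepts a single object or a list."""
    results = payload.get("policy_evaluation_results") or []
    if isinstance(results, dict):
        results = [results]
    return {r.get("policy_action") for r in results if isinstance(r, dict)}

def denied_by_source(payloads):
    """Count denied requests per (source_ip, request_host)."""
    return Counter((p.get("source_ip"), p.get("request_host"))
                   for p in payloads if "DENY" in policy_actions(p))

def parse_ts(value):
    # fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def slow_requests(payloads, threshold_s=1.0):
    """(request_host, seconds) where response_time - request_time > threshold."""
    slow = []
    for p in payloads:
        try:
            delta = parse_ts(p["response_time"]) - parse_ts(p["request_time"])
        except (KeyError, ValueError, AttributeError):
            continue
        if delta.total_seconds() > threshold_s:
            slow.append((p.get("request_host"), delta.total_seconds()))
    return slow
```

Repeated denials from one source_ip to the same request_host are a useful starting point for both policy troubleshooting and investigating unexpected egress attempts.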

Route proxy transaction logs

You can route proxy transaction logs to other destinations like Cloud Storage, BigQuery, or Pub/Sub by using log sinks. For more information, see Route log entries.
