Console
    Contact Us Start free

    Access flow logs

    This page describes how to access flow logs by using Cloud Logging.

    Access flow logs in the Logs Explorer

    VPC Flow Logs writes logs to the Google Cloud project of the log reporter. You can view flow logs in the Logs Explorer . VPC Flow Logs uses the following logs to collect log entries:

    • The compute.googleapis.com/vpc_flows log collects log entries for subnets. View this log if you enabled VPC Flow Logs by using the Compute Engine API .
    • For all other VPC Flow Logs configurations, view the networkmanagement.googleapis.com/vpc_flows log. This log collects log entries for Virtual Private Cloud (VPC) networks ( Preview ), subnets ( Preview ), VLAN attachments for Cloud Interconnect, and Cloud VPN tunnels.

    Configure IAM

    To configure access control for logging, see the access control guide for Logging .

    View flow logs by using resource filters

    To view flow logs in a Google Cloud project by using resource filters, see the following sections. You can also view these logs by using Logs Explorer queries, as described in Filter flow logs by using queries .

    View flow logs for all subnets ( compute.googleapis.com/vpc_flows )

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. Click All resources.

    3. In the Select resourcelist, click Subnetworkand then click Apply.

    4. Click All log names.

    5. In the Select log nameslist, find Compute Engine, click vpc_flows, and then click Apply.

    View flow logs for a specific subnet ( compute.googleapis.com/vpc_flows )

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. Click All resources.

    3. In the Select resourcelist, click Subnetwork.

    4. In the Subnetwork IDlist, select the subnet and then click Apply.

    5. Click All log names.

    6. In the Select log nameslist, find Compute Engine, click vpc_flows, and then click Apply.

    View flow logs for all resources ( networkmanagement.googleapis.com/vpc_flows )

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. Click All resources.

    3. In the Select resourcelist, click VPC Flow Logs Configand then click Apply.

    View flow logs for a specific configuration ( networkmanagement.googleapis.com/vpc_flows )

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. Click All resources.

    3. In the Select resourcelist, click VPC Flow Logs Configand select the VPC Flow Logs configuration that you want to view.

    4. Click Apply.

    Filter flow logs by using queries

    1. In the Google Cloud console, go to the Logs Explorerpage.

      Go to Logs Explorer

    2. If you don't see the query editor field in the Querypane, click the Show querytoggle.

    3. In the query editor field, enter a query:

      • If you enabled VPC Flow Logs for a subnet by using the Compute Engine API, to view flow logs, the query must target compute.googleapis.com . For example, enter the following query, replacing PROJECT_ID with your Google Cloud project ID and SUBNET_NAME with your subnet:

        resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
resource.labels.subnetwork_name=" SUBNET_NAME 
"

      • For all other queries, the query must target networkmanagement.googleapis.com . For example, to view flow logs for a specific source Cloud VPN tunnel, enter the following query:

        resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
jsonPayload.reporter="src_gateway"
labels.target_resource_name="projects/ PROJECT_ID 
/regions/ REGION 
/vpnTunnels/ NAME 
"

        Replace the following:

        • PROJECT_ID : the Google Cloud project ID
        • REGION : the region of the Cloud VPN tunnel
        • NAME : the name of the Cloud VPN tunnel

        For more examples of queries that you can run to view your flow logs, see Examples of Logs Explorer queries for VPC Flow Logs .

    4. Click Run query.

    Examples of Logs Explorer queries for VPC Flow Logs

    The following table provides examples of Logs Explorer queries that you can run to view your flow logs in a Google Cloud project.

    The examples in the Queries for the networkmanagement.googleapis.com/vpc_flows section assume that each resource is logged by a single VPC Flow Logs configuration. If you use multiple VPC Flow Logs configurations per resource, specify the configuration that you want to query to exclude duplicate logs from the query results. You can also specify multiple configurations in a query.

    Logs you want to view
    Query
    All flow logs
    resource.type=("gce_subnetwork" OR "vpc_flow_logs_config")
logName=("projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows" OR
"projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows")
    Queries for the compute.googleapis.com/vpc_flows log
    Logs for all subnets
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
    Logs for a specific subnet
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
resource.labels.subnetwork_name=" SUBNET_NAME 
"
    Logs for a specific virtual machine (VM) instance
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
(jsonPayload.src_instance.vm_name=" VM_NAME 
" OR
jsonPayload.dest_instance.vm_name=" VM_NAME 
")
    Logs for traffic to a specific subnet range
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
ip_in_net(jsonPayload.connection.dest_ip, SUBNET_RANGE 
)
    Logs for a specific Google Kubernetes Engine (GKE) cluster
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
(jsonPayload.src_gke_details.cluster.cluster_name=" CLUSTER_NAME 
" OR
jsonPayload.dest_gke_details.cluster.cluster_name=" CLUSTER_NAME 
")
    Logs for only egress traffic from a subnet
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows" AND
jsonPayload.reporter="SRC" AND
jsonPayload.src_vpc.subnetwork_name=" SUBNET_NAME 
" AND
(jsonPayload.dest_vpc.subnetwork_name!=" SUBNET_NAME 
"
 OR NOT jsonPayload.dest_vpc.subnetwork_name:*)
    Logs for all egress traffic from a Virtual Private Cloud (VPC) network
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows" AND
jsonPayload.reporter="SRC" AND
jsonPayload.src_vpc.vpc_name=" VPC_NAME 
" AND
(jsonPayload.dest_vpc.vpc_name!=" VPC_NAME 
" OR NOT jsonPayload.dest_vpc:*)
    Logs for an individual destination port
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.connection.dest_port= PORT 
jsonPayload.connection.protocol= PROTOCOL
    Logs for multiple destination ports
    resource.type="gce_subnetwork"
logName="projects/ PROJECT_ID 
/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.connection.dest_port=( PORT1 
OR PORT2 
)
jsonPayload.connection.protocol= PROTOCOL
    Queries for the networkmanagement.googleapis.com/vpc_flows log
    Logs for all VPC Flow Logs configurations
    resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
    Logs for a specific VPC Flow Logs configuration
    resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
resource.labels.name=" CONFIG_NAME 
"
    Logs for a specific source Cloud VPN tunnel
    resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
jsonPayload.reporter="src_gateway"
labels.target_resource_name="projects/ PROJECT_ID 
/regions/ REGION 
/vpnTunnels/ NAME 
"
    Logs for all destination VLAN attachments
    resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
jsonPayload.reporter="dest_gateway"
jsonPayload.dest_gateway.type="INTERCONNECT_ATTACHMENT"
    Logs for all destination VLAN attachments in a specific region
    resource.type="vpc_flow_logs_config"
logName="projects/ PROJECT_ID 
/logs/networkmanagement.googleapis.com%2Fvpc_flows"
jsonPayload.reporter="dest_gateway"
jsonPayload.dest_gateway.type="INTERCONNECT_ATTACHMENT"
jsonPayload.dest_gateway.location=" REGION 
"

    Replace the following:

    • PROJECT_ID : the project ID
    • SUBNET_NAME : the name of the subnet
    • VM_NAME : the name of the VM
    • SUBNET_RANGE : a CIDR range, such as 192.168.1.0/24
    • CLUSTER_NAME : the name of the GKE cluster
    • VPC_NAME : the name of the VPC network
    • PORT1 and PORT2 : the destination ports
    • PROTOCOL : the communication protocol
    • CONFIG_NAME : the name of the VPC Flow Logs configuration
    • REGION : the region of the VLAN attachment or Cloud VPN tunnel
    • NAME : the name of the Cloud VPN tunnel

    Route logs to BigQuery, Pub/Sub, and custom targets

    You can route flow logs from Logging to a destination of your choice as described in the Routing and storage overview in the Logging documentation. Refer to the previous section for example filters.

    Troubleshooting

    No vpc_flows appear in Logging for the gce_subnetwork resource

    • Confirm that logging is enabled for the given subnet.
    • VPC flows are only supported for VPC networks. If you have a legacy network , you don't see any logs.
    • In Shared VPC networks, logs only appear in the host project, not the service projects. Make sure that you look for the logs in the host project.
    • Logging exclusion filters block specified logs. Make sure that there are no exclusion rules that discard VPC Flow Logs:
      1. Go to Log router .
      2. In the More actionsmenu for your logging bucket, click View sink details.
      3. Make sure that there are no exclusion rules that might discard VPC Flow Logs.
    • Use the Google Cloud CLI or API to determine if a log filtering configuration is filtering all the traffic in a given subnet. For example, if filterExpr is set to false , you don't see any logs.

    No RTT or byte values on some of the logs

    • RTT measurements may be missing if not enough packets were sampled to capture RTT. This is more likely to happen for low volume connections.
    • RTT values are available only for TCP flows reported from VMs.
    • Some packets are sent with no payload. If header-only packets were sampled, the bytes value will be 0.

    Some flows are missing

    • Ingress packets are sampled after ingress VPC firewall rules . Make sure that there aren't any ingress firewall rules that deny the packets that you expect to be logged. If you're not sure whether VPC firewall rules are blocking ingress packets, you can enable Firewall Rules Logging and inspect the logs.
    • Only TCP, UDP, ICMP, ESP, and GRE protocols are supported. VPC Flow Logs does not support any other protocols.
    • Logs are sampled . Some packets in very low volume flows might be missed.

    Missing GKE annotations in some logs

    Make sure that your GKE cluster is a supported version .

    Missing logs for some GKE flows

    Make sure Intranode visibility is enabled in the cluster. Otherwise, flows between Pods on the same node are not logged.

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: