This page describes how to find and use Cloud Logging to view and query logs for your Cloud SQL instance.
Cloud SQL uses Cloud Logging. See the cloud logging documentation for complete information and review the Cloud SQL sample queries.
View logs
To view logs for your Cloud SQL instance log entries:
Console
-
In the Google Cloud console, go to the Cloud Logging page.
- Select an existing Cloud SQL project at the top of the page.
- In the Query builder, add the following:
- Resource: select Cloud SQL Database. In the dialog, select a Cloud SQL instance.
- Log names: scroll to the Cloud SQL section and select
appropriate log files for your instance. For example:
- cloudsql.googleapis.com/sqlagent.out
- cloudsql.googleapis.com/sqlserver.err
- Severity: select a log level.
- Time range: select a preset or create a custom range.
gcloud
Use the gcloud logging
command to view log entries. In the example below, replace PROJECT_ID
.
The limit
flag is an optional parameter that indicates the maximum number of entries to
return.
gcloud logging read "resource.type=cloudsql_database" \ --project=PROJECT-ID \ --limit=10 \ --format=json
View instance operations log
You can view the logs for an instance in the Operations pane. The Operations pane logs every operation performed on the instance with the following information:
- The time the operation completed, reported in your local time zone.
- The type of operation.
- The status of the operation.
- A message describing the outcome the operation.
If the operation fails, you can use the message to troubleshoot the problem.
To view an instance operations log:
-
In the Google Cloud console, go to the Cloud SQL Instances page.
- To open the Overview page of an instance, click the instance name.
- Click Operations to change to the pane showing the operation log.
View application logs
Applications that connect to Cloud SQL store their logs in different locations.
App Engine (flexible environment)
In Compute > App Engine > Services:
- In the list of services, find your service.
- Click on the Tools dropdown.
- Select logs
In the Operations > Logging > Logs explorer section of Google Cloud console, use the following query:
resource.type="gae_app"
resource.labels.module_id="default"
Cloud Run
View the logs in the Cloud Run Logs Explorer section of the Google Cloud console. Note that Cloud Run reports only error messages from the Cloud SQL Auth Proxy. Use a query like the following:
resource.type="cloud_run_revision"
resource.labels.service_name="$SERVICE_NAME"
resource.labels.revision_name="$REVISION_NAME"
Cloud SQL Auth Proxy
In Operations > Logging > Logs explorer, use the following query:
log_id("appengine.googleapis.com/cloud-sql-proxy")
View audit logs
You can view the following types of audit logs for your Cloud SQL instances:
- Admin Activity: include administrator operations that write metadata or configuration information. You can't deactivate these logs.
- Data Access: include administrator operations that read metadata or configuration information. These logs also include operations that read or write user-provided data. To receive Data Access audit logs, you must enable them explicitly.
- System Event: identify automated actions in Google Cloud that modify the configuration of resources. You can't deactivate these logs.
For more information about viewing Admin Activity, Data Access, and System Event audit logs, see View logs.
Pricing
For more information about Cloud Logging pricing, see Cloud Logging pricing summary.
Troubleshoot
Issue | Troubleshooting |
---|---|
Audit logs are not found. | Data-Access logs are only written if the operation is an authenticated user-driven API call that creates, modifies, or reads user-created data, or if the operation accesses configuration files or metadata of resources. |
Operations information is not found in logs. | You want to find more information about an operation.
For example, a user was deleted but you can't find out who did it. The logs show the operation started but don't provide any more information. You must enable audit logging for detailed and personal identifying information (PII) like this to be logged. |
Some logs are filtered from the error.log log of a
Cloud SQL for SQL Server instance.
|
Filtered logs include
AD logs without timestamps, and include:
Login failed for user 'x'. Reason: Token-based server access
validation failed with an infrastructure error. Login lacks connect endpoint
permission. [CLIENT: 127.0.0.1] . These logs are filtered because
they potentially can cause confusion.
|
Log files are hard to read. | You'd rather view the logs as json or text.You can use the
gcloud logging read
command along with linux post-processing commands to download the logs.
To download the logs as JSON: gcloud logging read \ "resource.type=cloudsql_database \ AND logName=projects/PROJECT_ID \ /logs/cloudsql.googleapis.com%2FLOG_NAME" \ --format json \ --project=PROJECT_ID \ --freshness="1d" \ > downloaded-log.json To download the logs as TEXT: gcloud logging read \ "resource.type=cloudsql_database \ AND logName=projects/PROJECT_ID \ /logs/cloudsql.googleapis.com%2FLOG_NAME" \ --format json \ --project=PROJECT_ID \ --freshness="1d"| jq -rnc --stream 'fromstream(1|truncate_stream(inputs)) \ | .textPayload' \ --order=asc > downloaded-log.txt |