Access flow logs

This page describes how to access flow logs by using Cloud Logging.

Access flow logs in the Logs Explorer

You can view flow logs by using the Logs Explorer. In the Logs Explorer, you can use resource filters and queries to view your flow logs. Logs generated by VPC Flow Logs are grouped as follows:

  • Flow logs for subnets are available in the compute.googleapis.com/vpc_flows log.
  • Flow logs for VLAN attachments and Cloud VPN tunnels are available in the networkmanagement.googleapis.com/vpc_flows log (Preview).

Configure IAM

To configure access control for logging, see the access control guide for Logging.

Access flow logs by using resource filters

To view flow logs in a Google Cloud project by using resource filters, see the following sections. You can also view these logs by using Logs Explorer queries, as described in Access flow logs by using queries.

Access flow logs for all subnets

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Click All resources.

  3. In the Select resource list, click Subnetwork and then click Apply.

  4. Click All log names.

  5. In the Select log names list, find Compute Engine, click vpc_flows, and then click Apply.

Access flow logs for a specific subnet

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Click All resources.

  3. In the Select resource list, click Subnetwork.

  4. In the Subnetwork ID list, select the subnetwork and then click Apply.

  5. Click All log names.

  6. In the Select log names list, find Compute Engine, click vpc_flows, and then click Apply.

Access flow logs for all VLAN attachments and Cloud VPN tunnels

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Click All resources.

  3. In the Select resource list, click VPC Flow Logs Config and then click Apply.

Access flow logs for a specific VLAN attachment or Cloud VPN tunnel

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. Click All resources.

  3. In the Select resource list, click VPC Flow Logs Config and select the VPC Flow Logs configuration that collects flow logs for the VLAN attachment or Cloud VPN tunnel that you want to view.

  4. Click Apply.

Access flow logs by using queries

Console

  1. In the Google Cloud console, go to the Logs Explorer page.

  2. If you don't see the query editor field in the Query pane, click the Show query toggle.

  3. In the query editor field, enter a query:

    • To view flow logs for subnets, the query must target compute.googleapis.com. For example, to view flow logs for a specific subnet, enter the following query, replacing PROJECT_ID with your Google Cloud project ID and SUBNET_NAME with your subnetwork:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      resource.labels.subnetwork_name="SUBNET_NAME"
      
    • To view flow logs for VLAN attachments or Cloud VPN tunnels, the query must target networkmanagement.googleapis.com. For example, to view flow logs for a specific source Cloud VPN tunnel, enter the following query:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"
      jsonPayload.reporter="src_gateway"
      labels.target_resource_name="projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME"

      Replace the following:

      • PROJECT_ID: the Google Cloud project ID
      • REGION: the region of the Cloud VPN tunnel
      • NAME: the name of the Cloud VPN tunnel

    For more examples of queries that you can run to view your flow logs, see Examples of Logs Explorer queries for VPC Flow Logs.

  4. Click Run query.

Examples of Logs Explorer queries for VPC Flow Logs

The following examples show Logs Explorer queries that you can run to view your flow logs in a Google Cloud project.

  • All flow logs:

      resource.type=("gce_subnetwork" OR "vpc_flow_logs_config")
      logName=("projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" OR
      "projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows")

Queries for subnets

  • Logs for all subnets:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"

  • Logs for a specific subnet:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      resource.labels.subnetwork_name="SUBNET_NAME"

  • Logs for a specific virtual machine (VM) instance:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      (jsonPayload.src_instance.vm_name="VM_NAME" OR
      jsonPayload.dest_instance.vm_name="VM_NAME")

  • Logs for traffic to a specific subnetwork range:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      ip_in_net(jsonPayload.connection.dest_ip, SUBNET_RANGE)

  • Logs for a specific Google Kubernetes Engine (GKE) cluster:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      (jsonPayload.src_gke_details.cluster.cluster_name="CLUSTER_NAME" OR
      jsonPayload.dest_gke_details.cluster.cluster_name="CLUSTER_NAME")

  • Logs for only egress traffic from a subnetwork:

      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND
      jsonPayload.reporter="SRC" AND
      jsonPayload.src_vpc.subnetwork_name="SUBNET_NAME" AND
      (jsonPayload.dest_vpc.subnetwork_name!="SUBNET_NAME"
       OR NOT jsonPayload.dest_vpc.subnetwork_name:*)

  • Logs for all egress traffic from a Virtual Private Cloud (VPC) network:

      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows" AND
      jsonPayload.reporter="SRC" AND
      jsonPayload.src_vpc.vpc_name="VPC_NAME" AND
      (jsonPayload.dest_vpc.vpc_name!="VPC_NAME" OR NOT jsonPayload.dest_vpc:*)

  • Logs for an individual destination port:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      jsonPayload.connection.dest_port=PORT
      jsonPayload.connection.protocol=PROTOCOL

  • Logs for multiple destination ports:

      resource.type="gce_subnetwork"
      logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Fvpc_flows"
      jsonPayload.connection.dest_port=(PORT1 OR PORT2)
      jsonPayload.connection.protocol=PROTOCOL

Queries for VLAN attachments for Cloud Interconnect and Cloud VPN tunnels (Preview)

  • Logs for all VLAN attachments and Cloud VPN tunnels:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"

  • Logs for a specific VPC Flow Logs configuration:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"
      resource.labels.name="CONFIG_NAME"

  • Logs for a specific source Cloud VPN tunnel:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"
      jsonPayload.reporter="src_gateway"
      labels.target_resource_name="projects/PROJECT_ID/regions/REGION/vpnTunnels/NAME"

  • Logs for all destination VLAN attachments:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"
      jsonPayload.reporter="dest_gateway"
      jsonPayload.dest_gateway.type="INTERCONNECT_ATTACHMENT"

  • Logs for all destination VLAN attachments in a specific region:

      resource.type="vpc_flow_logs_config"
      logName="projects/PROJECT_ID/logs/networkmanagement.googleapis.com%2Fvpc_flows"
      jsonPayload.reporter="dest_gateway"
      jsonPayload.dest_gateway.type="INTERCONNECT_ATTACHMENT"
      jsonPayload.dest_gateway.location="REGION"

Replace the following:

  • PROJECT_ID: the Google Cloud project ID.
  • SUBNET_NAME: the name of the subnetwork.
  • VM_NAME: the name of the VM.
  • SUBNET_RANGE: a CIDR range, such as 192.168.1.0/24.
  • CLUSTER_NAME: the name of the GKE cluster.
  • VPC_NAME: the name of the VPC network.
  • PORT1 and PORT2: the destination ports.
  • PROTOCOL: the communication protocol.
  • CONFIG_NAME: the name of the VPC Flow Logs configuration for the VLAN attachment or Cloud VPN tunnel that you want to view.
  • REGION: the region of the VLAN attachment or Cloud VPN tunnel.
  • NAME: the name of the Cloud VPN tunnel.
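To see why the egress query for a subnetwork pairs `!=` with `NOT jsonPayload.dest_vpc.subnetwork_name:*`, the following added Python example (not from the Google Cloud documentation) applies the same three clauses to constructed, trimmed flow log entries held in memory, including an internet-bound flow that carries no dest_vpc block at all.

```python
# Added example (not from the Google Cloud documentation): a local model of the
# "egress traffic from a subnetwork" Logs Explorer query applied to flow log
# entries held in memory. It shows why the query needs the presence test
# `NOT jsonPayload.dest_vpc.subnetwork_name:*` as well as `!=`: traffic that
# leaves the VPC carries no dest_vpc block at all. Sample entries are constructed.


def field(entry, dotted_path):
    """Value at a dotted path such as 'jsonPayload.dest_vpc.subnetwork_name', or None if absent."""
    node = entry
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def is_egress_from_subnet(entry, subnet_name):
    """Mirror of the three clauses of the Logs Explorer filter for SUBNET_NAME."""
    if field(entry, "jsonPayload.reporter") != "SRC":
        return False
    if field(entry, "jsonPayload.src_vpc.subnetwork_name") != subnet_name:
        return False
    dest_subnet = field(entry, "jsonPayload.dest_vpc.subnetwork_name")
    # `dest != SUBNET_NAME OR NOT dest:*`: a missing field means egress, not a miss.
    return dest_subnet is None or dest_subnet != subnet_name


def egress_flows(entries, subnet_name):
    return [e for e in entries if is_egress_from_subnet(e, subnet_name)]


def flow(reporter, src_subnet, dest_subnet=None):
    """Constructed, trimmed VPC Flow Logs entry with only the fields this filter reads."""
    payload = {"reporter": reporter, "src_vpc": {"subnetwork_name": src_subnet}}
    if dest_subnet is not None:  # internet-bound flows carry no dest_vpc block
        payload["dest_vpc"] = {"subnetwork_name": dest_subnet}
    return {"jsonPayload": payload}


SAMPLE_ENTRIES = [
    flow("SRC", "app-subnet", "app-subnet"),  # same subnet: not egress
    flow("SRC", "app-subnet", "db-subnet"),   # other subnet in the VPC: egress
    flow("SRC", "app-subnet"),                # internet-bound, no dest_vpc: egress
    flow("DEST", "app-subnet", "db-subnet"),  # seen from the destination: excluded
]

if __name__ == "__main__":
    print(len(egress_flows(SAMPLE_ENTRIES, "app-subnet")))  # 2
```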

Route logs to BigQuery, Pub/Sub, and custom targets

You can route flow logs from Logging to a destination of your choice as described in the Routing and storage overview in the Logging documentation. Refer to the previous section for example filters.

Troubleshooting

No vpc_flows appear in Logging for the gce_subnetwork resource

  • Confirm that logging is enabled for the given subnet.
  • VPC flows are only supported for VPC networks. If you have a legacy network, you don't see any logs.
  • In Shared VPC networks, logs only appear in the host project, not the service projects. Make sure that you look for the logs in the host project.
  • Logging exclusion filters block specified logs. Make sure that there are no exclusion rules that discard VPC Flow Logs:
    1. Go to Log router.
    2. In the More actions menu for your logging bucket, click View sink details.
    3. Make sure that there are no exclusion rules that might discard VPC Flow Logs.
  • Use the Google Cloud CLI or API to determine if a log filtering configuration is filtering all the traffic in a given subnet. For example, if filterExpr is set to false, you don't see any logs.
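As an added example that is not part of this documentation, the following Python script reads a subnet's logConfig block (as returned by `gcloud compute networks subnets describe SUBNET --region REGION --format=json`) and reports the subnet-level settings that would leave you with no vpc_flows: logging disabled, a filterExpr of literal `false` as described above, or a flowSampling of 0. The SAMPLE_CONFIGS are constructed; only the literal `false` filter is recognised, not other expressions that happen to match nothing.

```python
# Added example (not from the Google Cloud documentation): a check for the
# subnet-level causes of "no vpc_flows" listed above, run against the logConfig
# block that `gcloud compute networks subnets describe SUBNET --region REGION
# --format=json` returns. The SAMPLE_CONFIGS below are constructed.
import json
import subprocess


def diagnose_log_config(log_config):
    """Return the reasons a subnet's logConfig produces no flow logs (empty list = none found)."""
    reasons = []
    if not log_config.get("enable", False):
        reasons.append("flow logging is not enabled on the subnet (logConfig.enable is false)")
    # The page's example: a filter expression of literal `false` drops every flow.
    if str(log_config.get("filterExpr", "true")).strip().lower() == "false":
        reasons.append("filterExpr is 'false', so the filter discards all traffic")
    # flowSampling is the 0.0..1.0 fraction of flows sampled; 0.0 reports nothing.
    if log_config.get("flowSampling", 0.5) == 0:
        reasons.append("flowSampling is 0, so no sampled flows are reported")
    return reasons


def diagnose_subnet(subnet_name, region):
    """Fetch a subnet with gcloud and diagnose its logConfig (needs an authenticated gcloud)."""
    out = subprocess.run(
        ["gcloud", "compute", "networks", "subnets", "describe", subnet_name,
         "--region", region, "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return diagnose_log_config(json.loads(out).get("logConfig", {}))


# Constructed logConfig blocks in the shape the Compute API returns.
SAMPLE_CONFIGS = {
    "healthy": {"enable": True, "filterExpr": "true", "flowSampling": 0.5},
    "disabled": {"enable": False},
    "filtered-out": {"enable": True, "filterExpr": "false", "flowSampling": 1.0},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        print(name, diagnose_log_config(cfg) or ["no subnet-level cause found"])
```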

No RTT or byte values on some of the logs

  • RTT measurements may be missing if not enough packets were sampled to capture RTT. This is more likely to happen for low volume connections.
  • RTT values are available only for TCP flows reported from VMs.
  • Some packets are sent with no payload. If header-only packets were sampled, the bytes value will be 0.

Some flows are missing

  • Ingress packets are sampled after ingress VPC firewall rules. Make sure that there aren't any ingress firewall rules that deny the packets that you expect to be logged. If you're not sure whether VPC firewall rules are blocking ingress packets, you can enable Firewall Rules Logging and inspect the logs.
  • Only TCP, UDP, ICMP, ESP, and GRE protocols are supported. VPC Flow Logs does not support any other protocols.
  • Logs are sampled. Some packets in very low volume flows might be missed.

Missing GKE annotations in some logs

Make sure that your GKE cluster is a supported version.

Missing logs for some GKE flows

Make sure Intranode visibility is enabled in the cluster. Otherwise, flows between Pods on the same node are not logged.