gcp-cloud-logging

$npx mdskill add automateyournetwork/netclaw/gcp-cloud-logging

Search and analyze Google Cloud Platform logs for troubleshooting and auditing

  • Investigate denied VPC traffic, audit VM deletions, and analyze firewall rule hits
  • Uses Google Cloud Logging API, VPC flow logs, audit logs, and firewall logs
  • Filters logs by project, time range, resource, and log severity or message content
  • Returns structured log entries, bucket details, and view configurations for analysis

SKILL.md

.github/skills/gcp-cloud-loggingView on GitHub ↗
---
name: gcp-cloud-logging
description: "Google Cloud Logging — log search, VPC flow logs, firewall logs, audit logs, log buckets and views. Use when searching GCP logs, investigating denied VPC flow traffic, checking who deleted a VM, analyzing firewall rule hits, or troubleshooting a GCP application error."
version: 1.0.0
license: Apache-2.0
tags: [gcp, cloud-logging, logs, flow-logs, audit, firewall-logs]
---

# GCP Cloud Logging

## MCP Server

- **Endpoint**: `https://logging.googleapis.com/mcp` (Streamable HTTP)
- **Auth**: OAuth 2.0 via Google IAM — service account key (`GOOGLE_APPLICATION_CREDENTIALS`) or `gcloud auth application-default login`
- **Requires**: `GCP_PROJECT_ID` environment variable

## Available Tools (6)

| Tool | What It Does |
|------|-------------|
| `list_log_entries` | Search and retrieve log entries — the primary tool for debugging, error hunting, and audit |
| `list_log_names` | Discover what logs exist in a project — find available log sources |
| `get_bucket` | Get details of a specific log bucket (storage container for logs) |
| `list_buckets` | List all log buckets in a project |
| `get_view` | Get a specific log view (fine-grained access filter on a bucket) |
| `list_views` | List log views in a bucket |

## Workflow: VPC Flow Log Analysis

When investigating GCP network traffic:

1. **Discover logs**: `list_log_names` — find `compute.googleapis.com/vpc_flows`
2. **Query flow logs**: `list_log_entries` filtered by:
   - Source/destination IP
   - Port and protocol
   - Action (ALLOWED/DENIED)
   - Time range
3. **Denied traffic**: Filter for `reporter="DEST"` and denied connections
4. **Top talkers**: Aggregate by source/destination IP and bytes
5. **Cross-reference**: Use `gcp-cloud-monitoring` for network metrics during the same period
6. **Report**: Traffic analysis with security findings

## Workflow: Firewall Log Investigation

When investigating GCP firewall rule activity:

1. **Discover logs**: `list_log_names` — find `compute.googleapis.com/firewall`
2. **Query firewall logs**: `list_log_entries` filtered by:
   - Rule name
   - Action (ALLOWED/DENIED)
   - Source/destination IP
   - Port
3. **Denied connections**: Find blocked traffic patterns
4. **Rule effectiveness**: Which rules are hitting most frequently?
5. **Report**: Firewall activity summary with recommendations

## Workflow: Audit Trail Investigation

When investigating GCP API activity (equivalent of AWS CloudTrail):

1. **Admin activity logs**: `list_log_entries` for `cloudaudit.googleapis.com/activity` — who created/modified/deleted resources?
2. **Data access logs**: `list_log_entries` for `cloudaudit.googleapis.com/data_access` — who read what?
3. **Filter by principal**: Narrow to specific user or service account
4. **Filter by method**: Narrow to specific API calls (e.g., `compute.instances.delete`)
5. **Time window**: Focus on the incident period
6. **Report**: Audit timeline with responsible principals and actions

## Workflow: Troubleshooting with Logs

When debugging a GCP issue:

1. **Application logs**: `list_log_entries` for the affected service
2. **Error filtering**: Filter by severity (ERROR, CRITICAL, EMERGENCY)
3. **Instance logs**: Filter by `resource.labels.instance_id` for specific VMs
4. **Correlate**: Match timestamps with `gcp-cloud-monitoring` alert violations
5. **Bucket check**: `list_buckets` to verify log retention settings
6. **Report**: Root cause analysis with log evidence

## Common GCP Log Sources

| Log Name | What It Contains |
|----------|-----------------|
| `compute.googleapis.com/vpc_flows` | VPC flow logs — source/dest IP, port, bytes, packets, action |
| `compute.googleapis.com/firewall` | Firewall rule hits — allowed/denied connections with rule name |
| `cloudaudit.googleapis.com/activity` | Admin activity audit — resource create/modify/delete events |
| `cloudaudit.googleapis.com/data_access` | Data access audit — read operations on resources |
| `cloudaudit.googleapis.com/system_event` | System events — Google-initiated actions (live migration, etc.) |
| `compute.googleapis.com/shielded_vm_integrity` | Shielded VM boot integrity verification |
| `dns.googleapis.com/dns_queries` | Cloud DNS query logs |
| `loadbalancing.googleapis.com/requests` | Load balancer access logs |
| `networksecurity.googleapis.com/firewall_threat` | Cloud IDS / Firewall threat detection |

## Log Query Filter Examples

```
# VPC flow logs — denied traffic to port 443
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=443

# Firewall — denied SSH attempts
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=22

# Audit — who deleted VMs in the last hour
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="compute.instances.delete"
timestamp>="2026-01-01T00:00:00Z"

# DNS queries from specific source
resource.type="dns_query"
jsonPayload.sourceIP="10.0.1.50"
```

## Important Rules

- **Remote MCP server** — hosted by Google, no local install needed
- **OAuth 2.0 authentication** — uses IAM for access control
- **Project-scoped** — logs are scoped to the configured GCP project
- **Log queries have cost implications** — Cloud Logging charges for data scanned beyond free tier (50 GB/month free)
- **Retention varies** — Admin activity logs: 400 days, Data access logs: 30 days (default), VPC flow logs: depends on bucket config
- **Record in GAIT** — log all investigations for audit trail

## Environment Variables

- `GCP_PROJECT_ID` — Google Cloud project ID
- `GOOGLE_APPLICATION_CREDENTIALS` — Path to service account key JSON file

More from automateyournetwork/netclaw

SkillDescription
aap-automationRed Hat Ansible Automation Platform — inventory management, job template execution, project SCM sync, ad-hoc commands, host management, Galaxy content discovery. Use when automating infrastructure with Ansible, running playbooks, managing inventories, or searching for Ansible collections and roles.
aap-edaEvent-Driven Ansible (EDA) — activation lifecycle, rulebook management, decision environments, event stream monitoring. Use when managing event-driven automation triggers, enabling/disabling activations, or reviewing EDA rulebooks.
aap-lintansible-lint playbook and role validation — syntax checking, best practice enforcement, project-wide analysis, rule filtering. Use when validating Ansible playbooks, checking code quality, or enforcing automation best practices before deployment.
aci-change-deploySafe ACI policy change deployment - ServiceNow CR lifecycle, pre/post-change fault baselines, APIC policy application, automatic rollback on fault delta, and GAIT audit trail. Use when deploying ACI policy changes, creating tenants or EPGs, pushing config to APIC, or running a change window with rollback protection.
aci-fabric-auditComprehensive Cisco ACI fabric health audit - node status, tenant/VRF/BD/EPG policy review, contract analysis, fault triage, and endpoint learning verification. Use when auditing ACI fabric health, checking for faults, reviewing tenant policies, or running pre/post-change baselines on APIC.
arista-cvpArista CloudVision Portal (CVP) automation via REST API — device inventory, events, connectivity monitoring, tag management (4 tools). Use when managing Arista devices, checking CloudVision events, monitoring network connectivity probes, or tagging devices in CVP.
aruba-cx-configView and manage Aruba CX switch configurations, perform ISSU upgrades, and firmware operations
aruba-cx-interfacesMonitor Aruba CX switch interface status, LLDP neighbors, and optical transceiver health
aruba-cx-switchingView and manage Aruba CX switch VLANs and MAC address tables for Layer 2 operations
aruba-cx-systemDiscover Aruba CX switch system information, firmware versions, and VSF topology