GCP Cloud Logging
Connect Google Cloud Logging using a service account with read access
The GCP adapter uses the Cloud Logging API to query logs during
analyses. You'll need a service account with roles/logging.viewer
plus the JSON key.
Prerequisites
| Need | Notes |
|---|---|
| GCP project | The project where logs are stored |
| Service account | With roles/logging.viewer |
| JSON key | Service account key file |
| Log filter patterns | Cloud Logging filter expressions |
Setup walkthrough
Create a service account
In the GCP Console, go to IAM & Admin → Service Accounts → Create
Service Account. Name it something like sigsentry-logs-reader.
Grant the role:
| Role | Purpose |
|---|---|
| roles/logging.viewer | Read access to logs |
Skip the "Grant users access to this service account" step — you don't need to delegate.
For tighter scoping, restrict via the Conditions field on the role binding — e.g. only logs from specific log names or resource types.
Generate a JSON key
On the service account's page, Keys → Add key → Create new key → JSON. Download the JSON file and keep it safe — there's no way to retrieve it again.
Add the log source in SigSentry
Project → Log Sources → Add log source. Pick GCP Cloud Logging
and name it gcp-prod or similar.
Enter credentials
| Field | Value |
|---|---|
| Project ID | The GCP project ID where logs live |
| Service account JSON | Paste the entire JSON key file content |
The JSON is encrypted at rest and only used for authenticating to the Cloud Logging API.
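A pre-flight check to run before pasting the key, added here as an example and not SigSentry's or Google's own code: it confirms the key is a service account key for the Project ID you are about to enter, and that the account holds roles/logging.viewer and nothing else in that project's IAM policy. The function name preflight, the sample key and the sample policy are constructed for illustration; the policy JSON has the shape returned by gcloud projects get-iam-policy PROJECT_ID --format=json.

```python
import json

EXPECTED_ROLE = "roles/logging.viewer"
SA_EMAIL = "sigsentry-logs-reader@my-project.iam.gserviceaccount.com"

# Constructed sample key; a real key file also carries private_key (omitted here).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "client_email": SA_EMAIL,
})

# Constructed sample project IAM policy with one binding too many.
SAMPLE_POLICY = json.dumps({"version": 3, "bindings": [
    {"role": "roles/logging.viewer", "members": ["serviceAccount:" + SA_EMAIL]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com", "serviceAccount:" + SA_EMAIL]},
]})


def preflight(key_json, policy_json, project_id):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        findings.append("key is not a service account key")
    if key.get("project_id") != project_id:
        findings.append(
            f"key belongs to project {key.get('project_id')!r}, not {project_id!r}")
    # Collect every role bound directly to this service account in the project.
    member = "serviceAccount:" + key.get("client_email", "")
    roles = {b["role"] for b in json.loads(policy_json).get("bindings", [])
             if member in b.get("members", [])}
    if EXPECTED_ROLE not in roles:
        findings.append(f"{EXPECTED_ROLE} is not bound in this project")
    for role in sorted(roles - {EXPECTED_ROLE}):
        findings.append(f"excess role {role}")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_KEY, SAMPLE_POLICY, "my-project"):
        print("FINDING:", finding)
```

The project policy does not show roles inherited from a folder or organization, or granted through a group the account belongs to, so check those separately.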
Add log filters
Paste Cloud Logging filter expressions, one per line:
resource.type="k8s_container" resource.labels.namespace_name="prod"
resource.type="cloud_run_revision" resource.labels.service_name="checkout-api"
logName="projects/my-project/logs/run.googleapis.com%2Fstderr"

Each line is a complete filter expression and is queried independently.
Test and save
Click Test connection. You should see Connected plus sample log entries from a small recent window. Click Save.
What you'll see in results
Each GCP log entry shown in an analysis includes:
- Timestamp
- Log level (mapped from GCP severity)
- Service name (from resource.labels.service_name, resource.labels.container_name, or resource.labels.namespace_name)
- Message (from textPayload or jsonPayload.message)
- Resource labels and full jsonPayload carried through as metadata
Quirks
| Quirk | Notes |
|---|---|
| Severity values | GCP uses uppercase severity strings (ERROR, INFO); we lowercase them |
| Structured vs text payloads | Both are supported; structured payloads expose the full JSON in metadata |
| Log routing | If you've routed logs to a different project, point Project ID at the destination |
Troubleshooting
| Error | Fix |
|---|---|
| 401 PERMISSION_DENIED | Service account lacks roles/logging.viewer; re-grant |
| 403 forbidden | Logs may be in a different project than the JSON key's project |
| Invalid filter | Filter syntax error — test the expression in the GCP Logs Explorer first |
| Empty results despite log activity | Filter too narrow or wrong project; verify in Logs Explorer with the same filter |
