Google Cloud Armor per-request logs for security policy name, match rule priority, associated action, and related information are logged as part of logging for external Application Load Balancers and external proxy Network Load Balancers. Logging for new backend services is disabled by default, so you must enable logging to record complete logging information for Google Cloud Armor.
Google Cloud Armor logs are part of the Cloud Load Balancing logs. This means that Google Cloud Armor log generation is subject to the log sampling rate configured for your load balancer. If you reduce the sampling rate for your load balancer, your Google Cloud Armor requests logs are sampled at that reduced rate. In addition, if you use cross-project service referencing, logs are generated under the host or service project that includes your load balancer's frontend and URL map. Therefore, we recommend that administrators in the frontend project grant permissions to read logs and metrics to administrators in the backend project.
Using logging, you can view every request evaluated by a Google Cloud Armor
security policy and the outcome or action taken based on the highest priority
matching rule. For example, to view denied requests, you can use filters such as
jsonPayload.enforcedSecurityPolicy.outcome="DENY"
or
jsonPayload.statusDetails="denied_by_security_policy"
.
To enable logging for an external Application Load Balancer, see External Application Load Balancer logging and monitoring. For the external proxy Network Load Balancer, you can use the Google Cloud CLI commands as listed in the previous External Application Load Balancer logging and monitoring page. You cannot enable logging for the external proxy Network Load Balancer using the Google Cloud console.
In addition, you can set different logging levels to help you evaluate whether your security policies and their rules are working as intended. For complete information, see Verbose logging.
Security policy log entries
The following log entries in the Logs Explorer are for Google Cloud Armor
security policy and rules logging. The entries include the following structure
in jsonPayload
. HTTP request details appear in the httpRequest
message.
statusDetails
(string): a textual description of the response code.redirected_by_security_policy
: the request was redirected by a redirect rule, eitherGOOGLE_RECAPTCHA
orEXTERNAL_302
.denied_by_security_policy
: a request was denied by the load balancer because of a Google Cloud Armor security policy.body_denied_by_security_policy
: a request body was denied by the load balancer because of a Google Cloud Armor security policy.
enforcedSecurityPolicy
: the security policy rule that was enforced.name
(string): the name of the security policy.priority
(number): the priority of the matching rule in the security policy.adaptiveProtection
: information about the automatically deployed Adaptive Protection rule, if applicable.autoDeployAlertId
: the alert ID of the events that Adaptive Protection detected.
configuredAction
(string): the name of the configured action in the matching rule—for example,ALLOW
,DENY
,GOOGLE_RECAPTCHA
,EXTERNAL_302
,THROTTLE
(for a throttle rule),RATE_BASED_BAN
(for a rate-based ban rule).rateLimitAction
: information about the rate limit action when a throttle rule or rate-based ban rule is matched.key
(string): rate limit key value (up to 32 bytes). This field is omitted if the key type isALL
, or if the key type isHTTP-HEADER
orHTTP-COOKIE
and the specified header or cookie is not present in the request.outcome
(string): possible values are as follows:"RATE_LIMIT_THRESHOLD_CONFORM"
if under the configured rate limit threshold."RATE_LIMIT_THRESHOLD_EXCEED"
if above the configured rate limit threshold."BAN_THRESHOLD_EXCEED"
if above the configured ban threshold.
outcome
(string): the outcome of executing the configured action—for example,ACCEPT
,DENY
,REDIRECT
,EXEMPT
.preconfiguredExprIds
(string): the IDs of all preconfigured WAF rule expressions that triggered the rule.threatIntelligence
: information about the matched IP address list(s) from Threat Intelligence, if applicable.categories
: (string) the matched IP address list name(s).
previewSecurityPolicy
: populated if a request matches a rule configured for preview (present only when a preview rule would have taken priority over the enforced rule).name
(string): the name of the security policypriority
(number): the priority of the matching rule in the security policy.configuredAction
(string): the name of the configured action in the matching rule—for example,ALLOW
,DENY
,GOOGLE_RECAPTCHA
,EXTERNAL_302
,THROTTLE
(for a throttle rule),RATE_BASED_BAN
(for a rate-based ban rule).rateLimitAction
: information about the rate limit action when a throttle rule or rate-based ban rule is matched.key
(string): rate limit key value (up to 32 bytes). This field is omitted if the key type isALL
, or if the key type isHTTP-HEADER
orHTTP-COOKIE
and the specified header or cookie is not present in the request.outcome
(string): possible values are as follows:"RATE_LIMIT_THRESHOLD_CONFORM"
if under the configured rate limit threshold."RATE_LIMIT_THRESHOLD_EXCEED"
if above the configured rate limit threshold."BAN_THRESHOLD_EXCEED"
if above the configured ban threshold.
outcome
(string): the outcome of executing the configured.outcome
(string): the outcome of executing the configured action—for example,ACCEPT
,DENY
,REDIRECT
,EXEMPT
.preconfiguredExprIds
(string): the IDs of all preconfigured WAF rule expressions that triggered the rule.threatIntelligence
: information about the matched IP address list(s) from Threat Intelligence, if applicable.categories
: (string) the matched IP address list name(s).
enforcedEdgeSecurityPolicy
(Preview): the edge security policy rule that was enforced.name
(string): the name of the security policy.priority
(number): the priority of the matching rule in the security policy.configuredAction
(string): the name of the configured action in the matching rule—for example,ALLOW
,DENY
.outcome
(string): the outcome of executing the configured action—for example,ACCEPT
,DENY
.
previewEdgeSecurityPolicy
(Preview): populated if a request matches an edge security policy rule configured for preview (present only when a preview rule would have taken priority over the enforced rule).name
(string): the name of the security policy.priority
(number): the priority of the matching rule in the security policy.configuredAction
(string): the name of the configured action in the matching rule—for example,ALLOW
,DENY
.outcome
(string): the outcome of executing the configured action—for example,ACCEPT
,DENY
.
Viewing logs
You can view the logs for a Google Cloud Armor security policy only in the Google Cloud console.
Console
In the Google Cloud console, go to Google Cloud Armor policies.
Click
Actions.Select View logs.
Request data logging
When used with Google Cloud Armor, jsonPayload
has the following additional
field:
securityPolicyRequestData
: data pertaining to the request while being processed by a security policy, regardless of which rule is matched eventually.recaptchaActionToken
: data related to a reCAPTCHA action-token.score (float)
: a user legitimacy score embedded in a reCAPTCHA action-token. Only present when a reCAPTCHA action-token is attached with the request and it is decoded successfully based on a security policy rule. For more information, see Enforce reCAPTCHA assessment.
recaptchaSessionToken
: data related to a reCAPTCHA session-token.score (float)
: a user legitimacy score embedded in a reCAPTCHA session-token. Only present when a reCAPTCHA session-token is attached with the request and it is decoded successfully based on a security policy rule.
tlsJa3Fingerprint
: a JA3 TTL/SSL fingerprint if the client connects usingHTTPS
,HTTP/2
, orHTTP/3
. Only present if the fingerprint is available and there is a security policy that evaluates the request (regardless of whether an expression in the policy matches on the request).
Log examples
The following is an example of log details for a throttle rule that blocks a request:
jsonPayload: { enforcedSecurityPolicy: { priority: 100 name: "sample-prod-policy" configuredAction: "THROTTLE" outcome: "DENY" rateLimitAction: { key:"sample-key" outcome:"RATE_LIMIT_THRESHOLD_EXCEED" } } @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry" statusDetails: "denied_by_security_policy" } httpRequest: {8} resource: {2} timestamp: "2021-03-17T19:16:48.185763Z"
The following is an example of log details for a rate-based ban rule that blocks a request:
jsonPayload: { @type: "type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry" enforcedSecurityPolicy: { priority: 150 name: "sample-prod-policy" outcome: "DENY" configuredAction: "RATE_BASED_BAN" rateLimitAction: { key:"sample-key" outcome:"BAN_THRESHOLD_EXCEED" } } statusDetails: "denied_by_security_policy" } httpRequest: {8} resource: {2} timestamp: "2021-03-17T19:27:17.393244Z"
What's next
Learn about Troubleshooting Google Cloud Armor issues.