Send Data to Google Cloud Logging

Configure Edge Delta to stream logs to Google Cloud Logging using the Google Cloud Logging destination node.

  3 minute read  

Overview

You can send logs from an Edge Delta pipeline to Google’s Cloud Logging by adding a Google Cloud Logging destination node. See Google Cloud Logging with OTTL for configuration details.

Note: This guide applies to the google_cloud_logging_with_ottl_output node, which replaces the legacy google_cloud_logging_output node. The new node supports dynamic field construction using OTTL expressions.

Configure Cloud Logging

  1. Service Account with JSON Credentials (Default Method):

    • Create a Service Account. Ensure that it has an IAM role that allows it to push to the Google Cloud API (Logging scope).
    • Add a new key for the newly created service account.
    • Download the credentials file containing the private key. Store it in a secure location. This is the path you specify with the credentials_path parameter when configuring the Edge Delta agent.

  2. Service Account with Workload Identity (Recommended for GKE):

    • If using GKE, configure Edge Delta to utilize Workload Identity for authentication:
      1. Follow the steps provided by Google in the Workload Identity documentation.
      2. Ensure that you create an IAM allow policy that references the Kubernetes ServiceAccount. Specifically, grant the role roles/logging.logWriter to the IAM allow policy you just created. Below is an example on how to do it: 
        gcloud projects add-iam-policy-binding projects/PROJECT_ID \
--role=roles/logging.logWriter \
--member=principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/PROJECT_ID.svc.id.goog/subject/ns/NAMESPACE/sa/KSA_NAME \
--condition=None

Configure Kubernetes

If the Edge Delta agents are installed in a Kubernetes environment, depending on the authentication method chosen:

  1. With JSON Credentials:

    • Create a secret using the credentials file you downloaded from Cloud Logging: 
      kubectl create secret generic secret-name --from-file /path/to/credentials-file.json

      Note: Replace /path/to/credentials-file.json with the location and name of the downloaded credentials file.

  2. Using Workload Identity:

    • Ensure that the necessary Kubernetes and IAM setup as detailed in the Workload Identity documentation is complete.
    • Omit the credentials_path parameter in the configuration.

Edge Delta Configuration

Next you configure the Google Cloud Logging destination node.

With JSON Credentials

nodes:
- name: google_cloud_logging_output
  type: google_cloud_logging_with_ottl_output
  log_name: attributes["log_name"]
  credentials_path: /etc/credentials/test-gcp-cl.json

Using Workload Identity

nodes:
- name: google_cloud_logging_output
  type: google_cloud_logging_with_ottl_output
  log_name: attributes["log_name"]
  # credentials_path: Not specified for Workload Identity

With Dynamic Resource Values

The resource_type_expression parameter is used to define an expression to fetch the resource type per incoming item dynamically. If not defined, "logging_log" will be used for all entries. In this example, the expression is configured as follows:

  1. Check for resource_type Attribute: The expression begins by checking if the item has an attributes field and if that field contains a resource_type key using the has(item.attributes.resource_type) function. This ensures that the expression only attempts to access resource_type if it actually exists within item.attributes.
  2. Check for Non-Empty resource_type: The expression further checks if item.attributes.resource_type is not an empty string item.attributes.resource_type != "". This ensures that the resource_type is not only present but also contains a meaningful value.
  3. Conditional Assignment: If both conditions are met the expression evaluates to item.attributes.resource_type, using the value from the item’s attributes. If either condition fails, the expression defaults to "default_resource_type".
  - name: my_google_cloud_logging_output
    type: google_cloud_logging_with_ottl_output
    log_name: projects/my-project/logs/my-log-bucket
    credentials_path: /path/to/credentials.json
    resource_type_expression: 'has(item.attributes.resource_type) && item.attributes.resource_type != "" ? item.attributes.resource_type : "default_resource_type"'