gcp-cloud-logging
GCP Cloud Logging
MCP Server
- Endpoint: https://logging.googleapis.com/mcp (Streamable HTTP)
- Auth: OAuth 2.0 via Google IAM — service account key (GOOGLE_APPLICATION_CREDENTIALS) or gcloud auth application-default login
- Requires: GCP_PROJECT_ID environment variable
Available Tools (6)
| Tool | What It Does |
|---|---|
| list_log_entries | Search and retrieve log entries — the primary tool for debugging, error hunting, and audit |
| list_log_names | Discover what logs exist in a project — find available log sources |
| get_bucket | Get details of a specific log bucket (storage container for logs) |
| list_buckets | List all log buckets in a project |
| get_view | Get a specific log view (fine-grained access filter on a bucket) |
| list_views | List log views in a bucket |
Workflow: VPC Flow Log Analysis
When investigating GCP network traffic:
- Discover logs: list_log_names — find compute.googleapis.com/vpc_flows
- Query flow logs: list_log_entries filtered by:
  - Source/destination IP
  - Port and protocol
  - Action (ALLOWED/DENIED)
  - Time range
- Denied traffic: Filter for reporter="DEST" and denied connections
- Top talkers: Aggregate by source/destination IP and bytes
- Cross-reference: Use gcp-cloud-monitoring for network metrics during the same period
- Report: Traffic analysis with security findings
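The top-talkers step, as an added example that is not part of the netclaw skill itself. It assumes entries returned by list_log_entries have been loaded as dictionaries with the VPC flow log jsonPayload fields (connection.src_ip, connection.dest_ip, bytes_sent, reporter); the sample entries and the SRC-over-DEST de-duplication rule are constructed for illustration.

```python
from collections import defaultdict


def _flow(src, dst, reporter, nbytes):
    # Helper for building constructed sample entries; int64 fields such as
    # bytes_sent are serialized as strings in exported log entries.
    return {"jsonPayload": {"reporter": reporter, "bytes_sent": str(nbytes),
                            "connection": {"src_ip": src, "dest_ip": dst}}}


# Constructed sample data, not real traffic.
SAMPLE_ENTRIES = [
    _flow("10.0.1.50", "10.0.2.9", "SRC", 1200),
    _flow("10.0.1.50", "10.0.2.9", "DEST", 1200),   # same flow, seen by the receiver
    _flow("203.0.113.7", "10.0.2.9", "DEST", 5000),  # external source: DEST view only
    _flow("10.0.1.50", "10.0.2.9", "SRC", 300),
    _flow("10.0.1.50", "10.0.2.9", "DEST", 300),
    _flow("10.0.3.4", "198.51.100.20", "SRC", 800),
    {"textPayload": "not a flow record"},            # malformed entry, skipped
]


def top_talkers(entries, limit=10):
    """Return [((src_ip, dest_ip), total_bytes), ...], heaviest pair first.

    Traffic between two VMs in logged subnets is reported once by each side,
    so summing every record double counts it. Assumption used here: trust the
    SRC view of a pair when it exists, and use the DEST view only otherwise.
    """
    per_reporter = {"SRC": defaultdict(int), "DEST": defaultdict(int)}
    for entry in entries:
        payload = entry.get("jsonPayload") or {}
        conn = payload.get("connection") or {}
        try:
            pair = (conn["src_ip"], conn["dest_ip"])
            nbytes = int(payload["bytes_sent"])
        except (KeyError, TypeError, ValueError):
            continue  # skip records that are not well-formed flow logs
        reporter = payload.get("reporter")
        if reporter in per_reporter:
            per_reporter[reporter][pair] += nbytes
    merged = dict(per_reporter["DEST"])
    merged.update(per_reporter["SRC"])  # SRC totals override DEST totals
    return sorted(merged.items(), key=lambda kv: kv[1], reverse=True)[:limit]


if __name__ == "__main__":
    for (src, dst), total in top_talkers(SAMPLE_ENTRIES):
        print(f"{src} -> {dst}: {total} bytes")
```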
Workflow: Firewall Log Investigation
When investigating GCP firewall rule activity:
- Discover logs: list_log_names — find compute.googleapis.com/firewall
- Query firewall logs: list_log_entries filtered by:
  - Rule name
  - Action (ALLOWED/DENIED)
  - Source/destination IP
  - Port
- Denied connections: Find blocked traffic patterns
- Rule effectiveness: Which rules are hitting most frequently?
- Report: Firewall activity summary with recommendations
Workflow: Audit Trail Investigation
When investigating GCP API activity (equivalent of AWS CloudTrail):
- Admin activity logs: list_log_entries for cloudaudit.googleapis.com/activity — who created/modified/deleted resources?
- Data access logs: list_log_entries for cloudaudit.googleapis.com/data_access — who read what?
- Filter by principal: Narrow to specific user or service account
- Filter by method: Narrow to specific API calls (e.g., compute.instances.delete)
- Time window: Focus on the incident period
- Report: Audit timeline with responsible principals and actions
Workflow: Troubleshooting with Logs
When debugging a GCP issue:
- Application logs: list_log_entries for the affected service
- Error filtering: Filter by severity (ERROR, CRITICAL, EMERGENCY)
- Instance logs: Filter by resource.labels.instance_id for specific VMs
- Correlate: Match timestamps with gcp-cloud-monitoring alert violations
- Bucket check: list_buckets to verify log retention settings
- Report: Root cause analysis with log evidence
Common GCP Log Sources
| Log Name | What It Contains |
|---|---|
| compute.googleapis.com/vpc_flows | VPC flow logs — source/dest IP, port, bytes, packets, action |
| compute.googleapis.com/firewall | Firewall rule hits — allowed/denied connections with rule name |
| cloudaudit.googleapis.com/activity | Admin activity audit — resource create/modify/delete events |
| cloudaudit.googleapis.com/data_access | Data access audit — read operations on resources |
| cloudaudit.googleapis.com/system_event | System events — Google-initiated actions (live migration, etc.) |
| compute.googleapis.com/shielded_vm_integrity | Shielded VM boot integrity verification |
| dns.googleapis.com/dns_queries | Cloud DNS query logs |
| loadbalancing.googleapis.com/requests | Load balancer access logs |
| networksecurity.googleapis.com/firewall_threat | Cloud IDS / Firewall threat detection |
Log Query Filter Examples
```
# VPC flow logs — denied traffic to port 443
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=443

# Firewall — denied SSH attempts
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=22

# Audit — who deleted VMs since the given time (set timestamp to one hour ago for "the last hour")
# methodName carries an API version prefix (e.g. v1.), so match with ":" (has) rather than "="
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName:"compute.instances.delete"
timestamp>="2026-01-01T00:00:00Z"

# DNS queries from specific source
resource.type="dns_query"
jsonPayload.sourceIP="10.0.1.50"
```
Important Rules
- Remote MCP server — hosted by Google, no local install needed
- OAuth 2.0 authentication — uses IAM for access control
- Project-scoped — logs are scoped to the configured GCP project
- Log queries have cost implications — Cloud Logging charges for data scanned beyond free tier (50 GB/month free)
- Retention varies — Admin activity logs: 400 days, Data access logs: 30 days (default), VPC flow logs: depends on bucket config
- Record in GAIT — log all investigations for audit trail
Environment Variables
- GCP_PROJECT_ID — Google Cloud project ID
- GOOGLE_APPLICATION_CREDENTIALS — Path to service account key JSON file