Skip to content

Latest commit

 

History

History
223 lines (187 loc) · 13.4 KB

google-cloud-logging.md

File metadata and controls

223 lines (187 loc) · 13.4 KB
title keywords description
google-cloud-logging
Apache APISIX
API Gateway
Plugin
Google Cloud logging
This document contains information about the Apache APISIX google-cloud-logging Plugin.

Description

The google-cloud-logging Plugin is used to send APISIX access logs to Google Cloud Logging Service.

This plugin also allows to push logs as a batch to your Google Cloud Logging Service. It might take some time to receive the log data. It will be automatically sent after the timer function in the batch processor expires.

Attributes

Name Required Default Description
auth_config True Either auth_config or auth_file must be provided.
auth_config.client_email True Email address of the Google Cloud service account.
auth_config.private_key True Private key of the Google Cloud service account.
auth_config.project_id True Project ID in the Google Cloud service account.
auth_config.token_uri True https://oauth2.googleapis.com/token Token URI of the Google Cloud service account.
auth_config.entries_uri False https://logging.googleapis.com/v2/entries:write Google Cloud Logging Service API.
auth_config.scope False ["https://www.googleapis.com/auth/logging.read", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/logging.admin", "https://www.googleapis.com/auth/cloud-platform"] Access scopes of the Google Cloud service account. See OAuth 2.0 Scopes for Google APIs.
auth_config.scopes Deprecated ["https://www.googleapis.com/auth/logging.read", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/logging.admin", "https://www.googleapis.com/auth/cloud-platform"] Access scopes of the Google Cloud service account. Use auth_config.scope instead.
auth_file True Path to the Google Cloud service account authentication JSON file. Either auth_config or auth_file must be provided.
ssl_verify False true When set to true, enables SSL verification as mentioned in OpenResty docs.
resource False {"type": "global"} Google monitor resource. See MonitoredResource for more details.
log_id False apisix.apache.org%2Flogs Google Cloud logging ID. See LogEntry for details.
log_format False Log format declared as key value pairs in JSON format. Values only support strings. APISIX or Nginx variables can be used by prefixing the string with $.

NOTE: encrypt_fields = {"auth_config.private_key"} is also defined in the schema, which means that the field will be stored encrypted in etcd. See encrypted storage fields.

This Plugin supports using batch processors to aggregate and process entries (logs/data) in a batch. This avoids the need for frequently submitting the data. The batch processor submits data every 5 seconds or when the data in the queue reaches 1000. See Batch Processor for more information or setting your custom configuration.

Example of default log format

{
    "insertId": "0013a6afc9c281ce2e7f413c01892bdc",
    "labels": {
        "source": "apache-apisix-google-cloud-logging"
    },
    "logName": "projects/apisix/logs/apisix.apache.org%2Flogs",
    "httpRequest": {
        "requestMethod": "GET",
        "requestUrl": "http://localhost:1984/hello",
        "requestSize": 59,
        "responseSize": 118,
        "status": 200,
        "remoteIp": "127.0.0.1",
        "serverIp": "127.0.0.1:1980",
        "latency": "0.103s"
    },
    "resource": {
        "type": "global"
    },
    "jsonPayload": {
        "service_id": "",
        "route_id": "1"
    },
    "timestamp": "2024-01-06T03:34:45.065Z"
}

Metadata

You can also set the format of the logs by configuring the Plugin metadata. The following configurations are available:

Name Type Required Default Description
log_format object False Log format declared as key value pairs in JSON format. Values only support strings. APISIX or Nginx variables can be used by prefixing the string with $.

:::info IMPORTANT

Configuring the Plugin metadata is global in scope. This means that it will take effect on all Routes and Services which use the google-cloud-logging Plugin.

:::

The example below shows how you can configure through the Admin API:

:::note You can fetch the admin_key from config.yaml and save to an environment variable with the following command:

admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')

:::

curl http://127.0.0.1:9180/apisix/admin/plugin_metadata/google-cloud-logging -H "X-API-KEY: $admin_key" -X PUT -d '
{
    "log_format": {
        "host": "$host",
        "@timestamp": "$time_iso8601",
        "client_ip": "$remote_addr"
    }
}'

With this configuration, your logs would be formatted as shown below:

{"partialSuccess":false,"entries":[{"jsonPayload":{"client_ip":"127.0.0.1","host":"localhost","@timestamp":"2023-01-09T14:47:25+08:00","route_id":"1"},"resource":{"type":"global"},"insertId":"942e81f60b9157f0d46bc9f5a8f0cc40","logName":"projects/apisix/logs/apisix.apache.org%2Flogs","timestamp":"2023-01-09T14:47:25+08:00","labels":{"source":"apache-apisix-google-cloud-logging"}}]}

Enable Plugin

Full configuration

The example below shows a complete configuration of the Plugin on a specific Route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
    "plugins": {
        "google-cloud-logging": {
            "auth_config":{
                "project_id":"apisix",
                "client_email":"your service account email@apisix.iam.gserviceaccount.com",
                "private_key":"-----BEGIN RSA PRIVATE KEY-----your private key-----END RSA PRIVATE KEY-----",
                "token_uri":"https://oauth2.googleapis.com/token",
                "scope":[
                    "https://www.googleapis.com/auth/logging.admin"
                ],
                "entries_uri":"https://logging.googleapis.com/v2/entries:write"
            },
            "resource":{
                "type":"global"
            },
            "log_id":"apisix.apache.org%2Flogs",
            "inactive_timeout":10,
            "max_retry_count":0,
            "buffer_duration":60,
            "retry_delay":1,
            "batch_max_size":1
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "uri": "/hello"
}'

Minimal configuration

The example below shows a bare minimum configuration of the Plugin on a Route:

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
    "plugins": {
        "google-cloud-logging": {
            "auth_config":{
                "project_id":"apisix",
                "client_email":"your service account email@apisix.iam.gserviceaccount.com",
                "private_key":"-----BEGIN RSA PRIVATE KEY-----your private key-----END RSA PRIVATE KEY-----"
            }
        }
    },
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    },
    "uri": "/hello"
}'

Example usage

Now, if you make a request to APISIX, it will be logged in your Google Cloud Logging Service.

curl -i http://127.0.0.1:9080/hello

You can then login and view the logs in Google Cloud Logging Service.

Delete Plugin

To remove the google-cloud-logging Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
    "uri": "/hello",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "127.0.0.1:1980": 1
        }
    }
}'