// Copyright 2019 Google LLC. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // syntax = "proto3"; package google.logging.v2; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/field_mask.proto"; import "google/protobuf/timestamp.proto"; import "google/api/annotations.proto"; import "google/api/client.proto"; option cc_enable_arenas = true; option csharp_namespace = "Google.Cloud.Logging.V2"; option go_package = "google.golang.org/genproto/googleapis/logging/v2;logging"; option java_multiple_files = true; option java_outer_classname = "LoggingConfigProto"; option java_package = "com.google.logging.v2"; option php_namespace = "Google\\Cloud\\Logging\\V2"; // Service for configuring sinks used to route log entries. service ConfigServiceV2 { option (google.api.default_host) = "logging.googleapis.com"; option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform," "https://www.googleapis.com/auth/cloud-platform.read-only," "https://www.googleapis.com/auth/logging.admin," "https://www.googleapis.com/auth/logging.read"; // Lists sinks. rpc ListSinks(ListSinksRequest) returns (ListSinksResponse) { option (google.api.http) = { get: "/v2/{parent=*/*}/sinks" additional_bindings { get: "/v2/{parent=projects/*}/sinks" } additional_bindings { get: "/v2/{parent=organizations/*}/sinks" } additional_bindings { get: "/v2/{parent=folders/*}/sinks" } additional_bindings { get: "/v2/{parent=billingAccounts/*}/sinks" } }; } // Gets a sink. rpc GetSink(GetSinkRequest) returns (LogSink) { option (google.api.http) = { get: "/v2/{sink_name=*/*/sinks/*}" additional_bindings { get: "/v2/{sink_name=projects/*/sinks/*}" } additional_bindings { get: "/v2/{sink_name=organizations/*/sinks/*}" } additional_bindings { get: "/v2/{sink_name=folders/*/sinks/*}" } additional_bindings { get: "/v2/{sink_name=billingAccounts/*/sinks/*}" } }; } // Creates a sink that exports specified log entries to a destination. The // export of newly-ingested log entries begins immediately, unless the sink's // `writer_identity` is not permitted to write to the destination. A sink can // export log entries only from the resource owning the sink. rpc CreateSink(CreateSinkRequest) returns (LogSink) { option (google.api.http) = { post: "/v2/{parent=*/*}/sinks" body: "sink" additional_bindings { post: "/v2/{parent=projects/*}/sinks" body: "sink" } additional_bindings { post: "/v2/{parent=organizations/*}/sinks" body: "sink" } additional_bindings { post: "/v2/{parent=folders/*}/sinks" body: "sink" } additional_bindings { post: "/v2/{parent=billingAccounts/*}/sinks" body: "sink" } }; } // Updates a sink. This method replaces the following fields in the existing // sink with values from the new sink: `destination`, and `filter`. // // The updated sink might also have a new `writer_identity`; see the // `unique_writer_identity` field. rpc UpdateSink(UpdateSinkRequest) returns (LogSink) { option (google.api.http) = { put: "/v2/{sink_name=*/*/sinks/*}" body: "sink" additional_bindings { put: "/v2/{sink_name=projects/*/sinks/*}" body: "sink" } additional_bindings { put: "/v2/{sink_name=organizations/*/sinks/*}" body: "sink" } additional_bindings { put: "/v2/{sink_name=folders/*/sinks/*}" body: "sink" } additional_bindings { put: "/v2/{sink_name=billingAccounts/*/sinks/*}" body: "sink" } additional_bindings { patch: "/v2/{sink_name=projects/*/sinks/*}" body: "sink" } additional_bindings { patch: "/v2/{sink_name=organizations/*/sinks/*}" body: "sink" } additional_bindings { patch: "/v2/{sink_name=folders/*/sinks/*}" body: "sink" } additional_bindings { patch: "/v2/{sink_name=billingAccounts/*/sinks/*}" body: "sink" } }; } // Deletes a sink. If the sink has a unique `writer_identity`, then that // service account is also deleted. rpc DeleteSink(DeleteSinkRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v2/{sink_name=*/*/sinks/*}" additional_bindings { delete: "/v2/{sink_name=projects/*/sinks/*}" } additional_bindings { delete: "/v2/{sink_name=organizations/*/sinks/*}" } additional_bindings { delete: "/v2/{sink_name=folders/*/sinks/*}" } additional_bindings { delete: "/v2/{sink_name=billingAccounts/*/sinks/*}" } }; } // Lists all the exclusions in a parent resource. rpc ListExclusions(ListExclusionsRequest) returns (ListExclusionsResponse) { option (google.api.http) = { get: "/v2/{parent=*/*}/exclusions" additional_bindings { get: "/v2/{parent=projects/*}/exclusions" } additional_bindings { get: "/v2/{parent=organizations/*}/exclusions" } additional_bindings { get: "/v2/{parent=folders/*}/exclusions" } additional_bindings { get: "/v2/{parent=billingAccounts/*}/exclusions" } }; } // Gets the description of an exclusion. rpc GetExclusion(GetExclusionRequest) returns (LogExclusion) { option (google.api.http) = { get: "/v2/{name=*/*/exclusions/*}" additional_bindings { get: "/v2/{name=projects/*/exclusions/*}" } additional_bindings { get: "/v2/{name=organizations/*/exclusions/*}" } additional_bindings { get: "/v2/{name=folders/*/exclusions/*}" } additional_bindings { get: "/v2/{name=billingAccounts/*/exclusions/*}" } }; } // Creates a new exclusion in a specified parent resource. // Only log entries belonging to that resource can be excluded. // You can have up to 10 exclusions in a resource. rpc CreateExclusion(CreateExclusionRequest) returns (LogExclusion) { option (google.api.http) = { post: "/v2/{parent=*/*}/exclusions" body: "exclusion" additional_bindings { post: "/v2/{parent=projects/*}/exclusions" body: "exclusion" } additional_bindings { post: "/v2/{parent=organizations/*}/exclusions" body: "exclusion" } additional_bindings { post: "/v2/{parent=folders/*}/exclusions" body: "exclusion" } additional_bindings { post: "/v2/{parent=billingAccounts/*}/exclusions" body: "exclusion" } }; } // Changes one or more properties of an existing exclusion. rpc UpdateExclusion(UpdateExclusionRequest) returns (LogExclusion) { option (google.api.http) = { patch: "/v2/{name=*/*/exclusions/*}" body: "exclusion" additional_bindings { patch: "/v2/{name=projects/*/exclusions/*}" body: "exclusion" } additional_bindings { patch: "/v2/{name=organizations/*/exclusions/*}" body: "exclusion" } additional_bindings { patch: "/v2/{name=folders/*/exclusions/*}" body: "exclusion" } additional_bindings { patch: "/v2/{name=billingAccounts/*/exclusions/*}" body: "exclusion" } }; } // Deletes an exclusion. rpc DeleteExclusion(DeleteExclusionRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/v2/{name=*/*/exclusions/*}" additional_bindings { delete: "/v2/{name=projects/*/exclusions/*}" } additional_bindings { delete: "/v2/{name=organizations/*/exclusions/*}" } additional_bindings { delete: "/v2/{name=folders/*/exclusions/*}" } additional_bindings { delete: "/v2/{name=billingAccounts/*/exclusions/*}" } }; } } // Describes a sink used to export log entries to one of the following // destinations in any project: a Cloud Storage bucket, a BigQuery dataset, or a // Cloud Pub/Sub topic. A logs filter controls which log entries are exported. // The sink must be created within a project, organization, billing account, or // folder. message LogSink { // Available log entry formats. Log entries can be written to // Logging in either format and can be exported in either format. // Version 2 is the preferred format. enum VersionFormat { // An unspecified format version that will default to V2. VERSION_FORMAT_UNSPECIFIED = 0; // `LogEntry` version 2 format. V2 = 1; // `LogEntry` version 1 format. V1 = 2; } // Required. The client-assigned sink identifier, unique within the // project. Example: `"my-syslog-errors-to-pubsub"`. Sink identifiers are // limited to 100 characters and can include only the following characters: // upper and lower-case alphanumeric characters, underscores, hyphens, and // periods. string name = 1; // Required. The export destination: // // "storage.googleapis.com/[GCS_BUCKET]" // "bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET]" // "pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]" // // The sink's `writer_identity`, set when the sink is created, must // have permission to write to the destination or else the log // entries are not exported. For more information, see // [Exporting Logs with Sinks](/logging/docs/api/tasks/exporting-logs). string destination = 3; // Optional. An [advanced logs filter](/logging/docs/view/advanced-queries). The only // exported log entries are those that are in the resource owning the sink and // that match the filter. For example: // // logName="projects/[PROJECT_ID]/logs/[LOG_ID]" AND severity>=ERROR string filter = 5; // Deprecated. The log entry format to use for this sink's exported log // entries. The v2 format is used by default and cannot be changed. VersionFormat output_version_format = 6 [deprecated = true]; // Output only. An IAM identity—a service account or group—under // which Logging writes the exported log entries to the sink's destination. // This field is set by // [sinks.create][google.logging.v2.ConfigServiceV2.CreateSink] // and // [sinks.update][google.logging.v2.ConfigServiceV2.UpdateSink] // based on the value of `unique_writer_identity` in those methods. // // Until you grant this identity write-access to the destination, log entry // exports from this sink will fail. For more information, // see [Granting Access for a // Resource](/iam/docs/granting-roles-to-service-accounts#granting_access_to_a_service_account_for_a_resource). // Consult the destination service's documentation to determine the // appropriate IAM roles to assign to the identity. string writer_identity = 8; // Optional. This field applies only to sinks owned by organizations and // folders. If the field is false, the default, only the logs owned by the // sink's parent resource are available for export. If the field is true, then // logs from all the projects, folders, and billing accounts contained in the // sink's parent resource are also available for export. Whether a particular // log entry from the children is exported depends on the sink's filter // expression. For example, if this field is true, then the filter // `resource.type=gce_instance` would export all Compute Engine VM instance // log entries from all projects in the sink's parent. To only export entries // from certain child projects, filter on the project part of the log name: // // logName:("projects/test-project1/" OR "projects/test-project2/") AND // resource.type=gce_instance bool include_children = 9; // Optional. Destination dependent options. oneof options { // Optional. Options that affect sinks exporting data to BigQuery. BigQueryOptions bigquery_options = 12; } // Output only. The creation timestamp of the sink. // // This field may not be present for older sinks. google.protobuf.Timestamp create_time = 13; // Output only. The last update timestamp of the sink. // // This field may not be present for older sinks. google.protobuf.Timestamp update_time = 14; // Do not use. This field is ignored. google.protobuf.Timestamp start_time = 10 [deprecated = true]; // Do not use. This field is ignored. google.protobuf.Timestamp end_time = 11 [deprecated = true]; } // Options that change functionality of a sink exporting data to BigQuery. message BigQueryOptions { // Optional. Whether to use [BigQuery's partition // tables](/bigquery/docs/partitioned-tables). By default, Logging // creates dated tables based on the log entries' timestamps, e.g. // syslog_20170523. With partitioned tables the date suffix is no longer // present and [special query // syntax](/bigquery/docs/querying-partitioned-tables) has to be used instead. // In both cases, tables are sharded based on UTC timezone. bool use_partitioned_tables = 1; } // The parameters to `ListSinks`. message ListSinksRequest { // Required. The parent resource whose sinks are to be listed: // // "projects/[PROJECT_ID]" // "organizations/[ORGANIZATION_ID]" // "billingAccounts/[BILLING_ACCOUNT_ID]" // "folders/[FOLDER_ID]" string parent = 1; // Optional. If present, then retrieve the next batch of results from the // preceding call to this method. `pageToken` must be the value of // `nextPageToken` from the previous response. The values of other method // parameters should be identical to those in the previous call. string page_token = 2; // Optional. The maximum number of results to return from this request. // Non-positive values are ignored. The presence of `nextPageToken` in the // response indicates that more results might be available. int32 page_size = 3; } // Result returned from `ListSinks`. message ListSinksResponse { // A list of sinks. repeated LogSink sinks = 1; // If there might be more results than appear in this response, then // `nextPageToken` is included. To get the next set of results, call the same // method again using the value of `nextPageToken` as `pageToken`. string next_page_token = 2; } // The parameters to `GetSink`. message GetSinkRequest { // Required. The resource name of the sink: // // "projects/[PROJECT_ID]/sinks/[SINK_ID]" // "organizations/[ORGANIZATION_ID]/sinks/[SINK_ID]" // "billingAccounts/[BILLING_ACCOUNT_ID]/sinks/[SINK_ID]" // "folders/[FOLDER_ID]/sinks/[SINK_ID]" // // Example: `"projects/my-project-id/sinks/my-sink-id"`. string sink_name = 1; } // The parameters to `CreateSink`. message CreateSinkRequest { // Required. The resource in which to create the sink: // // "projects/[PROJECT_ID]" // "organizations/[ORGANIZATION_ID]" // "billingAccounts/[BILLING_ACCOUNT_ID]" // "folders/[FOLDER_ID]" // // Examples: `"projects/my-logging-project"`, `"organizations/123456789"`. string parent = 1; // Required. The new sink, whose `name` parameter is a sink identifier that // is not already in use. LogSink sink = 2; // Optional. Determines the kind of IAM identity returned as `writer_identity` // in the new sink. If this value is omitted or set to false, and if the // sink's parent is a project, then the value returned as `writer_identity` is // the same group or service account used by Logging before the addition of // writer identities to this API. The sink's destination must be in the same // project as the sink itself. // // If this field is set to true, or if the sink is owned by a non-project // resource such as an organization, then the value of `writer_identity` will // be a unique service account used only for exports from the new sink. For // more information, see `writer_identity` in [LogSink][google.logging.v2.LogSink]. bool unique_writer_identity = 3; } // The parameters to `UpdateSink`. message UpdateSinkRequest { // Required. The full resource name of the sink to update, including the // parent resource and the sink identifier: // // "projects/[PROJECT_ID]/sinks/[SINK_ID]" // "organizations/[ORGANIZATION_ID]/sinks/[SINK_ID]" // "billingAccounts/[BILLING_ACCOUNT_ID]/sinks/[SINK_ID]" // "folders/[FOLDER_ID]/sinks/[SINK_ID]" // // Example: `"projects/my-project-id/sinks/my-sink-id"`. string sink_name = 1; // Required. The updated sink, whose name is the same identifier that appears // as part of `sink_name`. LogSink sink = 2; // Optional. See [sinks.create][google.logging.v2.ConfigServiceV2.CreateSink] // for a description of this field. When updating a sink, the effect of this // field on the value of `writer_identity` in the updated sink depends on both // the old and new values of this field: // // + If the old and new values of this field are both false or both true, // then there is no change to the sink's `writer_identity`. // + If the old value is false and the new value is true, then // `writer_identity` is changed to a unique service account. // + It is an error if the old value is true and the new value is // set to false or defaulted to false. bool unique_writer_identity = 3; // Optional. Field mask that specifies the fields in `sink` that need // an update. A sink field will be overwritten if, and only if, it is // in the update mask. `name` and output only fields cannot be updated. // // An empty updateMask is temporarily treated as using the following mask // for backwards compatibility purposes: // destination,filter,includeChildren // At some point in the future, behavior will be removed and specifying an // empty updateMask will be an error. // // For a detailed `FieldMask` definition, see // https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#google.protobuf.FieldMask // // Example: `updateMask=filter`. google.protobuf.FieldMask update_mask = 4; } // The parameters to `DeleteSink`. message DeleteSinkRequest { // Required. The full resource name of the sink to delete, including the // parent resource and the sink identifier: // // "projects/[PROJECT_ID]/sinks/[SINK_ID]" // "organizations/[ORGANIZATION_ID]/sinks/[SINK_ID]" // "billingAccounts/[BILLING_ACCOUNT_ID]/sinks/[SINK_ID]" // "folders/[FOLDER_ID]/sinks/[SINK_ID]" // // Example: `"projects/my-project-id/sinks/my-sink-id"`. string sink_name = 1; } // Specifies a set of log entries that are not to be stored in // Logging. If your GCP resource receives a large volume of logs, you can // use exclusions to reduce your chargeable logs. Exclusions are // processed after log sinks, so you can export log entries before they are // excluded. Note that organization-level and folder-level exclusions don't // apply to child resources, and that you can't exclude audit log entries. message LogExclusion { // Required. A client-assigned identifier, such as // `"load-balancer-exclusion"`. Identifiers are limited to 100 characters and // can include only letters, digits, underscores, hyphens, and periods. string name = 1; // Optional. A description of this exclusion. string description = 2; // Required. An [advanced logs filter](/logging/docs/view/advanced-queries) // that matches the log entries to be excluded. By using the // [sample function](/logging/docs/view/advanced-queries#sample), // you can exclude less than 100% of the matching log entries. // For example, the following query matches 99% of low-severity log // entries from Google Cloud Storage buckets: // // `"resource.type=gcs_bucket severity