Querying Peakhour Logs in Google Cloud Log Explorer#

This guide shows you how to query and analyse Peakhour security events using Google Cloud's Log Explorer. By mastering these techniques, you'll enhance your ability to monitor and respond to security incidents.

Accessing Log Explorer#

  1. Go to the Google Cloud Console
  2. Navigate to "Logging" > "Logs Explorer"
  3. Ensure you've selected the correct Google Cloud project

Understanding Peakhour Log Format#

Peakhour logs use a structured JSON format. Key fields include:

  • time: UTC timestamp of the event
  • client: Client's IP address
  • method: HTTP method of the request
  • path: Path of the requested resource
  • block.by: Type of block that occurred (e.g., WAF, IP threat list, custom rule)

For a full list of fields, refer to the Peakhour Event JSON Format documentation.

Basic Queries#

View All Peakhour Logs#

To see all Peakhour logs:

resource.type="global"
logName="projects/[PROJECT_ID]/logs/peakhour-logs"

Replace [PROJECT_ID] with your actual project ID. Separate lines of a Logs Explorer query are combined with an implicit AND, so this matches entries that satisfy both conditions.

Filter by Time Range#

Use the time range selector at the top of the Log Explorer to set your desired time range.

Filter by Block Type#

To see logs for a specific block type:

resource.type="global"
logName="projects/[PROJECT_ID]/logs/peakhour-logs"
jsonPayload.block.by="WAF"

Replace WAF with other block types like ip_threat_list, custom_rule, or rate_limit as needed. The = operator is an exact, case-sensitive match, so use the value spelling given in the Peakhour Event JSON Format documentation. If block.by is stored as a single key containing a literal dot rather than as a nested object, quote that path segment: jsonPayload."block.by"="WAF".

Advanced Queries#

The Logs Explorer query language only filters entries; it has no pipeline or aggregation operators, so counting and grouping must be done in Log Analytics (Logging > Log Analytics), which runs SQL over a log bucket that has been upgraded for Log Analytics. The queries below assume the default bucket (_Default) in the global location and its default view (_AllLogs); adjust the table name if your Peakhour logs are routed to a different bucket.

Top Attacking Countries#

To find the top countries generating blocked requests over the last 24 hours:

SELECT
  JSON_VALUE(json_payload.geoip.country_code) AS country,
  COUNT(*) AS requests
FROM `[PROJECT_ID].global._Default._AllLogs`
WHERE log_name = "projects/[PROJECT_ID]/logs/peakhour-logs"
  AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 24 HOUR)
GROUP BY country
ORDER BY requests DESC
LIMIT 10

As written this counts every Peakhour event in the window; add a condition on the block.by field to the WHERE clause to count only blocked requests.

Requests from Known Threat Lists#

To see requests from IP addresses on threat lists:

resource.type="global"
logName="projects/[PROJECT_ID]/logs/peakhour-logs"
jsonPayload.blocklists:*

The :* operator matches entries in which the blocklists field is present with any value, so this returns every event that carries a blocklists value, whatever list the client matched.

High-volume Attacks#

To identify a possible DDoS or brute-force source, look for a high volume of requests from a single IP inside a short window. In Log Analytics:

SELECT
  JSON_VALUE(json_payload.client) AS ip,
  COUNT(*) AS requests
FROM `[PROJECT_ID].global._Default._AllLogs`
WHERE log_name = "projects/[PROJECT_ID]/logs/peakhour-logs"
  AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 5 MINUTE)
GROUP BY ip
HAVING COUNT(*) > 1000
ORDER BY requests DESC

This query finds IPs that have made more than 1000 requests in the last five minutes. Tune the window and threshold to your traffic: a raw count with no time window would flag any busy but legitimate client, and a NAT gateway or corporate proxy can legitimately front many users from one address.
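The same three aggregations (blocks by country, threat-list hits, per-IP volume in a time window) implemented locally over a handful of constructed events, so the thresholds can be unit-tested before they are wired into a log-based metric or alert. This is an added example, not Peakhour's or Google's code; the event shape is an assumption built from the field names this page lists, and get_field accepts both a literal "block.by" key and a nested block/by object because the page does not say which form Peakhour emits.

```python
"""Offline check of the Peakhour event aggregations used on this page.

Added example; not Peakhour's or Google's code. The event shape is an
assumption built from the fields this page names (time, client, method, path,
block.by, geoip.country_code, blocklists); confirm the real names against the
Peakhour Event JSON Format documentation before relying on them.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample events (newline-delimited JSON), not captured traffic.
# Note that block.by appears both as a flat dotted key and as a nested object.
SAMPLE_NDJSON = """\
{"time":"2024-05-01T10:00:01Z","client":"203.0.113.10","method":"GET","path":"/login","block.by":"WAF","geoip":{"country_code":"AU"}}
{"time":"2024-05-01T10:00:02Z","client":"203.0.113.10","method":"POST","path":"/login","block":{"by":"WAF"},"geoip":{"country_code":"AU"}}
{"time":"2024-05-01T10:00:03Z","client":"198.51.100.7","method":"GET","path":"/wp-admin","block.by":"ip_threat_list","blocklists":["tor_exit"],"geoip":{"country_code":"US"}}
{"time":"2024-05-01T10:00:04Z","client":"198.51.100.7","method":"GET","path":"/","geoip":{"country_code":"US"}}
{"time":"2024-05-01T10:00:05Z","client":"192.0.2.55","method":"GET","path":"/api","block.by":"rate_limit","geoip":{"country_code":"DE"}}
{"time":"2024-05-01T10:01:00Z","client":"192.0.2.55","method":"GET","path":"/api","geoip":{"country_code":"DE"}}
"""


def load_sample():
    """Parse the constructed sample and append a synthetic 25-request burst
    from one IP inside a single minute, to exercise the volume check."""
    events = [json.loads(line) for line in SAMPLE_NDJSON.splitlines() if line.strip()]
    for i in range(25):
        events.append({
            "time": "2024-05-01T10:05:%02dZ" % i,
            "client": "203.0.113.99", "method": "GET", "path": "/api",
            "block.by": "rate_limit", "geoip": {"country_code": "NL"},
        })
    return events


def get_field(event, dotted):
    """Look up a dotted field name, accepting either a literal key containing
    a dot ("block.by") or nested objects (block -> by). Returns None if absent."""
    if dotted in event:
        return event[dotted]
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_blocked(event):
    return get_field(event, "block.by") is not None


def block_type_counts(events):
    """Equivalent of filtering on block.by: number of events per block type."""
    return Counter(get_field(e, "block.by") for e in events if is_blocked(e))


def top_countries(events, n=10):
    """Top countries by blocked requests (only events carrying a block.by value)."""
    counts = Counter(
        get_field(e, "geoip.country_code") or "unknown"
        for e in events if is_blocked(e)
    )
    return counts.most_common(n)


def threat_list_hits(events):
    """Events whose client matched a threat list (blocklists field present)."""
    return [e for e in events if get_field(e, "blocklists")]


def high_volume_ips(events, threshold, window_seconds=60):
    """Client IPs exceeding `threshold` requests within any single time window.
    Counting per window rather than over the whole data set keeps a busy but
    legitimate long-running client from being reported as a flood."""
    per_window = defaultdict(Counter)
    for e in events:
        ts = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        start = int(ts.timestamp()) // window_seconds * window_seconds
        per_window[start][e["client"]] += 1
    hits = []
    for start in sorted(per_window):
        for ip, count in per_window[start].most_common():
            if count > threshold:
                window_iso = datetime.fromtimestamp(start, tz=timezone.utc).isoformat()
                hits.append((window_iso, ip, count))
    return hits


if __name__ == "__main__":
    evs = load_sample()
    print("block types:", dict(block_type_counts(evs)))
    print("top countries:", top_countries(evs, 3))
    print("threat-list hits:", [e["client"] for e in threat_list_hits(evs)])
    print("high-volume IPs:", high_volume_ips(evs, threshold=20))
```

Run it as a script to see the results for the sample; the window logic is the part worth carrying into production, since a threshold like "more than 1000 requests" is only meaningful relative to a time span.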

Using Log-based Metrics#

You can create log-based metrics to track important trends over time:

  1. In Log Explorer, write a query that filters for the events you want to track
  2. Click "Create Metric"
  3. Give your metric a name and description
  4. Choose the metric type: counter (counts the matching entries) or distribution (records a numeric value taken from each matching entry, such as a response time)
  5. Click "Create Metric"

You can then use this metric in Cloud Monitoring dashboards and alerting policies.

Setting Up Alerts#

To create alerts based on your Peakhour logs:

  1. In Log Explorer, write a query that identifies the condition you want to alert on
  2. Click "Create Alert"
  3. Configure the alert conditions, notification channels, and other settings
  4. Click "Save Alert Policy"

Best Practices#

  1. Put indexed fields (resource.type, logName, timestamp, severity) first in your queries; jsonPayload fields are not indexed by default, so a query that relies on them alone scans far more data
  2. Start with broad queries and gradually refine them
  3. Run each query and inspect a sample of the matched entries to confirm it captures the right events before turning it into a metric or alert
  4. Regularly review and update your queries as your security needs evolve

By leveraging these querying techniques in Google Cloud's Log Explorer, you can gain valuable insights from your Peakhour security events, enabling faster incident response and more effective threat detection.