Proxy transaction logs provide detailed information about each request that Secure Web Proxy processes. These logs include a record of every transaction that Secure Web Proxy mediates between users and the internet. This page explains how to access and interpret the transaction logs that your Secure Web Proxy instances generate.
Types of proxy transaction log entries
Proxy transaction log entries are of three types:
These logs are useful for the following actions:
- Security analysis and threat detection
- Troubleshooting connectivity and policy issues
- Auditing web access
- Secure Web Proxy performance analysis
HttpRequest
These log entries contain the following information:
| Name | Type | Description |
|---|---|---|
requestMethod
|
String | Type of request method, such as GET, HEAD,
PUT, or POST.
|
requestUrl
|
String | Scheme (http or https), hostname, path,
and the query portion of the requested URL. For example,
http://example.com/some/info?color=red.
|
requestSize
|
String (int64 format) |
Size, in bytes, of the HTTP request message, including the request headers and request body. |
status
|
Integer | HTTP or HTTPS status code that indicates the response. For example,
200 OK or 404 Not Found.
|
responseSize
|
String (int64 format) | Size, in bytes, of the HTTP status code that's sent back to the client, including the headers and body. |
userAgent
|
String | User agent that the client sends, such as
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461;
.NET CLR 1.0.3705).
|
remoteIp
|
String | IP address (IPv4 or IPv6) of the client that issued the HTTP
request. This field can include port information. For example,
192.168.1.1, 10.0.0.1:80,
and FE80::0202:B3FF:FE1E:8329.
|
serverIp
|
String | IP address (IPv4 or IPv6) of the origin server to which the request
was sent. This field can include port information. For example,
192.168.1.1, 10.0.0.1:80, and
FE80::0202:B3FF:FE1E:8329.
|
referrer
|
String | Referrer URL of the request, as defined in HTTP/1.1 Header Field Definitions. |
latency
|
String (Duration format) | Request processing latency on the server, from the time the request
was received until the response was sent.
Latency is a duration in seconds with up to nine fractional
digits and ends with |
cacheLookup
|
Boolean | Indicates whether a cache lookup was attempted. |
cacheHit
|
Boolean | Indicates whether an entity was served from the cache (with or without validation). |
cacheValidatedWithOriginServer
|
Boolean | Indicates whether the response was validated with the origin server
before being served from the cache. This field is meaningful only if
cacheHit is True.
|
cacheFillBytes
|
String (int64 format) | Number of HTTP status code bytes that are inserted. |
protocol
|
String | Protocol used for the request, such as HTTP/1.1,
HTTP/2, and websocket.
|
LoadBalancerLogEntry
These log entries contain the following information:
| Name | Type | Description |
|---|---|---|
insertId
|
String | Unique log ID. |
jsonPayload.@type
|
String | Log type. The log type value is always
type.googleapis.com/google.cloud.loadbalancing.type.LoadBalancerLogEntry.
|
jsonPayload.enforcedGatewaySecurityPolicy.hostname
|
String | Hostname associated with the request. |
jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.action
|
String | Action taken on the request. |
jsonPayload.enforcedGatewaySecurityPolicy.matchedRules.rule
|
String | Name of the rule applied to the request. |
jsonPayload.enforcedGatewaySecurityPolicy.clientServiceAccount
|
String | Service account associated with the request. |
jsonPayload.enforcedGatewaySecurityPolicy.clientSecureTags
|
String | Secure tags associated with the request. |
GatewayLogEntry
These log entries contain the following information:
| Name | Type | Description |
|---|---|---|
resource_container
|
String | Container associated with the gateway. |
location
|
String | Name of the region in which the gateway is defined. |
network_name
|
String | Name of the Virtual Private Cloud (VPC) network in which the gateway was created. |
gateway_type
|
String | Enum type of the gateway. For Secure Web Proxy, the value must be
SECURE_WEB_GATEWAY.
|
gateway_name
|
String | Name of the gateway resource. |
Format of proxy transaction logs
Proxy transaction logs are written to Cloud Logging with the log name as
projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event.
The JSON payload of each log entry contains detailed information about the transaction. Log entries contain the following key fields:
| Name | Type | Description |
|---|---|---|
destination_ip |
String | Resolved IP address of the destination. |
instance |
String | Name of the Secure Web Proxy instance that processed the request. |
mtls_info |
Object | Information about the mTLS handshake, if applicable. |
policy_evaluation_results |
Object | Information about which rules were matched and the resulting action,
such as allow or deny. |
request_host |
String | Requested hostname. |
request_method |
String | HTTP method, such as GET or POST. |
request_path |
String | Path of the request. |
request_port |
Integer | Destination port. |
request_protocol |
String | HTTP protocol version. |
request_scheme |
String | Scheme of the URL request, such as http or
https. |
request_time |
Timestamp | Date and time at which the proxy received the request. The timestamp
is specified in ISO 8601 format:
YYYY-MM-DDTHH:MM:SS.MsMsMsZoneOffset. For example,
2025-06-03T11:52:26.452Z. |
response_code |
Integer | HTTP status code that's returned to the client. |
response_size |
Integer | Size of the response body, measured in bytes. |
response_time |
Timestamp | Date and time at which the proxy sent the response to the client.
The timestamp is specified in ISO 8601 format:
YYYY-MM-DDTHH:MM:SS.MsMsMsZoneOffset. For example,
2025-06-03T11:52:26.452Z. |
source_ip |
String | Client IP address. |
source_port |
Integer | Client source port. |
tls_cipher_suite |
String | Cipher suite used for the TLS connection. |
tls_version |
String | TLS version used for the connection. |
Monitor proxy transaction logs
In the Google Cloud console, go to the Logs Explorer page.
Select your Google Cloud project.
Use the following query to view all Secure Web Proxy transaction logs:
logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event"
Replace
PROJECT_IDwith the ID of your target Google Cloud project.Here are a few sample queries that you can use to view specific details:
Find all denied requests.
logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event" jsonPayload.policy_evaluation_results.policy_action="DENY"
Find requests from a specific source IP address.
logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event" jsonPayload.source_ip="192.0.2.1"
Find requests to a specific host.
logName="projects/PROJECT_ID/logs/networksecurity.googleapis.com%2Fswg_policy_event" jsonPayload.request_host="example.com"
Route proxy transaction logs
You can route proxy transaction logs to other destinations like Cloud Storage, BigQuery, or Pub/Sub by using log sinks. For more information, see Route log entries.