Centralized monitoring solution in Google Cloud
Similar architecture monitoring we implemented in google cloud
Context: We have a single organization, having different folders and each folder has a single project in Google cloud. We want to have a centralized monitoring solution in GCP. We already set up the architecture shown in the picture. In the given picture let's assume:
Terminologies used
- 'blue' monitoring is our centralized project or a 'Scoping project'
- 'yellow' all other boxes are 'Monitoring projects'
Queries I have
- In the 'Scoping project' can we view and query the logs under a single dashboard or interface (I am aware we can view the logs independently for each project or a resource under this scoping project)?
- Can we stream logs from the 'Scoping project' to a third-party integration service like datadog from the 'scoping project'?
- Will that third-party integration have live streaming of logs in an external tool like Datadog?
- As we have centralized logs in the 'Scoping project', do we need to create a 'Log Router Sink' and 'Log Router Storage' under this 'Scoping project' to be able to stream the logs to third-party integration tools?
- In case we want to add a new project, do we need to create 'Log Router Sink' and 'Log Router Storage' in the 'NEW Monitoring project (to be newly added)' so that we stream logs to the 'Scoping project'?
As the person at least partially responsible for the image and the recommendation....
In the 'Scoping project' can we view and query the logs under a single dashboard or interface (I am aware we can view the logs independently for each project or a resource under this scoping project)?
No - logs aren't part of Monitoring Scopes. They're treated entirely separately. Have a look here.
Can we stream logs from the 'Scoping project' to a third-party integration service like datadog from the 'scoping project'?
Sure - you can do whatever you want with those logs.
Will that third-party integration have live streaming of logs in an external tool like Datadog?
Yes - use e.g the PubSub sink and consume them from there.
As we have centralized logs in the 'Scoping project', do we need to create a 'Log Router Sink' and 'Log Router Storage' under this 'Scoping project' to be able to stream the logs to third-party integration tools?
See above.
In case we want to add a new project, do we need to create 'Log Router Sink' and 'Log Router Storage' in the 'NEW Monitoring project (to be newly added)' so that we stream logs to the 'Scoping project'?
See above. Logs aren't subject to monitoring project configuration and are treated very differently.
Have a look at this video for a walkthrough of log storage and routing.
Additional info in response to comment below:
- Does the service account used for third-party integration, merely need to have permission on the 'Scoping proj'? BUT NOT on other 'Monitoring proj'?
To see monitoring data, the SA will need appropriate permissions. Have a look here: https://cloud.google.com/monitoring/access-control
- What's the key diff between 'Cloud Logging' and 'Cloud Monitoring', as seems both offer similar features and functionalities?
Well, Logging is all about logs :) And Monitoring is all about metric/time series data.
- What are the main advantages of having a 'Centralised Cloud monitoring' proj?
I think I answer this question in this video: https://youtu.be/pcMEFTxcco8?list=PLIivdWyY5sqLOiLXJDlN-wKd0g7hf_9vC
Generally, it's protection from accidental deletion and a single place to manage/control/set things up.
- How to achieve resilience in a 'Scoping proj'? if something goes wrong in scoping, whole monitoring will be stalled?
Good question - it's not really a problem I've seen anyone have. Remember that the metrics are just visible from the scoping project - they are still available in the actual resource project. So even if something goes wrong, you can just recreate the scoping project and still have all the data.
- Bash Indirect expansion doesn't seem to work in cloud build bash scripts?
- How do I list all the top-level folders in given GCS bucket?
- Trigger Google Cloud Build with Google Cloud Scheduler periodically
- Google Cloud Functions - ImportError: cannot import name 'InvalidKeyError' from 'jwt.exceptions'
- GCP - User ... does not have permission to access projects instance
- Google Cloud Compute Engine refusing connections despite firewall rule
- How to I return JSON from a Google Cloud Function
- Making Exact Copy of Server Google Cloud
- How to drop multiple tables in Big query using Wildcards TABLE_DATE_RANGE()?
- firebase, linkWithCredential to add new auth provider to an Account
- .NET Core Blazor Server cannot access to Cloud SQL in Cloud Run
- Google Compute Engine and ADC Application Default Credentials
- Is there a way to connect cloud firestore to realtime database using Cloud functions?
- Pyspark on GCP Dataproc - Partial reading of data for gzip encoded Cloud Storage files
- How to use GitHub immutable values (IDs) in Attribute Conditions?
- Cannot find the id using Firebase Firestore Database - Android kotlin
- _CHANGE_TYPE not working when streaming Google Big Query rows from Pub/Sub
- Realtime database `onValueWritten` event does not trigger in emulator
- Error 400: invalid_scope with Postman and Google OAuth2
- Firebase Firestore REST Request - Query and Filter
- `IAM_PERMISSION_DENIED` on a deployed service on GCP, but no errors on localhost
- Error 400 invalid JSON Payload Unknown name generationConfig on an AI API Curl command
- Restricting usage for an Android key for a Google API
- Google Cloud Function The request was aborted because there was no available instance
- How to properly create URL Masking for Cloud Functions to create a NEG?
- Deploying an Angular app on Google Cloud with minimal costs
- Cloud Run For Anthos With Terraform
- How to delete a key:value pair from Firebase map?
- Flagging a row in new column based on conditions on previous and current rows
- Cant access Firebase Admin SDK via Node.js on my VPS, but I can on my local machine