Use Cloud Logging for Cloud Tasks Queues

Risk Level: Medium (should be achieved)

Ensure that logging with Cloud Logging is enabled for your Cloud Tasks queues in order to facilitate monitoring and troubleshooting of task issues. Once the logging feature is enabled, the following operations are logged: "CreateTask", "DeleteTask", "AttemptDispatch", and "AttemptResponse".

Security
Reliability
Cost optimisation
Performance efficiency
Operational excellence

Enabling logging with Cloud Logging for Google Cloud Tasks queues allows you to monitor and troubleshoot task execution by providing detailed logs of task processing activities.


Audit

To determine if logging is enabled for your Google Cloud Tasks queues, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Click on the name (link) of the queue that you want to examine and select the LOGS tab to access the logging data available for the selected resource.

05 If no logging data is available on the LOGS page and the ENABLE LOGS button is displayed instead, logging with Cloud Logging is not enabled for the selected Cloud Tasks queue.

06 Repeat steps no. 4 and 5 for each Cloud Tasks queue available within the selected GCP project.

07 Repeat steps no. 2 – 6 for each project deployed within your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
	--format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-123123
cc-iot-project-112233

03 Run the tasks queues list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the ID (i.e., fully qualified identifier) of each Cloud Tasks queue created for the selected project, in the specified region:

gcloud tasks queues list \
	--project="cc-web-project-123123" \
	--location="us-central1" \
	--format="default(name)"

04 The command output should return the requested queue IDs:

---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue
---
name: projects/cc-web-project-123123/locations/us-central1/queues/cc-invoice-release-queue

05 Run the tasks queues describe command (Windows/macOS/Linux) with the ID of the Cloud Tasks queue that you want to examine as the identifier parameter, to describe the log sampling ratio configured for the selected queue. The log sampling ratio represents the fraction of operations to write to Cloud Logging:

gcloud tasks queues describe projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue \
	--format="default(stackdriverLoggingConfig.samplingRatio)"

06 The command output should return the "samplingRatio" attribute value:

null

If the tasks queues describe command output returns null, as shown in the example above, logging with Cloud Logging is not enabled for the selected Cloud Tasks queue.

07 Repeat steps no. 5 and 6 for each Cloud Tasks queue available in the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
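
The CLI audit steps above, scripted for one project and location, as an added example that is not part of the original page. It assumes an authenticated gcloud; the function names and the ENABLED/SAMPLED/DISABLED labels are illustrative, and a ratio of 0.0 is reported as disabled because no operations are logged at that value.

```shell
#!/bin/sh
# Added example: audit every Cloud Tasks queue in one project/location.
# Usage: sh audit_queues.sh PROJECT_ID LOCATION

# Classify a samplingRatio value as printed by --format="value(...)".
# An unset field prints as an empty string with the value() format.
classify_ratio() {
    case "$1" in
        ""|null|None) echo "DISABLED"; return ;;
    esac
    # awk compares floats, which POSIX test cannot do. Non-numeric input
    # evaluates to 0 and is therefore reported as DISABLED (fail closed).
    awk -v r="$1" 'BEGIN {
        if (r + 0 <= 0)     print "DISABLED"
        else if (r + 0 < 1) print "SAMPLED"
        else                print "ENABLED"
    }'
}

# Print "<status> <ratio> <queue>" for each queue.
# Returns 1 if any queue is DISABLED, 2 if a gcloud call fails.
audit_queues() {
    project="$1"; location="$2"; rc=0
    queues=$(gcloud tasks queues list --project="$project" \
        --location="$location" --format="value(name)") || return 2
    for q in $queues; do
        ratio=$(gcloud tasks queues describe "$q" \
            --format="value(stackdriverLoggingConfig.samplingRatio)") || return 2
        status=$(classify_ratio "$ratio")
        echo "$status ${ratio:-unset} $q"
        if [ "$status" = "DISABLED" ]; then rc=1; fi
    done
    return "$rc"
}

# Run only when both arguments are supplied on the command line.
if [ "$#" -eq 2 ]; then
    audit_queues "$1" "$2"
fi
```

A SAMPLED result means only a fraction of "CreateTask", "DeleteTask", "AttemptDispatch", and "AttemptResponse" operations reach Cloud Logging, so individual task events can be missing from the logs.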

Remediation / Resolution

To ensure that logging is enabled for your Google Cloud Tasks queues, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud Tasks Queues console available at https://console.cloud.google.com/cloudtasks to access the list of Cloud Tasks queues available for the selected GCP project.

04 Click on the name (link) of the queue that you want to configure and select the LOGS tab to access the logging settings available for the selected resource.

05 On the LOGS page, choose ENABLE LOGS to enable logging with Cloud Logging for the selected Cloud Tasks queue. Inside the Enable logs for this queue box, choose ENABLE for confirmation.

06 Repeat steps no. 4 and 5 for each Cloud Tasks queue that you want to configure, available within the selected GCP project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the tasks queues update command (OSX/Linux/UNIX) with the ID of the Cloud Tasks queue that you want to configure as the identifier parameter, to enable logging with Cloud Logging for the selected queue. To enable the logging feature, set the --log-sampling-ratio parameter to a value between 0.0 and 1.0, other than 0.0. With --log-sampling-ratio set to 0.0, no operations are logged:

gcloud tasks queues update projects/cc-web-project-123123/locations/us-central1/queues/cc-app-notification-queue \
	--log-sampling-ratio=1.0

02 The command output should return the update operation status:

Updated queue [us-central1/cc-app-notification-queue].

03 Repeat steps no. 1 and 2 for each Cloud Tasks queue that you want to configure, available in the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date Mar 27, 2025