Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

automateyournetwork/gcp-cloud-logging

Name: gcp-cloud-logging
Author: automateyournetwork

workspace/skills/gcp-cloud-logging/SKILL.md

npx skillsauth add automateyournetwork/netclaw gcp-cloud-logging

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GCP Cloud Logging

MCP Server

Endpoint: https://logging.googleapis.com/mcp (Streamable HTTP)
Auth: OAuth 2.0 via Google IAM — service account key (GOOGLE_APPLICATION_CREDENTIALS) or gcloud auth application-default login
Requires: GCP_PROJECT_ID environment variable

Available Tools (6)

| Tool | What It Does | |------|-------------| | list_log_entries | Search and retrieve log entries — the primary tool for debugging, error hunting, and audit | | list_log_names | Discover what logs exist in a project — find available log sources | | get_bucket | Get details of a specific log bucket (storage container for logs) | | list_buckets | List all log buckets in a project | | get_view | Get a specific log view (fine-grained access filter on a bucket) | | list_views | List log views in a bucket |

Workflow: VPC Flow Log Analysis

When investigating GCP network traffic:

Discover logs: list_log_names — find compute.googleapis.com/vpc_flows
Query flow logs: list_log_entries filtered by:
- Source/destination IP
- Port and protocol
- Action (ALLOWED/DENIED)
- Time range
Denied traffic: Filter for reporter="DEST" and denied connections
Top talkers: Aggregate by source/destination IP and bytes
Cross-reference: Use gcp-cloud-monitoring for network metrics during the same period
Report: Traffic analysis with security findings

Workflow: Firewall Log Investigation

When investigating GCP firewall rule activity:

Discover logs: list_log_names — find compute.googleapis.com/firewall
Query firewall logs: list_log_entries filtered by:
- Rule name
- Action (ALLOWED/DENIED)
- Source/destination IP
- Port
Denied connections: Find blocked traffic patterns
Rule effectiveness: Which rules are hitting most frequently?
Report: Firewall activity summary with recommendations

Workflow: Audit Trail Investigation

When investigating GCP API activity (equivalent of AWS CloudTrail):

Admin activity logs: list_log_entries for cloudaudit.googleapis.com/activity — who created/modified/deleted resources?
Data access logs: list_log_entries for cloudaudit.googleapis.com/data_access — who read what?
Filter by principal: Narrow to specific user or service account
Filter by method: Narrow to specific API calls (e.g., compute.instances.delete)
Time window: Focus on the incident period
Report: Audit timeline with responsible principals and actions

Workflow: Troubleshooting with Logs

When debugging a GCP issue:

Application logs: list_log_entries for the affected service
Error filtering: Filter by severity (ERROR, CRITICAL, EMERGENCY)
Instance logs: Filter by resource.labels.instance_id for specific VMs
Correlate: Match timestamps with gcp-cloud-monitoring alert violations
Bucket check: list_buckets to verify log retention settings
Report: Root cause analysis with log evidence

Common GCP Log Sources

| Log Name | What It Contains | |----------|-----------------| | compute.googleapis.com/vpc_flows | VPC flow logs — source/dest IP, port, bytes, packets, action | | compute.googleapis.com/firewall | Firewall rule hits — allowed/denied connections with rule name | | cloudaudit.googleapis.com/activity | Admin activity audit — resource create/modify/delete events | | cloudaudit.googleapis.com/data_access | Data access audit — read operations on resources | | cloudaudit.googleapis.com/system_event | System events — Google-initiated actions (live migration, etc.) | | compute.googleapis.com/shielded_vm_integrity | Shielded VM boot integrity verification | | dns.googleapis.com/dns_queries | Cloud DNS query logs | | loadbalancing.googleapis.com/requests | Load balancer access logs | | networksecurity.googleapis.com/firewall_threat | Cloud IDS / Firewall threat detection |

Log Query Filter Examples

# VPC flow logs — denied traffic to port 443
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=443

# Firewall — denied SSH attempts
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=22

# Audit — who deleted VMs in the last hour
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="compute.instances.delete"
timestamp>="2026-01-01T00:00:00Z"

# DNS queries from specific source
resource.type="dns_query"
jsonPayload.sourceIP="10.0.1.50"

Important Rules

Remote MCP server — hosted by Google, no local install needed
OAuth 2.0 authentication — uses IAM for access control
Project-scoped — logs are scoped to the configured GCP project
Log queries have cost implications — Cloud Logging charges for data scanned beyond free tier (50 GB/month free)
Retention varies — Admin activity logs: 400 days, Data access logs: 30 days (default), VPC flow logs: depends on bucket config
Record in GAIT — log all investigations for audit trail

Environment Variables

GCP_PROJECT_ID — Google Cloud project ID
GOOGLE_APPLICATION_CREDENTIALS — Path to service account key JSON file

automateyournetwork/gcp-cloud-logging

workspace/skills/gcp-cloud-logging/SKILL.md

Google Cloud Logging — log search, VPC flow logs, firewall logs, audit logs, log buckets and views. Use when searching GCP logs, investigating denied VPC flow traffic, checking who deleted a VM, analyzing firewall rule hits, or troubleshooting a GCP application error.

433 stars

development

Updated Apr 20, 2026

$ install --global

skillsauth

npx skillsauth add automateyournetwork/netclaw gcp-cloud-logging

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 20, 2026, 3:29 AM5.0s1 file scanned

SKILL.md

name:: gcp-cloud-logging
description:: Google Cloud Logging — log search, VPC flow logs, firewall logs, audit logs, log buckets and views. Use when searching GCP logs, investigating denied VPC flow traffic, checking who deleted a VM, analyzing firewall rule hits, or troubleshooting a GCP application error.
version:: 1.0.0
license:: Apache-2.0
tags:: [gcp, cloud-logging, logs, flow-logs, audit, firewall-logs]

GCP Cloud Logging

MCP Server

Endpoint: https://logging.googleapis.com/mcp (Streamable HTTP)
Auth: OAuth 2.0 via Google IAM — service account key (GOOGLE_APPLICATION_CREDENTIALS) or gcloud auth application-default login
Requires: GCP_PROJECT_ID environment variable

Available Tools (6)

Workflow: VPC Flow Log Analysis

When investigating GCP network traffic:

Discover logs: list_log_names — find compute.googleapis.com/vpc_flows
Query flow logs: list_log_entries filtered by:
- Source/destination IP
- Port and protocol
- Action (ALLOWED/DENIED)
- Time range
Denied traffic: Filter for reporter="DEST" and denied connections
Top talkers: Aggregate by source/destination IP and bytes
Cross-reference: Use gcp-cloud-monitoring for network metrics during the same period
Report: Traffic analysis with security findings

Workflow: Firewall Log Investigation

When investigating GCP firewall rule activity:

Discover logs: list_log_names — find compute.googleapis.com/firewall
Query firewall logs: list_log_entries filtered by:
- Rule name
- Action (ALLOWED/DENIED)
- Source/destination IP
- Port
Denied connections: Find blocked traffic patterns
Rule effectiveness: Which rules are hitting most frequently?
Report: Firewall activity summary with recommendations

Workflow: Audit Trail Investigation

When investigating GCP API activity (equivalent of AWS CloudTrail):

Admin activity logs: list_log_entries for cloudaudit.googleapis.com/activity — who created/modified/deleted resources?
Data access logs: list_log_entries for cloudaudit.googleapis.com/data_access — who read what?
Filter by principal: Narrow to specific user or service account
Filter by method: Narrow to specific API calls (e.g., compute.instances.delete)
Time window: Focus on the incident period
Report: Audit timeline with responsible principals and actions

Workflow: Troubleshooting with Logs

When debugging a GCP issue:

Application logs: list_log_entries for the affected service
Error filtering: Filter by severity (ERROR, CRITICAL, EMERGENCY)
Instance logs: Filter by resource.labels.instance_id for specific VMs
Correlate: Match timestamps with gcp-cloud-monitoring alert violations
Bucket check: list_buckets to verify log retention settings
Report: Root cause analysis with log evidence

Common GCP Log Sources

Log Query Filter Examples

# VPC flow logs — denied traffic to port 443
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Fvpc_flows"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=443

# Firewall — denied SSH attempts
resource.type="gce_subnetwork"
logName="projects/PROJECT/logs/compute.googleapis.com%2Ffirewall"
jsonPayload.disposition="DENIED"
jsonPayload.connection.dest_port=22

# Audit — who deleted VMs in the last hour
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="compute.instances.delete"
timestamp>="2026-01-01T00:00:00Z"

# DNS queries from specific source
resource.type="dns_query"
jsonPayload.sourceIP="10.0.1.50"

Important Rules

Remote MCP server — hosted by Google, no local install needed
OAuth 2.0 authentication — uses IAM for access control
Project-scoped — logs are scoped to the configured GCP project
Log queries have cost implications — Cloud Logging charges for data scanned beyond free tier (50 GB/month free)
Retention varies — Admin activity logs: 400 days, Data access logs: 30 days (default), VPC flow logs: depends on bucket config
Record in GAIT — log all investigations for audit trail

Environment Variables

GCP_PROJECT_ID — Google Cloud project ID
GOOGLE_APPLICATION_CREDENTIALS — Path to service account key JSON file

Related Skills

automateyournetwork/humanrail-escalation

testing

VerifiedTrustedCommunity

Human-in-the-loop escalation via HumanRail — route low-confidence agent decisions, pre-destructive operation approvals, and ambiguous incident tickets to real human engineers. Human answers are verified and returned as structured output. Workers are paid via Lightning Network. Use when the agent is uncertain, when a destructive change needs explicit human sign-off beyond a ServiceNow CR, or when an ambiguous ticket requires human triage before automated handling.

491SKILL.mdUpdated May 12, 2026

automateyournetwork/humanrail-escalation

automateyournetwork/eve-ng-node-operations

testing

VerifiedTrustedCommunity

Manage EVE-NG node lifecycle. Use when listing nodes, checking runtime state, creating or deleting nodes, starting or stopping nodes or whole labs, verifying node details, or wiping node NVRAM back to factory defaults.

491SKILL.mdUpdated May 12, 2026

automateyournetwork/eve-ng-node-operations

automateyournetwork/eve-ng-lab-management

development

VerifiedTrustedCommunity

Manage EVE-NG labs and platform inventory. Use when listing labs, checking lab metadata, creating or deleting labs, importing or exporting lab archives, checking EVE-NG health or auth, or verifying available node images before build work.

491SKILL.mdUpdated May 12, 2026

automateyournetwork/eve-ng-lab-management

automateyournetwork/eve-ng-console-ops

tools

VerifiedTrustedCommunity

Execute live CLI commands on running EVE-NG nodes over telnet console. Use when running show commands, making live config changes, verifying protocol state, testing connectivity, checking console readiness, or interacting with IOS, Junos, VPCS, EOS, or NX-OS nodes.

491SKILL.mdUpdated May 12, 2026

automateyournetwork/eve-ng-console-ops

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/automateyournetwork/netclaw.git

# Copy into Claude Code skills folder (global)
cp -r netclaw/workspace/skills/gcp-cloud-logging ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

automateyournetwork/netclaw

433 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT