For Cloud Platform to forward your logs to your destination service, you must have already installed a valid SSL certificate. When troubleshooting your SSL certificate, review the following SSL certificate issues and any returned HTTP response codes to address the most common problems with log forwarding:
Certificate expiration date: The certificate’s expiration must be set to a date at least one month in the future.
Valid public key: Confirm that you have provided the correct public key for the SSL certificate that you have uploaded to the log forwarding service.
Matching SSL certificates: Confirm the CA certificate you uploaded to the log forwarding destination infrastructure was signed with the same public key you uploaded to Cloud Platform.
Certificate order: If you are using bundled certificates, ensure the certificates in the chain are in the order they were generated. Your infrastructure’s certificate should be the first in the chain, and the final certificate in the chain should be the CA certificate for the signing authority. For more information, see About SSL certificates and chain certificates.
Private key: The private key and certificate signing request (CSR) must be generated on the infrastructure on which you are installing the certificate for the certificate to install correctly. If the private key has been lost, the certificate must be reissued with a new CSR.
Before you try to set up log forwarding:
Check if the destination is supported.
Ensure that there is no firewall that is blocking the flow of logs.
Log forwarding response codes
After uploading your certificate to the log forwarding service, Cloud Platform attempts to evaluate the connection, and returns an error message if it can’t. The details for each of the following response codes can help you diagnose problems with your log forwarding configuration:
Response code | Error | Description |
|---|---|---|
200 | (None) | The log forwarding service connected with the remote infrastructure. |
301 | SSL connection error | Cloud Platform couldn’t establish a SSL connection with the log forwarding service. The error message should contain a stack trace. |
302 | SSL verification error | SSL verification failed, the SSL certificate is invalid, or SSL is not
accepted by the infrastructure. For more information, see the
Diagnostics section
of the |
303 | Invalid key | The SSL certificate wasn’t signed with the same key as the infrastructure’s SSL certificate. |
401 | Connection timed out | The destination infrastructure hasn’t responded after a pre-determined period of time. The error message does not include information regarding the cause of the time out. |
402 | Connection refused | The remote infrastructure being accessed isn’t configured to listen at the requested port, or has a firewall installed that’s rejecting the connection request initiated from Cloud Platform. |
403 | Connection aborted | The client sent a TCP Reset ( |
404 | Connection reset | The destination infrastructure abruptly closed its end of the connection. Review the infrastructure logs on the destination infrastructure for application protocol errors and traffic spikes. |
405 | Socket error | Communication between the Cloud Platform and destination infrastructure was blocked (such as by antivirus software or a firewall), a previously established network connection is terminated, or the destination infrastructure crashed or rebooted. |
406 | Host unreachable | The log forwarding client cannot connect to the specified host. It might be that the host is on a private network. |
407 | Peer verification failed, please check the destination certificate chain matches the infrastructure certificate chain | The log forwarding client can’t verify the infrastructure’s identity.
Certificates are incorrect or missing. Use
Make sure you’ve included in the log forwarding destination’s certificate field all the CA certificates from the chain in the listed depth order (biggest depth is last). |
500 | Unknown | An error not matching any of the previously described conditions has occurred. |