This document describes how to configure default resource settings for Logging using the Google Cloud CLI.
Overview
The organization resource is at the highest level of the Google Cloud resource hierarchy. The organization resource is the parent of these child resources: Cloud projects, folders, billing accounts and, regarding Logging, buckets.
You can configure default resource settings for a Google Cloud organization so that the organization and all of its new child resources inherit the following conditions:
- A specific region for _Default and _Required buckets, which lets you control where your logs are stored.
- Disabled _Default sinks.
Before you begin
To get started with configuring default settings for your organization, do the following:
Install and initialize the Google Cloud CLI.
Verify that you have an Identity and Access Management role with the following permissions:
logging.cmekSettings.get
logging.cmekSettings.update
For instructions about managing roles, see Access control with IAM.
Understand the LogBucket formatting requirements, including the supported regions in which you can store your logs.
Specify storage region
Log buckets are the containers in your Cloud projects, billing accounts, folders, and organizations that store and organize your log data. For each Cloud project, billing account, folder, and organization, Logging automatically creates two log buckets: _Required and _Default, which are automatically stored in an unspecified global location.
You can specify a different storage location for the _Required and _Default buckets that are contained by your organization. For a list of the supported storage locations, see Data regionality: Supported regions.
Any default settings that you change apply only to resources that are created after the configuration is complete; the new settings don't apply to resources that already exist in the organization. After you configure the default storage region for an organization, the following happens:
- Existing _Required and _Default buckets in that organization maintain the storage region that was assigned to them at the time they were created.
- For any new Cloud projects, billing accounts, or folders created in the organization after the default region was configured, their _Required and _Default buckets inherit the default storage region.
To specify the storage location for the _Required and _Default buckets contained by your organization and its child resources, use the gcloud alpha logging settings update command and include the --organization and --storage-location flags:
gcloud alpha logging settings update --organization=ORGANIZATION_ID --storage-location=LOCATION
In the preceding command, replace the variables as follows:
- ORGANIZATION_ID refers to the ID of the Google Cloud organization for which you want to apply the default setting. To locate the ID, see Getting the organization ID.
- LOCATION refers to the region in which you want to store the data. For a list of the supported storage locations, see Data regionality: Supported regions.
If you want to see the settings for your organization, including the default storage location, use the gcloud alpha logging settings describe command:
gcloud alpha logging settings describe --organization=ORGANIZATION_ID
After you specify a storage location, you can change it by using the gcloud alpha logging settings update command again and updating the --storage-location flag with a new location:
gcloud alpha logging settings update --organization=ORGANIZATION_ID --storage-location=NEW_LOCATION
Disable the _Default sink
Logging provides a predefined _Default sink for each Cloud project, billing account, folder, and organization resource. Any log that is generated in the resource and that matches the _Default sink's inclusion criteria is routed to and stored in the resource's predefined, correspondingly named _Default bucket.
You can disable all of the organization's _Default sinks to stop logs from being ingested into its _Default buckets. If you stop ingestion into a resource's _Default bucket, the logs that would have been routed to that bucket are excluded from storage in Logging, unless those logs are explicitly included in another user-defined sink for that resource.
To disable the _Default sinks for your organization and any of its child resources, use the gcloud alpha logging settings update command and include the --organization and --disable-default-sink flags:
gcloud alpha logging settings update --organization=ORGANIZATION_ID --disable-default-sink
In the preceding command, replace ORGANIZATION_ID with the ID of the Google Cloud organization for which you want to apply the default setting. To locate the ID, see Getting the organization ID.
The disable-default-sink flag applies only to the _Default sink that routes logs into the _Default bucket.
If you want to see the settings for your organization, including whether the _Default sink is disabled, use the gcloud alpha logging settings describe command:
gcloud alpha logging settings describe --organization=ORGANIZATION_ID
If you want to re-enable the _Default sinks, use the gcloud alpha logging settings update command and include the --no-disable-default-sink flag:
gcloud alpha logging settings update --organization=ORGANIZATION_ID --no-disable-default-sink
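The following is an added example, not part of the original documentation: a small audit of the describe output against an expected storage region and _Default sink state, covering both settings on this page. The function names, the sample JSON, the organization number, and the region values are constructed for illustration; the storageLocation and disableDefaultSink field names are those of the Logging API Settings resource, and adding --format=json to the describe command is assumed.

```python
import json
import subprocess

# Constructed sample of `describe --format=json` output (not real data).
# Field names follow the Logging API Settings resource.
SAMPLE_DESCRIBE_JSON = """
{
  "name": "organizations/123456789012/settings",
  "storageLocation": "europe-west1",
  "disableDefaultSink": true
}
"""


def describe_settings(organization_id):
    """Run the describe command from this page and parse its JSON output."""
    cmd = ["gcloud", "alpha", "logging", "settings", "describe",
           f"--organization={organization_id}", "--format=json"]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def audit_settings(settings, expected_location, allow_disabled_default_sink):
    """Return (severity, message) findings for one organization's settings."""
    findings = []
    location = settings.get("storageLocation")
    if not location:
        # Assumption: an absent field means no default region was configured.
        findings.append(("FAIL", "no default storage location is set"))
    elif location != expected_location:
        findings.append(("FAIL", f"storage location is {location}, "
                                 f"expected {expected_location}"))
    if settings.get("disableDefaultSink", False):
        if not allow_disabled_default_sink:
            findings.append(("FAIL", "_Default sinks are disabled"))
        # Per the page: logs are dropped unless another sink includes them.
        findings.append(("WARN", "confirm a user-defined sink routes the logs "
                                 "that _Default would have stored"))
    # Defaults apply only to resources created after the change.
    findings.append(("INFO", "existing _Required and _Default buckets keep "
                             "their original region"))
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; call describe_settings() live.
    sample = json.loads(SAMPLE_DESCRIBE_JSON)
    for severity, message in audit_settings(sample, "europe-west1", False):
        print(f"{severity}: {message}")
```

To audit a real organization, pass the result of describe_settings("ORGANIZATION_ID") to audit_settings() in place of the sample.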