This page describes the Logs Router in Stackdriver Logging.
How Stackdriver routes logs
In Stackdriver Logging, all logs, including audit logs, platform logs, and user logs, are sent to the Stackdriver Logging API where they pass through the Logs Router. The Logs Router checks each log entry against existing rules to determine which log entries to discard, which log entries to ingest (store) in Stackdriver Logging, and which log entries to include in exports.
The routing of log entries is illustrated in the following figure:
Each log entry that is received by Stackdriver Logging is compared against the exclusion filters and the inclusion filters. These comparisons are independent:
To determine if a log entry is exported to a destination, the log entry is compared to the log sink query of an inclusion filter. When a match occurs, the log entry is exported to the sink destination. A log entry might match multiple inclusion filters.
To determine if a log entry is discarded or saved in Stackdriver Logging storage, the log entry is compared to the exclusion filters. If it matches any exclusion filter, the log entry is discarded. Otherwise, the log entry is saved in Stackdriver Logging storage.
Logging supports three export destinations: BigQuery, Pub/Sub, and Cloud Storage. Exports can be set up at the Google Cloud project level, or at the organization or folder levels using aggregated exports.
To reliably export logs to Cloud Storage, the Logs Router also stores the logs temporarily, which buffers against temporary disruptions on any log sink. Note that the Logs Router's temporary storage is distinct from the longer term storage provided for included log entries.
You can enable customer-managed encryption keys (CMEK) for the Logs Router to help meet your organization's compliance needs. For details, go to Enabling customer-managed encryption keys for Logs Router.