You can decide to not store logs in the _Default bucket to route them to a central networking bucket (or multiple buckets for larger organizations).
You can achieve this by performing any of the following:
- Use an aggregated sink configured at the folder or organization level. Optionally, such a sink allows intercept logs to avoid duplication.
- Manually configure sinks in projects to route traffic to specific buckets.
To analyze networking logs in the organization using Log Analytics, we recommend you route them to the central networking bucket before you enable VPC Flow Logs.
- Create a bucket.
- Route logs to the newly created bucket. For more information, see Route logs to supported destinations.
- Collate and route organization-level logs to supported destinations.
- Configure log routing for each project.
- Enable VPC Flow Logs for each resource.
Route logs from the projects to a central bucket
By default, Log Analytics lets you analyze the logs in a single log bucket. To view data from multiple projects, you must create a central log bucket and route logs to this central bucket.
The bucket that is used to store networking logs must be upgraded to support Log Analytics.