Configure default resource settings for Cloud Logging
This document describes how to configure default resource settings for Cloud Logging. These settings let you control where new system-created log buckets are created, whether CMEK is required for log buckets, and the configuration of the _Default log sink. You can configure these settings for organizations and folders, and the settings are inherited by child resources. You configure the default resource settings for Cloud Logging by using the Google Cloud CLI.
Overview
The organization resource is at the highest level of the Google Cloud resource hierarchy. The organization resource is the parent of these child resources: Google Cloud projects, folders, billing accounts and, regarding Logging, log buckets.
For organizations and folders, you can configure default resource settings for Cloud Logging. These settings let you specify the location of log buckets, the encryption model, and the configuration of the default log sink. Child resources inherit their parent's default resource settings.
Note: Any default resource settings for Cloud Logging that you change apply only to resources that are created after the configuration is complete; the new settings don't apply to resources that already exist.
You can use default resource settings for Cloud Logging to configure the following:
- Whether or not new log buckets in a resource are to be encrypted with a customer-managed key, and if so, the Cloud KMS key to use for encryption.
  Note: If default resource settings for Cloud Logging have a CMEK setting, then the default resource settings must also set the storage location.
- The storage location for new _Default and _Required log buckets created by child resources, and for queries saved by the Logs Explorer or Log Analytics pages. By setting the storage location, you can control where your logs are stored.
  If a resource has default resource settings for Cloud Logging that specify a storage location but don't have a CMEK setting, then new log buckets in the resource don't require CMEK.
- Whether the _Default log sink is enabled or disabled for new projects in the resource.
- The inclusion filters or exclusion filters that are applied to all new _Default sinks in the child resources.
Example configurations:
- For an organization, the default resource settings for Cloud Logging specify a storage location. For new projects in the organization, the _Default and _Required log buckets are created in the specified location. Also, queries saved by Logs Explorer or Log Analytics pages are stored in the specified location. These queries include the recent queries that are automatically saved after being run, and queries saved by members of the Google Cloud project.
- For an organization, the default resource settings for Cloud Logging specify a storage location. Additionally, for a folder in the organization, the default resource settings for Cloud Logging specify a different storage location. For new projects that are in the folder, the _Default and _Required buckets are created in the location specified by the folder's settings. For projects that aren't in the folder, their _Default and _Required buckets are created in the location specified by the organization's settings.
- For an organization, you configure the default resource settings for Cloud Logging to specify a location and CMEK. For the folder named Non-CMEK, you configure the default resource settings for Cloud Logging to only specify a location. If you create a project that isn't in the folder named Non-CMEK, then the _Default and _Required buckets are created in the same location as the Cloud Key Management Service key, and these log buckets are encrypted by that key. However, if you create a new project in the folder named Non-CMEK, their log buckets are created in the locations specified by that folder's setting, and those log buckets aren't encrypted by CMEK.
- For an organization, you configure the default resource settings for Cloud Logging to apply an exclusion filter that applies to new _Default sinks. The filter excludes Data Access audit logs from being routed through the _Default sink in all child resources, which prevents the Data Access audit logs from being stored in the _Default bucket.
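The inheritance in the example configurations above can be checked mechanically. The following is an added example, not Google's code: it assumes, as the Non-CMEK folder example describes, that a new project takes all of its settings from the nearest ancestor that has settings, and every resource name and the key name are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Settings:
    storage_location: Optional[str] = None
    kms_key_name: Optional[str] = None  # None: no CMEK setting

# Constructed hierarchy (child -> parent) and constructed settings.
PARENT = {
    "projects/app-a": "folders/non-cmek",
    "projects/app-b": "folders/plain",
    "folders/non-cmek": "organizations/1",
    "folders/plain": "organizations/1",
}
KEY = "projects/kms-proj/locations/europe-west1/keyRings/logs/cryptoKeys/k1"
SETTINGS = {
    "organizations/1": Settings("europe-west1", KEY),
    "folders/non-cmek": Settings("us-central1"),
}

def inherited(resource):
    """Return (source, settings) that a new resource at this place would get."""
    node = PARENT.get(resource)
    while node is not None:
        if node in SETTINGS:
            return node, SETTINGS[node]
        node = PARENT.get(node)
    return None, Settings("global")  # no settings anywhere: global, no CMEK

def problems(s):
    """Check the two CMEK rules the page states for one settings object."""
    if not s.kms_key_name:
        return []
    if not s.storage_location:
        return ["CMEK setting without a storage location"]
    key_location = s.kms_key_name.split("/")[3]
    if key_location != s.storage_location:
        return [f"location {s.storage_location} != key location {key_location}"]
    return []

def cmek_gaps():
    """Folders whose own settings drop the CMEK requirement set above them."""
    return [n for n, s in SETTINGS.items()
            if inherited(n)[1].kms_key_name and not s.kms_key_name]
```

Running `cmek_gaps()` over an export of your own folder settings lists the folders where new projects are created without the organization's key.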
Before you begin
This document doesn't contain information about how to configure the default resource settings for Cloud Logging to have a CMEK setting. For information about that topic, see Configure CMEK for Logging.
Do the following:
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Ensure that your Identity and Access Management role on the organization or folder includes the following Cloud Logging permissions:
- logging.settings.get
- logging.settings.update
Identify the location where you want to store your logs and queries. For a list of the supported storage locations, see Supported regions.
View default resource settings for Cloud Logging
To view the default resource settings for Cloud Logging, use the gcloud logging settings describe command:
FOLDER
gcloud logging settings describe --folder=FOLDER_ID
Before running the previous command, make the following replacement:
- FOLDER_ID: The unique numeric identifier of the folder. For information about using folders, see Creating and managing folders.
ORGANIZATION
gcloud logging settings describe --organization=ORGANIZATION_ID
Before running the previous command, make the following replacement:
- ORGANIZATION_ID: The unique numeric identifier of the organization. For information about getting this identifier, see Getting your organization ID.
The previous command returns information about the default resource settings for Cloud Logging. The following is an example response:
name: organizations/ORGANIZATION_ID/settings
kmsKeyName: KMS_KEY_NAME
kmsServiceAccountId: SERVICE_ACCT_NAME@gcp-sa-logging.iam.gserviceaccount.com
storageLocation: europe-west1
disableDefaultSink: false
The value of the SERVICE_ACCT_NAME might have the format cmek-12345 or service-12345@....
If you can't use the Google Cloud CLI, then run the Cloud Logging API method getSettings.
Set the storage location
Note: If the default resource settings for Cloud Logging specify a location and have a CMEK setting, then the location you specify must match the location of the Cloud KMS key. For more information, see Configure CMEK as a default resource settings for Cloud Logging.
Log buckets are the containers in your Google Cloud projects, billing accounts, folders, and organizations that store and organize your log data. For each Google Cloud project, billing account, folder, and organization, Logging automatically creates two log buckets: _Required and _Default, which are automatically stored in the global location.
For organizations and folders, the default resource settings for Cloud Logging control where new _Required and _Default log buckets are created, and where queries that you run in the Logs Explorer and Log Analytics pages are stored. The locations of existing queries and log buckets aren't changed.
For organizations and folders, the following occurs when you configure the default resource settings for Cloud Logging to specify a location:
- For new child resources created in the organization or folder, their _Required and _Default buckets inherit their parent's default resource settings.
- The setting specifies the storage location for new and recent queries that you run in the Logs Explorer or Log Analytics pages.
When the default resource settings for Cloud Logging specify a location, that location doesn't apply to user-defined log buckets or to queries saved by using the Logging API.
Configure the organization policies
Note: You aren't required to configure an organization policy when you want to configure default resource settings for Cloud Logging.
For information about organization policies and how to configure them, see Introduction to the Organization Policy Service.
Logging supports organization policies that can restrict where data can be stored. If such a policy exists for your organization, then you can only create log buckets in locations that are allowed by the policy.
When an organization policy that specifies a location constraint exists, the policy values for the constraint must include the location specified in the default resource settings for Cloud Logging. Before you update default resource settings for Cloud Logging, review and, if necessary, update organization policies.
To view or update organization policies, do the following:
In the Google Cloud console, go to the Organization Policies page:
If you use the search bar to find this page, then select the result whose subheading is IAM & Admin.
Select your organization.
View, and if necessary, update the constraint with the ID constraints/gcp.resourceLocations. If this constraint isn't configured, then an update isn't required.
For information about how to view specific constraints and how to edit these constraints, see Creating and editing policies.
Set the storage location for new system-created log buckets
Note: If your default resource settings for Cloud Logging have a CMEK setting, then you must also set a storage location. That location must match the location of the Cloud Key Management Service key.
To configure the default resource settings for Cloud Logging to specify a location setting, run the gcloud logging settings update command and include the --storage-location flag:
FOLDER
gcloud logging settings update --folder=FOLDER_ID --storage-location=LOCATION
Before running the previous command, make the following replacements:
- FOLDER_ID: The unique numeric identifier of the folder. For information about using folders, see Creating and managing folders.
- LOCATION: The location where new _Default and _Required log buckets are created, and where queries are stored. For a list of supported locations, see Supported regions.
ORGANIZATION
gcloud logging settings update --organization=ORGANIZATION_ID --storage-location=LOCATION
Before running the previous command, make the following replacements:
- ORGANIZATION_ID: The unique numeric identifier of the organization. For information about getting this identifier, see Getting your organization ID.
- LOCATION: The location where new _Default and _Required log buckets are created, and where queries are stored. For a list of supported locations, see Supported regions.
If you can't use the Google Cloud CLI, then run the Cloud Logging API method updateSettings.
For information about resolving errors, see Troubleshoot setting the location for new system-created log buckets.
Configure the _Default sink
Logging provides a predefined _Default sink for each Google Cloud project, billing account, folder, and organization resource. Any log that is generated in the resource that matches the inclusion filter and that isn't excluded, is routed to the resource's predefined, correspondingly named _Default bucket.
For organizations and folders, the default resource settings for Cloud Logging let you configure the following behavior of the _Default sink:
- You can disable the creation of a _Default sink for new child resources.
- You can configure an inclusion filter or several exclusion filters that apply to the _Default sinks of new projects.
Disable the _Default sink
You can disable the _Default sinks for all new resources in an organization or folder; disabling the _Default sinks prevents logs from being stored in the resource's _Default bucket.
If you stop storing logs in a resource's _Default bucket, then the logs that would have been routed to that bucket are excluded from storage in Logging, unless those logs are explicitly included in another user-defined sink for that resource.
To disable the _Default sinks for a resource and any of its child resources, run the following gcloud logging settings update command:
FOLDER
gcloud logging settings update --folder=FOLDER_ID --disable-default-sink
Before running the previous command, make the following replacement:
- FOLDER_ID: The unique numeric identifier of the folder. For information about using folders, see Creating and managing folders.
ORGANIZATION
gcloud logging settings update --organization=ORGANIZATION_ID --disable-default-sink
Before running the previous command, make the following replacement:
- ORGANIZATION_ID: The unique numeric identifier of the organization. For information about getting this identifier, see Getting your organization ID.
The disable-default-sink flag applies only to the _Default sink that routes logs into the _Default bucket.
You can re-enable the _Default sinks by running the following gcloud logging settings update command:
FOLDER
gcloud logging settings update --folder=FOLDER_ID --no-disable-default-sink
ORGANIZATION
gcloud logging settings update --organization=ORGANIZATION_ID --no-disable-default-sink
Configure the filters of _Default sinks
Note: Default resource settings for Cloud Logging apply only to newly created resources. You can't use the process documented in this section to configure the filter of an existing _Default sink.
The predefined _Default sink routes any log entries that match the sink criteria to the corresponding _Default bucket. You can send a Cloud Logging API command to override the built-in inclusion filter in the _Default sink or to append a filter. The built-in exclusion filter for the _Default sink is empty. However, the API command also lets you add exclusion filters.
_Default log sink to be listed on the Logs Router page, then you must specify a name for each exclusion filter. If you omit the name field, then you must use the Cloud Logging API or the Google Cloud CLI to view the details of the sink. In the following example, the exclusion filter is named exclude-data-access.
To specify an inclusion filter or exclusion filter that is applied to all _Default sinks of new resources in an organization or folder, run the Cloud Logging API method updateSettings and specify the defaultSinkConfig object.
You can execute the updateSettings method by using the APIs Explorer widget on the method's reference page. The following example illustrates sample parameters:
- name (URL): organizations/ORGANIZATION_ID/settings
- updateMask: "default_sink_config"
- Request body, which contains an instance of Settings:

{
  "defaultSinkConfig": {
    "filter": "NOT LOG_ID(\"externalaudit.googleapis.com/activity\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"externalaudit.googleapis.com/system_event\") AND NOT LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") AND NOT LOG_ID(\"externalaudit.googleapis.com/access_transparency\")",
    "exclusions": [
      {
        "name": "exclude-data-access",
        "description": "Prevents Data Access audit logs from being routed",
        "filter": "log_id(\"cloudaudit.googleapis.com/data_access\")"
      }
    ],
    "mode": "OVERWRITE"
  }
}
The built-in inclusion filter for the _Default sink includes the statement AND NOT LOG_ID("externalaudit.googleapis.com/activity"), which prevents Admin Activity audit logs from being routed to the _Default log bucket. In the previous example, the inclusion filter is changed so that Admin Activity audit logs are routed to the _Default log bucket. The example also adds an exclusion filter that prevents Data Access audit logs from being routed to the _Default bucket. In the previous example, the exclusion filter is named exclude-data-access.
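Before applying a defaultSinkConfig to every new project, it helps to confirm which audit logs it keeps and which it drops. The following is an added example, not Google's code and not part of the original page: it evaluates only the AND-joined [NOT] LOG_ID("...") terms used in the request body above, not the full Logging query language, and the function names are hypothetical.

```python
import re

# Request body from the example above, with the filter as one string.
DEFAULT_SINK_CONFIG = {
    "filter": (
        'NOT LOG_ID("externalaudit.googleapis.com/activity") '
        'AND NOT LOG_ID("cloudaudit.googleapis.com/system_event") '
        'AND NOT LOG_ID("externalaudit.googleapis.com/system_event") '
        'AND NOT LOG_ID("cloudaudit.googleapis.com/access_transparency") '
        'AND NOT LOG_ID("externalaudit.googleapis.com/access_transparency")'
    ),
    "exclusions": [{
        "name": "exclude-data-access",
        "filter": 'log_id("cloudaudit.googleapis.com/data_access")',
    }],
    "mode": "OVERWRITE",
}

# One term of the supported subset: [NOT] LOG_ID("<log id>")
TERM = re.compile(r'\s*(NOT\s+)?LOG_ID\("([^"]+)"\)\s*', re.IGNORECASE)

def parse(filter_text):
    """Split an AND-joined filter into (negated, log_id) pairs."""
    terms = []
    for part in re.split(r"\bAND\b", filter_text):
        m = TERM.fullmatch(part)
        if m is None:
            raise ValueError(f"term outside the supported subset: {part!r}")
        terms.append((bool(m.group(1)), m.group(2)))
    return terms

def matches(filter_text, log_id):
    """True when every term of the filter holds for this log ID."""
    return all((lid == log_id) != negated for negated, lid in parse(filter_text))

def route(config, log_id):
    """Return (stored_in_default_bucket, reason_if_dropped)."""
    if not matches(config["filter"], log_id):
        return False, "inclusion filter"
    for exclusion in config["exclusions"]:
        if matches(exclusion["filter"], log_id):
            return False, exclusion["name"]
    return True, None

if __name__ == "__main__":
    for lid in ("cloudaudit.googleapis.com/activity",
                "cloudaudit.googleapis.com/data_access",
                "cloudaudit.googleapis.com/system_event"):
        print(lid, route(DEFAULT_SINK_CONFIG, lid))
```

The second element of the result names what dropped the log, so a reviewer can tell an exclusion filter apart from the inclusion filter.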
Troubleshoot configuration errors
For troubleshooting information, see Troubleshoot CMEK and default resource settings for Cloud Logging.
Last updated 2026-02-19 UTC.