This document introduceslog buckets, which are the containers thatCloud Logging uses to store your log data. It provides information aboutlocation, management of the encryption key, and data retention forlog buckets. It also highlights where you can use organization policies ordefault resource settings to control the location and encryption fornew log buckets in folders or organizations.

About log buckets

By default, Cloud Loggingencrypts customer content stored at rest.Data stored in log buckets by Logging is encryptedusing key-encryption keys,a process known asenvelope encryption.Access to your logging data requires access to those key-encryption keys.By default, these are Google-owned and Google-managed encryption keys and they don'trequire any actions on your part.

Your organization might have regulatory, compliance-related, oradvanced encryption requirements that our default encryption at restdoesn't provide. To meet your organization's requirements, instead of usingGoogle-owned and Google-managed encryption keys, you can manage your own keys.

Log buckets are regional resources with a fixed location. Google Cloud managesthat infrastructure so that your applications are available redundantly acrossthe zones within that region.

The retention period for the data stored by a log bucket depends on thelog bucket. This document contains information about data retention.

You can createlog views on a log bucket.Alog view provides access to only a subset of the log data stored in alog bucket. For every log bucket, Cloud Logging automatically createsone log view that provides access to every log entry in the log bucket.You control access to a log view by usingIdentity and Access Management (IAM).

To query and view your log data, use the Logs Explorer or the Log Analyticspages of the Google Cloud console:

• The Logs Explorer page helps you troubleshoot and analyze theperformance of your services and applications. You can view individuallog entries and filter your log data. This interface has a scopesetting, which lets you search for log data by project, log bucket, orlog view.

• The Log Analytics page offers a SQL interface that lets you perform aggregateanalysis on your log data that is stored in alog bucket upgraded to use analytics.For example, use this interface to compute and chart trends. You can querylog views andanalytics views.

To learn more, seeQuery and view log entries.

Support for organizations and folders

To help your organization meet compliance and regulatory needs,Logging supports both organization policies and defaultresource settings:

• Default resource settings specify the location and howencryption keys are managed forsystem-created log bucketswhen new resources are created in a folder or organization. For example,you can force these system-created log buckets to be in a specific location.

• Anorganization policy canrestrict the location of new user-defined log buckets.Logging supports organization policies that specify regionswhere log buckets can, or can't, be created.

System-created log buckets

For each Google Cloud project, billing account, folder, or organization,Cloud Logging creates two log buckets, one named_Required and theother named_Default. Unlessdefault resource settingsare configured, for these log buckets, these buckets haveGoogle-owned and Google-managed encryption keys and Cloud Logging selects theirlocation.

You can't delete the system-created log buckets.

You canupgrade system-created log buckets to use analytics.This upgrade lets you query your log data by using theLog Analytics page,which supports SQL.

_Required log bucket

The_Required log bucket stores log entries that are required for complianceor auditing purposes. For this reason, you can't delete this log bucket and youcan't modify which log entries are stored in this log bucket.Log entries in this log bucket are retained for400 days; you can't change this retention period.

The log entries that are stored in the_Required log bucket for a resourcealso originate in that resource. That is, the_Required log bucket ina Google Cloud project can only store log entries that originate in thatproject.

The_Required log bucket stores the following types of log entries:

• Admin Activity audit logs
• System Event audit logs
• Google Workspace Admin Audit logs
• Enterprise Groups Audit logs
• Login Audit logs

• Access Transparency logs.

_Default log bucket

The_Default log bucket stores log entries that aren't automaticallystored in the_Required log bucket. Because the_Default log bucket issystem created, you can't delete it. However, you canmodify which log entries are stored in this log bucket.

Cloud Logging retains the log entries in the_Default bucket for30 days, unless youconfigure custom retention for thebucket.

For example, this log bucket stores:

• Data Access audit logs.
• Policy Denied audit logs.
• Logs generated by applications and Google Cloud services.

User-defined log buckets

You can createuser-defined log buckets in anyGoogle Cloud project. When you create a user-defined log bucket, youselect the location and set thedata retentionperiod. You have the option to provide a customer-managed encryption key.

You canupgrade user-defined log buckets to use analytics.This upgrade lets you query your log data by using theLog Analytics page,which supports SQL.

You can modify and delete user-defined log buckets. To protect against deletinga log bucket that stores log entries that are within their retention period,you canlock the log bucket against updates.

Control access to a log bucket

IAM permissions and roles control accessto log data. For example, you can do all of the following:

• Grant read and edit access to a log bucket.
• Grant edit access to a log bucket based on group membership byusing tags.
• Control access to specific fields in a log entry byconfiguring field-level access on a log bucket.

• Grant access to a subset of log entries in a log bucket bycreating a log view on that log bucket.

  Every log bucket has adefault log view, which typicallyincludes every log entry in the log bucket. For the_Default log bucket,the default log view excludes data access log entries.

To give a user the permissions they need to view and analyze log entries,typically one of the following IAM roles is granted:

• Logs Viewer (roles/logging.viewer) role: Grants accessto all log entries in the_Required bucket, and access to the defaultlog view on the_Default bucket.

• Private Logs Viewer (roles/logging.privateLogViewer)role: Grants access to all logs in the_Required and_Default buckets,including data access logs.

If you create user-defined log buckets or log views on log buckets, thenadditional permissions are required. For more information about roles, seeAccess control with IAM.

List of supported regions

Log buckets are regional resources. The infrastructure that stores,indexes, and searches your log entries is located in a specific geographicallocation. With the exception of log buckets in theglobal,eu, orusregions, Google Cloud manages the infrastructure so that your applicationsare available redundantly across the zones within the region of the log bucket.

The followingregionsare supported by Cloud Logging:

Global

Note: If you want to choose the storage location for your log data orchoose where your log data is analyzed with Log Analytics, then don't createlog buckets in theglobal location. Instead, either use a regional log bucketor, if you have data in a BigQuery multi-region and want tocolocate your log data, then set the location of your log buckets to theappropriatemulti-region location.

Region name	Region description
global	Logs stored in any data centers in the world. Logs might be moved to different data centers. Unlike other global resources in Google Cloud, global log buckets in Cloud Logging don't provide additional redundancy guarantees compared to a regional log bucket.

Multi-regions: EU and US

Note: If you have data in aBigQuery multi-regionand want to colocate your log data with that other business datathen set the location of your log buckets to the appropriate multi-region.Alternatively, to control the storage location for yourlog data or where your log data is analyzed with Log Analytics,specify that location when you create the log bucket.Don't use theglobal location.

Region name	Region description
eu	Logs stored in any data centers within the European Union. Logs might be moved to different data centers. No additional redundancy guarantees.
us	Logs stored in any data centers within the United States. Logs might be moved to different data centers. No additional redundancy guarantees.

Africa

Region name	Region description
africa-south1	Johannesburg

Americas

Region name	Region description
northamerica-northeast1	Montréal
northamerica-northeast2	Toronto
northamerica-south1	Mexico
southamerica-east1	São Paulo
southamerica-west1	Santiago
us-central1	Iowa
us-east1	South Carolina
us-east4	North Virginia
us-east5	Columbus
us-south1	Dallas
us-west1	Oregon
us-west2	Los Angeles
us-west3	Salt Lake City
us-west4	Las Vegas

Asia Pacific

Region name	Region description
asia-east1	Taiwan
asia-east2	Hong Kong
asia-northeast1	Tokyo
asia-northeast2	Osaka
asia-northeast3	Seoul
asia-south1	Mumbai
asia-south2	Delhi
asia-southeast1	Singapore
asia-southeast2	Jakarta
australia-southeast1	Sydney
australia-southeast2	Melbourne

Europe

Region name	Region description
europe-central2	Warsaw
europe-north1	Finland
europe-north2	Stockholm
europe-southwest1	Madrid
europe-west1	Belgium
europe-west2	London
europe-west3	Frankfurt
europe-west4	Netherlands
europe-west6	Zurich
europe-west8	Milan
europe-west9	Paris
europe-west10	Berlin
europe-west12	Turin

Middle East

Region name	Region description
me-central1	Doha
me-central2	Dammam
me-west1	Tel Aviv

What's next

• Route log data.
• Query and view log entries.
• Configure and manage log buckets.
• Configure default settings for organizations and folders.