1

I'm trying to export Google Cloud Organization's logs to the _Default log bucket from another project. It seems impossible right now. There's not a single clue or error telling me why. What I've tried so far is to:

  • Export to pub/sub topic
  • Export to custom GCS bucket
  • Export to _Default logging bucket from another project. // THIS is the case I'd lake to work on.
  • Export to custom logging bucket from another project.

The same behavior is observed in all those cases: no logs are exported at all.

I'm using Terraform for this task and everything seems fine in configurations. I'm giving also the correct IAM permissinons to the service account writer identity:

org-logs-role = {
  members = [
    google_logging_organization_sink.organization_sink.writer_identity
  ],
  role_id = "roles/logging.bucketWriter"
}

And the sink code is:

resource "google_logging_organization_sink" "organization_sink" {
  name = "gbl-snk-${var.project}-${var.environment}-3-gcp"
  destination = "logging.googleapis.com/projects/${var.project}/locations/global/buckets/_Default"
  org_id = local.organization_id
  include_children = true
  filter = "protoPayload.serviceName=\"admin.googleapis.com\" OR protoPayload.serviceName=\"cloudidentity.googleapis.com\" OR protoPayload.serviceName=\"login.googleapis.com\" OR protoPayload.serviceName=\"iam.googleapis.com\""
}

When listing the sink, it shows up in the organization, but no logs are arriving to the _Default bucket (I'm hiding the project real name)

gcloud logging sinks list --organization={organization_id}

NAME                            DESTINATION                                                                           FILTER
gbl-snk-{project}-global-3-gcp  logging.googleapis.com/projects/{project}/locations/global/buckets/_Default           protoPayload.serviceName="admin.googleapis.com" OR protoPayload.serviceName="cloudidentity.googleapis.com" OR protoPayload.serviceName="login.googleapis.com" OR protoPayload.serviceName="iam.googleapis.com"

What am I doing wrong? I can see the logs in the Organization's Logging console, but they are not arriving to the {project} _Default bucket.

P.S.: I tried to copy/paste (just in case) this code (changing the bucket name and the org. id, of course) and the same happens. No errors, but no logs in the destination bucket. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink

The kind of logs I want to see are events like CreateUser or DeleteUser, from the filters specified.

Any help will be welcome.

I'd like to state that his is not (in my opinion) a duplicate of: Google Cloud Logs not exporting to storage

Because everything's right and no errors arise at all.

cabreracanal
  • 924
  • 1
  • 14
  • 36

1 Answers1

2

I guess it's a write permission issue. Can you perform this command

gcloud logging describe gbl-snk-{project}-global-3-gcp --organization={organization_id}

In the result, get the writerIdentity service account value. Go to your target project, in the IAM page grant it as Logs Writer or Logs Bucket Writer (see the difference here).

It should work better then.

In Terraform, you can get the writer Identity like that

google_logging_organization_sink.organization_sink.writer_identity
guillaume blaquiere
  • 66,369
  • 2
  • 47
  • 76
  • Assigning the role logging.logWriter made it all work! It is explained in the link you provided. I'm adding the anchor: https://cloud.google.com/logging/docs/buckets#writing. I don't know why I didn't see this initially. Both Logs Writer and Logs Bucket Writer roles seem to be needed. Thank you very much, Guillaume. – cabreracanal Apr 24 '21 at 06:12