I'm trying to export Google Cloud Organization's logs to the _Default log bucket from another project. It seems impossible right now. There's not a single clue or error telling me why. What I've tried so far is to:
The same behavior is observed in all those cases: no logs are exported at all.
I'm using Terraform for this task and everything seems fine in the configuration. I'm also granting the correct IAM permissions to the service account writer identity:
org-logs-role = {
  members = [
    google_logging_organization_sink.organization_sink.writer_identity
  ],
  role_id = "roles/logging.bucketWriter"
}
And the sink code is:
resource "google_logging_organization_sink" "organization_sink" {
  name             = "gbl-snk-${var.project}-${var.environment}-3-gcp"
  destination      = "logging.googleapis.com/projects/${var.project}/locations/global/buckets/_Default"
  org_id           = local.organization_id
  include_children = true
  filter           = "protoPayload.serviceName=\"admin.googleapis.com\" OR protoPayload.serviceName=\"cloudidentity.googleapis.com\" OR protoPayload.serviceName=\"login.googleapis.com\" OR protoPayload.serviceName=\"iam.googleapis.com\""
}
When listing the sinks, it shows up in the organization, but no logs are arriving in the _Default bucket (I'm hiding the project's real name):
gcloud logging sinks list --organization={organization_id}
NAME DESTINATION FILTER
gbl-snk-{project}-global-3-gcp logging.googleapis.com/projects/{project}/locations/global/buckets/_Default protoPayload.serviceName="admin.googleapis.com" OR protoPayload.serviceName="cloudidentity.googleapis.com" OR protoPayload.serviceName="login.googleapis.com" OR protoPayload.serviceName="iam.googleapis.com"
What am I doing wrong? I can see the logs in the Organization's Logging console, but they are not arriving in the {project} _Default bucket.
P.S.: I tried to copy/paste (just in case) this code (changing the bucket name and the org ID, of course) and the same happens. No errors, but no logs in the destination bucket. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink
The kind of logs I want to see are events like CreateUser or DeleteUser, from the filters specified.
Any help will be welcome.
I'd like to state that this is not (in my opinion) a duplicate of: Google Cloud Logs not exporting to storage
Because everything's right and no errors arise at all.
I guess it's a write permission issue. Can you run this command:
gcloud logging sinks describe gbl-snk-{project}-global-3-gcp --organization={organization_id}
In the result, get the writerIdentity service account value. Go to your target project and, on the IAM page, grant it Logs Writer or Logs Bucket Writer (see the difference here).
It should work better then.
In Terraform, you can get the writer identity like this:
google_logging_organization_sink.organization_sink.writer_identity
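The binding the answer describes, written end to end in Terraform as an added example (this is not the poster's code or the answer's code). It creates the organization sink and, in the same configuration, grants the sink's writer identity roles/logging.bucketWriter on the destination project with google_project_iam_member; that is the role Cloud Logging documents for log-bucket destinations. The variable names, sink name and resource names are assumptions.

```hcl
# Added example, not from the original post. Assumed inputs:
variable "organization_id" {
  description = "Numeric organization id, e.g. 123456789012 (assumed)"
  type        = string
}

variable "destination_project" {
  description = "Project id that owns the _Default bucket the logs are routed to (assumed)"
  type        = string
}

locals {
  # Services whose audit logs we want: user/group admin, login and IAM events.
  audited_services = [
    "admin.googleapis.com",
    "cloudidentity.googleapis.com",
    "login.googleapis.com",
    "iam.googleapis.com",
  ]
}

resource "google_logging_organization_sink" "org_admin_audit" {
  name             = "org-admin-audit-sink" # assumed name
  org_id           = var.organization_id
  include_children = true # route matching entries from every folder/project under the org

  # _Default bucket of another project; "global" is the location of _Default.
  destination = "logging.googleapis.com/projects/${var.destination_project}/locations/global/buckets/_Default"

  # Same filter as the question, built from the list so it is easy to extend.
  filter = join(" OR ", [
    for s in local.audited_services : "protoPayload.serviceName=\"${s}\""
  ])
}

# The sink writes with a Google-managed service account that the API returns
# as writer_identity (format "serviceAccount:..."). Creating the sink never
# fails for lack of this grant; the entries are simply dropped on delivery,
# which is why nothing shows up and no error is raised at plan/apply time.
resource "google_project_iam_member" "org_sink_bucket_writer" {
  project = var.destination_project
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.org_admin_audit.writer_identity
}

output "sink_writer_identity" {
  description = "Service account to look for in the destination project's IAM policy"
  value       = google_logging_organization_sink.org_admin_audit.writer_identity
}
```

Because the IAM member references the sink's writer_identity, Terraform orders the two resources correctly. After terraform apply, compare the output with `gcloud logging sinks describe org-admin-audit-sink --organization=ORG_ID` and check the destination project's policy with `gcloud projects get-iam-policy DEST_PROJECT --format=json` for that member under roles/logging.bucketWriter. Entries that matched the filter before the grant existed are not backfilled, so trigger a fresh event (for example a user change) before concluding the sink still does not work.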