Ensure organization and folder log sinks include children and have a destination

Google Cloud Remediation

Service-wide fix (recommended): manage org-level or folder-level sinks centrally and export audit and security logs to a dedicated logging project, bucket, SIEM, BigQuery dataset, or Pub/Sub topic.

When to use service-wide remediation

Use the service-wide path when multiple folders or projects need the same forensic logging baseline.

Google Cloud console

1. Open Cloud Logging and switch scope to the organization or folder.
2. Open Logs Router.
3. Create a new sink or update the existing sink.
4. Enable Include logs ingested by children.
5. Point the sink to an approved destination.
6. Grant the sink writer identity permission to write to that destination.

Google Cloud CLI

Create an aggregated sink at organization scope:

gcloud logging sinks create <sink-name> <destination> \
  --organization=<org-id> \
  --include-children \
  --log-filter='<filter>'

Update an existing sink so it includes child resources:

gcloud logging sinks update <sink-name> <destination> \
  --organization=<org-id> \
  --include-children \
  --log-filter='<filter>'

Validate the sink:

gcloud logging sinks describe <sink-name> --organization=<org-id>

Operational notes

• If the sink writes to a destination outside the current project, grant the sink writerIdentity permission on that destination or export will fail.
• If no organization-level or folder-level sink exists yet, create one first instead of only fixing project-level logging.

References

• https://cloud.google.com/logging/docs/export/configure_export_v2
• https://cloud.google.com/logging/docs/export/aggregated_sinks
• https://cloud.google.com/sdk/gcloud/reference/logging/sinks/create
• https://docs.cloud.google.com/sdk/gcloud/reference/logging/sinks/update