Cyscale
Back to controls

Ensure sinks are configured for all Log entries

It is recommended to create a sink that will export copies of all the log entries. This can

Category

Controls

Low

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).

Rationale

Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Remediation guidance

From Console

  1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.

  2. Click on the arrow symbol with CREATE SINK text.

  3. Fill out the fields for Sink details.

  4. Choose Cloud Logging bucket in the Select sink destination drop down menu.

  5. Choose a log bucket in the next drop down menu.

  6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.

  7. Click Create Sink

For more information, see https://cloud.google.com/logging/docs/export/configure_export_v2#dest-create.

Using Command-Line

To create a sink to export all log entries in Google Cloud Storage bucket:

gcloud logging sinks create <sink-name> storage.googleapis.com/<destination_bucket-name>

Sinks can be created for a folder or organization, which will include all projects:

gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --
folder=FOLDER_ID | --organization=ORGANIZATION_ID

Note

  1. . A sink created by the command-line above will export logs in storage buckets. However, sinks can be configured to export logs into BigQuery, or Cloud Pub/Sub, or Custom Destination.
  2. While creating a sink, the sink option --log-filter is not used to ensure the sink exports all log entries.
  3. A sink can be created at a folder or organization level that collects the logs of all the projects underneath bypassing the option --include-children in the gcloud command.

Impact

There are no costs or limitations in Cloud Logging for exporting logs, but the export destinations charge for storing or transmitting the log data.

Default Value

By default, there are no sinks configured.

References

  1. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
  2. https://cloud.google.com/logging/quotas
  3. https://cloud.google.com/logging/docs/routing/overview
  4. https://cloud.google.com/logging/docs/export/using_exported_logs
  5. https://cloud.google.com/logging/docs/export/configure_export_v2
  6. https://cloud.google.com/logging/docs/export/aggregated_exports
  7. https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list

Additional Information

For Command-Line Audit and Remediation, the sink destination of type Cloud Storage Bucket is considered. However, the destination could be configured to Cloud Storage Bucket or BigQuery or Cloud Pub\Sub or Custom Destination. Command Line Interface commands would change accordingly.

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Google Cloud

Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Sinks are configured for all Log entries

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging2{...AssetFragment}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon