This chapter covers Cloud Logging exports and log sinks, a critical topic for the ACE exam (objective 4.1: Ensure successful operation of a Google Cloud environment). Log sinks enable you to route log entries from Cloud Logging to destinations like Cloud Storage, BigQuery, Pub/Sub, or another project for long-term retention, analysis, or real-time processing. Expect 3-5% of exam questions to touch on log sinks, focusing on sink types, filters, destinations, IAM permissions, and common misconfigurations. Mastering this chapter will help you answer questions about log management, compliance, and troubleshooting.
Jump to a section
Imagine a large company with a central mailroom that receives all incoming postal mail. The mailroom sorts every piece of mail, but the company has many departments that need copies of certain types of mail: accounting needs all invoices, legal needs all contracts, and HR needs all employee-related mail. Instead of manually copying each letter, the mailroom sets up forwarding rules. Each rule specifies a filter (e.g., 'if the envelope says 'Invoice' on it, send a copy to accounting') and a destination (e.g., accounting's mailbox). The mailroom doesn't stop delivering the original mail to the recipient; it just makes a copy and sends it to the forwarding address. If accounting wants to stop receiving invoices, the rule is deleted. If a new department needs mail, a new rule is added. The mailroom can forward to multiple destinations, and each destination can be internal (another department) or external (a different company's mailroom, like an auditor). The forwarding rules are independent — deleting one doesn't affect others. In Cloud Logging, log sinks work exactly like these forwarding rules: they take a subset of log entries (based on a filter), copy them, and route the copies to a destination (like Cloud Storage, BigQuery, Pub/Sub, or another project). The original logs remain in Cloud Logging. Each sink is independent, and you can have up to 200 sinks per project.
What Are Log Sinks and Why Do They Exist?
Cloud Logging collects logs from Google Cloud services, applications, and on-premises systems. By default, logs are retained in Cloud Logging for a limited period (30 days for most logs, 400 days for audit logs). For long-term retention, compliance, or analysis, you need to export logs to external destinations. Log sinks are the mechanism that performs this export. A log sink is a configuration object that defines a filter and a destination. When a log entry matches the filter, Cloud Logging writes a copy of that log entry to the destination. The original log remains in Cloud Logging.
How Log Sinks Work Internally
When a log entry is ingested into Cloud Logging, the logging pipeline evaluates all sinks in the project, folder, or organization. Each sink has a filter expression (using the Cloud Logging query language). If the log entry matches the filter, Cloud Logging creates a delivery task for that sink. The delivery task is processed asynchronously — there is no guarantee of real-time delivery, but typically logs arrive at the destination within seconds to minutes. For high-volume sinks, Google Cloud may batch entries before writing to the destination.
Key Components
- Sink ID: A user-defined name (e.g., "my-storage-sink"). Must be unique within the resource hierarchy level (project, folder, or organization).
- Filter: A string using Cloud Logging filtering syntax (e.g., severity>=ERROR). Filters can include log name, resource type, labels, and more. If empty, all logs are exported.
- Destination: The target resource. Supported destinations:
- Cloud Storage bucket: Must be in the same project or a different project. The bucket must exist and the sink's writer identity must have storage.objectCreator and storage.objectViewer roles on the bucket.
- BigQuery dataset: Must be in the same project or a different project. The dataset must exist and the writer identity must have bigquery.dataEditor role.
- Pub/Sub topic: Must be in the same project or a different project. The topic must exist and the writer identity must have pubsub.publisher role.
- Another Cloud Logging project (log bucket): The sink can route logs to a log bucket in a different project. This is useful for centralised log aggregation.
- Writer Identity: A service account automatically created by Cloud Logging when the sink is created. Format: p1234567890-123456@gcp-sa-logging.iam.gserviceaccount.com. This identity must have appropriate permissions on the destination.
- Exclusion Filters: You can create exclusion filters on log buckets to prevent certain logs from being ingested. Exclusions are applied before sinks are evaluated, so excluded logs are never exported.
Sink Types
Project-level sinks: Apply to logs from resources within a specific project.
Folder-level sinks: Apply to logs from all projects within a folder.
Organization-level sinks: Apply to logs from all projects in the organization.
Billing account sinks: Apply to logs related to billing.
Default Values and Limits
Maximum number of sinks per project: 200.
Maximum number of sinks per folder or organization: 200.
Filter string maximum length: 20,000 characters.
Sink name maximum length: 63 characters (must match regex [a-zA-Z0-9_-]+).
Logs are exported in near real-time, but batching may cause delays of up to a few minutes.
If the destination is unavailable (e.g., bucket deleted), the sink will fail silently — no error is logged by default. You can monitor sink health using the logging_sink_entries_delivered and logging_sink_entries_delivery_attempts metrics.
Configuration and Verification
#### Creating a sink via Console 1. Navigate to Logging > Log Router. 2. Click "Create Sink". 3. Provide a name, filter, and select destination type. 4. Choose or create the destination resource. 5. The console shows the writer identity; you must grant permissions on the destination.
#### Creating a sink via gcloud
gcloud logging sinks create my-sink \
storage.googleapis.com/my-bucket \
--log-filter='severity>=ERROR' \
--project=my-projectThis command creates a sink that exports all ERROR and higher severity logs to a Cloud Storage bucket named my-bucket. The command outputs the writer identity, which you must then authorize:
gsutil iam ch serviceAccount:WRITER_IDENTITY:objectCreator \
gs://my-bucket#### Verifying a sink
- List sinks: gcloud logging sinks list --project=my-project
- Describe a sink: gcloud logging sinks describe my-sink --project=my-project
- Check sink metrics: In Cloud Monitoring, use the logging.googleapis.com/sink/entries_delivered metric.
Interaction with Related Technologies
Log Buckets: Sinks can route logs to log buckets in other projects. This is used for centralised log storage across an organization.
Log Exclusions: Exclusions are defined on log buckets to drop logs before they are stored. Sinks evaluate after exclusions, so excluded logs are never exported.
Cloud Audit Logs: Admin Activity and Data Access logs are also subject to sinks. You can export audit logs to a separate destination for compliance.
Log Analytics: When logs are exported to BigQuery, you can use Log Analytics to query them with SQL.
Filter Syntax Examples
Export all logs: - empty filter
Export only compute engine logs: resource.type="gce_instance"
Export logs with severity ERROR or higher: severity>=ERROR
Export logs that contain a specific label: labels."compute.googleapis.com/resource_name"="my-instance"
Combine conditions: resource.type="gce_instance" AND severity>=ERROR
Important IAM Roles
Logs Configuration Writer (roles/logging.configWriter): Required to create, update, and delete sinks.
Logs View Accessor (roles/logging.viewAccessor): Required to view log entries, but not to create sinks.
On the destination, the writer identity needs:
Cloud Storage: roles/storage.objectCreator and roles/storage.objectViewer (or roles/storage.admin).
BigQuery: roles/bigquery.dataEditor.
Pub/Sub: roles/pubsub.publisher.
Common Pitfalls
Forgetting to grant permissions to the writer identity — the sink will be created but logs will not be delivered.
Using a filter that is too broad, causing high export costs (especially for Pub/Sub and BigQuery).
Using a filter that excludes all logs — no logs will be exported.
Deleting the destination resource without updating the sink — logs will be lost.
Assuming sinks are evaluated in order — they are not; each sink is independent.
Identify Export Requirements
Determine which logs need to be exported and why. For compliance, you may need to export all Admin Activity audit logs to a Cloud Storage bucket for 7-year retention. For operational analytics, you may export ERROR-level logs from Compute Engine to BigQuery. For real-time alerting, export critical logs to Pub/Sub. This step defines the filter and destination type.
Create Destination Resource
Create the destination resource (Cloud Storage bucket, BigQuery dataset, Pub/Sub topic, or another project's log bucket) in the desired project. Ensure the resource is in the same region or multi-region as needed for data residency. For Cloud Storage, consider setting a retention policy or lifecycle rule. For BigQuery, consider partitioning and expiration. The destination must exist before or at the time of sink creation.
Create Log Sink
Use the Console, gcloud, or API to create the sink. Specify a name, filter, and destination. The system automatically generates a writer identity (a service account). For example: `gcloud logging sinks create my-sink storage.googleapis.com/my-bucket --log-filter='severity>=ERROR'`. The sink will appear in the Log Router page.
Grant Permissions to Writer Identity
The writer identity must have write permissions on the destination. Without this step, the sink is created but no logs are delivered. For Cloud Storage, run: `gsutil iam ch serviceAccount:WRITER_IDENTITY:objectCreator gs://my-bucket`. For BigQuery: `bq show --format=prettyjson mydataset | jq` then add the identity to the dataset's access controls. For Pub/Sub: `gcloud pubsub topics add-iam-policy-binding my-topic --member=serviceAccount:WRITER_IDENTITY --role=roles/pubsub.publisher`.
Verify Log Delivery
After a few minutes, check the destination for log entries. For Cloud Storage, use `gsutil ls gs://my-bucket/` to see exported log files (organized by date). For BigQuery, query the dataset. For Pub/Sub, pull messages from the topic. Also, monitor the sink metrics in Cloud Monitoring: `logging.googleapis.com/sink/entries_delivered` should increase. If no logs appear, check the sink filter and permissions.
Enterprise Scenario 1: Compliance Archiving
A financial services company must retain all Admin Activity audit logs for 7 years to meet SEC regulations. They create an organization-level sink with an empty filter (to export all logs) to a Cloud Storage bucket in a locked-down project with a retention policy of 2555 days. The bucket uses the COLDLINE storage class to minimize cost. The sink's writer identity is granted storage.objectCreator on the bucket. At scale, the company exports millions of log entries per day; the bucket automatically organizes logs into folders by date. Misconfiguration: if the bucket is deleted, logs are silently dropped — the company must set up an alert on the sink's entries_delivered metric to detect delivery failures.
Enterprise Scenario 2: Centralised Log Analytics
A large e-commerce company with 500 projects wants to analyze ERROR-level logs across all projects in real-time. They create folder-level sinks in each folder (or a single organization-level sink) that export logs with severity>=ERROR to a central BigQuery dataset in a dedicated analytics project. Data analysts use SQL queries to identify patterns. Performance consideration: BigQuery streaming inserts are used for near-real-time ingestion, but there is a daily limit on streaming inserts (currently 2 TB per day for standard edition). The company partitions the table by day and sets a table expiration of 30 days. Common issue: if the dataset is deleted, logs are lost — the sink does not automatically recreate it.
Enterprise Scenario 3: Real-Time Alerting Pipeline
A gaming company needs to respond to critical errors (e.g., database connection failures) within minutes. They create a project-level sink with filter severity=CRITICAL to a Pub/Sub topic. A Cloud Function subscribes to the topic and sends alerts to PagerDuty. The sink must have pubsub.publisher permission. At scale, high volumes of critical logs can overwhelm the Pub/Sub topic; the company sets up a dead-letter queue and configures the Cloud Function to batch messages. Misconfiguration: if the Pub/Sub topic is deleted, logs are lost — the sink should be deleted or updated before the topic is removed.
What ACE Tests
Objective 4.1 covers log sinks and exports. Expect questions that ask:
How to create a sink (Console, gcloud, API).
How to grant permissions to the writer identity.
Which destinations are supported.
How filters work.
The difference between project-level, folder-level, and organization-level sinks.
How exclusions interact with sinks.
Common Wrong Answers and Why
"Logs are automatically exported to Cloud Storage for 30 days." Wrong. By default, logs are stored in Cloud Logging, not Cloud Storage. Sinks must be explicitly created.
"You need to create a service account manually for the sink." Wrong. Cloud Logging automatically creates a writer identity; you only need to grant permissions to it.
"Sinks are evaluated in order, and only the first matching sink exports the log." Wrong. All matching sinks independently export a copy of the log.
"You can export logs to any GCP resource without additional permissions." Wrong. The writer identity must have specific IAM roles on the destination.
Specific Numbers and Terms
Maximum sinks per project: 200.
Writer identity format: p<project-number>-<random>@gcp-sa-logging.iam.gserviceaccount.com.
Supported destinations: Cloud Storage, BigQuery, Pub/Sub, another project's log bucket.
Filter syntax: uses Cloud Logging query language.
Exclusion filters are evaluated before sinks.
Edge Cases
If a sink's destination is in a different project, the writer identity must be granted permissions in that project.
Organization-level sinks require organization-level IAM permissions to create (roles/logging.configWriter at org level).
If a sink filter is empty, all logs are exported — this can incur significant cost.
Deleting a sink does not affect previously exported logs.
How to Eliminate Wrong Answers
If an answer says "create a service account," it's likely wrong — the system creates one automatically.
If an answer says "logs are automatically exported," it's wrong — you must create a sink.
If an answer says "sinks are evaluated in order," it's wrong — they are independent.
If an answer says "export to any resource without permissions," it's wrong — permissions are required.
Log sinks are independent; all matching sinks export a copy of the log entry.
Writer identity is automatically created; you must grant it permissions on the destination.
Supported destinations: Cloud Storage, BigQuery, Pub/Sub, and another project's log bucket.
Exclusion filters are evaluated before sinks — excluded logs are never exported.
Maximum 200 sinks per project, folder, or organization.
Sink filter syntax uses Cloud Logging query language; empty filter exports all logs.
Deleting a sink does not affect previously exported logs.
Monitor sink health using `logging_sink_entries_delivered` metric.
These come up on the exam all the time. Here's how to tell them apart.
Project-Level Sink
Applies only to logs from resources within a single project.
Requires project-level IAM permissions to create.
Useful for project-specific compliance or analytics.
Does not affect other projects.
Maximum 200 sinks per project.
Organization-Level Sink
Applies to logs from all projects in the organization.
Requires organization-level IAM permissions (e.g., Organization Admin).
Useful for centralised compliance and auditing across the entire org.
Can be created only by users with org-level logging.configWriter role.
Maximum 200 sinks per organization.
Mistake
Log sinks automatically export all logs to Cloud Storage by default.
Correct
No sink is created by default. You must explicitly create a sink to export logs. Without a sink, logs remain only in Cloud Logging.
Mistake
You need to create a service account manually for each sink.
Correct
Cloud Logging automatically generates a unique writer identity (service account) for each sink. You only need to grant that identity permissions on the destination.
Mistake
If a sink's destination is deleted, the sink automatically redirects to a new destination.
Correct
The sink does not automatically update. It will fail silently, and logs will not be exported. You must manually update or delete the sink.
Mistake
Logs are exported in real-time with no delay.
Correct
Export is near real-time but may have delays of seconds to minutes due to batching and asynchronous processing. There is no SLA on delivery time.
Mistake
Exclusion filters are applied after sink filters.
Correct
Exclusion filters are applied before sink filters. If a log is excluded, it is never evaluated by sinks and cannot be exported.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
After creating a sink, note the writer identity (a service account). For Cloud Storage, use `gsutil iam ch serviceAccount:WRITER_IDENTITY:objectCreator gs://BUCKET_NAME`. For BigQuery, use `bq show --format=prettyjson DATASET`, then add the identity as `WRITER` role via `bq update`. For Pub/Sub, use `gcloud pubsub topics add-iam-policy-binding TOPIC --member=serviceAccount:WRITER_IDENTITY --role=roles/pubsub.publisher`. Without these permissions, logs will not be exported.
Yes. Create the sink with the destination as `bigquery.googleapis.com/projects/DEST_PROJECT/datasets/DATASET_ID`. The writer identity must have `bigquery.dataEditor` on the dataset in the destination project. This is commonly used for centralised log analytics across multiple projects.
The sink is removed and logs stop being exported to its destination. Previously exported logs remain in the destination. There is no impact on other sinks or on logs stored in Cloud Logging.
Use a filter like `logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"` for Admin Activity, or `logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"` for Data Access. Alternatively, use `resource.type="audited_resource"` to capture all audit logs.
Yes. Create a folder-level sink with the destination as `storage.googleapis.com/BUCKET_NAME`. The bucket can be in any project. The writer identity must have `storage.objectCreator` on the bucket. This is useful for aggregating logs from multiple projects in a folder.
A sink exports a copy of logs to an external destination. An exclusion filter prevents logs from being ingested into Cloud Logging at all. Exclusions are applied before sinks, so excluded logs are never exported. Sinks and exclusions are independent configurations.
Check (1) the sink filter may be too restrictive — test with a broader filter. (2) The writer identity may lack permissions on the destination — verify and grant the required roles. (3) The destination resource may have been deleted or renamed. (4) There may be an exclusion filter that drops the logs before they reach the sink. (5) Check the sink's metrics in Cloud Monitoring for delivery failures.
You've just covered Cloud Logging Exports and Log Sinks — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?