Store log entries

This document introduces log buckets, which are the containers that Cloud Logging uses to store your log data. It provides information about location, management of the encryption key, and data retention for log buckets. It also highlights where you can use organization policies or default resource settings to control the location and encryption for new log buckets in folders or organizations.

About log buckets

By default, Cloud Logging encrypts customer content stored at rest. Log data in a log bucket is encrypted with a data encryption key, and that data encryption key is itself encrypted (wrapped) by a key-encryption key, a process known as envelope encryption. Reading your logging data therefore requires access to the key-encryption key that wraps the data key. By default, these are Google Cloud-powered encryption keys and they don't require any actions on your part.

Your organization might have regulatory, compliance-related, or advanced encryption requirements that the default encryption at rest doesn't meet. To satisfy those requirements, instead of relying on Google Cloud-powered encryption keys, you can supply and manage your own key, a customer-managed encryption key (CMEK).

Log buckets are regional resources with a fixed location that you choose when you create the bucket. Trusted Cloud by S3NS manages that infrastructure so that your log data is stored redundantly across the zones within that region.

The retention period depends on the log bucket; the retention rules for each bucket type are described later in this document.

You can create log views on a log bucket. A log view provides access to only a subset of the log data stored in a log bucket. For every log bucket, Cloud Logging automatically creates one log view that provides access to every log entry in the log bucket. You control access to a log view by using Identity and Access Management (IAM).

To query and view your log data, use the Logs Explorer. This interface helps you troubleshoot and analyze the performance of your services and applications: you can view individual log entries and filter your log data. Its scope setting lets you search for log data by project, log bucket, or log view.

To learn more, see Query and view log entries.

Support for organizations and folders

To help your organization meet compliance and regulatory needs, Logging supports both organization policies and default resource settings:

System-created log buckets

For each Trusted Cloud project, billing account, folder, and organization, Cloud Logging creates two log buckets, one named _Required and the other named _Default. Unless default resource settings are configured, these buckets use Google Cloud-powered encryption keys and Cloud Logging selects their location.

You can't delete the system-created log buckets.

_Required log bucket

The _Required log bucket stores log entries that are required for compliance or auditing purposes. For this reason, you can't delete this log bucket and you can't modify which log entries are stored in this log bucket. Log entries in this log bucket are retained for 400 days; you can't change this retention period.

The log entries stored in a resource's _Required log bucket originate in that resource. That is, the _Required log bucket in a Trusted Cloud project stores only log entries that originate in that project.

The _Required log bucket stores the following types of log entries:

_Default log bucket

The _Default log bucket stores log entries that aren't automatically stored in the _Required log bucket. Because the _Default log bucket is system created, you can't delete it. However, you can modify which log entries are stored in this log bucket.

Cloud Logging retains the log entries in the _Default bucket for 30 days.

For example, this log bucket stores:

User-defined log buckets

You can create user-defined log buckets in any Trusted Cloud project. When you create a user-defined log bucket, you select the location. You have the option to provide a customer-managed encryption key.

You can modify and delete user-defined log buckets. To protect against deleting a log bucket that still holds log entries within their retention period, you can lock the log bucket against updates. Locking is permanent: a locked bucket can't be unlocked.

Control access to a log bucket

IAM permissions and roles control access to log data. For example, you can do all of the following:

  • Grant read and edit access to a log bucket.
  • Grant edit access to a log bucket based on group membership by using tags.
  • Control access to specific fields in a log entry by configuring field-level access on a log bucket.
  • Grant access to a subset of log entries in a log bucket by creating a log view on that log bucket.

    Every log bucket has a default log view, which typically includes every log entry in the log bucket. For the _Default log bucket, the default log view excludes data access log entries.

To give a user the permissions they need to view and analyze log entries, typically one of the following IAM roles is granted:

  • Logs Viewer (roles/logging.viewer) role: Grants access to all log entries in the _Required bucket, and access to the default log view on the _Default bucket.

  • Private Logs Viewer (roles/logging.privateLogViewer) role: Grants access to all logs in the _Required and _Default buckets, including data access logs.

If you create user-defined log buckets or log views on log buckets, then additional permissions are required. For more information about roles, see Access control with IAM.
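The following script is an added example, not part of the original page or of Cloud Logging's own tooling, that walks through the user-defined bucket and access-control material above in one pass: it creates a bucket with a chosen location, retention period and CMEK, creates a log view that exposes only a subset of the bucket's entries, grants a group the Logs View Accessor role conditioned on that single view, and finally locks the bucket. It assumes the gcloud CLI is installed and authenticated against your Trusted Cloud environment; the project, bucket, view, KMS key, group and log filter values are placeholders you override through the environment. By default it only prints the gcloud commands (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): provision a user-defined log
# bucket, a log view on it, a view-scoped IAM grant, and lock the bucket.
# Every identifier below is an assumed placeholder; override via the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"
LOCATION="${LOCATION:-u-france-east1}"
BUCKET_ID="${BUCKET_ID:-payments-audit}"
VIEW_ID="${VIEW_ID:-payments-service}"
RETENTION_DAYS="${RETENTION_DAYS:-400}"
KMS_KEY="${KMS_KEY:-projects/example-kms-project/locations/u-france-east1/keyRings/logging/cryptoKeys/log-bucket}"
PRINCIPAL="${PRINCIPAL:-group:payments-oncall@example.com}"
# Log view filters can only restrict on resource.type, resource.labels.* and logName.
LOG_FILTER="${LOG_FILTER:-resource.type=\"cloud_run_revision\" AND resource.labels.service_name=\"payments\"}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the gcloud commands; 0: execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Cloud Logging accepts bucket retention periods from 1 to 3650 days.
validate_retention() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 3650 ]
}

# Extract the location segment of a Cloud KMS key resource name (empty if malformed).
kms_key_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p'
}

# Fully qualified log view name, the value matched by the IAM condition below.
view_resource_name() {
  printf 'projects/%s/locations/%s/buckets/%s/views/%s\n' "$1" "$2" "$3" "$4"
}

main() {
  validate_retention "$RETENTION_DAYS" || { echo "retention must be 1..3650 days" >&2; return 1; }
  # The CMEK key must live in the bucket's location; catch a mismatch before gcloud does.
  [ "$(kms_key_location "$KMS_KEY")" = "$LOCATION" ] || { echo "KMS key is not in $LOCATION" >&2; return 1; }

  # 1. Create the bucket: location, retention and CMEK are chosen here.
  run gcloud logging buckets create "$BUCKET_ID" --project="$PROJECT_ID" \
    --location="$LOCATION" --retention-days="$RETENTION_DAYS" \
    --cmek-kms-key-name="$KMS_KEY" --description="Payments audit trail"

  # 2. Create a log view that exposes only the payments service's entries.
  run gcloud logging views create "$VIEW_ID" --project="$PROJECT_ID" \
    --bucket="$BUCKET_ID" --location="$LOCATION" --log-filter="$LOG_FILTER"

  # 3. Grant the group Logs View Accessor, conditioned on this one view, so the
  #    grant reaches neither the bucket's default view nor any other bucket.
  local view
  view="$(view_resource_name "$PROJECT_ID" "$LOCATION" "$BUCKET_ID" "$VIEW_ID")"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" --member="$PRINCIPAL" \
    --role=roles/logging.viewAccessor \
    --condition="expression=resource.name == \"$view\",title=$VIEW_ID-only"

  # 4. Lock the bucket. This is irreversible: the bucket can no longer be updated
  #    or deleted until every entry in it has passed its retention period.
  run gcloud logging buckets update "$BUCKET_ID" --project="$PROJECT_ID" \
    --location="$LOCATION" --locked
}

main
```

Run it with DRY_RUN=0 to apply the changes. The IAM condition on resource.name is what keeps the grant narrow: without it, roles/logging.viewAccessor on the project would let the principal read every log view in the project. Do the lock step last, and only once retention and CMEK are confirmed, because a locked bucket can't be reconfigured.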

List of supported regions

Log buckets are regional resources. The infrastructure that stores, indexes, and searches your log entries is located in a specific geographical location. With the exception of log buckets in the global, eu, or us regions, Trusted Cloud by S3NS manages the infrastructure so that your log data is stored redundantly across the zones within the region of the log bucket.

The following regions are supported by Cloud Logging:

Region name      Region description
u-france-east1   France
global           Logs stored in any data centers that are in any supported region. Logs might be moved to different data centers. No additional redundancy guarantees.

If you want to choose the storage location for your log data, then use a regional log bucket.

What's next