IssueTracker

Problem you have encountered:
Customer has an organization that contains a lot of projects and a lot of buckets. Audit logging for bucket data access is enabled at the organization level. Customers would like to figure out a way to route audit logs for specific buckets to a Pub/Sub topic.

There are 3 ways that customer is considering but they have disadvantages so there are no optimal solutions:

1. If the buckets are named using a convention the sink can filter based on that convention - Suboptimal because they must know at bucket creation time whether or not they want logging for the bucket which they don't.
2. Put all projects with buckets they want to capture logs for in the same folder and set a sink on the folder - Suboptimal because they use folders for other things too and customer is afraid the purpose of the folder will be lost.
3. Create a sink on each project with buckets they want to capture logs for - Suboptimal because it would create many sinks they need to maintain.

What you expected to happen:

It would be great if labels on projects or buckets were available in the audit logs for filtering purposes or they can route logs based on some mutable attribute of a project or log bucket.

Other information (workarounds you have tried, documentation consulted, etc):

We have proposed to the customer to create a new project with a new bucket log (Pub/Sub) in this new project and then create an aggregate sink [1] at organizational level going to Log Router > Create Sink > Sink destination, choose the new bucket log created at project level and in "Choose logs to include in sink” > “Include logs ingested by this organizacion and all child resources''

But the customer wants to collect audit logs from many google buckets in his organization. He wants to be able to easily add more buckets to the list for which he wants to collect audit logs.

References [1] https://cloud.google.com/sdk/gcloud/reference/logging/sinks/create