My question is kind of the Egg and Chicken problem, since I wanted to create an alert when this happens:
protoPayload.methodName="google.logging.v2.ConfigServiceV2.DeleteSink" OR (
protoPayload.methodName:"ConfigServiceV2.UpdateSink"
protoPayload.request.sink.disabled:"true"
)
Which means when someone deletes or updates an existing log sink. The problem is that I cannot create alerts when in the ORG there is no way to create such an alert. Please correct me if I am wrong, but to do this I would need to create a new Log Sink with those parameters and assign a Log Bucket in, i.e., an “Audit Log Project”, where then in that project I could create the alert, right?
Is there a way to create an Alert when someone modifies or deletes an Audit Log Sink from the entire ORG?
Hello @friveros, I think you are right about this as a workaround. I understand that you want to get notified each time someone deletes or updates a sink at ORG level. It seems that creation of log-based alerts at ORG level is not supported. I will check with product managers about it and will get back to you.
I’ve got confirmation from the Product Manager that the ability to create alerts from Log Explorer at ORG level is not implemented at the moment in the UI. I am following up to create a feature request.
A quick look into the alerting interface shows that this UI is a convenience for hiding two API calls: creating a log-based metric and an alert policy. The APIs (also exposed via gcloud alpha monitoring policies create and gcloud alpha logging metrics create) should support doing this for ORG.
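
The filter from the question, applied offline to exported audit log entries. This is an added example, not part of any post in the thread: it assumes one JSON LogEntry per line, and the function names, sample entries, IDs and e-mail address are constructed for illustration.

```python
import json

DELETE_SINK = "google.logging.v2.ConfigServiceV2.DeleteSink"
UPDATE_SINK = "ConfigServiceV2.UpdateSink"

def matches_filter(entry):
    """Approximate the thread's filter: DeleteSink, or UpdateSink that sets disabled."""
    payload = entry.get("protoPayload") or {}
    method = payload.get("methodName", "")
    if method == DELETE_SINK:
        return True
    if UPDATE_SINK in method:  # ':' in the filter is a substring match
        sink = (payload.get("request") or {}).get("sink") or {}
        return str(sink.get("disabled", "")).lower() == "true"  # bool or string
    return False

def summarize(entry):
    """Pull out what an on-call responder needs: action, scope, sink, actor."""
    payload = entry["protoPayload"]
    resource = payload.get("resourceName", "")
    auth = payload.get("authenticationInfo") or {}
    return {
        "action": payload["methodName"].rsplit(".", 1)[-1],
        "scope": resource.split("/", 1)[0] or "unknown",  # organizations / folders / projects
        "sink": resource or "unknown",
        "actor": auth.get("principalEmail", "unknown"),
    }

def find_sink_tampering(lines):
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        if isinstance(entry, dict) and matches_filter(entry):
            hits.append(summarize(entry))
    return hits

def _sample(method, resource, request):
    return json.dumps({"protoPayload": {"methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": "user@example.com"}, "request": request}})

# Constructed sample entries (not real logs); IDs and names are placeholders.
SAMPLE_LINES = [
    _sample(DELETE_SINK, "organizations/123/sinks/audit-sink", {}),
    _sample("google.logging.v2." + UPDATE_SINK, "projects/demo/sinks/s1", {"sink": {"disabled": True}}),
    _sample("google.logging.v2." + UPDATE_SINK, "projects/demo/sinks/s2", {"sink": {"filter": "severity>=ERROR"}}),
    _sample("google.logging.v2.ConfigServiceV2.CreateSink", "projects/demo/sinks/s3", {}),
    "not json",
]
```

Only the delete and the disabling update are reported; an UpdateSink that changes the sink's filter or destination without setting disabled passes through the thread's filter unmatched.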