Exam Professional Cloud DevOps Engineer topic 1 question 87 discussion

D is correct as when you use buckets you can do log analysis

D is correct

Between options C and D, option C (Create an aggregated log sink associated with the production folder that uses a Pub/Sub topic as the destination) is the best choice for the requirement of "alerting and near-real-time analysis." This is because Pub/Sub can facilitate streaming of logs to other services like Cloud Functions, Cloud Run, or third-party services for immediate processing and alerting.

I will go for D. Aggregated log sinks allow you to collect logs from multiple projects (in this case, all projects within the production folder) and send them to a single destination. This is exactly what you need for centralized log analysis. Using a Cloud Logging bucket as the destination is efficient, cost-effective, and integrates seamlessly with other Google Cloud services. While using Pub/Sub as a destination is possible, it's generally more complex than using a Cloud Logging bucket for this specific use case. Pub/Sub is better suited for streaming logs to multiple destinations or for real-time processing. For simple centralized log storage and analysis, a Cloud Logging bucket is more straightforward and efficient. It also adds another component to manage

D doesn't have the option to analyze and wont let you able to do the real time analysis! But pub/Sub does

Many seem to getting confused with logging bucket and cloud storage buckets. Both are different things. Cloud storage is never an option for logs analysis but with custom logging bucket, you can analyze the logs and infact all logs that are seen in logs explorer are stored in default & required logging bucket. Coming to the Pub/Sub, it is messaging service & can be good option for near real time analysis when you are sending these logs to any other 3rd party tool like SIEM or Splunk analysis tool. You can't just analyze logs just from retrieving the logs from Pub/Sub topic. Unless there is another destination, Pub/Sub will be useless. In the question, it is not mentioned whether any 3rd part tool is being used, so D is correct option.

it is D, why should we use pub/sub for logs? are we crazy?

Customers would be very annoyed if they had to use an additional technology for something as simple as logs and analysis. Configuring pub/sub is foreign to a lot of orgs when they are used to tech like kafka. All you need is a sink to a Cloud Logging bucket. D

https://cloud.google.com/logging/docs/export/using_exported_logs#:~:text=Logs%20that%20you%20route%20to%20Cloud%20Logging%20buckets%20are%20available%20immediately.

So, after some research. The correct answer is D. There seems to be a lot of discussion, wether near-real time analysis is given or not. In Fact both C and D support near real-time analysis. https://cloud.google.com/logging/docs/export/using_exported_logs "Logs that you route to Cloud Logging buckets are available immediately." https://cloud.google.com/logging/docs/export/pubsub " Routed logs are generally available within seconds of their arrival to Logging, with 99% of logs available in less than 60 seconds." The main difference lays somewhere else. The question states that the logs are retrieved from different projects. And in fact for this use case Cloud Logging is the preffered option: https://cloud.google.com/logging/docs/export/configure_export_v2 Cloud Logging: " A log bucket can store logs that are received by multiple Google Cloud projects."

It clearly mentions here that "Sinks to Cloud Storage are processed hourly while other destination types are processed in real time." https://cloud.google.com/logging/docs/export/configure_export_v2#:~:text=New%20log%20sinks%20to%20Cloud%20Storage%20buckets%20might%20take%20several%20hours%20to%20start%20routing%20logs.%20Sinks%20to%20Cloud%20Storage%20are%20processed%20hourly%20while%20other%20destination%20types%20are%20processed%20in%20real%20time. D is eliminated

I would choose C ans to export the logs to a SIEM product, but if we can use a Cloud Logging bucket as a central repository I prefer and the statement doesn't say anything about exportation.

Answer is C. Cloud Logging includes the capability for log archival in Google Cloud Storage and the ability to send logs to Google BigQuery. In addition, Cloud Logging also allows you to forward these logs to any custom endpoint including third party log management services for advanced and tailored log analytics via the near real-time streaming Google Cloud Pub/Sub API.

By creating an aggregated log sink at the folder level for production, you can collect logs from all projects within that folder. Using a Cloud Logging bucket as the destination simplifies management and enables straightforward integration with Cloud Monitoring and alerting tools for security analysis.

I would vote C because from a security perspective it would be better to stream the logs to a SIEM or SOAR for near-real time analysis and alerting. A SIEM is not really mentioned here but streaming them to a bucket and analysing them from stackdriver would be nuts

I think D is correct

C seems an to be correct.