Logging architecture that supports audits without wrecking budgets
Centralise logs you actually use, set retention by need, and make sure you can answer audit questions without paying for noise.
Centralise with intent
Route to BigQuery or your SIEM with clear datasets and access controls. Don’t duplicate logs without reason.
Retention & cost
Short retention for verbose logs, longer for security‑relevant data. Document why you keep what you keep.
Findability
Create log‑based metrics and saved queries for events that matter: privilege changes, perimeter bypass attempts, and Security Command Center (SCC) High/Medium findings.
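The three event classes above, written as the matching logic a log-based counter metric would apply. This is an added example, not code from the article; it runs over constructed entries shaped like Cloud Logging `LogEntry` JSON. Assumptions: "perimeter" means VPC Service Controls, SCC findings arrive under `jsonPayload.finding`, and the function and label names are hypothetical.

```python
from collections import Counter

VPC_SC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

# Constructed sample entries (not real logs). The SCC finding shape is an assumption.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T09:00:00Z",
     "protoPayload": {"methodName": "SetIamPolicy",
                      "resourceName": "projects/example-project",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"timestamp": "2024-05-01T09:05:00Z",
     "protoPayload": {"methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "batch@example.com"},
                      "metadata": {"@type": VPC_SC_TYPE}}},
    {"timestamp": "2024-05-01T09:10:00Z",
     "jsonPayload": {"finding": {"severity": "HIGH"}}},
    {"timestamp": "2024-05-01T09:11:00Z",
     "jsonPayload": {"finding": {"severity": "LOW"}}},
    # Verbose data-access read: short-retention noise, matches no metric.
    {"timestamp": "2024-05-01T09:12:00Z",
     "protoPayload": {"methodName": "storage.objects.list",
                      "authenticationInfo": {"principalEmail": "batch@example.com"}}},
]

def classify(entry):
    """Return the metric label an entry counts toward, or None for noise."""
    proto = entry.get("protoPayload", {})
    if proto.get("methodName", "").endswith("SetIamPolicy"):
        return "privilege_change"
    if proto.get("metadata", {}).get("@type") == VPC_SC_TYPE:
        return "perimeter_violation"
    severity = entry.get("jsonPayload", {}).get("finding", {}).get("severity")
    if severity in ("HIGH", "MEDIUM"):
        return "scc_high_medium"
    return None

def summarise(entries):
    """Count events per metric and list who changed IAM policy, when, and where."""
    counts, iam_changes = Counter(), []
    for entry in entries:
        label = classify(entry)
        if label is None:
            continue
        counts[label] += 1
        if label == "privilege_change":
            proto = entry["protoPayload"]
            principal = proto.get("authenticationInfo", {}).get("principalEmail", "unknown")
            iam_changes.append((entry["timestamp"], principal, proto.get("resourceName", "")))
    return counts, iam_changes
```

The same three predicates translate directly into log-based metric filters or saved-query `WHERE` clauses; only the entries they match need the longer retention tier.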
This article is for engineering guidance. It is not legal advice.