This is a Graylog Enterprise feature and is only available since Graylog v3.3+. A valid Graylog Enterprise license is required.
Similar to O365 and Okta, Graylog can gather logs from Google Services. The process to launch inputs for services is described below:
- Google Cloud (GCP)
- Google Workspace
- Gmail
Depending on the integration, the steps differ by service. Each section is identified as:
- [All], if the instructions apply to all services mentioned above.
- [GCP], if the instructions only apply to the Google Cloud Platform.
- [Gmail], if the steps only apply to Gmail.
- [Workspace], if the steps apply to Google Workspace configuration.
Requirements
To successfully pull logs from these Google products into Graylog, you must have:
- a running instance of Graylog.
- Google Cloud account. See the Cloud subdomain.
[All] Caveats
Both the GPC and Gmail plugins create log sinks to fetch logs. Log data is then stored in Google BigQuery in your account. The Google inputs clean up the BigQuery tables periodically, but additional Google Cloud charges for BigQuery usage may apply.
Like Okta and O365, Google inputs poll for data. Therefore, run them on a single node. Avoid running Google inputs as global inputs.
[All] Service Account Creation
To collect logs for a project, enter the Google Cloud Console, and select the project. Note the Project ID, as it is required during Graylog input setup.
Set up a new service account.
- Select IAM & Admin > IAM from the cloud dashboard.
- Select Service Accounts from the menu on the left.
- Select +CREATE SERVICE ACCOUNT at the top of the page.
- Note the
Unique ID
associated with the service account, as it is needed to set up inputs.
[All] Generate Service Account Key
Generate a key file for the service account that will be placed on the Graylog server to allow inputs to authenticate with Google’s APIs.
- Navigate to the Service Accounts page. Select the intended service account.
- Click the KEYS tab on the sub-menu.
- Click on the ADD KEY button, and select Create a new key.
- Select JSON as the key type. Click CREATE.
- Save the key in a safe location for input setup.
- [Workspace] Create and download a P12 key for the Google Workspace input.
[All] Grant Permissions to the Service Account
The service account requires permissions to access log data and needs to store log data in Google BigQuery to allow Graylog to fetch the data.
- Click on the pencil icon to edit the Principal for the service account (found on the IAM page).
- Grant the service account the BigQuery Data Editor role.
- Grant the service account the BigQuery Jobs User role.
- Grant the service account the Logs Configuration Writer role.
[GCP] Enable Logging
To collect VPC flow logs, enable log. For more information, see Using VPC Flow Logs.
To collect firewall logs, enable them in the firewall configuration.
[Workspace] Enable API Access
To enable access to Workspace endpoints:
- Log in as a user account in the Google Workspace with the Super Admin role.
- Logged in as the super admin user, go to Google Cloud Platform to create a new project or select an existing project. The project will need a service account as described above.
- Navigate to APIs & Services > Library.
- Search for Admin SDK API. Click Enable.
- Return to the Google Workspace console. Navigate to Security > API Controls to link the service account to the API.
- Select Manage Domain Wide Delegation, and add a new API client.
- Use the numeric Unique ID of the service account for the Client ID, and add the following to the OAuth Scopes:
[GCP] Input Setup
Key | Value |
---|---|
Input name | < Add a unique name for the input > |
Project ID | Alphanumeric project ID for the Google Cloud project |
Application (client) ID | Unique numeric ID of the service account |
Service account key path | Path to .json file for the service account |
[Workspace] Input Setup
Key | Value |
---|---|
Input name | < Add a unique name for the input > |
Client ID | Unique numeric ID of the service account |
Service Account ID | Email address of the service account |
Account User Email | Workspace email address of the user that owns the project |
Service account key path | Path to .p12 file for the service account |
[Gmail] Input Setup
Key | Value |
---|---|
Input name | < Add a unique name for the input > |
Project ID | Alpha-numeric project ID for the Google Cloud project |
Application (client) ID | Unique numeric ID of the service account |
Service account key path | Path to .json file for the service account |