GCP Log Events

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Google Cloud Integrations in Graylog provide a reliable way to bring log data from your Google Cloud Platform (GCP) environment into your centralized logging and monitoring workflows. This feature connects directly to GCP services (Google Workspace, Gmail) and retrieves log records such as audit activity, security events, and application logs, ensuring critical data is captured without manual export or external forwarding. Once ingested, these logs can be processed, parsed, and enriched using Graylog’s pipelines, making them easier to analyze, correlate, and alert on.

This integration is particularly valuable for organizations running hybrid or multi-cloud architectures, as it unifies GCP logs with data from on-premises and other cloud environments into a single, searchable platform.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

Service Account and Logging Prerequisites

  1. Set up a new service account.

  2. Generate a key file for the service account and place it on the Graylog server so inputs can authenticate with Google’s APIs.

  3. Create and download a P12 key for the Google Workspace input.

  4. Open the Google Cloud Console and select your project. Note the Project ID for Graylog input setup.

  5. Note the service account Unique ID (required during input setup).

  6. Grant the service account the following roles to access and store logs in BigQuery:

    1. BigQuery Data Editor

    2. BigQuery Jobs User

    3. Logs Configuration Writer

  7. Enable logging where needed:

    1. For VPC flow logs, see Using VPC Flow Logs.

    2. For firewall logs, enable logging in the firewall configuration.

Workspace API Access

  1. Log in as a user with the Super Admin role in your Google Workspace domain.

  2. In the Google Cloud Platform, create a new project or select an existing project that has a service account as described above.

  3. Go to APIs & Services > Library.

  4. Search for Admin SDK API and click Enable.

  5. In the Google Workspace Admin console, go to Security > API Controls.

  6. Select Manage Domain Wide Delegation, then add a new API client.

  7. For Client ID, enter the numeric Unique ID of the service account.

  8. In OAuth Scopes, add the following (comma-separated):

    https://www.googleapis.com/auth/admin.reports.audit.readonly, https://www.googleapis.com/auth/iam

Domain-wide delegation lets this service account act on behalf of users in your domain for the scopes listed, so treat its key file as a privileged credential: restrict its file permissions on the Graylog server to the user that runs Graylog, and rotate or delete the key if it is exposed.

Both the GCP and Gmail plugins create log sinks to fetch logs. Log data is stored in Google BigQuery in your account. The Google inputs periodically clean up BigQuery tables, but additional Google Cloud charges for BigQuery usage may apply.

Like the Okta and O365 inputs, Google inputs poll for data. Run them on a single node and do not configure them as global inputs; a global polling input would have every node query the same BigQuery tables and ingest duplicate messages.

Google Cloud Setup

  1. Choose a new or existing project in Google Cloud and ensure Cloud Billing is enabled.

  2. Create a new service account for the input.

  3. Grant the account the BigQuery Data Editor role.

  4. Create a key for the service account and export it in JSON format. This key authorizes the input to interact with BigQuery.

  5. Create a new BigQuery dataset for exported log messages.

Google Workspace Setup

  1. In the Google Workspace Admin console, enable the BigQuery export option. See the Google documentation for details.

Required Values

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

  • Service Account Key

  • BigQuery Dataset Name
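As an added example (not Graylog's own code), the following Python check reads the service account JSON key exported in the steps above, extracts the Project ID and numeric Unique ID that the input setup and domain-wide delegation steps ask for, and flags a key file that other users on the Graylog server can read. The key contents, project and account names are constructed placeholders; the field names are those of Google's service account key format.

```python
import json
import os
import stat
import tempfile

# Fields every GCP service account JSON key carries. Graylog needs the key
# itself; the delegation step needs client_id (the numeric "Unique ID") and
# the input setup needs project_id.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id")

# Constructed sample key: project, account and IDs are placeholders and the
# private_key body is not a real key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-logging-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...PLACEHOLDER...\n-----END PRIVATE KEY-----\n",
    "client_email": "graylog-ingest@example-logging-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def load_service_account_key(path):
    """Parse the key file and return the values needed during input setup."""
    with open(path, encoding="utf-8") as fh:
        key = json.load(fh)
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("unexpected key type %r; export a service account key" % key["type"])
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM block; the input expects the JSON key export")
    if not key["client_id"].isdigit():
        raise ValueError("client_id should be the numeric Unique ID of the service account")
    return {
        "project_id": key["project_id"],
        "service_account": key["client_email"],
        "unique_id": key["client_id"],
    }


def key_file_findings(path):
    """Return permission problems. The key is a long-lived credential and
    should be readable only by the user that runs Graylog."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has access")
    if mode & stat.S_IRWXO:
        findings.append("others have access")
    return findings


def write_sample_key(path, mode=0o644):
    """Write the constructed key with the given mode (0o644 mimics a careless scp)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(path, mode)


def demo():
    """Write the sample key, check it, tighten it to 0600, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "graylog-sa-key.json")
        write_sample_key(path, 0o644)
        before = key_file_findings(path)
        os.chmod(path, 0o600)
        after = key_file_findings(path)
        values = load_service_account_key(path)
    return {"values": values, "findings_before": before, "findings_after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real key path instead of the temporary file to confirm the key parses and to read off the Unique ID before entering it as the Client ID in the domain-wide delegation form.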

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option Description

Input Name

Provide a unique name for your new input.

Service Account Key

The key JSON file exported in the Google Cloud setup steps above. This key is required to authorize the input to connect to BigQuery.

BigQuery Dataset Name

The dataset name configured in BigQuery.

Log Types to Collect

Select the desired Google Workspace log types here.

Polling Interval

Determines how often (in minutes) Graylog checks for new data in the BigQuery tables.

Enable Throttling

Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.

Page size

Provide the maximum number of logs to return per page of query results. The default setting is 1000.

Lag time offset

Provide the lag time in hours. Google Workspace activity data is written to the BigQuery tables with a delay, so this offset holds back the end of each query window to avoid missing rows that have not yet been exported when the poll runs.

Store Full Message

Stores the full JSON workspace log message in the full_message field.
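As an added illustration of what the Polling Interval, Page size and Lag time offset settings do together (not Graylog's implementation), the following Python simulates polling a BigQuery activity table whose rows become visible some time after the event they describe. Without a lag, a late-exported row lands behind the checkpoint and is never collected; with a two-hour lag it is picked up by a later poll. The rows, the delay values and the 24-hour initial backfill are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def ts(hour, minute=0):
    """Fixed UTC day so the demo is deterministic (constructed)."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


# Constructed rows: (event_time, time the row became visible in BigQuery, event_name).
# The gap between the two timestamps models the export delay the lag offset covers.
SAMPLE_ROWS = [
    (ts(8, 0), ts(8, 5), "login_success"),
    (ts(8, 30), ts(8, 35), "login_failure"),
    (ts(9, 10), ts(11, 40), "change_user_password"),  # exported about 2.5 h late
    (ts(9, 45), ts(9, 50), "login_success"),
    (ts(10, 20), ts(10, 25), "logout"),
]


def query_rows(rows, start, end, at, page_size):
    """Emulate a paged query for start < event_time <= end, seeing only rows
    already exported at time `at`. Returns a list of pages."""
    visible = sorted(
        (event_time, name)
        for event_time, exported_at, name in rows
        if exported_at <= at and start < event_time <= end
    )
    return [visible[i:i + page_size] for i in range(0, len(visible), page_size)]


def simulate_polls(rows, first_poll, polls, interval_minutes, lag_hours, page_size):
    """Run `polls` polls and return (event names collected, pages fetched per poll)."""
    checkpoint = first_poll - timedelta(hours=24)  # assumed initial backfill window
    collected, pages_per_poll = [], []
    for i in range(polls):
        now = first_poll + timedelta(minutes=interval_minutes * i)
        end = now - timedelta(hours=lag_hours)  # the lag holds back the window end
        pages = query_rows(rows, checkpoint, end, now, page_size)
        pages_per_poll.append(len(pages))
        for page in pages:
            collected.extend(name for _, name in page)
        checkpoint = end  # next poll starts where this window ended
    return collected, pages_per_poll


def demo():
    """Hourly polls starting 10:00 UTC: no lag with a large page size versus a
    2-hour lag with page size 1 (to make the paging visible)."""
    first = ts(10, 0)
    no_lag, no_lag_pages = simulate_polls(SAMPLE_ROWS, first, 4, 60, 0, 1000)
    with_lag, with_lag_pages = simulate_polls(SAMPLE_ROWS, first, 4, 60, 2, 1)
    return {
        "no_lag": no_lag,
        "no_lag_pages": no_lag_pages,
        "with_lag": with_lag,
        "with_lag_pages": with_lag_pages,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The password change at 09:10 is the row to watch: with no lag it is not yet exported when the 10:00 and 11:00 polls run, and by 12:00 the checkpoint has moved past it. Size the lag to the longest export delay you observe for the selected log types, accepting that much latency on every message.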

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: