Google Workspace Input

The Google Workspace input supports collecting logs from Google BigQuery using the Google Workspace logs and reports in BigQuery export capability. As activities are performed within Google Workspace services (e.g. Docs, Gmail, Chat), the corresponding log messages are pushed to BigQuery where the input ingests them automatically. After ingestion, the input automatically deletes consumed logs.

Prerequisites

Google Cloud Setup

  1. Choose a new or existing project within Google Cloud. Ensure that Cloud Billing is enabled.

  2. Create a new Service Account for the input.

  3. Grant the account the BigQuery Editor role.

  4. Create a key for the service account and export it in the JSON format. This key is needed to authorize the input to interact with BigQuery.

  5. Create a new BigQuery dataset. Log messages will later be exported here.
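An added example, not part of the Graylog documentation: a preflight check for the key file exported in step 4, run before it is supplied as the input's Service Account Key. The field names follow Google's service account key JSON format; the function names and all sample values are constructed for illustration.

```python
import json
import os
import stat

REQUIRED = ("type", "project_id", "private_key", "client_email", "token_uri")

def check_key(raw, expected_project=None, mode=None):
    """Return a list of problems with a service account key (empty = OK)."""
    try:
        key = json.loads(raw)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    missing = [f for f in REQUIRED if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    # OAuth client secrets and user credentials carry other "type" values.
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, not 'service_account'")
    if not str(key.get("client_email", "")).endswith(".gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM 'PRIVATE KEY' block")
    if expected_project and key.get("project_id") != expected_project:
        problems.append(f"project_id is not {expected_project!r}")
    # The file holds a long-lived private key: only its owner should read it.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"file mode {mode:o} allows group/other access")
    return problems

def check_key_file(path, expected_project=None):
    """Check a key file on disk, including its permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        return check_key(fh.read(), expected_project, mode)

# Constructed sample reduced to the fields checked; all values are placeholders.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "graylog-input@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY, expected_project="example-project", mode=0o644))
```

Run `check_key_file` against the exported file on the workstation that holds it; an empty list means the file has the expected shape and is readable only by its owner.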

Google Workspace Setup

With the above Google Cloud configuration complete, log in to the Google Workspace Admin console and enable the BigQuery export option. See the full Google documentation for more info.

Legacy Google Inputs

The following existing enterprise Google inputs have been deprecated in Graylog:

  • Gmail Log Events

  • Google Workspace Log Events

The Google Workspace input replaces the deprecated inputs, supporting the retrieval of various types of Workspace logs, including those previously covered by the deprecated inputs. Follow these instructions to transition to the new Google Workspace input. We also recommend that you consider decommissioning any credentials and API access associated with the deprecated inputs to avoid potential security risks.

Graylog Input Configuration

When launching a new input from the Graylog Inputs tab, the following options are available:

  • Input Name

    • A user-defined name for the input.

  • Service Account Key

    • The key JSON file exported in the Google Cloud setup steps above. This key is required to authorize the input to connect to BigQuery.

  • BigQuery Dataset Name

    • The dataset name configured in BigQuery.

  • Log Types to Collect

    • Select the desired Google Workspace log types here.

  • Polling Interval

    • Determines how often (in minutes) Graylog checks for new data in BigQuery tables.

Advanced Options

  • Enable Throttling

    • If enabled, no new messages are read from this input until Graylog catches up with its message load.

  • Page size

    • Provide the maximum number of logs to return per page of query results. The default setting is 1000.

  • Lag time offset

    • Provide the lag time in hours. This offset accounts for the initial delay before activity data is populated in the BigQuery tables.

  • Store Full Message

    • Stores the full JSON workspace log message in the full_message field.