Google Workspace Input

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Google Workspace input supports collecting logs from Google BigQuery using the Google Workspace logs and reports in BigQuery export capability. As activities are performed within Google Workspace services (e.g. Docs, Gmail, Chat), the corresponding log messages are pushed to BigQuery where the input ingests them automatically. After ingestion, the input automatically deletes consumed logs.

Warning: The following existing enterprise Google inputs have been deprecated in Graylog:

Gmail Log Events

Google Workspace Log Events

The Google Workspace input replaces the deprecated inputs, supporting the retrieval of various types of Workspace logs, including those previously covered by the deprecated inputs. Follow these instructions to transition to the new Google Workspace input. We also recommend that you consider decommissioning any credentials and API access associated with the deprecated inputs to avoid potential security risks.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

You must have a Google Workspace and Google Cloud subscription.
Install Graylog Illuminate Google Workspace content pack.

Required Third-Party Setup

To enable integration, complete the following required setup with your third-party service:

Google Cloud Setup

Choose a new or existing project within Google Cloud. Ensure that Cloud Billing is enabled.
Create a new Service Account for the input.
Grant the account the BigQuery Editor role.
Create a key for the service account and export it in the JSON format. This key is needed to authorize the input to interact with BigQuery.
Create a new BigQuery dataset. Log messages will later be exported here.

Google Workspace Setup

With the above Google Cloud configuration complete, log in to the Google Workspace Admin console and enable the BigQuery export option. See the full Google documentation for more info.

Required Configuration Values

In your third-party configuration, make note of the following values that are required when configuring the input in Graylog:

Service Account Key
BigQuery Dataset Name

Input Type

This input is a pull input type. See Inputs to learn about input types.

Associated Illuminate Content Pack

This log source has associated Illuminate content:

Google Workspace

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

Input Configuration

Follow the input setup instructions. During setup of this input, you can configure the following options:

Configuration Option	Description
Input Name	Provide a unique name for your new input.
Service Account Key	The key JSON file exported in the Google Cloud setup steps above. This key is required to authorize the input to connect to BigQuery.
BigQuery Dataset Name	The dataset name configured in BigQuery.
Log Types to Collect	Select the desired Google Workspace log types here.
Polling Interval	Determines how often (in minutes) Graylog checks for new data in Big Query tables.
Enable Throttling	Enables Graylog to stop reading new data for this input whenever the system falls behind on message processing and needs to catch up.
Page size	Provide the maximum number of logs to return per page of query results. The default setting is 1000.
Lag time offset	Provide the lag time in hours as there is an initial delay in the logs for populating the activity data to BigQuery tables.
Store Full Message	Stores the full JSON workspace log message in the full_message field.

Next Steps

After you complete input setup, visit Input Diagnosis for testing and validation of the new input. Use this functionality to help troubleshoot any connection issues.