Google Workspace Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software, and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet, Chat, Drive, Google Docs and others.

This technology pack processes Google Workspace event log messages, providing normalization and enrichment of common events of interest.

Supported Versions

  • Google Workspace (current)

Requirements

  • Graylog 6.1.0+ with a valid Enterprise or Security license

  • Google Workspace subscription

  • Google Cloud subscription

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Google Workspace Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Google Workspace Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

Google Workspace utilizes the Google Workspace input that ingests multiple Google product type logs in JSON format.

  • Google Workspace Input

Google Workspace Input Configuration

  1. Create a Google Workspace Input in Graylog.

  2. Configure the input with your Google Workspace credentials and desired log types.

  3. The input will automatically collect and deliver logs from your Google Workspace environment.

Log Format Example

Google Workspace logs are delivered in JSON format via the Google Workspace input.

Login and Token Events

{"time_usec":1724422059754013,"email":"user@example.com","group_id":[],"org_unit_name_path":["Example Org"],"ip_address":"MTQxLjE1Ni4xODcuMTA5","event_type":"login","event_name":"login_success","record_type":"login","has_sensitive_content":false,"unique_identifier":"-229062299291613203","event_id":"97b9dd02","resource_ids":[],"resource_details":[],"login":{"is_suspicious":false,"login_type":"google_password","login_challenge_method":["password"]}} {"time_usec":1724422059778568,"email":"user@example.com","group_id":[],"org_unit_name_path":["Example Org"],"ip_address":"MTQxLjE1Ni4xODcuMTA5","event_type":"auth","event_name":"authorize","record_type":"token","has_sensitive_content":false,"unique_identifier":"-5056355255352872288","event_id":"222e57e5","resource_ids":[],"resource_details":[],"token":{"client_id":"77185425430.apps.googleusercontent.com","scope":["https://www.google.com/accounts/OAuthLogin"],"app_name":"Google Chrome","client_type":"NATIVE_DESKTOP"}}

What is Provided

  • Rules to normalize and enrich Google Workspace log messages

  • Graylog Information Model message categorization for login, token, and Gmail events

  • Illuminate spotlight dashboard and saved search

Events Processed by This Technology Pack

The content pack supports the following log types. Generic processing will be provided for log types not listed.

  • Gmail Logs

  • Chat Logs

  • Calendar Logs

  • Drive Logs

  • Mobile Logs

  • Token Logs

  • Login Logs

GIM Categorization

GIM categorization is provided for the following event types:

Event Type gim_event_type_code gim_event_category gim_event_subcategory gim_event_type
Login 100000 authentication authentication.logon logon
Token 100500 authentication authentication.credential validation credential validation
Gmail - Message sent 130000 messaging messaging.email email sent
Gmail - Message received 139999 messaging messaging.default message
Gmail - Message deleted 132000 messaging messaging.email email deleted
Gmail - Message quarantined 131500 messaging messaging.email email quarantined

Message Fields Included in This Pack

Parsed Fields

The following fields are extracted and normalized from Google Workspace logs across all event subtypes.

Field Name Example Value Description
application_name Google Chrome Application name (from token) or default placeholder
event_outcome success Normalized event outcome (success/failure/unknown)
event_source_product google_workspace Illuminate product identifier
event_uid -229062299291613203 Unique event identifier
gw_event_id 97b9dd02 Google Workspace event ID
gw_has_sensitive_content false Whether the event contains sensitive content
gw_org_unit_name_path Graylog 2 Google Workspace organizational unit path
source_ip 141.156.187.109 Source IP address (decoded from base64)
user_email dan@example.com User email address
user_name dan User name extracted from email
vendor_event_name login_success Vendor-specific event name
vendor_event_type login Vendor event type
vendor_subtype login Google Workspace log subtype (login, token, gmail, drive, etc.)
login_challenge_method password Login challenge method used
login_is_suspicious false Whether the login was flagged as suspicious
login_type google_password Login authentication type
token_app_name Google Chrome OAuth token application name
token_client_id 77185425430.apps.googleusercontent.com OAuth client ID
token_client_type NATIVE_DESKTOP OAuth client type
token_scope https://www.google.com/accounts/OAuthLogin OAuth scope requested
email_from user@example.com Gmail sender address
email_to recipient@example.com Gmail recipient address
email_subject Hello Gmail message subject
email_direction outbound Gmail message direction (inbound/outbound)
email_message_id <abc123@example.com> Gmail message ID
email_size 12345 Gmail message size in bytes

Google Workspace Content Pack

This spotlight offers a dashboard with 3 tabs:

Overview

Gmail

User Search