Google Workspace Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Google Workspace is a collection of cloud computing, productivity and collaboration tools, software, and products developed and marketed by Google. It consists of Gmail, Google Contacts, Google Calendar, Google Meet, Google Chat, Google Drive, Google Docs, and more.

Requirement(s)

Minimum of Graylog 6.1 with a valid Enterprise license
Google Workspace subscription
Google Cloud subscription

Stream Configuration

This technology pack includes one stream:

“Illuminate:Google Workspace Messages”

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

“Google Workspace Logs”

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection

Google Workspace utilizes the Google Workspace input that ingests multiple Google product type logs in JSON format.

Configuration Example

See the input documentation for configuration details.

Log Format Example

{"time_usec":1724603503674757,"email":"somebody@somewhere.com","group_id":[],"org_unit_name_path":["Org Name"],"ip_address":"ABCDEFGHIJKLMNOPQR==","event_type":"delivery_type","event_name":"delivery","record_type":"gmail","has_sensitive_content":false,"unique_identifier":"-1294059893469656048","event_id":"b6c2d1fb","resource_ids":[],"resource_details":[],"gmail":{"event_info":{"timestamp_usec":1724603503674757,"elapsed_time_usec":1660649,"success":true,"mail_event_type":2},"message_info":{"action_type":3,"rfc2822_message_id":"<111273729@google.com>","subject":"Spotty connection? No worries. Work offline","payload_size":40973,"source":{"address":"googleworkspace-noreply@google.com","service":"smtp-inbound","from_header_address":"googleworkspace-noreply@google.com","from_header_displayname":"Google Workspace Team"},"destination":[{"address":"somebody@somewhere.com","service":"gmail-ui","selector":""}],"flattened_destinations":"gmail-ui::somebody@somewhere.com","description":"No Error","is_spam":false,"is_policy_check_for_sender":false,"num_message_attachments":0,"attachment":[],"connection_info":{"client_ip":"192.168.1.1","failed_smtp_out_connect_ip":[],"smtp_tls_state":1,"smtp_reply_code":0,"smtp_user_agent_ip":"192.168.1.1","is_intra_domain":false,"dmarc_pass":true,"dmarc_published_domain":"google.com","client_host_zone":"google.com","ip_geo_country":"US","authenticated_domain":[{"name":"google.com","type":2},{"name":"scoutcamp.bounces.google.com","type":6},{"name":"scoutcamp.bounces.google.com","type":1}],"is_internal":false,"dkim_pass":true,"spf_pass":true},"message_set":[{"type":9},{"type":15},{"type":1}],"triggered_rule_info":[],"smime_content_type":0,"link_domain":["google.com","w3.org"],"spam_info":{"disposition":1,"classification_reason":1,"ip_whitelist_entry":""}}}}

What is Provided

Rules to normalize and enrich Google Workspace log messages, a dashboard, and saved search.

Events Processed by This Technology Pack

The Google Workspace content pack supports the following logs types. Generic processing will be provided for log types not listed.

Gmail Logs
Chat Logs
Calendar Logs
Drive Logs
Mobile Logs
Token Logs
Login Logs

GIM Categorization

GIM categorization of the following messages:

Vendor Event Description	GIM Category	GIM Subcategory	GIM Event Type Code
Message sent	`messaging`	`messaging.email`	130000
Message received	`messaging`	`messaging.default`	139999
Message permanently deleted	`messaging`	`messaging.email`	132000
Message quarantined	`messaging`	`messaging.email`	131500

Google Workspace Spotlight Content Pack

Google Workspace Spotlight Content Pack offers a dashboard with two tabs, Google Workspace Overview and Gmail, and a parameter based saved search for information associated with a user e-mail address.