Google Workspace Audit Logs

Ingest Google Workspace Audit logs into Observe

To do this, you will need:

  • Administrator access to your Google Workspace instance

  • A GCP organization

  • A GCP user with logging.sinks.create permissions on your GCP organization

  • GCP command line tools installed

  • An Observe ingest token

The following are the main steps to get Google Workspace Audit logs into Observe:

  1. Set up Google Workspace to send audit logs to GCP

  2. Create a PubSub Topic and Subscription to send logs to Observe

  3. Create a Sink to send Google Workspace Audit Logs from GCP Logging to PubSub

Detailed Steps

  1. Set up Google Workspace to send audit logs to GCP.

    1. Google Workspace can be configured to send the following logs to GCP. The specifics of which logs and events get sent to GCP depend on your Google Workspace subscription, but in all cases the steps to achieve this are the same.

    2. Follow the steps in Share data with Google Cloud Platform services

  2. Create a PubSub Topic and Subscription to send logs to Observe

    1. Log in to GCP

    2. Select a project, or create one

    3. Go to PubSub > Topics

    4. Create a new Topic, for example GWorkspaceTopic. Unselect the Add a default Subscription box

      (Figure: GCP Topic creation for a channel called GWorkspaceTopic)

    5. Create a subscription following the steps in Google Cloud Pub/Sub.

  3. Create a Sink to send Google Workspace Audit logs from GCP Logging to PubSub

    1. This operation has to be performed with the gcloud command. Google Workspace Audit logs are stored at the organization level, not at the project level, so the sink cannot be configured through the GCP console.

    2. As a user that has logging.sinks.create permissions execute this command, replacing:

    • <organization_id> with your GCP organization ID

    • <topic_project_id> with the project ID which contains the PubSub topic

    • <topic_name> with the name of the topic created earlier

    gcloud logging sinks create observe-audit-sink \
      pubsub.googleapis.com/projects/<topic_project_id>/topics/<topic_name> \
      --include-children --organization=<organization_id> \
      --log-filter='logName:"organizations/<organization_id>/logs/cloudaudit.googleapis.com"'
    

    For example, if:

    • organization_id is 123456789

    • topic_project_id is lunar-magic-24780

    • topic_name is GWorkspaceTopic

    The command would look as follows:

    gcloud logging sinks create observe-audit-sink \
      pubsub.googleapis.com/projects/lunar-magic-24780/topics/GWorkspaceTopic \
      --include-children --organization=123456789 \
      --log-filter='logName:"organizations/123456789/logs/cloudaudit.googleapis.com"'
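    The sink step above, scripted as an added example (this is not Observe's own tooling or code from this page). Beyond the single gcloud command, it adds two things a practitioner needs: after the sink is created it looks up the sink's writer identity and grants it the Pub/Sub Publisher role on the topic, without which the sink silently delivers nothing, and it reads back a few matching entries at the organization level so that Cloud Logging can be checked before the Observe-side verification in the next section. It assumes gcloud is installed and authenticated as a user with logging.sinks.create on the organization; the organization ID, project ID and topic name default to the placeholder values used in the example above and are meant to be overridden via environment variables.

```shell
#!/bin/sh
# Added example: create the organization-level sink, grant its writer identity
# publish rights on the topic, and read back recent matching audit entries.
# Assumes gcloud is installed and authenticated. The defaults below are the
# placeholder values from the documentation, not real identifiers.

ORG_ID="${ORG_ID:-123456789}"                        # placeholder organization ID
TOPIC_PROJECT="${TOPIC_PROJECT:-lunar-magic-24780}"  # placeholder project holding the topic
TOPIC_NAME="${TOPIC_NAME:-GWorkspaceTopic}"
SINK_NAME="${SINK_NAME:-observe-audit-sink}"

# Organization IDs are numeric; catch a pasted display name or a leftover
# "<organization_id>" placeholder before calling gcloud.
require_numeric_org() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Pub/Sub sink destination in the form gcloud expects.
sink_destination() {
  printf 'pubsub.googleapis.com/projects/%s/topics/%s' "$1" "$2"
}

# Filter for organization-level Cloud Audit logs, where Workspace audit logs
# land. Straight double quotes are required; curly quotes match nothing.
audit_log_filter() {
  printf 'logName:"organizations/%s/logs/cloudaudit.googleapis.com"' "$1"
}

create_sink() {
  require_numeric_org "$ORG_ID" || { echo "ORG_ID must be numeric: $ORG_ID" >&2; return 1; }
  gcloud logging sinks create "$SINK_NAME" \
    "$(sink_destination "$TOPIC_PROJECT" "$TOPIC_NAME")" \
    --include-children --organization="$ORG_ID" \
    --log-filter="$(audit_log_filter "$ORG_ID")"
}

# The sink writes as a Google-managed service account. Until that identity may
# publish to the topic, nothing reaches Pub/Sub and therefore nothing reaches
# Observe; gcloud prints a reminder about this after creating the sink.
grant_writer_identity() {
  writer="$(gcloud logging sinks describe "$SINK_NAME" \
    --organization="$ORG_ID" --format='value(writerIdentity)')"
  gcloud pubsub topics add-iam-policy-binding "$TOPIC_NAME" \
    --project="$TOPIC_PROJECT" \
    --member="$writer" --role="roles/pubsub.publisher"
}

# Confirm Workspace audit events are arriving in Cloud Logging at all, using the
# same filter the sink uses, before looking for them on the Observe side.
show_recent_audit_entries() {
  gcloud logging read "$(audit_log_filter "$ORG_ID")" \
    --organization="$ORG_ID" --limit=5 \
    --format='table(timestamp,protoPayload.serviceName,protoPayload.methodName,protoPayload.authenticationInfo.principalEmail)'
}

# Only talk to GCP when explicitly asked, so the helper functions can be
# sourced and checked without credentials.
if [ "${1:-}" = "--apply" ]; then
  create_sink && grant_writer_identity && show_recent_audit_entries
fi
```

    Run it as `ORG_ID=... TOPIC_PROJECT=... sh create-observe-sink.sh --apply`. If the sink already exists, `gcloud logging sinks create` fails; the grant and read-back functions can still be called on their own, which is the usual fix when a sink was created by hand and the publisher binding was forgotten.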
    

Verify Google Workspace data is being ingested

  1. In the GCP console, go to Logging > Logs Explorer

  2. Filter Log Name in the dropdown to cloudaudit.googleapis.com, selecting all log names that have this prefix, regardless of suffix

  3. Check that new log lines have arrived in GCP

  4. Log into Observe and open the Observation event stream in a worksheet

  5. Open the OPAL console and apply the following filters. If GWorkspaceSubscription in the final line isn’t the name of the subscription above, change that to match.

    filter OBSERVATION_KIND = "http"
    filter (string(EXTRA.path) = "/pubsub")
    colmake subscription:string(string(FIELDS.subscription))
    filter contains(subscription, "GWorkspaceSubscription")
    
  6. Verify audit data exists