Google Workspace Audit Logs

Ingesting Google Workspace Audit logs into Observe

To ingest the audit logs, you need the following items:

  • Administrator access to your Google Workspace instance

  • A Google Cloud Platform (GCP) organization

  • A GCP user with logging.sinks.create create permissions for your GCP organization

  • GCP command line tools installed

  • An Observe data stream token

Use the following steps to ingest Google Workspace Audit logs into Observe:

  1. Set up Google Workspace to send audit logs to GCP.

  2. Create a PubSub Topic and Subscription to send logs to Observe.

  3. Create a Sink to send Google Workspace Audit Logs from GCP Logging to PubSub.

Detailed Steps

  1. Set up Google Workspace to send audit logs to GCP.

    1. Google Workspace can be configured to send its audit logs to GCP. Which logs and events get sent to GCP depends on your Google Workspace subscription, but in all cases the steps to achieve this are the same.

    2. Follow the steps in Share data with Google Cloud Platform services.

  2. Create a PubSub Topic and Subscription to send logs to Observe.

    1. Log in to GCP.

    2. Select a project, or create one.

    3. Go to PubSub > Topics.

    4. Create a new Topic, for example GWorkspaceTopic. Uncheck Add a default Subscription.

      Figure 1 - Create a GCP Workspace Topic (screenshot: Topic creation for a topic called GWorkspaceTopic)

    5. Create a subscription following the steps in Google Cloud Pub/Sub.

  3. Create a Sink to send Google Workspace Audit logs from GCP Logging to PubSub.

    1. You must perform this operation using the gcloud command. Google Workspace Audit logs are stored at the organization level, not at the project level, so you cannot configure the sink through the GCP console.

    2. A user with logging.sinks.create permissions executes this command, replacing:

    • <organization_id> with your GCP organization ID

    • <topic_project_id> with the project ID which contains the PubSub topic.

    • <topic_name> with the name of the topic created earlier.

    gcloud logging sinks create observe-audit-sink \
      pubsub.googleapis.com/projects/<topic_project_id>/topics/<topic_name> \
      --include-children --organization=<organization_id> \
      --log-filter='logName:"organizations/<organization_id>/logs/cloudaudit.googleapis.com"'


    For example,

    • organization_id is 123456789

    • topic_project_id is lunar-magic-24780

    • topic_name is GWorkspaceTopic

    The command looks similar to the following:

    gcloud logging sinks create observe-audit-sink \
      pubsub.googleapis.com/projects/lunar-magic-24780/topics/GWorkspaceTopic \
      --include-children --organization=123456789 \
      --log-filter='logName:"organizations/123456789/logs/cloudaudit.googleapis.com"'


Verify Google Workspace data ingestion

  1. In the GCP console, go to Logging > Logs Explorer.

  2. In the Log Name dropdown, filter on cloudaudit.googleapis.com and select every log name with this prefix, regardless of the suffix.

  3. Check that new log lines arrived in GCP.

  4. Log into Observe and open the Observation event stream in a worksheet.

  5. Open the OPAL console and apply the following filters. If GWorkspaceSubscription in the final line isn’t the name of the subscription above, change it to match.

    filter OBSERVATION_KIND = "http"
    filter (string(EXTRA.path) = "/pubsub")
    colmake subscription:string(string(FIELDS.subscription))
    filter contains(subscription, "GWorkspaceSubscription")
    
  6. Verify you can find audit data.
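To see what the sink filter and the OPAL filter above actually match, here is an added example (not part of the original page or of Observe's own code) that decodes a constructed Pub/Sub push delivery of one Cloud Audit LogEntry and applies the same two checks in Python: the sink's `logName:` substring match, and the subscription-name match used in the worksheet. The organization ID, project ID, method name and actor are constructed placeholders.

```python
import base64
import json

# Constructed sample: one Cloud Audit LogEntry as Cloud Logging would write it
# for a Workspace admin event (values are placeholders, not real data).
AUDIT_ENTRY = {
    "logName": "organizations/123456789/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2024-01-01T00:00:00Z",
    "protoPayload": {
        "serviceName": "admin.googleapis.com",
        "methodName": "google.admin.AdminService.createUser",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
    },
}

# Constructed Pub/Sub push body: the LogEntry travels base64-encoded in
# message.data, and the push carries the full subscription resource name.
PUSH_BODY = json.dumps({
    "message": {
        "data": base64.b64encode(json.dumps(AUDIT_ENTRY).encode()).decode(),
        "messageId": "1",
    },
    "subscription": "projects/lunar-magic-24780/subscriptions/GWorkspaceSubscription",
})


def decode_push(body: str) -> dict:
    """Return the subscription name and the decoded LogEntry from a push body."""
    msg = json.loads(body)
    entry = json.loads(base64.b64decode(msg["message"]["data"]))
    return {"subscription": msg["subscription"], "entry": entry}


def matches_sink_filter(entry: dict, organization_id: str) -> bool:
    """Mirror the sink's logName: filter. In Cloud Logging filters ':' is a
    substring match, so the %2Factivity / %2Fdata_access suffix is irrelevant."""
    needle = f"organizations/{organization_id}/logs/cloudaudit.googleapis.com"
    return needle in entry.get("logName", "")


def matches_observe_filter(body: str, subscription: str = "GWorkspaceSubscription") -> bool:
    """Equivalent of the worksheet's contains(subscription, ...) filter."""
    return subscription in decode_push(body)["subscription"]


def summarize(entry: dict) -> dict:
    """Pick the fields worth checking first when verifying ingestion."""
    payload = entry.get("protoPayload", {})
    return {
        "logName": entry.get("logName"),
        "serviceName": payload.get("serviceName"),
        "methodName": payload.get("methodName"),
        "principalEmail": payload.get("authenticationInfo", {}).get("principalEmail"),
    }
```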