Google Workspace Audit Logs
To ingest the Google Workspace Audit Logs, you need the following items:
- Administrator access to your Google Workspace instance
- A Google Cloud Platform (GCP) organization
- A GCP user with the logging.sinks.create permission for your GCP organization
- GCP command line tools (gcloud) installed
- An Observe Datastream token
Use the following steps to ingest Google Workspace Audit Logs into Observe:
1. Configure Google Workspace to send audit logs to GCP.
2. Create a PubSub Topic and Subscription to send logs to Observe.
3. Create a Sink to send Google Workspace Audit Logs from GCP Logging to PubSub.
Configuration
1. Set up Google Workspace to send audit logs to GCP.
   a. Configure Google Workspace to send its audit logs to GCP. The specific details around which logs and events get sent to GCP depend on your Google Workspace subscription, but in all cases the steps to achieve this remain the same.
   b. Follow the steps in Share data with Google Cloud Platform services.
2. Create a PubSub Topic and Subscription to send logs to Observe.
   a. Log in to GCP.
   b. Select a project, or create one.
   c. Go to PubSub > Topics.
   d. Create a new Topic, for example GWorkspaceTopic. Uncheck Add a default Subscription.
   [Figure 1 - Create a GCP Workspace Topic]
   e. Create a subscription following the steps in Google Cloud Platform (GCP) App.
3. Create a Sink to send Google Workspace Audit Logs from GCP Logging to PubSub.
   a. You must perform this operation using the gcloud command. Google Workspace Audit Logs are stored at the organization level, not at the project level, so you cannot configure the sink through the GCP console.
   b. A user with logging.sinks.create permissions executes this command, replacing:
      <organization_id> with your GCP organization ID
      <topic_project_id> with the project ID which contains the PubSub topic
      <topic_name> with the name of the topic created earlier

   gcloud logging sinks create observe-audit-sink \
     pubsub.googleapis.com/projects/<topic_project_id>/topics/<topic_name> \
     --include-children --organization=<organization_id> \
     --log-filter='logName:"organizations/<organization_id>/logs/cloudaudit.googleapis.com"'

   The log filter must use straight double quotes; curly quotes are not valid in the Logging query language.

   For example, if organization_id is 123456789, topic_project_id is lunar-magic-24780 and topic_name is GWorkspaceTopic, the command looks similar to the following:

   gcloud logging sinks create observe-audit-sink \
     pubsub.googleapis.com/projects/lunar-magic-24780/topics/GWorkspaceTopic \
     --include-children --organization=123456789 \
     --log-filter='logName:"organizations/123456789/logs/cloudaudit.googleapis.com"'
Verify Google Workspace Data Ingestion
1. In the GCP console, go to Logging > Logs Explorer.
2. Filter Log Name to cloudaudit.googleapis.com, and select all logs with this prefix, regardless of the suffix. Check that new log lines arrived in GCP.
3. Log into Observe and open the source dataset associated with your Datastream in a worksheet.
4. Open the OPAL console and apply the following filters. If GWorkspaceSubscription in the final line isn't the name of the subscription above, change it to match.

   filter OBSERVATION_KIND = "http"
   filter (string(EXTRA.path) = "/pubsub")
   colmake subscription:string(string(FIELDS.subscription))
   filter contains(subscription, "GWorkspaceSubscription")

5. Verify you can find audit data.
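As an added example (not part of the Observe documentation or Observe's own code): the sink filter above passes only organization-level Cloud Audit Log entries, and the subscription delivers each entry to Observe as a Pub/Sub push envelope. The Python below mirrors both checks on a constructed envelope; the organization ID, project and subscription names are taken from the page's example, and the log entry values are made up.

```python
import base64
import json
from typing import Optional

# The page's sink filter is logName:"organizations/<org_id>/logs/cloudaudit.googleapis.com".
# In the Logging query language `field:"value"` is a substring match, so both the
# ...%2Factivity and ...%2Fdata_access streams of that organization pass the filter.
def matches_sink_filter(log_name: str, organization_id: str) -> bool:
    return f"organizations/{organization_id}/logs/cloudaudit.googleapis.com" in log_name

def decode_push_message(envelope: dict) -> dict:
    """Decode the LogEntry JSON that Pub/Sub base64-encodes into message.data."""
    return json.loads(base64.b64decode(envelope["message"]["data"]))

def summarize_audit_entry(entry: dict) -> dict:
    """Pull the fields an analyst checks first out of a Cloud Audit Log entry."""
    payload = entry.get("protoPayload", {})
    return {
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "timestamp": entry.get("timestamp"),
    }

def check_delivery(envelope: dict, organization_id: str, subscription: str) -> Optional[dict]:
    """Return a summary when the push envelope carries a Workspace audit entry from the
    expected organization via the expected subscription; otherwise return None."""
    if not envelope.get("subscription", "").endswith("/subscriptions/" + subscription):
        return None
    entry = decode_push_message(envelope)
    if not matches_sink_filter(entry.get("logName", ""), organization_id):
        return None
    return summarize_audit_entry(entry)

# Constructed sample: a Workspace login audit entry as Cloud Logging would record it
# (all values are made up; field names follow the LogEntry / AuditLog schema).
SAMPLE_ENTRY = {
    "logName": "organizations/123456789/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2024-01-01T12:00:00Z",
    "protoPayload": {
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginFailure",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
    },
}
# Constructed Pub/Sub push envelope, as the subscription would POST it to Observe.
SAMPLE_ENVELOPE = {
    "message": {"data": base64.b64encode(json.dumps(SAMPLE_ENTRY).encode()).decode()},
    "subscription": "projects/lunar-magic-24780/subscriptions/GWorkspaceSubscription",
}
```

If nothing arrives at the subscription, also confirm that the writer identity gcloud printed when it created the sink holds the Pub/Sub Publisher role on the topic; without it the sink cannot deliver entries.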