Integration with Google Workspace (formerly G Suite)
There are two options for integrating with Google Workspace: sharing the Workspace logs with GCP, or directly fetching audit log reports from Workspace.
Integration with Google Workspace (formerly G Suite) through GCP
In order to have your organization's Google Workspace audit logs integrated you should:
- Enable sharing of your Google Workspace audit logs with your Google Cloud Platform as described in this Google support page
- Create a GCP pull integration (unless you already have one) as described in our documentation
Note that this option only shares Admin logs, Login logs and Enterprise Group logs. If you need specific logs for Drive, Meet and other services, see the section below.
Direct integration with Google Workspace
In order to directly collect logs from Workspace, you need to create a service account. To do that:
- Following this guide, create a service account. You may need to create a new project in the Google API console if you don't have one already.
- To create a service account, first enable the admin API for the workspace project
- Choose to create credentials and select "Application data" for the Admin SDK credentials. Also select "No, I'm not using them" for the Google infrastructure question.
- The wizard takes you to IAM & Admin -> Service Accounts. Create one with default permissions
- Edit the newly created service account
- Go to the Keys tab to create a new key
- Download the API key in JSON format
- On the "Details" tab, check "Enable Google Workspace domain-wide delegation" (specify a product name, e.g. LogSentinel SIEM)
- Go to the Workspace admin console and choose Security -> API Controls. Then select "Manage domain-wide delegation"
- Grant access to the service account (follow this guide). For "scopes" specify "https://www.googleapis.com/auth/admin.reports.audit.readonly" and click Authorize
- Go to LogSentinel -> Sources & Integrations -> Integrations and create a new Google Workspace integration
- Paste the contents of the JSON key file
- Specify a user email. This email is different from the service account's and needs to have permissions to access the Admin API.
- Save the integration
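
The steps above produce three inputs: the JSON key, the delegated scope and the user email. The following is an added example, not LogSentinel's code, that checks them before you save the integration and builds the token-request claims that domain-wide delegation relies on, which shows why the user email must differ from the service account. The function names and the sample key are constructed for illustration; the claim names follow Google's OAuth 2.0 service account flow.

```python
import json
import time

# Scope the steps above authorize for domain-wide delegation.
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
REQUIRED_FIELDS = ("client_email", "client_id", "private_key", "token_uri")

def check_integration_inputs(key_json, user_email, scopes=(REPORTS_SCOPE,)):
    """Return a list of problems found in the key file, user email and scopes."""
    try:
        key = json.loads(key_json)
    except ValueError:
        return ["key file is not valid JSON"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = [f"key file is missing '{f}'" for f in REQUIRED_FIELDS if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("key 'type' is not 'service_account'")
    if "@" not in user_email:
        problems.append("user email is not an email address")
    elif user_email.lower() == str(key.get("client_email", "")).lower():
        problems.append("user email must be a Workspace user, not the service account")
    if set(scopes) != {REPORTS_SCOPE}:
        problems.append("delegated scopes must be exactly " + REPORTS_SCOPE)
    return problems

def delegation_claims(key_json, user_email, now=None, lifetime=3600):
    """Claims of the JWT a client signs with the key to act as user_email."""
    key = json.loads(key_json)
    now = int(time.time()) if now is None else now
    return {
        "iss": key["client_email"],  # the service account
        "sub": user_email,           # the Workspace user being impersonated
        "scope": REPORTS_SCOPE,      # read-only audit reports, nothing broader
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + lifetime,
    }

# Constructed sample key with placeholder values, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "siem-reader@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})
```

An empty list from `check_integration_inputs` means the inputs are consistent with the steps above; it does not confirm that the delegation has been authorized in the Workspace admin console.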