Google Workspace
The Google Workspace managed log source allows you to collect logs from various Google Workspace audit, activity, and report endpoints into Matano. The managed log source collects and normalizes data and audit activity from all the Google Workspace Audit Reports API endpoints as well as alerts from the Google Alert Center API.
Prerequisites
To get started with the Google Workspace managed log source, follow these steps:
- Have an existing administrator account.
- Create a service account using the administrator account.
- Authorize access to the Admin SDK API for the service account.
  - You will need to authorize the following OAuth scopes: `https://www.googleapis.com/auth/admin.reports.audit.readonly`, `https://www.googleapis.com/auth/apps.alerts`
- Enable domain-wide delegation for your service account.
- Note your administrator email, service account email, and the private key for your credentials.
Usage
Use the Google Workspace managed log source by specifying the `managed.type` property in your `log_source` as `GOOGLE_WORKSPACE`.
```yaml
name: google_workspace
managed:
  type: GOOGLE_WORKSPACE
  properties:
    admin_email: admin@example.com
    client_email: service-acct@my-org.iam.gserviceaccount.com
```
For each table you would like to enable for this managed log source, create a file named `<table_name>.yml` under a `tables/` subdirectory in your log source directory. For example:
```
my-matano-dir/
└── log_sources/
    └── google_workspace/
        ├── log_source.yml
        └── tables/
            └── login.yml
```
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
Secret
To finish onboarding the log source, populate the `private_key` key in the secret generated by Matano in AWS Secrets Manager with the value from the `private_key` field in the credential key JSON generated for your service account.
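A preflight check for the values collected in Prerequisites, added here as an example and not part of Matano's code: it confirms that the credential key JSON agrees with the `client_email` in `log_source.yml` and carries a PEM `private_key`, then shows how `admin_email` and the two scopes map onto the claim set of Google's service-account token request. The function names and the sample key file are constructed for illustration.

```python
import json
import time

# Scopes listed in the Prerequisites section of this page.
REQUIRED_SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/apps.alerts",
)
TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

# Constructed sample key file; the key body is a placeholder, not a real key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "service-acct@my-org.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})

def preflight(key_json, admin_email, client_email):
    """Return a list of problems; an empty list means the inputs agree."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"credential key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["credential key file is not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("key type is not service_account")
    if key.get("client_email") != client_email:
        problems.append("client_email in log_source.yml does not match the key file")
    pem = str(key.get("private_key", "")).strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----")
            and pem.endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is missing or is not a PEM private key")
    if admin_email.endswith(".gserviceaccount.com"):
        problems.append("admin_email must be the administrator, not a service account")
    return problems

def delegation_claims(admin_email, client_email, now=None):
    """Unsigned claim set for a domain-wide delegation token request."""
    now = int(time.time()) if now is None else now
    return {
        "iss": client_email,                 # the service account
        "sub": admin_email,                  # the administrator being impersonated
        "scope": " ".join(REQUIRED_SCOPES),  # space-delimited scope list
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + 3600,                   # Google allows at most one hour
    }
```

Run `preflight` against the downloaded key file before copying `private_key` into the secret; a mismatch between `client_email` values is the usual sign that the wrong key file was picked up.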
Tables
The Google Workspace managed log source supports the following tables:
Table | Identifier | Description |
---|---|---|
Login | login | Track sign-in activity from users to your domain. |
Admin | admin | Information on the Admin console activities of all of your account's administrators. |
Alert | alert | Alerts from Google Workspace Alert Center on potential security issues. |
Ingest
Pull (default)
Matano integrates with your Google Workspace account to automatically pull relevant logs on a regular basis (every 1 min).
Google Workspace data has documented delays (lag times) that vary per table. Matano ensures each source is polled with the appropriate lag time.
Schema
Google Workspace event data is normalized to ECS fields. Custom fields are normalized into the `google_workspace` field. You can view the complete mapping to see the full schema.