This procedure explains how to collect logs from G Suite and ingest them into Sumo Logic.
G Suite Apps each have a log that records actions in JSON format. The logs are all structurally similar—most have an ID, actor, and an IP Address. The differences are in the events section of the JSON where the actions are recorded.
G Suite Alert Center alerts are in JSON format. Most of the alerts have a few common fields. The differences are in the data section of the JSON where the alert type specific details are recorded. For more information, see this G Suite Alert document.
Configure log collection
You can configure two types of log collection:
- G Suite App—Monitors and analyzes the activity across all the G Suite Apps in one place. You can configure collection for each Google App for which you want to analyze events:
- Google Admin
- Google Drive
- Google Login
- Google Token
- G Suite Alert Center—Provides full visibility into alerts from G Suite apps, allowing you to investigate and correlate alerts and monitor potential threats. You can configure the list alerts to be collected. The alerts are forwarded to Sumo Logic’s HTTP endpoint in JSON format.