Collect Logs for Google Workspace

This procedure explains how to collect logs from Google Workspace and ingest them into Sumo Logic.

Log Types

Each Google Workspace app has a log that records actions in JSON format. The logs are all structurally similar: most have an ID, an actor, and an IP address. The differences are in the events section of the JSON, where the actions are recorded.
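The shared layout described above can be flattened into one row per recorded action. This is an added example, not code from the original page or from Sumo Logic. The sample records are constructed, and their field names (`id`, `actor`, `ipAddress`, `events`, `parameters`) follow the Google Reports API activity layout, which is an assumption because the page does not list them.

```python
import json

# Constructed sample records. Field names follow the Google Reports API
# activity layout (an assumption; the page does not list them).
SAMPLE_LOGS = [
    json.dumps({
        "id": {"time": "2024-01-15T10:00:00.000Z", "applicationName": "login"},
        "actor": {"email": "alice@example.com"},
        "ipAddress": "203.0.113.10",
        "events": [{"type": "login", "name": "login_failure"}],
    }),
    json.dumps({
        "id": {"time": "2024-01-15T10:05:00.000Z", "applicationName": "drive"},
        "actor": {"email": "bob@example.com"},
        "ipAddress": "198.51.100.7",
        "events": [
            {"type": "access", "name": "download", "parameters": [
                {"name": "doc_title", "value": "plan.xlsx"}]},
            {"type": "acl_change", "name": "change_user_access", "parameters": [
                {"name": "visibility_change", "value": "external"},
                {"name": "billable", "boolValue": True}]},
        ],
    }),
    # No ipAddress: most records carry one, not all.
    json.dumps({
        "id": {"time": "2024-01-15T10:09:00.000Z", "applicationName": "token"},
        "actor": {"email": "carol@example.com"},
        "events": [{"type": "auth", "name": "authorize", "parameters": [
            {"name": "scope", "multiValue": ["drive", "gmail"]}]}],
    }),
]

VALUE_KEYS = ("value", "intValue", "boolValue", "multiValue")

def flatten(raw):
    """Return one flat row per entry in the record's events array."""
    rec = json.loads(raw)
    ident, actor = rec.get("id") or {}, rec.get("actor") or {}
    common = {"time": ident.get("time"), "app": ident.get("applicationName"),
              "actor": actor.get("email"), "ip": rec.get("ipAddress")}
    rows = []
    for ev in rec.get("events") or []:
        # Each parameter stores its value under one type-specific key.
        params = {p.get("name"): next((p[k] for k in VALUE_KEYS if k in p), None)
                  for p in ev.get("parameters") or []}
        rows.append({**common, "event_type": ev.get("type"),
                     "event_name": ev.get("name"), "params": params})
    return rows

ROWS = [row for raw in SAMPLE_LOGS for row in flatten(raw)]
```

Each row keeps the common actor, IP and time fields next to the app-specific event name and parameters, so a single query can cover all four apps.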

Google Workspace Alert Center alerts are in JSON format. Most of the alerts share a few common fields. The differences are in the data section of the JSON, where the details specific to each alert type are recorded. For more information, see this Google Workspace Alert document.

Configure log collection

You can configure two types of log collection: 

  • Google Workspace: Monitors and analyzes the activity across all the Google Workspace Apps in one place. You can configure collection for each Google App for which you want to analyze events:
    • Google Admin
    • Google Drive
    • Google Login
    • Google Token
  • Google Workspace Alert Center: Provides full visibility into alerts from Google Workspace apps, allowing you to investigate and correlate alerts and monitor potential threats. You can configure the list of alerts to be collected. The alerts are forwarded to Sumo Logic’s HTTP endpoint in JSON format.