Skip to main content
Sumo Logic

Google G Suite Apps Audit

Configure an G Suite Apps Audit Source to collect G Suite log messages to be parsed by CSE's system parser for G Suite Audit.

Step 1: Configure CIP collection

In this step, you configure an G Suite Apps Audit Source to collect G Suite log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure G Suite Apps Audit Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the G Suite Apps Audit Source on the collector.

Configure a Hosted Collector

  1. In Sumo Logic CIP, select Manage Data > Collection > Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. The Add Hosted Collector popup appears.
    add-hosted-collector.png
  5. Name. Provide a Name for the Collector.
  6. Description. (Optional)
  7. Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory
  8. Fields
    1. If you are planning that all the sources you add to this collector will forward log messages to CSE, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to CSE.
    2. If all sources in this collector will be G Suite Audit sources, add an additional field with key _parser and value /Parsers/System/Google/G Suite Audit

Configure G Suite Apps Audit Source

  1. In the Sumo Logic web app, select Manage Data > Collection > Collection
  2. Navigate to the Hosted Collector where you want to create the source.
  3. On the Collectors page, click Add Source next to the Hosted Collector.
  4. Select G Suite Apps Audit. 
  5. The page refreshes.
    gsuite-apps-audit-source.png
  6. Name. Enter a name for the source. 
  7. Description. (Optional) 
  8. Application. Select the G Suite app you wish to collect using this source. Steps may be repeated for each G Suite app you want to collect from.
  9. Source Category. Enter a string to tag the output collected from the source. The string that you supply will be saved in a metadata field called _sourceCategory.
  10. Fields.
    1. If you have not configured the Hosted Collector to forward all sources in the collector to CSE, click the +Add Field link, and add a field whose name is _siemForward and value is true.
    2. If you are not parsing all sources in the hosted collector with the same parser, +Add Field named _parser with value /Parsers/System/Google/G Suite Audit.
  11. Sign in with Google. Click to give permission to Sumo Logic to set up watchpoints using the G Suite Apps Reports API. Click Accept.
  12. Click Save.

Step 2: Verify ingestion

In this step, you verify that your logs are successfully making it into CSE. 

  1. Click the gear icon, and select Log Mappings under Incoming Data.
    log-mappings-link.png
  2. On the Log Mappings page search for "G Suite" and check under Record Volume.
    gsuite-record-volume.png
  3. For a more granular look at the incoming records, you can also use CIP to search for G Suite security records.
    gsuite-search.png