Skip to main content

Google Workspace Apps Audit - Cloud SIEM

Google Workspace icon

Step 1: Configure collection​

In this step, you configure an Google Workspace Apps Audit Source to collect Google Workspace log messages. You can configure the source on an existing Hosted Collector or create a new collector. If you’re going to use an existing collector, jump to Configure Google Workspace Apps Audit Source below. Otherwise, create a new collector as described in Configure a hosted collector below, and then create the Google Workspace Apps Audit Source on the collector.

Configure a Hosted Collector​

  1. To create a new hosted collector, see Configure a Hosted Collector.
  2. Fields. 
    1. If you are planning that all the sources you add to this collector will forward log messages to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true. This will cause the collector to forward all of the logs collected by all of the sources on the collector to Cloud SIEM.
    2. If all sources in this collector will be Google Workspace Audit sources, add an additional field with key _parser and value /Parsers/System/Google/G Suite Audit.
    note

    It’s also possible to configure individual sources to forward to Cloud SIEM, as described in the following section.

Configure Google Workspace Apps Audit Source​

  1. To configure Google Workspace source, see Configure a Google Workspace Apps Audit Source.
  2. Fields.
    1. If you have not configured the Hosted Collector to forward all sources in the collector to Cloud SIEM, click the +Add Field link, and add a field whose name is _siemForward and value is true.
    2. If you are not parsing all sources in the hosted collector with the same parser, +Add Field named _parser with value /Parsers/System/Google/G Suite Audit.
  3. Sign in with Google. Click to give permission to Sumo Logic to set up watchpoints using the Google Workspace Apps Reports API. Click Accept.
  4. Click Save.

Step 2: Verify ingestion​

In this step, you verify that your logs are successfully making it into Cloud SIEM. 

  1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
  2. On the Log Mappings page search for "Google Workspace" and check under Record Volume.
    GSuite record volume
  3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for Google Workspace security records.
    GSuite search
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.