Configuring GSuite

To fetch Google Workspace logs in Logpoint, first create a service account in the Google Cloud console, download the service account’s private key JSON file, and authorize the project in Google Admin. Then, upload the key file to Logpoint to establish a connection with the Google Cloud console and fetch logs from Google Workspace. You also need to configure how the logs are managed, processed, and stored. This ensures accurate log collection, proper formatting, and timely analysis, which are crucial for identifying security incidents and maintaining compliance. All of this is done in Configuring GSuite.

Note

While we provide GSuite-specific instructions in this guide, the GSuite interface may change over time. For the most up-to-date information, and to navigate any changes in the GSuite interface, we recommend referring to the official GSuite documentation.

Creating a Service Account for Gsuite

  1. Go to the Cloud Console page and enter your credentials.

  2. Click IAM & Admin > Manage Resources.

_images/gsuite-manageresources.png

Manage Resources

  3. Click Create Project.

_images/gsuite-createproject.png

Create Project

  4. Enter a project name.

  5. Click Create.

_images/gsuite-newproject.png

New Project

  6. Click Select Project.

  7. Click APIs and services > Library.

_images/gsuite-services.png

APIs and Services

  8. Search for Admin SDK API and Gmail API in the search bar and enable them both.

  9. Click APIs and services > Credentials from the navigation bar.

_images/gsuite-credentials.png

APIs and Services

  10. Click Create Credentials and select Service account.

_images/gsuite-account.png

Service Account

  11. Enter a Service account name and click Create and Continue.

_images/gsuite-accountname.png

Service Account Name

  12. Select a role and click Continue.

  13. Click Done.

  14. Go back to APIs and services > Credentials and select the created Service Account.

_images/gsuite-accountname1.png

Service Account

  15. Click Keys > Add Key > Create new key.

  16. Select JSON as Key type and click Create.

The G Suite service account’s private key JSON file is downloaded to your computer.

Authorizing Projects

  1. Go to the Google Admin page and enter your credentials.

  2. Click Security > API Controls.

  3. Click Manage Domain Wide Delegation.

_images/gsuite-domain.png

Manage Domain Wide Delegation

  4. Click Add new.

  5. Enter the Client ID from the previously downloaded JSON file.

  6. In One or More API Scopes, enter:

    https://www.googleapis.com/auth/admin.reports.audit.readonly

    https://www.googleapis.com/auth/admin.reports.usage.readonly

    https://www.googleapis.com/auth/gmail.readonly

  7. Click Authorize.
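
A pre-upload check for the downloaded key file, as an added example that is not part of the Logpoint documentation or product: it confirms the JSON carries the fields Logpoint auto-fills, flags a key file that other local users can read, and returns the Client ID with the comma-delimited scope list to enter under Manage Domain Wide Delegation. The function names and sample values are constructed for illustration, and the file-mode check assumes a POSIX system.

```python
import json
import os
import stat
import tempfile

# Fields the page lists as auto-filled from the key file, and the scopes it authorizes.
REQUIRED = ("project_id", "private_key_id", "private_key", "client_email", "client_id")
SCOPES = (
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
)

def check_key_file(path):
    """Return (problems, delegation); delegation holds the Client ID and scope string."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # the file holds a private key, so only its owner should read it
        problems.append(f"mode {mode:03o} exposes the key to group/others")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"], None
    if not isinstance(key, dict) or key.get("type") != "service_account":
        return problems + ["not a service account key file"], None
    problems += [f"missing field: {n}" for n in REQUIRED if not str(key.get(n) or "").strip()]
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in str(key["private_key"]):
        problems.append("private_key is not a PEM block")
    if key.get("client_id") and not str(key["client_id"]).isdigit():
        problems.append("client_id is not numeric")
    return problems, {"client_id": key.get("client_id"), "scopes": ",".join(SCOPES)}

def demo():
    """Check a constructed key file; every value below is a placeholder."""
    sample = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0" * 40,
        "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
        "client_email": "logpoint-fetcher@example-project.iam.gserviceaccount.com",
        "client_id": "100000000000000000001",
    }
    with tempfile.NamedTemporaryFile("w", suffix=".json") as fh:  # created with mode 0600
        json.dump(sample, fh)
        fh.flush()
        return check_key_file(fh.name)

if __name__ == "__main__":
    print(demo())
```

An empty problem list means the file is ready to upload in Key File; delete any extra copies of the key once the upload is done.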

Configuring the GSuite Fetcher from Devices

Adding a Normalization Policy

Normalization policies normalize and standardize logs for efficient storage, analysis, and retrieval. They can also be used in a processing policy to process GSuite logs.

  1. Click Configure in the navigation bar.

  2. Under Entities, click Normalization Policies.

  3. Select a Logpoint to create the normalization policy. You can select multiple Logpoint of different pools.

  4. Click Next.

_images/gsuite_dcui_configure_normpolicy_select_lp.png

Selecting Logpoint

  5. Enter a Name.

  6. Select GSuiteCompiledNormalizer from the list of compiled normalizers, and click Add to List.

  7. Click Next.

_images/gsuite_dcui_configure_normpolicy.png

Adding a Normalization Policy

  8. Review your changes. You can go Back to make changes.

  9. Click Finish and click OK to confirm. Click Download Report to get the summary as a PDF.

_images/gsuite_dcui_configure_normpolicy_confirm.png

Confirming the Changes

Adding a Processing Policy

A processing policy manages how GSuite logs are handled, processed, and stored to enhance their usability and accessibility for monitoring, reporting, and alerting purposes.

  1. Click Configure in the navigation bar.

  2. Under Entities, click Processing Policies.

  3. Select a Logpoint to create the processing policy. You can select multiple Logpoint of different pools.

  4. Click Next.

_images/policy_select_lp1.png

Selecting Logpoint

  5. Enter a Name.

  6. Select the Enrichment Policy and Routing Policy.

  7. Select the previously created Normalization Policy.

  8. Click Next.

_images/configure_policy.png

Adding a Processing Policy

  9. Review your changes. You can go Back to make changes.

  10. Click Finish and click OK to confirm. Click Download Report to get the summary as a PDF.

_images/processpolicy3.png

Confirming the Changes

Configuring the Gsuite Fetcher

  1. Click Configure in the navigation bar of the Director Console.

  2. Under Settings, click Plugins.

  3. Select GSuite Fetcher from the Select Plugin Type drop-down.

  4. Select Logpoint to configure the GSuite Fetcher. You can select multiple Logpoint of different pools.

  5. Click Next.

_images/gsuite_dcui_configure_selecting_lp.png

Selecting Logpoint

  6. Select Create.

  7. Upload the Google Workspace service account’s private key JSON file in Key File.

The Project ID, Private Key ID, Private Key, Client Email, and Client ID fields are auto-filled after you upload the credential file.

  8. Enter the Google Workspace admin user’s email ID in User Email.

  9. Select the frequency at which logs are retrieved in Fetch Interval (minutes).

  10. Select the Charset.

  11. Select the previously created Processing Policy.

_images/gsuite_dcui_configure.png

Configuring the GSuite Fetcher

  12. Select Enable Proxy to use a proxy server.

  13. In Proxy Configuration:

    13.1. Enter the proxy server IP address and Port number.

    13.2. Select HTTP or HTTPS protocol as required.

  14. Click Next.

_images/gsuite_dcui_configure_enable.png

Enabling Proxy

  15. Review your changes. You can go Back to make changes.

  16. Click Finish and click OK to confirm. Click Download Report to get the summary as a PDF.

_images/gsuite_dcui_edit_confirm12.png

Confirming the Changes

Editing a GSuite Fetcher Configuration

  1. Click Configure in the navigation bar of the Director Console.

  2. Under Settings, click Plugins.

  3. Select GSuite Fetcher from the Select Plugin Type drop-down.

  4. Select the Logpoint where GSuite Fetcher is configured. You can select multiple Logpoint of different pools.

  5. Click Next.

_images/gsuite_dcui_configure_selecting_lp.png

Selecting Logpoint

  6. Select List. You can find the configurations that are common to all the selected Logpoint.

  7. Click the Edit icon from Action.

_images/gsuite_dcui_edit_list.png

Editing the GSuite Fetcher Configuration

  8. Make the changes and click Edit.

_images/gsuite_dcui_edit.png

Editing a GSuite Fetcher Configuration

The Action Status of the configuration changes to Changed. You can click the Undo icon from Action to undo the changes.

  9. Click Next.

_images/gsuite_dcui_edit_review.png

Verifying the Action Status

  10. Review your changes. You can go Back to make changes.

  11. Click Finish and click OK to confirm. Click Download Report to get the summary as a PDF.

_images/gsuite_dcui_edit_confirm.png

Confirming the Changes

Deleting a GSuite Fetcher Configuration

  1. Click Configure in the navigation bar of the Director Console.

  2. Under Settings, click Plugins.

  3. Select GSuite Fetcher from the Select Plugin Type drop-down.

  4. Select the Logpoint where GSuite Fetcher is configured. You can select multiple Logpoint of different pools.

  5. Click Next.

_images/gsuite_dcui_configure_selecting_lp.png

Selecting Logpoint

  6. Select List. You can find the configurations that are common to all the selected Logpoint.

  7. Click the Delete icon from Action.

_images/gsuite_dcui_delete_list.png

Deleting the GSuite Fetcher Configurations

The Action Status of the configuration changes to Delete. You can click the Undo icon from Action to undo the deletion.

  8. Click Next.

_images/gsuite_dcui_delete_review.png

Verifying the Action Status

  9. Review your changes. You can go Back to make changes.

  10. Click Finish and click OK to confirm. Click Download Report to get the summary as a PDF.

_images/gsuite_dcui_delete_confirm.png

Confirming the Changes

Configuring the GSuite Fetcher from Log Sources

You can configure Gsuite using the Gsuite log source template, which has predefined settings and configurations to fetch Gsuite logs. However, some fields must be entered manually.

  1. Click Configure in the navigation bar.

  2. Under Entities, click LOG SOURCES.

  3. Click Create Log Source.

  4. Select Gsuite Fetcher.

  5. Select a Pool and Logpoint to configure the fetcher.

  6. Click Next.

Source

In source, you can add details about the Google Workspace from where Gsuite fetches logs.

  1. Click Source.

  2. Enter the Log Source’s Name.

  3. Select the frequency at which logs are retrieved in Fetch Interval (minutes).

  4. Select Charset and Time Zone.

_images/Gsuite_Source_Configuration.png

Configuring Source

Connector

In connector, you can configure how the GSuite fetcher and Google Workspace communicate with each other.

  1. Upload the Google Workspace service account’s private key JSON file in Key File.

The Project ID, Private Key ID, Private Key, Client Email, and Client ID fields are auto-filled after you upload the credential file.

  2. Enter the Google Workspace admin user’s email ID in User Email.

  3. If you use a Distributed Logpoint, select a collector from the Distributed Collector drop-down.

  4. Select Enable Proxy to use a proxy server.

    4.1. Select either HTTP or HTTPS protocol.

    4.2. Enter the proxy server IP address and the PORT number.

_images/G_suite1.png

Configuring Connector

Routing

In routing, you define repositories (repos) and set routing criteria for the Gsuite fetcher. Repos store the incoming logs, and the routing criteria determine the conditions for forwarding logs to specific repositories.

To create a repo:

  1. Click Routing and + Create Repo.

  2. Enter a Repo name.

  3. In Path, enter the location to store the incoming logs.

  4. In Retention (Days), enter the number of days logs are kept in a repository before they are automatically deleted.

  5. In Availability, select the Remote logpoint and Retention (Days).

  6. Click Create Repo.

_images/createrepo.png

Creating a Repo

In Repo, select the created repo to store logs.

To create Routing Criteria:

  1. Click + Add row.

  2. Enter a Key and Value. The routing criteria are applied only to logs that have this key-value pair.

  3. Select an Operation for logs that have this key-value pair.

    3.1. Select Store raw message to store both the incoming and the normalized logs in the selected repo.

    3.2. Select Discard raw message to discard the incoming logs and store the normalized ones.

    3.3. Select Discard entire event to discard both the incoming and the normalized logs.

  4. In Repository, select a repo to store logs.

_images/createrepository.png

Creating a Routing Criteria

Click the (uninstall) icon under Action to delete the created routing criteria.

Normalization

In normalization, you can select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format for consistent and efficient analysis.

  1. Click Normalization.

  2. Select a Normalizer from the list and click the Swap icon, or select a Normalization Policy from the drop-down.

_images/Gsuite_norm11.png

Adding Normalizers

Enrichment

In enrichment, you can select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation.

  1. Click Enrichment.

  2. Select an Enrichment Policy.

Click Create Log Source to save the configurations of Source, Connector, Routing, Normalization, and Enrichment.

You are redirected to Tasks, which displays the log source setup progress.

Editing GSuite

  1. Click CONFIGURATION from the left navigation bar.

  2. Under Settings, click PLUGINS.

  3. Select GSuite Fetcher from the Select Plugin Type drop-down.

  4. Select Logpoint to edit the GSuite Fetcher configuration. Multiple Logpoint can be selected from different pools.

_images/select_pool.png

Selecting Logpoint

  5. Click NEXT.

  6. Select List. The page lists the configurations that are common to all the selected Logpoint.

  7. Click the Edit icon under ACTION.

  8. Make the changes and click EDIT.

The Action Status of the configuration changes to Changed. To undo changes, click the Undo icon from Action.

  9. Click NEXT.

  10. Review your changes. Click BACK to make more changes. Click DOWNLOAD REPORT to get a summary as a PDF.

  11. Click FINISH and click OK to confirm.

You are redirected to TASKS, which displays the GSuite Fetcher edit progress.

