Google Workspace Audit Logs
Connecting GSuite requires a GSuite administrator who:
- Can perform a domain-wide delegation
- Can create a new GCP project
You will also need to have the runreveal CLI installed and a RunReveal account created before we can start receiving data from Google Workspace using this guide.
Step 1: Set Up Google Cloud Project and Enable APIs
- Go to the Google Cloud Console.
- Create a new project or select an existing one.
- Navigate to the "APIs & Services" > "Dashboard" section.
- Click "+ ENABLE APIS AND SERVICES" and search for "Admin SDK API." Enable it.
- Go to "Credentials" > "+ CREATE CREDENTIALS" > "Service account" and follow the process to create a new service account.
- After creating the service account, click on it and go to "Keys" > "Add Key" > "Create new key" > "JSON". Download the JSON file; this will be your credentials file.
Step 2: Enable API Access in Google Admin Console
- Go to the Google Admin Console.
- Navigate to "Security" > "API controls."
- In the "Domain wide delegation" section, click "Manage Domain Wide Delegation."
- Click "Add new" and enter the Client ID of your service account (you can find this in your service account details in the Google Cloud Console).
- In the "OAuth Scopes" field, enter the following scope:
https://www.googleapis.com/auth/admin.reports.audit.readonly
- Save the configuration.
Step 3: Add the Google Workspace source to RunReveal
In the RunReveal dashboard, select "Google Workspace" on the sources page.
- Give your source a name.
- The subject must be an administrator of your Google Workspace account; usually it will be the email address of the person who performed the domain-wide delegation.
- Either choose the credential.json file using the file picker, or paste the contents into the Credential text area.
Click "Verify Settings" and "Connect" to save your new source.
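A pre-flight check for the values Step 3 asks for, added here as an example (it is not RunReveal's or Google's code): it confirms the downloaded JSON is a service account key, that the subject is a user address rather than the service account itself, and returns the Client ID and scope to enter in Step 2. The function name preflight and the SAMPLE key are constructed for illustration.

```python
import json
import re

# Scope entered in the "OAuth Scopes" field in Step 2 of this guide.
REQUIRED_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# Fields found in a Google service account JSON key file.
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def preflight(credential_text, subject):
    """Return (problems, delegation) for a key file and a delegation subject."""
    try:
        cred = json.loads(credential_text)
    except json.JSONDecodeError as exc:
        return [f"credential is not valid JSON: {exc.msg}"], None
    if not isinstance(cred, dict):
        return ["credential JSON must be an object"], None
    problems = []
    missing = [f for f in REQUIRED_FIELDS if not cred.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if cred.get("type") != "service_account":
        problems.append("type must be 'service_account'")
    if "BEGIN PRIVATE KEY" not in str(cred.get("private_key", "")):
        problems.append("private_key is not a PEM private key")
    if not str(cred.get("client_id", "")).isdigit():
        problems.append("client_id should be the numeric service account ID")
    if not EMAIL_RE.match(subject):
        problems.append("subject must be an administrator's email address")
    elif subject == cred.get("client_email"):
        problems.append("subject is the service account itself")
    # What to enter under "Manage Domain Wide Delegation" in Step 2.
    return problems, {"client_id": cred.get("client_id"), "scopes": [REQUIRED_SCOPE]}

# Constructed sample key file: placeholder values only, not a real key.
SAMPLE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "audit-reader@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    found, delegation = preflight(SAMPLE, "admin@example.com")
    print(found or "ok", delegation)
```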
Query your logs
Once your source is created, logs will begin flowing to RunReveal within 1 minute.
You can find your Google Workspace source on the sources page and click Query to see a sample result set of your logs, or navigate to the Explore page to see logs with the sourceType gsuite.