Google Workspace Audit Logs
Connecting GSuite requires a GSuite administrator who can:
- Perform a domain-wide delegation
- Create a new GCP project
You will also need to have the runreveal CLI installed and a RunReveal account created before you can start receiving data from Google Workspace using this guide.
Step 1: Set up Google Cloud Project and Enable APIs
- Go to the Google Cloud Console.
- Create a new project or select an existing one.
- Navigate to the "APIs & Services" > "Dashboard" section.
- Click "+ ENABLE APIS AND SERVICES" and search for "Admin SDK API." Enable it.
- Go to "Credentials" > "+ CREATE CREDENTIALS" > "Service account" and follow the process to create a new service account.
- After creating the service account, click on it and go to "Keys" > "Add Key" > "Create new key" > "JSON". Download the JSON file; this will be your credentials file.
Step 2: Enable API Access in Google Admin Console
- Go to the Google Admin Console.
- Navigate to "Security" > "API controls."
- In the "Domain wide delegation" section, click "Manage Domain Wide Delegation."
- Click "Add new" and enter the Client ID of your service account (you can find this in your service account details in the Google Cloud Console).
- In the "OAuth Scopes" field, enter the following scope:
https://www.googleapis.com/auth/admin.reports.audit.readonly
- Save the configuration.
Step 3: Add the Google Workspace source to RunReveal
In the RunReveal dashboard, select "Google Workspace" on the sources page.
- Give your source a name.
- The subject must be an administrator of your Google Workspace account; usually it will be the email address of the person who performed the domain-wide delegation.
- Either choose the credential.json file using the file picker, or paste the contents into the Credential text area.
![](/google-workspace-logs-1.png)
Click "Verify Settings" and "Connect" to save your new source.
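A pre-flight check for the values Steps 1 to 3 ask for, as an added example that is not RunReveal's own code: it validates the downloaded key JSON, returns the Client ID and scope to enter under domain-wide delegation, and checks that the key file is not readable by other users. The function names and the sample key are constructed for illustration.

```python
import json
import os
import re
import stat

# Scope entered under domain-wide delegation in Step 2 of the guide.
AUDIT_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
REQUIRED = ("type", "client_id", "client_email", "private_key", "token_uri")

# Constructed sample key: every value below is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_id": "100000000000000000001",
    "client_email": "audit-reader@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def preflight(key_json, subject):
    """Validate a service account key and subject before adding the source."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return {"ok": False, "problems": [f"not valid JSON: {exc.msg}"]}
    if not isinstance(key, dict):
        return {"ok": False, "problems": ["key file must be a JSON object"]}
    problems = [f"missing field: {f}" for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account'")
    if not str(key.get("client_id", "")).isdigit():
        problems.append("client_id is not the numeric service account ID")
    if "BEGIN PRIVATE KEY" not in str(key.get("private_key", "")):
        problems.append("private_key is not a PEM block")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", subject):
        problems.append("subject must be an administrator's email address")
    return {"ok": not problems, "problems": problems,
            "client_id": key.get("client_id"), "scope": AUDIT_SCOPE}


def key_file_is_private(path):
    """True when the key file is not readable by group or others (POSIX modes)."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IRGRP | stat.S_IROTH)


if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "admin@example.com"))
```

The downloaded JSON key is a long-lived credential for the delegated scope, so keep it at mode 600 while it is on disk.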
Query your logs
Once your source is created, logs will begin flowing to RunReveal within 1 minute.
![](/google-workspace-logs-2.png)
You can find your Google Workspace source on the sources page and click Query to see a sample result set of your logs, or navigate to the Explore page to see logs with the sourceType gsuite.