The Google Workspace managed log source allows you to collect logs from various Google Workspace audit, activity, and report endpoints into Matano. The managed log source collects and normalizes audit activity from all the Google Workspace Audit Reports API endpoints, as well as alerts from the Google Alert Center API.
To get started with the Google Workspace managed log source, follow these steps:
- Have an existing administrator account.
- Create a service account using the administrator account.
- Authorize access to the Admin SDK API for the service account.
- You will need to authorize the following OAuth scopes: https://www.googleapis.com/auth/admin.reports.audit.readonly and https://www.googleapis.com/auth/apps.alerts
- Enable domain-wide delegation for your service account.
- Note your administrator email, service account email, and the private key for your credentials.
Use the Google Workspace managed log source by specifying the managed.type property in your
For each table you would like to enable for this managed log source, create a file named <table_name>.yml under the tables/ subdirectory of your log source directory. For example:
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
To finish onboarding the log source, populate the private_key key in the secret generated by Matano in AWS Secrets Manager with the value of the private_key field from the credential key JSON generated for your service account.
The Google Workspace managed log source supports the following tables:

| Table | Description |
|---|---|
| Login | Track sign-in activity from users to your domain. |
| Admin | Information on the Admin console activities of all of your account's administrators. |
| Alert | Alerts from the Google Workspace Alert Center on potential security issues. |
Matano integrates with your Google Workspace account to automatically pull relevant logs on a regular basis (every minute).
Google Workspace data has documented delays (lag times) that vary per table; Matano polls each table with the appropriate lag so that events Google has not yet made visible are not skipped.
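To show why the poll window has to be held back by each table's lag, here is an added Python simulation (example code, not Matano's implementation). The per-table lag values and the two events are constructed for the example; the real lag figures come from Google's documentation for each report. It compares a naive collector that polls straight up to "now" with a lag-aware one, and shows that only the lag-aware collector picks up an event that Google exposes a few minutes after it occurred.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
POLL_INTERVAL = timedelta(minutes=1)  # the page states Matano polls every minute

# Hypothetical per-table lag values, constructed for this example only.
# Use Google's documented lag for each report when tuning a real collector.
TABLE_LAG = {
    "login": timedelta(minutes=5),
    "admin": timedelta(minutes=5),
    "alert": timedelta(minutes=1),
}


def lag_aware_window(last_end, now, lag):
    """Return the next (start, end] window, or None if nothing is safely fetchable.

    The upper bound is held back by `lag` so that events Google has not yet
    exposed are requested on a later poll instead of being skipped; the lower
    bound is the previous upper bound, so successive windows are contiguous.
    """
    end = now - lag
    if end <= last_end:
        return None
    return last_end, end


def naive_window(last_end, now, lag):
    """Poll straight up to `now`, ignoring lag (the failure mode to avoid)."""
    return last_end, now


def run_polls(events, window_fn, lag, start, polls):
    """Simulate `polls` polls one POLL_INTERVAL apart and return the ids collected.

    `events` are constructed (id, event_time, visible_at) tuples: `visible_at`
    is when the API would first return the event, which may be well after
    `event_time`. A poll sees an event only if its event_time falls in the
    requested window and it is already visible at poll time.
    """
    collected = set()
    last_end = start
    for i in range(1, polls + 1):
        now = start + i * POLL_INTERVAL
        window = window_fn(last_end, now, lag)
        if window is None:
            continue
        w_start, w_end = window
        for eid, event_time, visible_at in events:
            if w_start < event_time <= w_end and visible_at <= now:
                collected.add(eid)
        last_end = w_end
    return collected


def demo():
    """Run both strategies over a constructed login-table scenario."""
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=UTC)
    events = [
        # Constructed: one event exposed promptly, one exposed four minutes late.
        ("prompt", t0 + timedelta(seconds=30), t0 + timedelta(seconds=45)),
        ("late", t0 + timedelta(seconds=40), t0 + timedelta(minutes=4)),
    ]
    lag = TABLE_LAG["login"]
    naive = run_polls(events, naive_window, lag, t0, polls=10)
    lagged = run_polls(events, lag_aware_window, lag, t0, polls=10)
    return naive, lagged


if __name__ == "__main__":
    naive, lagged = demo()
    print("naive collector saw:", sorted(naive))
    print("lag-aware collector saw:", sorted(lagged))
```

The naive collector requests (10:00, 10:01] at 10:01, when the late event is not yet visible, and never asks for that interval again, so the event is lost. The lag-aware collector does not request that interval until 10:06, by which time both events are visible.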
Google Workspace event data is normalized to ECS fields. Custom fields are normalized into the google_workspace field. You can view the complete mapping to see the full schema.