Google Input
Introduction
Similar to O365 and Okta, you can configure Graylog to gather logs from Google services. This guide walks you through launching inputs for the services below:
- Google Cloud (GCP)
- Google Workspace
- Gmail
Depending on the integration, the steps differ by service. Each section is identified as:
- [All], if the actions or instructions apply to all services mentioned above
- [GCP], if they only refer to Google Cloud Platform
- [Gmail], if the steps apply to Gmail only
- [Workspace], if the required steps apply to Google Workspace configuration
Requirements
To successfully pull logs from these Google products into Graylog, you must have:
- a running instance of Graylog
- a Google Cloud account. You can find details on the Cloud subdomain
[All] Caveats
To fetch logs, both the GCP and Gmail plugins will create log sinks. They store log data in Google BigQuery in your account. The Google inputs will clean up the BigQuery tables periodically, but you could still incur additional Google Cloud charges for the BigQuery usage.
Like Okta and O365, Google inputs poll for data. Therefore, run them on a single node. We recommend that you avoid running them as global inputs.
[All] Service Account Creation

From the Google Cloud Console, select the project for which you want to collect logs. Make a note of the Project ID. It's required when setting up your Graylog input.
Get started by setting up a new service account.

- Navigate to IAM & Admin > IAM from the cloud dashboard.
- Select Service Accounts from the menu on the left.

- Select +CREATE SERVICE ACCOUNT at the top of the page.

- Make a note of the Unique ID associated with the service account, as it will be needed later when setting up inputs.
[All] Generate Service Account Key
You will need to generate a key file for the service account. This file is placed on the Graylog server to allow the inputs to authenticate with Google's APIs.

- Navigate to the Service Accounts page, then select the service account you want to use.
- Click the KEYS tab on the sub-menu.

- Click on the ADD KEY button and select Create a new key.

- Select JSON as the key type, click CREATE.

- Save the key in a safe location. You will need this file later to set up your inputs.
- [Workspace] For the Google Workspace input, you need to create and download a P12 key as well.
[All] Grant Permissions to the Service Account
The service account you just created requires permissions to access your log data. Additionally, this account needs to store that log data in Google BigQuery. This allows Graylog to fetch the data.
- Click the pencil icon to edit the Principal for your service account (found on the IAM page).

- Grant the service account the BigQuery Data Editor role.
- Grant the service account the BigQuery Jobs User role.
- Grant the service account the Logs Configuration Writer role.
[GCP] Enable Logging
If you want to collect VPC flow logs, you will need to enable logs as described in Using VPC Flow Logs.
If you want to collect firewall logs, you will need to enable them in your firewall configuration.
[Workspace] Enable API Access
To enable access to Workspace endpoints:
- Log in as a user account in the Google Workspace that has the Super Admin role.

- Go to Google Cloud Platform while logged in as the super admin user and create a new project or select an existing project. This project will need a service account as described above.
- Navigate to APIs & Services > Library.

- Search for Admin SDK API and enable it by clicking Enable.

- Return to the Google Workspace console and link the service account to the API by navigating to Security > API Controls.

- Select Manage Domain Wide Delegation and add a new API client.

- For the Client ID, use the numeric Unique ID of your service account and add the following to the OAuth Scopes:
[GCP] Input Setup
| Key | Value |
|---|---|
| Input name | < Add a unique name for the input > |
| Project ID | Alpha-numeric project ID for the Google Cloud project |
| Application (client) ID | Numeric unique ID of the service account |
| Service account key path | Path to .json file for the service account |

[Workspace] Input Setup
| Key | Value |
|---|---|
| Input name | < Add a unique name for the input > |
| Client ID | Numeric Unique ID of the service account |
| Service Account ID | Email address of the service account |
| Account User Email | Workspace email address of the user that owns the project |
| Service account key path | Path to .p12 file for the service account |

[Gmail] Input Setup
| Key | Value |
|---|---|
| Input name | < Add a unique name for the input > |
| Project ID | Alpha-numeric project ID for the Google Cloud project |
| Application (client) ID | Numeric unique ID of the service account |
| Service account key path | Path to .json file for the service account |
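
A preflight check for the [GCP] and [Gmail] input settings above, run on the Graylog node before saving the input. This is an added example, not part of Graylog or of the original guide: it confirms that the .json key file is private to its owner and that its project_id and client_id match the Project ID and Application (client) ID you plan to enter. The function names, the file name graylog-sa.json and all sample values are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Fields of a Google service account JSON key that this check relies on.
REQUIRED = ("type", "project_id", "private_key", "client_email", "client_id")


def check_key_file(path, project_id, client_id):
    """Return a list of problems; an empty list means the key fits the input settings."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        problems.append(f"mode {mode:03o} exposes the key to other users; use 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except ValueError as exc:  # covers malformed JSON and binary files such as .p12
        return problems + [f"not valid JSON (GCP and Gmail inputs take the .json key): {exc}"]
    if not isinstance(key, dict):
        return problems + ["JSON key file must contain an object"]
    missing = [name for name in REQUIRED if not key.get(name)]
    if missing:
        return problems + ["missing fields: " + ", ".join(missing)]
    if key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    if key["project_id"] != project_id:
        problems.append("project_id differs from the input's Project ID")
    if not str(client_id).isdigit() or str(key["client_id"]) != str(client_id):
        problems.append("client_id differs from the numeric Unique ID given to the input")
    return problems


def write_sample_key(directory, mode=0o600, **overrides):
    """Write a constructed (fake) key file for the demo and return its path."""
    key = {"type": "service_account", "project_id": "example-project-123",
           "private_key": "CONSTRUCTED-PLACEHOLDER",
           "client_email": "graylog@example-project-123.iam.gserviceaccount.com",
           "client_id": "100000000000000000001"}
    key.update(overrides)
    path = os.path.join(directory, "graylog-sa.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(key, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = write_sample_key(tmp, mode=0o644)  # deliberately too permissive
        for problem in check_key_file(sample, "example-project-123", "100000000000000000001"):
            print("WARN:", problem)
```

The permission check assumes a POSIX file system on the Graylog node.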
