The following tutorial demonstrates how to integrate Google Workspace with Coralogix and send us your logs using Filebeat and the Google Reports API.
This document includes cluster-dependent URLs. Each URL has a variable part (the Cluster URL placeholder). Match this part with a row in the following table: pick the row whose first column matches the top-level domain of your Coralogix account (.com, .in, etc.) and replace the variable part of the URL with the entry from the Cluster URL column.
Domain | Elasticsearch-API | SSL Certificates | Cluster URL
---|---|---|---
.com | https://coralogix-esapi.coralogix.com:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt | coralogix.com
.us | https://esapi.coralogix.us:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | coralogix.us
.in | https://es-api.app.coralogix.in:9443 | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem | app.coralogix.in
.eu2. | https://es-api.eu2.coralogix.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.eu2.coralogix.com
sg.com | https://es-api.coralogixsg.com:9443 | https://www.amazontrust.com/repository/AmazonRootCA1.pem | app.coralogixsg.com
Follow the official Google tutorial for setting up a service account.
Follow the official Google Workspace tutorial for granting access to the Admin API.
Note: to collect Google Alert Center events, enable the Google Workspace Alert Center API on the GCP project.
Once the Google Workspace configuration is done, continue with Filebeat.
Follow the link for the Coralogix Filebeat setup (make sure to use the latest version). Filebeat 7.12 or later is required, since the google_workspace module is not available in earlier releases.
```yaml
ignore_older: 3h
filebeat.modules:
  - module: google_workspace
    # Every dataset authenticates with the same service-account key (JWT) and
    # impersonates the same delegated admin user via domain-wide delegation.
    saml:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"
    user_accounts:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"
    login:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"
    admin:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"
    drive:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"
    groups:
      enabled: true
      var.jwt_file: "path to the service accounts credentials file"
      var.delegated_account: "email of the primary admin Google Workspace user"

# Coralogix routing fields, placed at the root of each event.
fields_under_root: true
fields:
  PRIVATE_KEY: "your_company_private_key"
  COMPANY_ID: your_company_Id
  APP_NAME: "App_name for example google"
  SUB_SYSTEM: "Sub_system_name"

processors:
  # The module already parses the raw report, so the original JSON is dropped.
  - drop_fields:
      fields:
        - event.original
      ignore_missing: true

logging:
  level: debug
  to_files: true
  files:
    path: /var/log/filebeat
    name: filebeat.log
    keepfiles: 10
    permissions: 0644

output.logstash:
  enabled: true
  # Replace "Cluster URL" with the entry from the table above for your domain.
  hosts: ["logstashserver.Cluster URL:5015"]
  # Filebeat 6.0+ uses the ssl.* keys; the older tls.* keys are no longer recognised.
  ssl.certificate_authorities: ["/etc/filebeat/ssl/coralogix.crt"]
```
After applying the changes, start your Filebeat service.
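Before starting the service, it is worth catching template values left in the module block and a malformed service-account key, since either fails only at the first poll. The preflight checker below is an added example, not Coralogix or Elastic code; it takes the `- module: google_workspace` entry as a parsed dict (assumed to be loaded from the YAML above) and a map of key-file paths to their contents, both constructed inline here.

```python
"""Preflight checks for the google_workspace module config shown above (added example)."""
import json
import re

DATASETS = ("saml", "user_accounts", "login", "admin", "drive", "groups")  # datasets on this page
PLACEHOLDERS = ("path to the service accounts credentials file",          # template values that
                "email of the primary admin Google Workspace user")       # must be replaced
REQUIRED_KEY_FIELDS = ("type", "client_email", "private_key", "token_uri")  # service-account key JSON
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_service_account_key(raw_json: str) -> list:
    """Return problems found in the contents of a service-account key file."""
    try:
        key = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"jwt_file is not valid JSON: {exc.msg}"]
    problems = [f"jwt_file missing field '{f}'" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        problems.append(f"jwt_file type is '{key['type']}', expected 'service_account'")
    return problems

def check_module_config(module: dict, key_files: dict) -> list:
    """Validate one '- module: google_workspace' entry; key_files maps jwt_file path -> contents."""
    problems = []
    for name in DATASETS:
        ds = module.get(name)
        if not ds or not ds.get("enabled"):
            continue  # disabled datasets need no credentials
        jwt, acct = ds.get("var.jwt_file", ""), ds.get("var.delegated_account", "")
        if jwt in PLACEHOLDERS or acct in PLACEHOLDERS:
            problems.append(f"{name}: template placeholder left in var.jwt_file/var.delegated_account")
            continue
        if not EMAIL_RE.match(acct):
            problems.append(f"{name}: delegated_account '{acct}' is not an e-mail address")
        if jwt not in key_files:
            problems.append(f"{name}: jwt_file '{jwt}' not found")
        else:
            problems += [f"{name}: {p}" for p in check_service_account_key(key_files[jwt])]
    return problems

# Constructed sample inputs; the key is a dummy, not a real credential.
SAMPLE_KEY = json.dumps({"type": "service_account", "token_uri": "https://oauth2.googleapis.com/token",
                         "client_email": "filebeat@example-project.iam.gserviceaccount.com",
                         "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"})
SAMPLE_MODULE = {"module": "google_workspace",
                 "login": {"enabled": True, "var.jwt_file": "/etc/filebeat/gws-key.json",
                           "var.delegated_account": "admin@example.com"},
                 "drive": {"enabled": True, "var.jwt_file": "path to the service accounts credentials file",
                           "var.delegated_account": "email of the primary admin Google Workspace user"}}
```

Running `check_module_config(SAMPLE_MODULE, {"/etc/filebeat/gws-key.json": SAMPLE_KEY})` flags only the `drive` dataset, whose placeholders were never replaced.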
Dataset | Description
---|---
SAML | View users' successful and failed sign-ins to SAML applications.
User Accounts | Audit actions carried out by users on their own accounts, including password changes, account recovery details and 2-Step Verification enrollment.
Login | Track user sign-in activity to your domain.
Admin | View administrator activity performed within the Google Admin console.
Drive | Record user activity within Google Drive, including content created in Google Docs and similar apps, as well as content created elsewhere that your users upload to Drive, such as PDFs and Microsoft Word files.
Groups | Track changes to groups, group memberships and group messages.
If you want to learn more about the Google Workspace module, please see the link.
Please note that the Google Workspace module defaults to a 2-hour polling interval because Google reports can be delayed anywhere from a few minutes up to 3 days.
For more details on this, you can read more here.