Gsuite Integration

Coralogix can ingest Gsuite logs using Filebeat and the Google Reports API. Follow the steps below to integrate Gsuite with Coralogix.

This document includes cluster-dependent URLs. Each URL has a variable part (in italics). Match this part with a row in the following table, copy the entry from the column that matches the top-level domain of your Coralogix account (.com, .in, etc.), and replace the variable part of the URL with that entry.

| | .com | .in |
|---|---|---|
| Elasticsearch-API | https://coralogix-esapi.coralogix.com:9443 | https://es-api.app.coralogix.in:9443 |
| SSL Certificates | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt | https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem |
| Cluster URL | coralogix.com | app.coralogix.in |

Set up a Gsuite Service Account.

Follow the official G Suite tutorial for setting up a service account.

Grant access to the Admin SDK API

Follow the official G Suite tutorial for granting access to the Admin API.

Delegate domain-wide authority to your service account
  • Go to your G Suite domain’s Admin console.
  • Go to Main menu > Security > API controls.
  • Under the Domain-wide delegation pane, select Manage Domain Wide Delegation.
  • Click Add new, and fill in the details:
    • Client ID – Enter the service account’s Client ID – you can find it in the service account’s details under Unique ID. It is also found in the client_id field of the credentials file that was auto-downloaded when you created a new key for your service account.
    • OAuth Scopes – Enter https://www.googleapis.com/auth/admin.reports.audit.readonly
    • Click Authorize to confirm your changes.
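
A preflight check for the credentials file, as an added example (not Coralogix or Google code): it reads the client_id to enter in the delegation form and flags a key file that other local users can read or that is not a service-account key. The function name check_credentials and the 0600 recommendation are assumptions of this example.

```python
import json
import os
import stat
import sys

# Fields present in a Google service-account key file; client_id is the value
# that goes into "Client ID" in the Domain-wide delegation form.
REQUIRED_FIELDS = ("type", "client_id", "client_email", "private_key")


def check_credentials(path):
    """Return (client_id, problems) for a service-account JSON key file."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return None, [f"unreadable or not JSON: {exc}"]
    if not isinstance(data, dict):
        return None, ["top-level JSON value is not an object"]

    problems = []
    # The file holds a private key: flag any access for group or others.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} allows group/other access; use 0600")
    for field in REQUIRED_FIELDS:
        if not data.get(field):
            problems.append(f"missing field: {field}")
    if data.get("type") and data["type"] != "service_account":
        problems.append(f"type is {data['type']!r}, expected 'service_account'")
    key = data.get("private_key")
    if key and not (isinstance(key, str) and "PRIVATE KEY" in key):
        problems.append("private_key is not a PEM private key block")
    return data.get("client_id"), problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_credentials.py <path to the credentials file>")
    client_id, problems = check_credentials(sys.argv[1])
    print("Client ID for domain-wide delegation:", client_id)
    for problem in problems:
        print("PROBLEM:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the same path you later set in var.jwt_file, as the user the Filebeat service runs as.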

Once the Gsuite configuration is done, continue with the Filebeat setup.

Filebeat Setup.

Follow the link for the Coralogix Filebeat setup (make sure to use the latest version).

Filebeat Gsuite Configuration.

ignore_older: 3h
filebeat.modules:
- module: gsuite
  saml:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"
  user_accounts:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"
  login:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"
  admin:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"
  drive:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"
  groups:
    enabled: true
    var.jwt_file: "path to the credentials file"
    var.delegated_account: "email address of the admin G Suite user"

fields_under_root: true
fields:
  PRIVATE_KEY: "your_company_private_key"
  COMPANY_ID: your_company_Id
  APP_NAME: "App_name for example google"
  SUB_SYSTEM: "Sub_system_name"

processors:
- drop_fields:
    fields:
    - event.original
    ignore_missing: true

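logging:
  # debug is verbose; lower to info once ingestion is confirmed
  level: debug
  to_files: true
  files:
    path: /var/log/filebeat
    name: filebeat.log
    keepfiles: 10
    # 0644 makes the log world-readable; Filebeat's default is 0600
    permissions: 0644

output.logstash:
  enabled: true
  # replace "Cluster URL" with the entry from the table above
  hosts: ["logstashserver.Cluster URL:5015"]
  tls.certificate_authorities: ["/etc/filebeat/ssl/coralogix.crt"]
  ssl.certificate_authorities: ["/etc/filebeat/ssl/coralogix.crt"]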

After applying the changes, start your Filebeat service.

  • SAML – View users’ successful and failed sign-ins to SAML applications.
  • User Accounts – Audit actions carried out by users on their own accounts, including password changes, account recovery details and 2-Step Verification enrollment.
  • Login – Track user sign-in activity to your domain.
  • Admin – View administrator activity performed within the Google Admin console.
  • Drive – Record user activity within Google Drive, including content creation in apps such as Google Docs, as well as content created elsewhere that your users upload to Drive, such as PDFs and Microsoft Word files.
  • Groups – Track changes to groups, group memberships and group messages.

If you want to learn more about the Gsuite plugin please see the link.

Please note that Gsuite defaults to a 2-hour polling interval because Google reports can be delayed by anywhere from a few minutes up to 3 days.
For more details on this, you can read more here.

© 2021 Copyright Coralogix. All rights reserved.
