Configure G Suite Log Collector
The Alert Logic G Suite collector is an AWS-based API Poll (PAWS) log collector that pulls logs from G Suite through its APIs. You must complete tasks in G Suite and Google Cloud Platform, and then finish the configuration process in the Alert Logic console. The Alert Logic G Suite collector can collect from these G Suite applications:
- Login
- Admin
- Access Transparency
- Calendar
- Drive
- Google Plus
- Token
- Groups
- Groups Enterprise
- Mobile
- Rules
- User Accounts
- Chrome
- Context Aware Access
- Alerts (Alert Center)
A single Alert Logic G Suite collector can collect logs from any or all of the content streams that you configure in the Alert Logic console. You can search the collected G Suite logs by keyword in the Alert Logic console; see Get Started with Search.
Note: The Context Aware Access feature is supported in the following editions:
- Enterprise
- Enterprise Essentials Plus
- Cloud Identity Premium
Create a service account JSON key in Google Cloud Platform
You must complete a few key tasks in Google Cloud Platform before logs can be collected. You must have a Google Cloud Platform account set up. For information about how to set up a Google Cloud Platform account, see Get Started with Google Cloud Platform.
1. Log in to the Google Cloud Platform console.
2. Create a Google Cloud project. For further instructions, see Creating and Managing Projects.
3. Enable the Admin SDK API for this project on this link.
4. Enable the Google Workspace Alert Center API for this project on this link if the Alerts check box is selected under Applications in the console.
5. Create a service account on the IAM service page. The service account does not require a role. For further instructions, see Creating a service account.
6. Create a JSON-based credential for the service account. A JSON file that contains your key downloads to your computer. Note the location of the JSON file; you will need it later.
7. Delegate domain-wide authority to the service account. Add the scopes https://www.googleapis.com/auth/admin.reports.usage.readonly and https://www.googleapis.com/auth/admin.reports.audit.readonly for the usage reports and audit logs. To access the Alert Center API, you must also add https://www.googleapis.com/auth/apps.alerts alongside the previous scopes. For further instructions, see Delegating domain-wide authority to the service account.
Create a custom role and enable API access in G Suite
In G Suite, you must create a custom role and enable API access to collect logs. You must have a G Suite account set up.
1. Log in to G Suite.
2. Create a custom admin role with the Reports privilege.
3. If the Alerts check box is selected in the console, create another custom admin role with the Alerts privilege and give it full access. For further instructions, see Create, edit, and delete custom admin roles.
   To learn more about G Suite privileges, see Administrator privilege definitions.
4. Create an administrative user account, and then assign the role you created to that user account. Make note of the user email address for later steps. For further instructions, see Add an administrator.
5. Enable API access for G Suite. To learn how to manage API access in G Suite, see Control which third-party & internal apps access G Suite data.
Configure collection in the Alert Logic console
After you set up G Suite and Google Cloud Platform, you must complete the log collection configuration process in the Alert Logic console. This configuration is an account-level integration, which means you can configure more than one instance of G Suite collection. This capability is useful when more than one instance of the application exists.
To access the Application Registry page, click the menu icon. Click Configure, and then click Application Registry.
To add a new application collection:
1. In the Application Registry, click the Google Cloud tile, and then click Google Suite Applications.
2. In the Application Name field, enter a name for this G Suite collection instance.
3. Under Collection Method and Policy, in the Delegated User Email Address field, enter the email address of the user you created earlier (ex: username@company.com).
4. In the Service account JSON key field, enter the contents of the Google JSON key file that you downloaded previously.
5. Select the applications from which you want to collect logs.
6. (Optional) Enter a Collection Start time in the format 2020-01-01T16:00:00Z. If the Collection Start field is left blank, only logs generated after you configure this collection instance are collected.
   The collection start time determines how far back Alert Logic collects logs if data already exists in your account. Alert Logic can only collect logs from up to 30 days before the date you configured this collection instance.
7. Click ADD. Wait a few minutes for the application to be created and appear in your application list. Do not click ADD again.
In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will see Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.
Troubleshooting tips
Here are common errors that can occur when you test the configuration, with suggested troubleshooting steps.
- 401 Access denied: {"error":{"code":401,"message":"Access denied. You are not authorized to read activity records."}}
  This message indicates an authentication or authorization error. Check the following:
  - Refer to the Create a service account JSON key in Google Cloud Platform section above and verify that steps 3 to 7 are configured properly in the G Suite Admin Console and the Google Cloud Console.
  - Confirm that the correct email address of the admin user is entered as the Delegated User Email Address in the correct format (ex: username@company.com). This is entered in step 3 of Configure collection in the Alert Logic console.
- 400 Client Error: {"error":"invalid_grant","error_description":"Invalid JWT Signature."}
  This message indicates a JWT token error. Refer to Using OAuth 2.0 for Server to Server Applications.
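The following preflight script is an added example, not Alert Logic's or Google's code. It ties together the service account key and delegation scopes from Create a service account JSON key in Google Cloud Platform, the Collection Start rule from the console configuration steps, and the two error responses listed under Troubleshooting: it checks that the downloaded key file is a complete service-account key, builds the scope list to grant, computes the earliest time a given Collection Start will actually backfill from, and classifies the 401 and invalid_grant responses. The optional live check assumes the google-auth and google-api-python-client packages are installed and issues one Admin SDK Reports API request as the delegated admin; that request is a representative call chosen for this example, not necessarily the one the collector itself makes. The sample key embedded in the script is constructed and its private key is a placeholder.

```python
"""Preflight checks for the G Suite collector setup described on this page.

Added example (not Alert Logic's or Google's code). The offline helpers use
only the standard library; run_live_check() assumes the google-auth and
google-api-python-client packages are installed.
"""
import json
import sys
from datetime import datetime, timedelta, timezone

# Domain-wide delegation scopes named on this page.
REPORTS_SCOPES = [
    "https://www.googleapis.com/auth/admin.reports.usage.readonly",
    "https://www.googleapis.com/auth/admin.reports.audit.readonly",
]
ALERT_CENTER_SCOPE = "https://www.googleapis.com/auth/apps.alerts"
MAX_LOOKBACK = timedelta(days=30)  # backfill limit stated on this page
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"    # Collection Start format, e.g. 2020-01-01T16:00:00Z

# Constructed sample key for offline testing; the private key is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "collector@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def required_scopes(include_alerts):
    """The Alert Center scope is only needed when the Alerts application is selected."""
    return REPORTS_SCOPES + ([ALERT_CENTER_SCOPE] if include_alerts else [])


def key_problems(text):
    """Return a list of problems with the pasted key JSON (empty list means it looks usable).

    Catches the usual mistakes before the console does: not JSON at all, an OAuth
    client secret instead of a service-account key, or a PEM block truncated in copy/paste.
    """
    try:
        key = json.loads(text)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return ["not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append('"type" is not "service_account"')
    for field in ("client_email", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    pem = key.get("private_key", "")
    if pem and not (pem.startswith("-----BEGIN PRIVATE KEY-----")
                    and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not a complete PEM block")
    return problems


def effective_collection_start(requested, now):
    """Earliest time the collector will backfill from, as a Collection Start string.

    Blank means "from now"; anything older than 30 days before `now` is clamped,
    because the collector does not reach further back than that.
    """
    now_dt = datetime.strptime(now, TIME_FMT).replace(tzinfo=timezone.utc)
    if not requested:
        return now
    start = datetime.strptime(requested, TIME_FMT).replace(tzinfo=timezone.utc)
    return max(start, now_dt - MAX_LOOKBACK).strftime(TIME_FMT)


def classify_error(status, body):
    """Map the two responses listed under Troubleshooting to the action this page gives."""
    if status == 401 and "not authorized to read activity records" in body:
        return "authorization: re-check service-account steps 3-7 and the Delegated User Email Address"
    if status == 400 and "invalid_grant" in body and "Invalid JWT Signature" in body:
        return "jwt: the key cannot produce a valid signed JWT; see OAuth 2.0 for server-to-server apps"
    return f"unclassified {status}: {body[:200]}"


def run_live_check(key_path, delegated_user, include_alerts=False):
    """Fetch one login-audit record as the delegated admin via the Admin SDK Reports API.

    Returns "ok" or the classification of the error. This is a representative call
    for the example, not necessarily the request the collector itself issues.
    """
    from google.auth.exceptions import RefreshError
    from google.oauth2 import service_account
    from googleapiclient.discovery import build
    from googleapiclient.errors import HttpError

    creds = service_account.Credentials.from_service_account_file(
        key_path, scopes=required_scopes(include_alerts)).with_subject(delegated_user)
    try:
        reports = build("admin", "reports_v1", credentials=creds)
        reports.activities().list(userKey="all", applicationName="login", maxResults=1).execute()
    except RefreshError as err:          # token exchange failed (e.g. invalid_grant)
        return classify_error(400, str(err))
    except HttpError as err:             # API call rejected (e.g. 401 not authorized)
        return classify_error(err.resp.status, err.content.decode("utf-8", "replace"))
    return "ok"


if __name__ == "__main__":
    # usage: python preflight.py key.json admin@company.com [alerts]
    print(run_live_check(sys.argv[1], sys.argv[2], include_alerts=len(sys.argv) > 3))
```

Run `key_problems()` on the file contents before pasting them into the Service account JSON key field; an empty list means the structure is intact. The live check distinguishes the two troubleshooting cases by where they fail: a bad signature is rejected during the token exchange (before any API call), whereas a delegation or admin-role gap only surfaces as a 401 on the Reports request itself.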