
Google Workspace API

This guide provides step-by-step instructions for configuring Cribl Stream to ingest logs from the Google Workspace API using the REST API Collector source type.

Prerequisites

Google Workspace API requirements

  1. Service Account: Create a Google Workspace service account.

  2. Domain-Wide Delegation: Configure the service account with domain-wide delegation for the scope:

https://www.googleapis.com/auth/admin.reports.audit.readonly

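  3. Service Account Credentials: Download the service account credentials in JSON format. This file contains the service account's private key, so store it as a secret and keep it out of version control. It should look like this: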


    {
    "type": "service_account",
    "project_id": "your-project-id",
    "private_key_id": "your-private-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nYourPrivateKeyHere\n-----END PRIVATE KEY-----\n",
    "client_email": "your-service-account-email@your-project-id.iam.gserviceaccount.com",
    "client_id": "your-client-id",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/your-service-account-email%40your-project-id.iam.gserviceaccount.com"
    }
    

  4. User Account: Create or use an existing Google Workspace user account with the Super Admin role. This account will be impersonated by the service account.

Cribl

To pull Google Workspace activity report events from their respective APIs, you need to create a REST collector for each of the following endpoints:

Configure the following API endpoints as collect URLs:

```
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login
```

Additionally, the following endpoints can also be configured:

```
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/mobile
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/groups
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/chat
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/meet
https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/sheets
```
Deploy the REST collector using the following json template:

{
  "type": "collection",
  "ttl": "4h",
  "removeFields": [],
  "resumeOnBoot": false,
  "schedule": {
    "type": "simple",
    "interval": "5m",
    "timezone": "UTC",
    "delay": "0s"
  },
  "streamtags": [],
  "workerAffinity": false,
  "collector": {
    "conf": {
      "discovery": {
        "discoverType": "none",
        "discoverMethod": "get",
        "pagination": {
          "type": "none"
        },
        "enableDiscoverCode": false
      },
      "collectMethod": "get",
      "pagination": {
        "type": "none"
      },
      "authentication": "google_oauth",
      "timeout": 0,
      "useRoundRobinDns": false,
      "disableTimeFilter": false,
      "decodeUrl": false,
      "rejectUnauthorized": true,
      "captureHeaders": false,
      "safeHeaders": [],
      "retryRules": {
        "type": "backoff",
        "interval": 1000,
        "limit": 5,
        "multiplier": 2,
        "maxIntervalMs": 20000,
        "codes": [
          429,
          503
        ],
        "enableHeader": true,
        "retryConnectTimeout": false,
        "retryConnectReset": false,
        "retryHeaderName": "retry-after"
      },
      "__scheduling": {
        "stateTracking": {}
      },
      "scopes": [
        "https://www.googleapis.com/auth/admin.reports.audit.readonly"
      ],
      "collectUrl": "'https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive'",
      "subject": "impersonated@account.com",
      "serviceAccountCredentials": "service account secret json goes here",
      "collectRequestParams": [
        {
          "name": "maxResults",
          "value": "100"
        },
        {
          "name": "startTime",
          "value": "`${earliest}`"
        },
        {
          "name": "endTime",
          "value": "`${latest}`"
        }
      ]
    },
    "destructive": false,
    "encoding": "utf8",
    "type": "rest"
  },
  "input": {
    "type": "collection",
    "staleChannelFlushMs": 10000,
    "sendToRoutes": true,
    "preprocess": {
      "disabled": true
    },
    "throttleRatePerSec": "0"
  },
  "description": "Collects events from the Google Workspace Activity Reports API. Polls every 5 minutes.",
  "savedState": {},
  "id": "google_workspace_collector"
} 

Populate the following fields:

id
subject
collectUrl
serviceAccountCredentials

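Modify the remaining field values as needed, but keep rejectUnauthorized set to true so the collector validates the API's TLS certificate. The template sets pagination to none with maxResults at 100, so a collection window holding more than 100 events is likely to return only the first page; enable pagination if complete audit coverage matters.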