Read Google Workspace log in Google cloud

gianluca_vale · 11-10-2022 08:20 AM

Hi all,

I need to get Google workspace events in Google Cloud so that with api I can see them for analytics scope.

After enabled the workspace routing I see just the google.login.LoginService.loginSuccess(/logout) but not the drive access, edit and so on.

What I have to do to be able to get all audit log events from Google platform (workspace and cloud)?

Thanks

Gianluca

christianpaula

Audit log permissions

IAM permissions and roles determine your ability to access audit logs data in the Logging API, the Logs Explorer, and the Google Cloud CLI.

For detailed information about the organization-level IAM permissions and roles you might need, see the Access control with IAM.

Route audit logs

You can route Google Workspace audit logs from Cloud Logging to supported destinations, including other Logging buckets.

Here are some applications for routing audit logs:

To use more powerful search capabilities, you can route copies of your audit logs to Cloud Storage, BigQuery, or Pub/Sub. Using Pub/Sub, you can route to other applications, other repositories, and to third parties.
To manage your audit logs across an entire organization, you can create aggregated sinks that combine and route logs from all the Cloud projects, billing accounts, and folders contained by your organization. For instance, you might aggregate and route audit log entries from an organization's folders to a Cloud Storage bucket.

For instructions on routing logs, see Configure and manage sinks.

You can check this document about audit logs for Google Workspace and Google Cloud.

gianluca_vale

Hi @christianpaula,

thanks for your answer.

I follow all your document and suggestions. I'd like to have the possibility to see the Drive Event Logs in the Google cloud Logs Exporer.

But I don't understand why I don't see them there but only in the Workspace Audit and investigation menu.

Is there something that I have to enable/assign/check to do it?

Thanks

Gianluca

christianpaula

Hi @gianluca_vale,

There is a single setting that you need to make sure it is enabled in your Admin Console, and then you verify the required permissions and access.

Links:

- Google Workspace audit logging information:
- https://cloud.google.com/logging/docs...
- Configure, view, and export Google Workspace audit logs: - https://cloud.google.com/logging/docs...
- https://support.google.com/a/answer/9...

You may want to check this video for your reference: How to export and view Google Workspace logs in GCP.

Thanks

Christian

gianluca_vale

Thanks a lot.

I follow the articles but I still don't understand where I'm wrong.

In the first link we read:

Google Workspace provides the following audit logs at the Google Cloud:

Can be possible that the this is not the right way to have the user data access log? I mean, the drive user file access, or user email sent log information should be sent to GoogleCloud? May I need a particolar subscription to have them? Currently I hava a Business Pro license, is it enough to get them using some API?

I continue to see just the access log information in the Google Cloud Log Explorer. Why I don't see the Google drive audit log too?

May be exist other APIs that I can use to have them without Google Cloud?

ohbarata

Hey there!

Did you have a reply on this?