IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

Configure the module

edit

Configure the module

edit

In order for filebeat to ingest data from the Google Reports API you must set up a ServiceAccount that has access to the Admin SDK API.

Additionally Domain-Wide Delegation is required for your application to work properly.

This module will make use of the following oauth2 scope:

https://www.googleapis.com/auth/admin.reports.audit.readonly

Once you have downloaded your service account credentials as a JSON file, you can set up your module:

Configuration options

edit

- module: gsuite
  saml:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  user_accounts:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  login:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  admin:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  drive:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"
  groups:
    enabled: true
    var.jwt_file: "./credentials_file.json"
    var.delegated_account: "[email protected]"

Every fileset has the following configuration options:

var.jwt_file: Specifies the path to the JWT credentials file.
var.delegated_account: Email of the admin user used to access the API.
var.http_client_timeout: Duration of the time limit on HTTP requests made by the module. Defaults to 60s.
var.interval: Duration between requests to the API. Defaults to 2h.

GSuite defaults to a 2 hour polling interval because Google reports can go from some minutes up to 3 days of delay. For more details on this, you can read more here.

var.user_key: Specifies the user key to fetch reports from. Defaults to all.
var.initial_interval: It will poll events up to this time period when the module starts. This is to prevent polling too many or repeated events on module restarts. Defaults to 24h.

GSuite Reports ECS fields

edit

This is a list of GSuite Reports fields that are mapped to ECS.

GSuite Reports	ECS Fields
`items[].id.time`	`@timestamp`
`items[].id.uniqueQualifier`	`event.id`
`items[].id.applicationName`	`event.provider`
`items[].events[].name`	`event.action`
`items[].customerId`	`organization.id`
`items[].ipAddress`	`source.ip`, related.ip`, `source.as.`, `source.geo.`
`items[].actor.email`	`source.user.email`, `source.user.name`, `source.user.domain`
`items[].actor.profileId`	`source.user.id`

These are the common ones to all filesets.

Fields

edit

For a description of each field in the module, see the exported fields section.

« GSuite module haproxy module »