Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
Audited Activity
This Beat leverages the GSuite Admin SDK Reports API. It can be used to audit the following:
• Google Admin Console activity
  • User and group creation/elevation/modification
  • Policies
  • Licensing
  • Organizational units
• Authentication activity
  • Successes
  • Failures
  • Challenges, such as prompts for multi-factor authentication
• Google Drive activity
  • File/directory view, creation/upload, modification, rename, deletion, download, move
  • Permission changes
  • Sharing (especially external sharing)
• Application activity
  • Tokens and OAuth
Use Cases
• Audit trail of anything an administrator does
• Authentication data
• Audit a compromised account's activity
• Audit feed analytics, like from CloudAI
• Users provisioned/signed in to Google Cloud Platform
• Audit Drive activity
• Detect or audit compromised accounts
• Identify data exfiltration or disruption
• Detect accidentally deleted files
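The use cases above (compromised-account detection, external sharing, the administrator audit trail) all come down to rules run over the activity records the Reports API returns. The following is an added example, not code from this document or from the GSuite Beat itself: it flattens a hand-constructed activities.list response into one row per event and runs four such rules over it. The tenant domain, the event names (login_failure, login_success, change_user_access, GRANT_ADMIN_PRIVILEGE), the parameter names (target_user, visibility, USER_EMAIL, PRIVILEGE_NAME) and the set of visibility values treated as external are all assumptions based on my reading of the Reports API schema; check them against the official API reference before relying on them.

```python
import json
from collections import defaultdict

ORG_DOMAIN = "example.com"   # assumed tenant domain for the external-share rule
# Drive "visibility" values treated as external (assumed Reports API vocabulary)
EXTERNAL_VISIBILITY = {"public_on_the_web", "people_with_link", "shared_externally"}


def record(time, app, actor, ip, etype, name, params):
    """Build one activity record in the shape activities.list returns."""
    return {"kind": "admin#reports#activity",
            "id": {"time": time, "applicationName": app},
            "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"type": etype, "name": name,
                        "parameters": [{"name": k, "value": v} for k, v in params.items()]}]}


# Constructed sample feed; the event and parameter names are my reading of the
# Reports API login/drive/admin schemas and are not taken from the document.
SAMPLE_RESPONSE = json.dumps({"kind": "admin#reports#activities", "items": [
    # five failed password logins for alice from one address ...
    *[record("2020-03-02T09:14:0%d.000Z" % i, "login", "alice@example.com", "203.0.113.7",
             "login", "login_failure", {"login_type": "google_password",
                                        "login_failure_type": "login_failure_invalid_password"})
      for i in range(5)],
    # ... then a success from the same address
    record("2020-03-02T09:14:09.000Z", "login", "alice@example.com", "203.0.113.7",
           "login", "login_success", {"login_type": "google_password"}),
    # alice shares a document with an address outside the tenant
    record("2020-03-02T09:20:31.000Z", "drive", "alice@example.com", "203.0.113.7",
           "acl_change", "change_user_access",
           {"doc_title": "Q1 payroll.xlsx", "target_user": "mallory@evil.test",
            "visibility": "shared_externally"}),
    # an administrator grants a privilege in the Admin Console
    record("2020-03-02T10:02:00.000Z", "admin", "bob@example.com", "198.51.100.4",
           "USER_SETTINGS", "GRANT_ADMIN_PRIVILEGE",
           {"USER_EMAIL": "alice@example.com", "PRIVILEGE_NAME": "SUPER_ADMIN"}),
    # an ordinary in-tenant share that must not be flagged
    record("2020-03-02T10:05:00.000Z", "drive", "carol@example.com", "198.51.100.9",
           "acl_change", "change_user_access",
           {"doc_title": "team notes", "target_user": "dave@example.com",
            "visibility": "people_within_domain"}),
]})


def param_dict(params):
    """Flatten a Reports API parameter list; each entry carries exactly one of
    value / intValue / boolValue / multiValue."""
    out = {}
    for p in params or []:
        for key in ("value", "intValue", "boolValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def flatten(raw_json):
    """One row per event: a single activity record may carry several events."""
    rows = []
    for item in json.loads(raw_json).get("items", []):
        for ev in item.get("events", []):
            rows.append({"time": item["id"]["time"], "app": item["id"]["applicationName"],
                         "actor": item.get("actor", {}).get("email", ""),
                         "ip": item.get("ipAddress", ""), "type": ev.get("type", ""),
                         "name": ev.get("name", ""), "params": param_dict(ev.get("parameters"))})
    rows.sort(key=lambda r: r["time"])   # ISO-8601 UTC timestamps sort lexically
    return rows


def triage(raw_json, org_domain=ORG_DOMAIN, failure_threshold=5):
    """Run four simple rules over the feed and return findings in time order."""
    findings = []
    failures = defaultdict(int)   # (actor, source ip) -> failed logins seen so far
    for r in flatten(raw_json):
        key, p = (r["actor"], r["ip"]), r["params"]
        if r["app"] == "login" and r["name"] == "login_failure":
            failures[key] += 1
            if failures[key] == failure_threshold:   # fire once per actor/ip pair
                findings.append(dict(rule="password_guessing", actor=r["actor"],
                                     detail=r["ip"], time=r["time"]))
        elif r["app"] == "login" and r["name"] == "login_success" and failures[key] >= failure_threshold:
            findings.append(dict(rule="success_after_failures", actor=r["actor"],
                                 detail=r["ip"], time=r["time"]))
        elif r["app"] == "drive" and r["type"] == "acl_change":
            target, vis = p.get("target_user", ""), p.get("visibility", "")
            if vis in EXTERNAL_VISIBILITY or (target and not target.endswith("@" + org_domain)):
                findings.append(dict(rule="external_share", actor=r["actor"],
                                     detail="%s -> %s" % (p.get("doc_title", "?"), target or vis),
                                     time=r["time"]))
        elif r["app"] == "admin" and r["name"] == "GRANT_ADMIN_PRIVILEGE":
            findings.append(dict(rule="admin_privilege_granted", actor=r["actor"],
                                 detail="%s:%s" % (p.get("USER_EMAIL", "?"), p.get("PRIVILEGE_NAME", "?")),
                                 time=r["time"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RESPONSE):
        print("%(time)s %(rule)-24s %(actor)s %(detail)s" % f)
```

The failed-login counter is keyed on actor and source address so a burst from one address fires once, and the "success after failures" rule only fires when the same pair later succeeds, which is the sequence worth escalating. In production the counter needs a time window rather than a lifetime count, and the drive rule should also watch change_document_visibility events, which this sample does not include.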
GSuite Beat for the LogRhythm Open Collector
Configure GSuite
Follow the Prerequisites
The GSuite Admin SDK Reports API has a number of prerequisites, which are listed in the official
Google documentation. Most importantly, for access to the Google Admin Console, you need:
• A Super Administrator account to enable API access
• An admin account with the Reports Administrator privilege to create the application and grant it permission
4. Make sure the Enable API access check box is selected, and then click Save.
Create a Project
1. Open the Google API Console: https://console.developers.google.com.
2. On the right, click Create.
3. Give the project a name, such as LogRhythm Collection.
You can use an existing project if you are familiar with Google APIs and projects.
Create Credentials
1. Open the Google API Console: https://console.developers.google.com.
2. In the menu on the top left, select your project.
Your OAuth consent screen configuration may look a little different from the screenshot below.
Fill out all of the required fields.
10. Download the .JSON credentials file. You need it to authorize the GSuite application.
Before you initialize the Beat, you must have the Open Collector installed. If it is not already
installed, follow the instructions in the Open Collector Installation and User Guide, and then
return to this topic.
The auth code generated in step 8 of this procedure has a short lifetime, roughly 5 minutes, so
complete this step only after you have configured everything in GSuite and confirmed that the
Open Collector is running.
./lrctl status
You should see the open_collector and metrics as shown in the following graphic:
If the Open Collector is not running correctly, see GSuite: Troubleshoot the Open Collector.
A prompt opens asking for the contents of the .JSON credentials file you downloaded from the project.
3. Copy and paste the contents of the .JSON credentials file into your terminal.
6. Copy and paste the URL into your browser, and press Enter.
7. Sign in to the same Google account you used to configure GSuite.
9. When the auth code appears, click the copy icon. The auth code is copied to your clipboard.
10. Paste the auth code into the Open Collector prompt, and press Enter.
The default applications for which the Open Collector will collect logs are listed.
11. Press Enter.
You receive confirmation that the GSuite Beat config file was created.
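The prompts in this procedure (paste the credentials file, open a URL, sign in, paste the auth code back) are the steps of an OAuth 2.0 installed-application authorization. The block below is an added example, not the GSuite Beat's own code, showing what those steps produce: it parses a constructed credentials file in Google's installed-app JSON layout, builds the authorization URL for the Reports API audit scope, and builds the token-exchange request body while refusing a code older than the 5-minute lifetime the procedure warns about. The PKCE challenge, the state parameter and the freshness check are my additions for a safer flow; the document does not say whether the Beat uses them, and the credential values are placeholders.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Scope that grants read access to Admin SDK Reports audit data.
REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
AUTH_CODE_TTL_SECONDS = 5 * 60   # the procedure says the auth code lives roughly 5 minutes

# Constructed stand-in for the downloaded .JSON credentials file (installed-app
# layout). Every value is a placeholder, not a real client id or secret.
SAMPLE_CREDENTIALS = json.dumps({"installed": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "project_id": "logrhythm-collection",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "placeholder-client-secret",
    "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"]}})


def load_installed_client(credentials_json):
    """Parse the credentials file and refuse anything but the installed-app layout."""
    doc = json.loads(credentials_json)
    if "installed" not in doc:
        raise ValueError("expected an 'installed' OAuth client, got keys %s" % sorted(doc))
    cfg = doc["installed"]
    for key in ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris"):
        if key not in cfg:
            raise ValueError("credentials file is missing %r" % key)
    return cfg


def pkce_challenge(verifier):
    """RFC 7636 S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier():
    """43..128 characters from the RFC 7636 unreserved set."""
    return secrets.token_urlsafe(64)


def build_authorization_url(credentials_json, scopes, state, verifier):
    """Step 6 of the procedure: the URL the operator opens in a browser."""
    cfg = load_installed_client(credentials_json)
    params = {
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uris"][0],
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",       # request a refresh token so the Beat can poll unattended
        "prompt": "consent",            # force the consent screen so a refresh token is issued
        "state": state,                 # random value echoed back; reject a mismatch
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return cfg["auth_uri"] + "?" + urlencode(params)


def query_params(url):
    """Flatten a URL's query string to single values (inspection helper)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def code_is_fresh(issued_at, now):
    """True while the pasted auth code is still within its lifetime."""
    return 0 <= now - issued_at <= AUTH_CODE_TTL_SECONDS


def token_request(credentials_json, auth_code, verifier, issued_at, now):
    """Step 10 of the procedure: the form body POSTed to token_uri to exchange the code."""
    if not code_is_fresh(issued_at, now):
        raise ValueError("auth code is %ds old; regenerate the URL and sign in again" % (now - issued_at))
    cfg = load_installed_client(credentials_json)
    return {"grant_type": "authorization_code", "code": auth_code,
            "client_id": cfg["client_id"], "client_secret": cfg["client_secret"],
            "redirect_uri": cfg["redirect_uris"][0], "code_verifier": verifier}


if __name__ == "__main__":
    verifier, state = new_verifier(), secrets.token_urlsafe(16)
    print(build_authorization_url(SAMPLE_CREDENTIALS, [REPORTS_SCOPE], state, verifier))
```

The credentials file holds the client secret, so treat it like any other secret once downloaded: restrict its file permissions on the Open Collector host and do not paste it anywhere other than the Beat prompt. The copy-the-code-from-the-browser exchange in this procedure corresponds to the urn:ietf:wg:oauth:2.0:oob redirect shown in the sample file, which Google has since retired for new clients in favour of a loopback redirect.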
Prerequisites
• LogRhythm Client Console
• LogRhythm Administrator Account
• Download the Open Collector_ GSuite Preview.xml file by going to Documentation & Downloads on
the LogRhythm Community and selecting the Open Collector tab.
7. Click OK.
Here is an example of a configured Syslog Relay. In this example, the Open Collector IP address is 10.3.0.1.
Do not select the GSuite-specific log source types yet! You will do that later with Log
Source Virtualization.
4. Select the Warning and Error intervals. LogRhythm recommends a Warning interval of 1 hour and an Error interval of 2 hours.
5. Click OK.
6. Click the Alarm Rules tab.
7. Search for LogRhythm Silent Log Source Error and ensure that the value in the Status column is Enabled.