
GSuite Beat for the LogRhythm Open Collector

August 14, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under
the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the
use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of
this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Audited Activity
Use Cases
Configure GSuite
    Follow the Prerequisites
    Enable API Access
    Create a Project
    Create Credentials
Authorize the GSuite Application
Configure the GSuite Beat Log Source in the SIEM
    Prerequisites
    Step 1: Import the Log Source Virtualization Template
    Step 2: Syslog Relay Configuration
    Step 3: Accept the Pending Log Source
    Step 4: Apply the Log Source Virtualization Template
    Step 5: (Optional) Enable Silent Log Source Detection
Work with the GSuite Beat
    Start the Beat
    Modify the GSuite Beat Configuration File
    Troubleshoot the Beat



GSuite Beat for the LogRhythm Open Collector

Audited Activity
This Beat leverages the GSuite Admin SDK Reports API. It can be used to audit the following:
• Google Admin Console activity
    • User and group creation/elevation/modification
    • Policies
    • Licensing
    • Organizational units
• Authentication activity
    • Successes
    • Failures
    • Challenges, such as prompts for multi-factor authentication
• Google Drive activity
    • File/directory view, creation/upload, modification, rename, deletion, download, move
    • Permission changes
    • Sharing (especially external sharing)
• Application activity
    • Tokens and OAuth

Use Cases
• Audit trail of anything an administrator does
• Authentication data
    • Audit a compromised account's activity
    • Audit feed analytics, like from CloudAI
    • Users provisioned/signed in to Google Cloud Platform
• Audit Drive activity
    • Detect or audit compromised accounts
    • Identify data exfiltration or disruption
    • Detect accidentally deleted files
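Two of the use cases above carried through as detection logic, as an added example that is not LogRhythm code and not the Beat's own output. The records are constructed in the shape of Admin SDK Reports API activity resources (id.time, id.applicationName, actor.email, events[].name, events[].parameters[]); that the Beat forwards this shape unchanged is an assumption, and the domain example.com, the accounts and the thresholds are placeholders.

```python
"""Detection logic run over constructed GSuite audit events.

Added example; this is not LogRhythm or Google code. The sample records
are constructed in the shape of Admin SDK Reports API 'activities'
resources; that the Beat forwards this shape unchanged is an assumption.
Two use cases are implemented: a burst of login failures for one
account, and Drive access granted to an address outside the
organization's domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"                # assumption: the tenant's primary domain
FAILURE_THRESHOLD = 3                     # login failures per account ...
FAILURE_WINDOW = timedelta(minutes=10)    # ... inside this sliding window


def _param(event, name):
    """Return the value of a named entry in an event's parameters list."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("value", p.get("multiValue"))
    return None


def _when(activity):
    """Parse id.time (RFC 3339 with a trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(activity["id"]["time"].replace("Z", "+00:00"))


def external_shares(activities):
    """Drive ACL changes that grant access outside ORG_DOMAIN, as
    (time, actor, document title, external recipient) tuples."""
    hits = []
    for act in activities:
        if act["id"]["applicationName"] != "drive":
            continue
        for ev in act["events"]:
            if ev["name"] != "change_user_access":
                continue
            target = (_param(ev, "target_user") or "").lower()
            if target and not target.endswith("@" + ORG_DOMAIN):
                hits.append((act["id"]["time"], act["actor"]["email"],
                             _param(ev, "doc_title"), target))
    return hits


def login_failure_bursts(activities):
    """Accounts with at least FAILURE_THRESHOLD login_failure events inside
    one FAILURE_WINDOW, mapped to the largest such count."""
    per_user = defaultdict(list)
    for act in activities:
        if act["id"]["applicationName"] != "login":
            continue
        if any(ev["name"] == "login_failure" for ev in act["events"]):
            per_user[act["actor"]["email"]].append(_when(act))
    bursts = {}
    for email, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > FAILURE_WINDOW:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= FAILURE_THRESHOLD:
                bursts[email] = max(bursts.get(email, 0), count)
    return bursts


def _activity(app, time, actor, name, params=None):
    """Build one constructed Reports API activity record."""
    return {
        "kind": "admin#reports#activity",
        "id": {"time": time, "applicationName": app},
        "actor": {"email": actor},
        "events": [{"type": app, "name": name,
                    "parameters": [{"name": k, "value": v}
                                   for k, v in (params or {}).items()]}],
    }


# Constructed sample data (placeholder accounts, not real log output).
SAMPLE_ACTIVITIES = [
    _activity("login", "2019-08-14T15:00:00.000Z", "alice@example.com", "login_failure"),
    _activity("login", "2019-08-14T15:02:00.000Z", "alice@example.com", "login_failure"),
    _activity("login", "2019-08-14T15:05:00.000Z", "alice@example.com", "login_failure"),
    _activity("login", "2019-08-14T15:06:00.000Z", "alice@example.com", "login_success"),
    _activity("login", "2019-08-14T15:00:00.000Z", "bob@example.com", "login_failure"),
    _activity("login", "2019-08-14T16:30:00.000Z", "bob@example.com", "login_failure"),
    _activity("drive", "2019-08-14T15:10:00.000Z", "alice@example.com", "change_user_access",
              {"doc_title": "Q3 payroll.xlsx", "target_user": "mallory@gmail.com"}),
    _activity("drive", "2019-08-14T15:11:00.000Z", "carol@example.com", "change_user_access",
              {"doc_title": "Team notes", "target_user": "dave@example.com"}),
]

if __name__ == "__main__":
    print("login failure bursts:", login_failure_bursts(SAMPLE_ACTIVITIES))
    for hit in external_shares(SAMPLE_ACTIVITIES):
        print("external share:", hit)
```

The two detections are deliberately independent: the burst check keys on actor and time only, so it also works on the failure records produced by challenges that were never completed, while the share check relies on the target_user parameter and will miss link-based sharing (change_document_visibility), which needs its own rule.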


The following use cases are not covered by this Beat:
• GCP compute activity
    • VMs created, K8s clusters deployed (any IaaS/PaaS)
    • GCP will be covered by the Google Pub/Sub beat (via Stackdriver)
• Gmail message tracking
    • Logs metadata of each message sent/received, similar to O365 Message Tracking
    • Enables identification of auto-forwarding, data exfiltration, phishing, and malware received via email
• Gmail settings
    • Audits mail setting changes, such as auto-forward enabled


Configure GSuite
Follow the Prerequisites
The GSuite Admin SDK Reports API has a number of prerequisites, which can be found in the official
documentation. Most importantly, for access to the Google Admin Console, you need:
• A Super Administrator account to enable API access
• An admin account with the Reports Administrator privilege to create the application and grant it permission
The Beat reads reports with the privileges of whichever account authorizes it later in Authorize the GSuite
Application, so use a dedicated admin account that holds only the Reports Administrator privilege for that
step rather than a Super Administrator account.

Enable API Access


1. Open the Google Admin console: https://admin.google.com.
2. On the home page, click Security.


3. Select API reference.


4. Make sure the Enable API access check box is selected, and then click Save.

Create a Project
1. Open the Google API Console: https://console.developers.google.com.
2. On the right, click Create.
3. Give the project a name, such as LogRhythm Collection.

You can use an existing project if you are familiar with Google APIs and projects.

4. (Optional) Edit the Project ID and Organization.


5. Click Enable APIs and Services.

6. Search for Admin SDK.


7. Open Admin SDK and click Enable.

Create Credentials
1. Open the Google API Console: https://console.developers.google.com.
2. In the menu on the top left, select your project.


3. Click the Credentials tab.

4. Select the OAuth consent screen tab.


5. In the Create credentials menu, select OAuth client ID.

Your OAuth consent screen configuration may look a little different from the screenshot below; fill out
all the required fields.

6. On the Create OAuth Client ID page, do the following:


a. For Application type, select Other.
b. Enter a Name, such as LogRhythm-Collection.
c. Click Create.


7. Complete all required fields, and then click Create.


A popup appears with your credential's Client ID and Client Secret.

8. Copy the Client ID and paste into an accessible location.


To close the popup, click OK.
9. The Client ID is now populated on the Credentials page.


10. Download the .JSON credentials. You need them to Authorize the GSuite Application.
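A pre-flight check on the downloaded file, as an added example rather than LogRhythm or Google code. It assumes the layout the API Console emits for an OAuth client of application type Other: a top-level "installed" object whose field names, and the .apps.googleusercontent.com client ID suffix, are assumptions taken from that format. The sample document is constructed with placeholder values. Because the file carries the client secret, keep the original restricted and share only the redacted form in tickets or notes.

```python
"""Check a downloaded OAuth client JSON file before pasting it.

Added example; not LogRhythm or Google code. It assumes the layout the
Google API Console produces for an OAuth client of application type
Other: a top-level "installed" object carrying client_id, client_secret,
auth_uri, token_uri and redirect_uris. The sample document is
constructed with placeholder values.
"""
import json

REQUIRED_FIELDS = ("client_id", "client_secret", "auth_uri", "token_uri")
CLIENT_ID_SUFFIX = ".apps.googleusercontent.com"   # assumption about Google client IDs


def check_oauth_client_json(text):
    """Return (ok, problems) for the credentials document the Beat prompts for."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return False, ["not valid JSON: %s at offset %d" % (exc.msg, exc.pos)]
    if not isinstance(doc, dict) or "installed" not in doc:
        hint = ""
        if isinstance(doc, dict) and "web" in doc:
            hint = " (found 'web': a web client, not application type Other)"
        return False, ["no 'installed' object" + hint]
    client = doc["installed"]
    problems = ["missing " + f for f in REQUIRED_FIELDS if not client.get(f)]
    if not str(client.get("client_id", "")).endswith(CLIENT_ID_SUFFIX):
        problems.append("client_id does not end with " + CLIENT_ID_SUFFIX)
    return not problems, problems


def redact_client_secret(text):
    """Copy of the document with client_secret masked, safe to keep in notes
    or attach to a support case; the original file must stay restricted."""
    doc = json.loads(text)
    for key in ("installed", "web"):
        if key in doc and "client_secret" in doc[key]:
            doc[key]["client_secret"] = "<redacted>"
    return json.dumps(doc, indent=2)


# Constructed sample document with placeholder values (not a real credential).
SAMPLE_JSON = json.dumps({
    "installed": {
        "client_id": "123456789012-abcdefghijklmnop.apps.googleusercontent.com",
        "project_id": "logrhythm-collection",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_secret": "PLACEHOLDER-SECRET",
        "redirect_uris": ["urn:ietf:wg:oauth:2.0:oob", "http://localhost"],
    }
})

if __name__ == "__main__":
    ok, problems = check_oauth_client_json(SAMPLE_JSON)
    print("ok" if ok else "problems: " + "; ".join(problems))
    print(redact_client_secret(SAMPLE_JSON))
```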


Authorize the GSuite Application

Before you initialize the Beat, you must have the Open Collector installed. If you do not already
have it installed, follow the instructions in the Open Collector Installation and User Guide, and then
return to this topic.

The auth code produced when you click Allow in step 8 of this procedure has a short lifetime, roughly
5 minutes. Complete this procedure only after you have configured everything in GSuite and confirmed
that the Open Collector is running.

1. Confirm the Open Collector is running by running the command:

./lrctl status

You should see the open_collector and metrics as shown in the following graphic:

If the Open Collector is not running correctly, see GSuite: Troubleshoot the Open Collector.

2. In the Open Collector, run the command:

./lrctl gsbeat start

A prompt opens to input the contents of the .JSON credentials file you downloaded from the project. 


The .JSON file will look similar to the following graphic:

3. Copy and paste the contents of the .JSON credentials into your terminal.

4. Press Enter twice.

5. A URL is generated (highlighted in red in the graphic below).

6. Copy and paste the URL into your browser, and press Enter.
7. Sign in to the same Google account you used to configure GSuite.


8. To allow the application to view audit reports, click Allow.

9. When the auth code appears, click the copy icon. The auth code is saved to your clipboard.


10. Paste the auth code into the Open Collector, and press Enter.

You'll see the default applications the Open Collector will collect logs for.

11. Press Enter.
You receive confirmation of the successful creation of the GSuite Beat config file.


Configure the GSuite Beat Log Source in the SIEM

Prerequisites
• LogRhythm Client Console
• LogRhythm Administrator account
• The Open Collector_ GSuite Preview.xml file, downloaded from Documentation & Downloads on the
LogRhythm Community (Open Collector tab)

Required network access:

Direction   Port   Protocol   Source
Outbound    443    HTTPS      GSuite Beat

Step 1: Import the Log Source Virtualization Template


Why does the Open Collector need Log Source Virtualization?
• The Open Collector sends the output of every Beat to the Agent in a single syslog stream.
• The Parent log source is a generic type "BETA : Syslog - Open Collector."
• The Log Source Virtualization Template creates child log sources for each Beat (e.g. GSuite, Metric Beat, Office 365).
To import the log source virtualization template:
1. On the main toolbar, click Deployment Manager.
2. On the Tools menu, click Administration, and then click Log Source Virtualization Template Manager.
3. Right-click anywhere within the Log Source Virtualization Template Manager window, click Action, and then
click Import.
The Import dialog box appears.
4. Navigate to and select the Open Collector_ GSuite Preview.xml template file.
5. Click Open.
The Import Successful message appears.
6. Click Close.

Step 2: Syslog Relay Configuration


Why does the Open Collector need Syslog Relay?
• By default, the agent timestamps syslog messages as they come in. The timestamp in the SIEM should reflect
when the log was generated, not when the agent received this log.
• An additional Syslog Relay Regular Expression is required to correctly extract the timestamp.
To configure Syslog Relay:


1. Click the System Monitors tab.


2. Double-click the agent you will send the Open Collector syslog to.
3. Click the Syslog and Flow Settings tab.
4. Select the Enable Syslog Server check box, if it is not already selected.
5. Type the Open Collector IP Address in the Syslog Relay Hosts field on the left.
6. Type the following regular expression as the first line in Syslog Relay Regular Expressions.

^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s.*)

7. Click OK.
The graphic below shows an example of a configured Syslog Relay; the Open Collector IP address is 10.3.0.1.
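The relay regex at work, as an added example that is not part of the original guide: the pattern from step 6 is run in Python over constructed syslog lines, which imitate only the priority and timestamp prefix because the real Open Collector payload format is not shown on this page. LogRhythm's relay uses .NET-style named groups, (?<name>...), which Python's re module spells (?P<name>...), so the block translates the group syntax before compiling and leaves the rest of the pattern untouched. A line whose timestamp is not ISO 8601 does not match, and for such a line the agent keeps its default of stamping the arrival time, which is exactly what Step 2 exists to avoid.

```python
"""Exercise the Syslog Relay timestamp regex against sample lines.

Added example (not LogRhythm code). RELAY_REGEX is the pattern entered in
Step 2; its .NET-style named groups are rewritten for Python's re module.
The sample syslog lines are constructed for this example and do not
reproduce the Open Collector's real payload format.
"""
import re
from datetime import datetime, timezone

# Pattern exactly as entered in Syslog Relay Regular Expressions (Step 2).
RELAY_REGEX = (
    r"^<(?<priority>\d{1,3})>\s*(?<message>(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})"
    r"T(?<hour>\d{2}):(?<minute>\d{2}):(?<seconds>\d{2})(\.(?<ms>\d+))?Z?[-+]?[0-9:]{0,}\s.*)"
)


def to_python_regex(dotnet_regex):
    """Rewrite .NET named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<=...) and (?<!...) are left alone: the character after
    '<' is not a valid group-name start in those constructs.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", dotnet_regex)


PATTERN = re.compile(to_python_regex(RELAY_REGEX))


def parse_relay_line(line):
    """Return the fields the relay would extract, or None if the line does
    not match (the agent then falls back to stamping its arrival time)."""
    m = PATTERN.match(line)
    if m is None:
        return None
    g = m.groupdict()
    # The pattern does not capture a UTC offset, so the timestamp is taken
    # as written and treated as UTC here (an assumption of this example).
    micro = int((g["ms"] or "0")[:6].ljust(6, "0"))
    ts = datetime(int(g["year"]), int(g["month"]), int(g["day"]),
                  int(g["hour"]), int(g["minute"]), int(g["seconds"]),
                  micro, tzinfo=timezone.utc)
    pri = int(g["priority"])
    return {
        "priority": pri,
        "facility": pri // 8,     # RFC 5424: PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": ts,
        "message": g["message"],
    }


# Constructed sample lines (placeholder host and payload, not real output).
SAMPLE_LINES = [
    '<14>2019-08-14T15:04:05.123Z 10.3.0.1 gsbeat: {"event":"login_success"}',
    '<14>2019-08-14T15:04:05+00:00 10.3.0.1 gsbeat: {"event":"login_failure"}',
    "<14>Aug 14 15:04:05 10.3.0.1 legacy: BSD-style timestamp, no match",
]


def summarize(lines):
    """Map each line to (matched, ISO timestamp or None)."""
    out = []
    for line in lines:
        parsed = parse_relay_line(line)
        out.append((parsed is not None,
                    parsed["timestamp"].isoformat() if parsed else None))
    return out


if __name__ == "__main__":
    for line, (matched, ts) in zip(SAMPLE_LINES, summarize(SAMPLE_LINES)):
        print("OK  " if matched else "MISS", ts, "<-", line[:60])
```

Run this against a handful of lines captured from your own Open Collector before relying on the relay configuration; if the third style of line (non-matching) shows up in your capture, the regex needs a second entry rather than an edit to this one, because step 6 requires this pattern to stay the first line.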

Step 3: Accept the Pending Log Source


After Open Collector logs are sent to the Windows System Monitor Agent, you need to accept the pending log
source.
1. Click the Log Sources tab.
2. In the New Log Sources grid, select the Action check boxes of the entries with the following:
    • Log Source Type: BETA : Syslog - Open Collector
    • Log Processing Policy: LogRhythm Default

Do not select the GSuite-specific log source types yet! You will do that later with Log
Source Virtualization.


3. Right-click the selection, click Actions, and then click Accept.
4. Select one of the following:
• Click Customize and change the following as needed:


    • Collection System Monitor Entity
    • Log Message Processing Settings
    • Log Data Management and Processing Settings
    • Silent Log Message Source Settings
• Click Default to select customized defaults that were previously selected.
• Select a default batch amount between 100 and 5000.
5. Click OK.
6. Click the Refresh button to see the newly accepted Log Source in the grid.

Step 4: Apply the Log Source Virtualization Template


Use the Log Source Virtualization Template imported in Step 1 to create a log source specifically for GSuite
logs.
1. Double-click the newly accepted Open Collector log source to open it.
The Log Message Source Properties window appears.
2. Click the Log Source Virtualization tab.
3. Select the Enable Virtualization check box.
4. Click Create Virtual Log Sources.
The Create Virtual Log Sources dialog box appears.
5. In the Log Source Virtualization Template drop-down menu, select Open Collector: GSuite Preview.
6. Click Save.
The confirmation prompt appears.
7. Click OK.
New Log Sources, which are children of your parent log source, appear in the grid.

Step 5: (Optional) Enable Silent Log Source Detection


Silent Log Source Detection tells you when one of your log sources has stopped reporting logs.
1. Double-click the child log source you want to configure.
The Virtual Log Message Source Properties window appears.
2. Click the Additional Settings tab.
3. Select the Enable Silent Log Source Detection check box.


4. Select Warning and Error intervals. LogRhythm recommends Warning in 1 hour and Error in 2 hours.

5. Click OK.
6. Click the Alarm Rules tab.
7. Search for LogRhythm Silent Log Source Error and ensure the value in the Status column is Enabled.


Work with the GSuite Beat


Start the Beat
When the beat configuration is saved, the beat is also started. To monitor the beat, run the following
command:

./lrctl gsbeat logs

Modify the GSuite Beat Configuration File


If you need to change the credentials for the configuration file:
1. Run the following command:

./lrctl gsbeat config edit

2. Follow all steps in the Authorize the Application section again.


3. After you've re-added the credentials, restart the Beat with the following command:

./lrctl gsbeat restart

Troubleshoot the Beat


To help determine what the issue is, export the gsbeat logs using the following command:

./lrctl gsbeat troubleshoot export --outfile <output file name>

This outputs a .tar.gz file.
