Google Workspace Logs to Wazuh Update

[Luciano Ferrari]

Hi, besides the proposed solution I saw below, is there a way to directly connect Google Workspace into Wazuh without having to send it to Google Cloud first? 

Thanks,

Proposed Past Solution:

you could route the audit logs for Google Workspace to Google Cloud following the following guide: https://cloud.google.com/logging/docs/audit/configure-gsuite-audit-logs?hl=en
and then use Wazuh to monitor GCP services: https://documentation.wazuh.com/current/gcp/index.html
Once you have everything configured, you will have to create your own rules and decoders. You have a guide on how to do it in our documentation: https://documentation.wazuh.com/current/user-manual/ruleset/custom.html or you can refer to https://gist.github.com/misje/3d9388a507b669cb068dc18a16a76412

[Franco Giovanolli]

Hi Luciano!

At the moment, the known way to manage Google Workspace logs is using GCP.

Regards,
Franco

[Arno van Wouwe]

Replying better late than never.

I've written a wodle that uses the Google Admin SDK API. This not only means you don't need to export to GCP (and use Pub-Sub) but also that you retrieve *all* audit events (and not just the small subset covered in the Wazuh integration based on GCP). Also, the integration includes rules that trigger the levels equivalent to the O365 integration.

https://github.com/avanwouwe/wazuh-gworkspace

[ΣЯMЦЯΣПZ]

great work!!! I implemented it a couple of days ago and it works perfectly!