A simple application for collecting audit logs from your Google Workspace account and producing the events to Kafka topic. The app is designed to work continuously inside a container.
Collection of events generated in a 60-second sliding time window from 6 to 5 minutes ago is triggered each 60 seconds. The scheme guarantees that Workspace has time to generate all audit events for all actions in the account and will be available using the API.
The app collects traces of all activity inside Google Workspace account using Google Workspace Admin Console through Reports API provided by all the internal applications: access_transparency, admin, calendar, chat, drive, gcp, gplus, groups, groups_enterprise, jamboard, login, meet, mobile, rules, saml, token, user_accounts, context_aware_access, chrome, data_studio, keep.
Declare environment variables and run:
docker build --tag gws-audit . \
&& docker run --rm \
-e SUBJECT=$SUBJECT \
-e KAFKA_SERVERS=$KAFKA_SERVERS \
-e KAFKA_TOPIC=$KAFKA_TOPIC \
--name gws-audit \
gws-audit
Variables:
SUBJECTis the principal name of any account that has access to the apropriate service accountKAFKA_SERVERSis an initial list of brokers as a CSV list of brokers in formathost1:9092,host2:9092,host3:9092KAFKA_TOPICis a name of Kafka topic
Files:
app/keyfile.jsoncontains Google Cloud service account keyapp/kafka-ca.pemcontains Kafka CA certificate for verifying the broker's keyapp/producer-gws-audit.pemcontains Kafka client's public and private keys
Reports API only accepts OAuth 2.0 for Service Accounts.
Scope: https://www.googleapis.com/auth/admin.reports.audit.readonly