The GSuite Log Exporter Tool calls GSuite APIs to pull logs from GSuite into Cloud Logging on GCP. This example uses a simple script to deploy a Cloud Function integrated with a Cloud Scheduler job that executes the GSuite Log Exporter Tool on a specified cadence.
-
A Cloud Logging Project: GCP Project prepared for hosting the Cloud Function and the logs from G Suite. -
A Service Account: The Service Account in the Cloud Logging Project used to run the Cloud Function -
Grant these IAM roles to your service account:
roles/iam.tokenCreatorroles/logging.viewerroles/logging.logWriter
-
Enables these APIs in the Cloud Logging Project:
Identity and Access Management (IAM) APIAdmin SDK (Admin Reports API)Cloud Functions APICloud Scheduler APIApp Engine API
-
Grant the following API scopes to your service account's client_id in the Admin Console under Admin Console > Security > Advanced Settings > Manage API client access:
The scopes should be entered in a comma-separated list. Populate the Client Name field with your service account's client_id. To find the client_id of your service account, run the following command:
gcloud iam service-accounts describe <service-account> --format="value(uniqueId)"
Make sure you have the Google Cloud SDK downloaded and can run gcloud commands from your command line. Run the following commands:
gcloud config set project <logging-project-name>
./deploy.sh
- A Terraform module to deploy Gsuite Exporter on a GCE VM
- A Terraform module to deploy the exporter on Google Cloud Functions
- The GSuite Exporter tool
There’s a chance that you have not created an App Engine app in the project yet. It is required to have App Engine set up before you can deploy a Cloud Scheduler job. To create an App Engine app, simply follow the instructions on screen while running the deploy script.