Troubleshoot the Google Workspace Beat
This guide provides solutions for common issues with the Google Workspace Beat.
Data Missing from Delayed Log Event Names
Google Workspace logs are sometimes subject to documented delays within Google, which prevent the collection of near-real-time data for certain Log Event Names. More information on this issue is available on the Google Support website. To alleviate this issue, LogRhythm has added the ability to delay the collection of this data.
If data resiliency is required for this log source, the recommended approach is to configure multiple Google Workspace beats, where one collects the near-real-time Log Event Names and one collects the delayed Log Event Names. The majority of the Auth/Login Log Event Names can be delayed up to a few hours.
To configure the delay on your Google Workspace Beat, perform the following steps:
Run the following command to export the current configuration:
./lrctl gsbeat config export --outfile gsbeatconfig.yml
Run the following command to open the Google Workspace configuration file:
vim gsbeatconfig.yml
Increase the "delayedTimeMin:" value and save the updated configuration file.
Run the following command to import the updated configuration file:
cat gsbeatconfig.yml | ./lrctl gsbeat config import
Run the following command to remove the exported configuration file and complete the import:
rm gsbeatconfig.yml
Restart the Google Workspace Beat:
./lrctl gsbeat restart
Check the logs to see if the issue has been resolved:
./lrctl gsbeat logs
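The edit in the step that increases "delayedTimeMin:" can also be made without an editor. The script below is an added example, not LogRhythm tooling or part of the original guide: the helper name set_delay_min is hypothetical, the sample file is constructed, and it assumes the export contains exactly one `delayedTimeMin: <integer>` line.

```shell
#!/bin/sh
# Added example: raise delayedTimeMin in an exported gsbeat config file.
# set_delay_min is a hypothetical helper, not part of lrctl.
# Assumption: the file has exactly one line "<indent>delayedTimeMin: <integer>".

set_delay_min() {
    file=$1
    new=$2
    key='^[[:space:]]*delayedTimeMin:[[:space:]]*[0-9][0-9]*[[:space:]]*$'

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Accept only a non-negative integer; this also keeps the sed script safe.
    case $new in
        ''|*[!0-9]*) echo "new value must be an integer" >&2; return 2 ;;
    esac

    # Require exactly one matching key so the wrong line is never edited.
    count=$(grep -c "$key" "$file" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 delayedTimeMin line, found $count" >&2; return 3; }

    cur=$(sed -n 's/^[[:space:]]*delayedTimeMin:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$file")

    # The procedure is to increase the value; refuse to lower or repeat it.
    [ "$new" -gt "$cur" ] || { echo "$new is not greater than current $cur" >&2; return 4; }

    # Write through a temp file, then copy back so the original file mode is kept.
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*delayedTimeMin:[[:space:]]*\)[0-9][0-9]*[[:space:]]*$/\1$new/" "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demo on a constructed sample (not a real gsbeat export).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'placeholder_section:' '  delayedTimeMin: 10' > "$sample"
set_delay_min "$sample" 120 && cat "$sample"
rm -f "$sample"
```

Run it against gsbeatconfig.yml between the export and import commands; a non-zero return code means the file was left unchanged.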
Login, Admin, and Token Logs Delayed or Missing
In cases where the system experiences data loss or delays in receiving login, admin, or token logs, the PubSub Beat can also be used to collect and parse Google Workspace login, admin, and token logs efficiently; however, this carries some additional cost on the GCP side.