HEX

File: //usr/share/filebeat/module/google_workspace/groups/config/config.yml
{{ if eq .input "httpjson" }}
type: httpjson
interval: {{ .interval }}
auth.oauth2.provider: google
auth.oauth2.google.jwt_file: {{ .jwt_file }}
auth.oauth2.google.delegated_account: {{ .delegated_account }}
auth.oauth2.scopes:
  - https://www.googleapis.com/auth/admin.reports.audit.readonly
request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/groups
{{ if .http_client_timeout }}
request.timeout: {{ .http_client_timeout }}
{{ end }}
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}
request.transforms:
  - set:
      target: url.params.startTime
      # If last pagination cycle was finished successully
      # we move the startDate pointer forward
      # else we reprocess the last interval from the beginning.
      # If none of the values are in the cursor it means is a fresh start
      # and we pick the default value.
      value: >-
        [[- if eq .cursor.pagination_finished "true" -]]
          [[- .cursor.next_start_date -]]
        [[- else -]]
          [[- .cursor.last_response_date -]]
        [[- end -]]
      default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]'
response.split:
  target: body.items
  split:
    target: body.events
    keep_parent: true
response.pagination:
  - set:
      target: url.params.pageToken
      value: >-
        [[- if index .last_response.body "nextPageToken" -]]
          [[- .last_response.body.nextPageToken -]]
        [[- end -]]
      fail_on_template_error: true
cursor:
  pagination_finished:
    # Use this flag to identify if an execution was interrupted in the middle
    # of a pagination cycle.
    value: '[[not (index .last_response.body "nextPageToken")]]'
  last_response_date:
    # Use this value to be able to resume from an interrupted pagination cycle.
    value: '[[.last_response.url.params.Get "startTime"]]'
  next_start_date:
    # The API returns records sorted from newest to oldest,
    # in order to pick the next startDate we keep the first event (newest) time.
    value: >-
      [[- $time := .first_event.id.time -]]
      [[- if not (parseDate $time "RFC3339").IsZero -]]
        [[- $time -]]
      [[- else if not (parseDate $time "2006-01-02T15:04:05").IsZero -]]
        [[- formatDate (parseDate $time "2006-01-02T15:04:05") -]]
      [[- else if not (parseDate $time "2006-01-02T15:04:05Z").IsZero -]]
        [[- formatDate (parseDate $time "2006-01-02T15:04:05Z") -]]
      [[- else if not (parseDate $time "2006-01-02T15:04:05.999Z").IsZero -]]
        [[- formatDate (parseDate $time "2006-01-02T15:04:05.999Z") -]]
      [[- else if not (parseDate $time "2006-01-02T15:04:05 MST").IsZero -]]
        [[- formatDate (parseDate $time "2006-01-02T15:04:05 MST") -]]
      [[- else -]]
        [[- formatDate now -]]
      [[- end -]]

{{ else if eq .input "file" }}
type: log
paths:
{{ range $i, $path := .paths }}
  - {{$path}}
{{ end }}
exclude_files: [".gz$"]
{{ end }}

tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
  - add_fields:
      target: ''
      fields:
        ecs.version: 1.12.0
  - script:
      lang: javascript
      id: gworkspace-common
      file: ${path.home}/module/google_workspace/config/common.js
  - script:
      lang: javascript
      id: gworkspace-admin
      file: ${path.home}/module/google_workspace/groups/config/pipeline.js