Use this method of collection for Google Cloud Platform (GCP) environments.
Google Cloud Platform (GCP) collection
This section provides instructions for configuring G Suite Alert Center collection in your Google Cloud Platform environment. The G Suite Alert Center collector is a Cloud Function that fetches alerts from the G Suite Alert Center API and sends them to a Sumo Logic HTTP Source.
To configure G Suite Alert Center collection in your GCP environment, do the following:
Run the following command:
Edit the sumo_gsuite_alerts_collector_deploy.sh bash script to configure the following variables:
- region: the region where the Cloud Function will be deployed, for example "us-central1".
- project_id: the ID of the project where the collector and all its resources will be deployed.
- delegated_email: the email address of a G Suite user with Super Admin privileges. The function's service account impersonates this user through domain-wide delegation (configured in the next task), so every Alert Center API call is made with that user's authority.
- sumo_endpoint: the Sumo Logic HTTP Source endpoint URL created in Step 1. Treat this URL as a secret: anyone who has it can post data to your source.
Run the following script:
When the script asks "Allow unauthenticated invocations of new function", enter "N". This keeps the function private, so that only principals granted the Cloud Functions Invoker role (such as the Cloud Scheduler job that triggers it) can invoke it; answering "Y" would expose the function to anyone on the internet.
Copy the Client ID displayed at the end of the script output. You will enter it in the Client Name field when you configure G Suite Alert Center to allow client API access in the next task.
Go to the Cloud Datastore page of the project with the Project ID you configured above, and create a database with the Cloud Firestore in Datastore mode option. The function uses this database to keep track of what it has already collected between runs. For more information, refer to the Google Cloud Datastore documentation.
Configure G Suite Alert Center to allow client API access
This section explains how to authorize the collector's service account to call the Alert Center API on behalf of your domain.
To configure G Suite Alert Center:
- Go to your G Suite domain's Admin console (see the instructions on signing in to your Admin console), click Security, and select Settings.
- Scroll down and click the App access control section.
- In the window that opens, click Manage Domain-wide Delegation at the bottom.
- Click Add new at the top.
- Enter the service account's Client ID that you copied in Step 2, and in the OAuth Scopes field enter only the following scope: https://www.googleapis.com/auth/apps.alerts
- Click Authorise.
This is the only scope the collector needs. Do not grant this Client ID broader Admin SDK scopes: domain-wide delegation lets the service account act as any user in the domain for the listed scopes, so keeping the list to apps.alerts limits what a compromise of the function's credentials could reach.
Adding new alert types
If Google adds a new alert type in the future, do the following to collect it:
Go to the gsuitealertcenterfunc function in the Cloud Functions console.
Click Edit at the top, then click Next.
In the editor, open the gsuitealertcenter.yaml file and add the new alert types to the ALERT_TYPES parameter, using the exact names from the "Alert type" column of the G Suite Alert types documentation.
This section lists the environment variables used by the G Suite Alert Center function and their usage. For information on how to set environment variables on a Cloud Function, refer to the Google Cloud documentation.

| Environment variable | Description |
|---|---|
| ALERT_TYPES | List of alert types to collect, using the names from the "Alert type" column of the G Suite Alert types documentation. The default list is: "Customer takeout initiated", "Misconfigured whitelist", "User reported phishing", "User reported spam spike", "Suspicious message reported", "Suspicious login (less secure app)", "Suspicious programmatic login", "User suspended (spam)", "User suspended (spam through relay)", "User suspended (suspicious activity)", "Government attack warning". |
| BACKFILL_DAYS | Number of days of history to fetch when collection starts. With a value of 1, events are fetched from yesterday to today. |
| PAGINATION_LIMIT | Number of events to fetch in a single API call. |
| LOG_FORMAT | Format string used by the Python logging module when writing logs to a file. |
| ENABLE_LOGFILE | Set to TRUE to write all logs and errors to a log file. |
| ENABLE_CONSOLE_LOG | Enables printing logs to the console. |
| LOG_FILEPATH | Path of the log file used when ENABLE_LOGFILE is set to TRUE. |
| NUM_WORKERS | Number of threads to spawn for API calls. |
| MAX_RETRY | Number of retries to attempt when a request fails. |
| BACKOFF_FACTOR | Backoff factor applied between attempts after the second try. With a backoff_factor of 0.1, the collector sleeps 0.0s, 0.2s, 0.4s, ... between successive retries. |
| TIMEOUT | Request timeout, in seconds, passed to the requests library. |
| SUMO_ENDPOINT | URL of the HTTP Source endpoint created in Sumo Logic. Treat it as a secret and keep it out of log output. |
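The variables above drive a small collection loop. The following Python is an added illustration for this page, not the function code Sumo Logic ships: it shows how BACKFILL_DAYS becomes an Alert Center `filter`, how PAGINATION_LIMIT and `nextPageToken` drive paging, and how MAX_RETRY and BACKOFF_FACTOR produce the sleep schedule described in the table, and it records the delegation scope granted in the Admin console task above. The default values, the `TransientError` class, the `list_page` stub and the sample alert pages are constructed for the example; in the deployed function the page fetch would wrap the alertcenter `alerts.list` call made with service-account credentials that impersonate delegated_email.

```python
import time
from datetime import datetime, timedelta, timezone

# Scope granted to the function's service-account Client ID via domain-wide delegation.
ALERT_CENTER_SCOPE = "https://www.googleapis.com/auth/apps.alerts"


class TransientError(Exception):
    """Retryable failure (timeout, 5xx) raised by list_page in this example."""


def load_settings(env):
    """Parse the collector's environment variables (defaults are assumptions for
    this example). SUMO_ENDPOINT gets no default: the URL is a secret, anyone
    holding it can write to your source, so fail fast if unset or not https."""
    endpoint = env["SUMO_ENDPOINT"]
    if not endpoint.startswith("https://"):
        raise ValueError("SUMO_ENDPOINT must be an https URL")
    return {
        "backfill_days": int(env.get("BACKFILL_DAYS", "1")),
        "pagination_limit": int(env.get("PAGINATION_LIMIT", "100")),
        "max_retry": int(env.get("MAX_RETRY", "3")),
        "backoff_factor": float(env.get("BACKOFF_FACTOR", "0.1")),
        "timeout": float(env.get("TIMEOUT", "30")),
        "sumo_endpoint": endpoint,
    }


def backfill_filter(backfill_days, now):
    """alerts.list 'filter' selecting alerts created in the last BACKFILL_DAYS
    days; BACKFILL_DAYS=1 means from yesterday to now."""
    start = (now - timedelta(days=backfill_days)).replace(microsecond=0)
    return 'createTime >= "%s"' % start.strftime("%Y-%m-%dT%H:%M:%SZ")


def backoff_schedule(max_retry, backoff_factor):
    """Seconds to sleep before each of the MAX_RETRY retries: 0 before the first
    retry, then backoff_factor * 2**(n-1), i.e. [0.0, 0.2, 0.4] for 0.1."""
    return [0.0 if n == 1 else backoff_factor * 2 ** (n - 1)
            for n in range(1, max_retry + 1)]


def call_with_retry(fn, schedule, sleep=time.sleep):
    """Run fn(); on TransientError sleep per the schedule and retry, at most
    len(schedule) times. The last failure propagates to the caller."""
    for delay in schedule:
        try:
            return fn()
        except TransientError:
            sleep(delay)
    return fn()


def fetch_alerts(list_page, settings, alert_types, now, sleep=time.sleep):
    """Page through alerts.list, PAGINATION_LIMIT per call, keeping only alerts
    whose type is in ALERT_TYPES. list_page(page_size, page_token, filter_) is
    injected so this runs offline; in the real function it wraps the alertcenter
    client's alerts().list(...).execute(). Returns (alerts, pages_fetched)."""
    filter_ = backfill_filter(settings["backfill_days"], now)
    schedule = backoff_schedule(settings["max_retry"], settings["backoff_factor"])
    wanted, collected, token, pages = set(alert_types), [], None, 0
    while True:
        pages += 1
        page = call_with_retry(
            lambda: list_page(settings["pagination_limit"], token, filter_),
            schedule, sleep)
        collected.extend(a for a in page.get("alerts", []) if a.get("type") in wanted)
        token = page.get("nextPageToken")
        if not token:
            return collected, pages


# Constructed sample responses standing in for the Alert Center API (not real data).
SAMPLE_PAGES = {
    None: {"alerts": [{"type": "Government attack warning", "alertId": "a1"},
                      {"type": "Device compromised", "alertId": "a2"}],
           "nextPageToken": "p2"},
    "p2": {"alerts": [{"type": "User reported phishing", "alertId": "a3"}]},
}


def fake_list_page(failures):
    """list_page stub that fails `failures` times on the first page, then serves
    SAMPLE_PAGES, to exercise the retry path."""
    left = [failures]

    def list_page(page_size, page_token, filter_):
        if page_token is None and left[0] > 0:
            left[0] -= 1
            raise TransientError("503 from Alert Center")
        return SAMPLE_PAGES[page_token]
    return list_page


def demo():
    """Offline run: two pages, two retries on the first page, only the two
    configured alert types kept."""
    settings = load_settings({"SUMO_ENDPOINT": "https://collectors.example/receiver/v1/http/TOKEN",
                              "BACKFILL_DAYS": "1", "MAX_RETRY": "3",
                              "BACKOFF_FACTOR": "0.1", "PAGINATION_LIMIT": "2"})
    now = datetime(2020, 1, 2, tzinfo=timezone.utc)
    slept = []
    alerts, pages = fetch_alerts(fake_list_page(2), settings,
                                 ["Government attack warning", "User reported phishing"],
                                 now, sleep=slept.append)
    return {"ids": [a["alertId"] for a in alerts], "pages": pages, "slept": slept,
            "filter": backfill_filter(settings["backfill_days"], now)}
```

Two points worth noticing when reading `demo()`: with MAX_RETRY=3 the collector makes up to four attempts per page, and the first retry happens immediately (the 0.0s entry), so a flapping API is hit again without pause; raise BACKOFF_FACTOR if you see bursts of retries in the function logs. The POST of the collected alerts to SUMO_ENDPOINT is left out of the example; whatever code does it should honour TIMEOUT and must not write the endpoint URL to the log file or console, since the URL is the only credential protecting the source.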
Troubleshooting the Google Cloud Platform Function
This section shows you how to test the function and resolve errors you may encounter.
To verify the function, do the following:
- Log in to the Google Cloud Console, open the Cloud Function you created, and click Testing.
- Click Test the function.
- Click View Logs to view the function logs. If an environment variable was not set, the logs contain an error for the missing variable.
- Set the missing environment variable to resolve the error.
To verify that the Cloud Scheduler job is triggering the function:
- Enter Cloud Scheduler in the search bar and open it.
- Click View under the Logs column for the Cloud Scheduler job whose name starts with sumogsuite.
- In the window that opens, the log entries should show no errors under Severity. If there is an error, click it under Severity to see more details.