Use this method of collection for Google Cloud Platform (GCP) environments.
Google Cloud Platform (GCP) collection
This section provides instructions for configuring G Suite Alert Center collection in your Google Cloud Platform environment. The G suite Alert Center collector function fetches the findings from G Suite and sends them to Sumo Logic.
To configure G Suite Alert Center collection in your GCP environment, do the following:
Run the following command:
Edit the sumo_gsuite_alerts_collector_deploy.sh bash script to configure following variables:
- region: The Region where the Google function will be deployed. For example: "us-central1"
- project_id: The project id of the project where the collector and all its resources will be deployed
- delegated_email: The valid email address for the G Suite user with Super Admin access permission
- Sumo_endpoint: The Sumo Logic HTTP endpoint created in Step 1
Run the following script:
Copy the Client ID displayed at the end of the script output. You will use in the Client Name field when you configure G Suite Alert Center to allow client API access in the following task.
Go to the Cloud Datastore page of the project, with the Project ID you configured in the previous steps of this procedure, and create a database instance with the Cloud Firestore in Datastore Mode option. For more information, refer to the Google Cloud Datastore documentation.
Configure G Suite Alert Center to allow client API access
This section explains how to configure G Suite Alert Center to allow API access.
To configure GSuite Alert Center:
- Go to your G Suite domain’s Admin console (see instructions on signing in to your Admin console), click Security, and select Settings.
- Go to Advanced Settings and click Manage API client access.
- In the Client Name field enter the Client ID for the service account copied in Step 2, then in the One or More API Scopes field enter the following: https://www.googleapis.com/auth/apps.alerts
- Click Authorize.
This section provides a list of environment variables for G Suite Alert Center and their usage. For information on how to set these environment variables, refer to this Google Cloud document.
"Customer takeout initiated"
"Misconfigured whitelist "
"User reported phishing"
"User reported spam spike"
"Suspicious message reported"
"Suspicious login (less secure app)"
"Suspicious programmatic login"
"User suspended (spam)"
"User suspended (spam through relay)"
"User suspended (suspicious activity)"
"Government attack warning"
|BACKFILL_DAYS||Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.|
|PAGINATION_LIMIT||Number of events to fetch in a single API call.|
|LOG_FORMAT||Log format used by the python logging module to write logs in a file.|
|ENABLE_LOGFILE||Set to TRUE to write all logs and errors to a log file.|
|ENABLE_CONSOLE_LOG||Enables printing logs in a console.|
|LOG_FILEPATH||Path of the log file used when ENABLE_LOGFILE is set to TRUE.|
|NUM_WORKERS||Number of threads to spawn for API calls.|
|MAX_RETRY||Number of retries to attempt in case of request failure.|
A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
|TIMEOUT||Request time out used by the requests library.|
|SUMO_ENDPOINT||HTTP source endpoint url created in Sumo Logic.|
Troubleshooting the Google Cloud Platform Function
This section shows you how to troubleshoot the function and resolve errors you may have encountered.
To verify the function, do the following:
- Log in to your Google Cloud Platform account, navigate to the cloud function you created, and click Testing.
- Click the Test the function button.
- Click the View Logs button to view the function logs. If an environment variable was not set, you will see error messages similar to the following.
- Set the missing environment variable to resolve the issue.