Configure script based collection for G Suite Alert Center
This page provides instructions for deploying script based collection for G Suite Alert Center. This script collects logs for the Sumo Logic G Suite Alert Center App.
Prerequisites
This task assumes you have successfully added a Hosted Collector and HTTP source, as described in Configure Collection for G Suite Alert Center.
The following tasks assume you are logged in to the user account with which you will install the collector. If you are not, use the following command to switch to that account:
sudo su <user_name>
Configure the script on a Linux machine
This task shows you how to install the script on a Linux machine.
To deploy the script, do the following:
- Set up the Alert Center API as described in the following Google documentation.
- If pip is not already installed, follow the instructions in the pip documentation to download and install pip.
- Log in to a Linux machine (compatible with either Python 3.7 or Python 2.7) and install the script using the following command.
pip install sumologic-gsuitealertcenter
- Create a configuration file named gsuitealertcenter.yaml in your home directory by copying the following snippet.
SumoLogic:
  SUMO_ENDPOINT: <SUMO LOGIC HTTP URL>
GsuiteAlertCenter:
  DELEGATED_EMAIL: "<real email address of the real G Suite user with Super Admin access>"
  CREDENTIALS_FILEPATH: "<path to json Service Account JSON file>"
Collection:
  ENVIRONMENT: onprem
- Add the SUMO_ENDPOINT and CREDENTIALS_FILEPATH (from step 1 above), and DELEGATED_EMAIL parameters, then save the file.
- Create a cron job for running the collector every 5 minutes by using crontab -e and adding the following line.
*/5 * * * * /usr/bin/python -m sumogsuitealertscollector.main > /dev/null 2>&1
Advanced configuration
This section provides a list of environment variables for G Suite Alert Center that you can define in the configuration file, as shown in the example above. See the following table for an explanation of each environment variable.
For information on how to set these environment variables, refer to this Google Cloud document.
Environment Variable | Usage |
---|---|
ALERT_TYPES | "Customer takeout initiated", "Misconfigured whitelist", "User reported phishing", "User reported spam spike", "Suspicious message reported", "Phishing reclassification", "Malware reclassification", "Leaked password", "Suspicious login", "Suspicious login (less secure app)", "Suspicious programmatic login", "User suspended", "User suspended (spam)", "User suspended (spam through relay)", "User suspended (suspicious activity)", "Google Operations", "Government attack warning", "Device compromised", "Suspicious activity" |
BACKFILL_DAYS | Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today. |
PAGINATION_LIMIT | Number of events to fetch in a single API call. |
LOG_FORMAT | Log format used by the python logging module to write logs in a file. |
ENABLE_LOGFILE | Set to TRUE to write all logs and errors to a log file. |
ENABLE_CONSOLE_LOG | Enables printing logs in a console. |
LOG_FILEPATH | Path of the log file used when ENABLE_LOGFILE is set to TRUE. |
NUM_WORKERS | Number of threads to spawn for API calls. |
MAX_RETRY | Number of retries to attempt in case of request failure. |
BACKOFF_FACTOR | A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries. |
TIMEOUT | Request time out used by the requests library. |
SUMO_ENDPOINT | HTTP source endpoint url created in Sumo Logic. |
Troubleshooting
This section shows you how to run the function manually and then verify that log messages are being sent from Alert Center.
To run the function manually, do the following:
- Enter one of the following commands:
— For python, use this command:
python -m sumogsuitealertscollector.main
— For python3, use this command:
python3 -m sumogsuitealertscollector.main
- The script generates logs in /tmp/sumoapiclient.log by default. Check these logs to verify whether the script is being triggered.
- If you installed the collector as the root user and then run it as a normal user, you will see an error message similar to the following, because the config is not present in the home directory of the user running the collector. Switch to the root user and run the script again.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/main.py", line 190, in main
    ns = GSuiteAlertsCollector()
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/main.py", line 29, in __init__
    self.config = Config().get_config(self.CONFIG_FILENAME, self.root_dir, cfgpath)
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/common/config.py", line 22, in get_config
    self.validate_config(self.config)
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/common/config.py", line 34, in validate_config
    raise Exception("Invalid config")
Exception: Invalid config
- To verify if there are new messages generated by Alert Center, go to Google Home > Security > Alert Center and then do the following:
- Check for an error message similar to the following. If you see this error message, verify that the DELEGATED_EMAIL in the configuration belongs to a valid Google Suite Admin user account and not a service account.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 191, in main
    ns.run()
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 162, in run
    task_params = self.build_task_params()
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 152, in build_task_params
    obj = self.set_new_end_epoch_time(alert_type, self.DEFAULT_START_TIME_EPOCH)
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 81, in set_new_end_epoch_time
    response = self.alertcli.alerts().list(**params).execute()
  File "/usr/local/lib/python3.6/dist-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/googleapiclient/http.py", line 851, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 400 when requesting https://alertcenter.googleapis.com/v1beta1/alerts?pageSize=1&filter=create_time+%3E%3D+%222019-04-17T16%3A29%3A14.061731Z%22+AND+create_time+%3C%3D+%222019-04-18T16%3A27%3A14.417915Z%22+AND+type+%3D+%22Customer+takeout+initiated%22&orderBy=create_time+desc&alt=json returned "Request contains an invalid argument.">
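A pre-flight check for the gsuitealertcenter.yaml snippet from the deployment steps, written to catch the two configuration mistakes behind the "Invalid config" and "HttpError 400 ... invalid argument" tracebacks before the cron job runs. This is an added example, not code from the Sumo Logic collector package; the two-level parser only handles the snippet's shape, and the rule that service-account identities end in gserviceaccount.com is an assumption.

```python
# Added example (not the collector's code): pre-flight check for gsuitealertcenter.yaml.
import json
import os
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: Google service-account identities end in this domain.
SERVICE_ACCOUNT_DOMAIN = "gserviceaccount.com"

def parse_simple_yaml(text):
    """Parse the two-level 'Section:' / '  KEY: value' shape used by the snippet
    (not a general YAML parser). Quoted values are unquoted."""
    cfg, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if not raw[0].isspace():  # a column-0 line starts a new section
            section = cfg.setdefault(key.strip(), {})
        elif section is not None:
            section[key.strip()] = value.strip().strip('"').strip("'")
    return cfg

def validate_config(cfg, check_files=True):
    """Return a list of problems (an empty list means the config looks usable)."""
    problems = []
    endpoint = (cfg.get("SumoLogic") or {}).get("SUMO_ENDPOINT", "")
    if "<" in endpoint or not endpoint.startswith("https://"):
        problems.append("SUMO_ENDPOINT must be the HTTPS URL of the Sumo Logic HTTP source")
    gsuite = cfg.get("GsuiteAlertCenter") or {}
    email = gsuite.get("DELEGATED_EMAIL", "")
    if not EMAIL_RE.match(email):
        problems.append("DELEGATED_EMAIL is not a valid email address")
    elif email.endswith(SERVICE_ACCOUNT_DOMAIN):
        problems.append("DELEGATED_EMAIL is a service account, not a Super Admin user (HttpError 400)")
    path = gsuite.get("CREDENTIALS_FILEPATH", "")
    if not path or "<" in path:
        problems.append("CREDENTIALS_FILEPATH is missing or still a placeholder")
    elif check_files:
        try:
            with open(path) as fh:
                key = json.load(fh)
            if key.get("type") != "service_account" or "private_key" not in key:
                problems.append("CREDENTIALS_FILEPATH is not a service-account JSON key")
        except (IOError, ValueError):
            problems.append("CREDENTIALS_FILEPATH %s is unreadable or not JSON" % path)
    if (cfg.get("Collection") or {}).get("ENVIRONMENT") != "onprem":
        problems.append("Collection.ENVIRONMENT must be onprem for this deployment")
    return problems
```

Run validate_config(parse_simple_yaml(open(os.path.expanduser("~/gsuitealertcenter.yaml")).read())) as the same user the cron job runs under, since the collector reads the file from that user's home directory.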