Configure script based collection for G Suite Alert Center

This page provides instructions for deploying script based collection for G Suite Alert Center. This script collects logs for the Sumo Logic G Suite Alert Center App.

Prerequisites

This task assumes you have successfully added a Hosted Collector and HTTP source, as described in Configure Collection for G Suite Alert Center.

The following tasks assume you are logged in to the user account with which you will install the collector. If you are not, use the following command to switch to that account.

sudo su <user_name>

Configure the script on a Linux machine

This task shows you how to install the script on a Linux machine.

To deploy the script, do the following:

  1. Set up the Alert Center API as described in the following Google documentation.
  2. If pip is not already installed, follow the instructions in the pip documentation to download and install pip.
  3. Log in to a Linux machine (compatible with either Python 3.7 or Python 2.7) and install the script using the following command.

pip install sumologic-gsuitealertcenter

  4. Create a configuration file named gsuitealertcenter.yaml in the home directory by copying the following snippet.

SumoLogic:
  SUMO_ENDPOINT: <SUMO LOGIC HTTP URL>

GsuiteAlertCenter:
  DELEGATED_EMAIL: "<real email address of the real G Suite user with Super Admin access>"
  CREDENTIALS_FILEPATH: "<path to json Service Account JSON file>"

Collection:
  ENVIRONMENT: onprem

  5. Add the SUMO_ENDPOINT and CREDENTIALS_FILEPATH (from step 1 above) and DELEGATED_EMAIL parameters, then save the file.
  6. Create a cron job that runs the collector every 5 minutes by using crontab -e and adding the following line.

*/5 * * * * /usr/bin/python -m sumogsuitealertscollector.main > /dev/null 2>&1

Advanced configuration

This section lists the environment variables for G Suite Alert Center that you can define in the configuration file, as shown in the following example. See the table below for an explanation of each environment variable.

(Image: example configuration file, GSuite_Alert_Center_Troubleshooting_config.png)

For information on how to set these environment variables, refer to this Google Cloud document.

Environment Variable   Usage

ALERT_TYPES            Alert types to collect; one or more of:
                         "Customer takeout initiated"
                         "Misconfigured whitelist"
                         "User reported phishing"
                         "User reported spam spike"
                         "Suspicious message reported"
                         "Phishing reclassification"
                         "Malware reclassification"
                         "Leaked password"
                         "Suspicious login"
                         "Suspicious login (less secure app)"
                         "Suspicious programmatic login"
                         "User suspended"
                         "User suspended (spam)"
                         "User suspended (spam through relay)"
                         "User suspended (suspicious activity)"
                         "Google Operations"
                         "Government attack warning"
                         "Device compromised"
                         "Suspicious activity"
BACKFILL_DAYS          Number of days before the event collection will start. If the value is 1, then events are fetched from yesterday to today.
PAGINATION_LIMIT       Number of events to fetch in a single API call.
LOG_FORMAT             Log format used by the Python logging module to write logs to a file.
ENABLE_LOGFILE         Set to TRUE to write all logs and errors to a log file.
ENABLE_CONSOLE_LOG     Enables printing logs to the console.
LOG_FILEPATH           Path of the log file used when ENABLE_LOGFILE is set to TRUE.
NUM_WORKERS            Number of threads to spawn for API calls.
MAX_RETRY              Number of retries to attempt in case of request failure.
BACKOFF_FACTOR         A backoff factor to apply between attempts after the second try. If the backoff_factor is 0.1, then sleep() will sleep for [0.0s, 0.2s, 0.4s, ...] between retries.
TIMEOUT                Request timeout used by the requests library.
SUMO_ENDPOINT          HTTP source endpoint URL created in Sumo Logic.

Troubleshooting

This section shows you how to run the function manually and then verify that log messages are being sent from Alert Center.

To run the function manually, do the following:

  1. Enter one of the following commands:

     - For python, use this command:

python -m sumogsuitealertscollector.main

     - For python3, use this command:

python3 -m sumogsuitealertscollector.main

  2. The script generates logs in /tmp/sumoapiclient.log by default. Check these logs to verify whether it is getting triggered or not.
  3. If you installed the collector as root user and then run it as a normal user, you will see an error message similar to the following, because the config is not present in the home directory of the user running the collector. Switch to root user and run the script again.

Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/main.py", line 190, in main
    ns = GSuiteAlertsCollector()
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/main.py", line 29, in __init__
    self.config = Config().get_config(self.CONFIG_FILENAME, self.root_dir, cfgpath)
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/common/config.py", line 22, in get_config
    self.validate_config(self.config)
  File "/usr/local/lib/python2.7/dist-packages/sumogsuitealertscollector/common/config.py", line 34, in validate_config
    raise Exception("Invalid config")
Exception: Invalid config

  4. To verify whether there are new messages generated by Alert Center, go to Google Home > Security > Alert Center and then do the following:

(Image: GSuite_Alert_Center_Troubleshooting.png)

  5. Check for an error message similar to the following. If you see this error message, verify that the DELEGATED_EMAIL in the configuration belongs to a valid G Suite Admin user account and not a service account.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 191, in main
    ns.run()
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 162, in run
    task_params = self.build_task_params()
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 152, in build_task_params
    obj = self.set_new_end_epoch_time(alert_type, self.DEFAULT_START_TIME_EPOCH)
  File "/usr/local/lib/python3.6/dist-packages/sumogsuitealertscollector/main.py", line 81, in set_new_end_epoch_time
    response = self.alertcli.alerts().list(**params).execute()
  File "/usr/local/lib/python3.6/dist-packages/googleapiclient/_helpers.py", line 130, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/googleapiclient/http.py", line 851, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 400 when requesting
https://alertcenter.googleapis.com/v1beta1/alerts?pageSize=1&filter=create_time+%3E%3D+%222019-04-17T16%3A29%3A14.061731Z%22+AND+create_time+%3C%3D+%222019-04-18T16%3A27%3A14.417915Z%22+AND+type+%3D+%22Customer+takeout+initiated%22&orderBy=create_time+desc&alt=json
returned "Request contains an invalid argument.">
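A pre-flight check for the gsuitealertcenter.yaml configuration and credentials file described above, added here as an example and not part of the Sumo Logic collector: it flags placeholders that were never replaced (the "Invalid config" case), a non-HTTPS SUMO_ENDPOINT, a DELEGATED_EMAIL that is a service account rather than an admin user (the misconfiguration the troubleshooting section ties to the HttpError 400), and a service-account key file that other users on the host can read. The minimal parser assumes only the two-level layout shown on this page; the endpoint host, the key contents and the sample values are constructed.

```python
import json
import re
# Keys the documented snippet requires; a value still wrapped in <...> was never filled in.
REQUIRED = (("SumoLogic", "SUMO_ENDPOINT"), ("GsuiteAlertCenter", "DELEGATED_EMAIL"),
            ("GsuiteAlertCenter", "CREDENTIALS_FILEPATH"))

def parse_simple_yaml(text):
    """Parse the 'Section:' / '  KEY: value' layout of gsuitealertcenter.yaml (no lists, no PyYAML)."""
    config, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level section name
            section = line.rstrip(":")
            config[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            config[section][key.strip()] = value.strip().strip("\"'")
    return config

def check_config_values(config):
    """Catch what otherwise surfaces as 'Invalid config' or as HttpError 400 from alerts().list()."""
    problems = []
    for section, key in REQUIRED:
        value = config.get(section, {}).get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            problems.append("%s.%s is missing or still a placeholder" % (section, key))
        elif key == "SUMO_ENDPOINT" and not value.startswith("https://"):
            problems.append("SUMO_ENDPOINT must be an https:// URL; it carries the source token")
        elif key == "DELEGATED_EMAIL" and value.endswith(".iam.gserviceaccount.com"):
            problems.append("DELEGATED_EMAIL is a service account; use a real Super Admin user")
    return problems

def check_credentials_file(content, mode):
    try:
        data = json.loads(content)
    except ValueError:
        return ["CREDENTIALS_FILEPATH is not valid JSON"]
    problems = []
    if data.get("type") != "service_account" or "private_key" not in data:  # wrong key type
        problems.append("CREDENTIALS_FILEPATH is not a service-account key file")
    if mode & 0o077:  # any group/other permission bit set, e.g. 0o644
        problems.append("credentials file is readable by group/others; chmod 600 it")
    return problems
# Constructed sample: filled in, but with a service account where an admin user is required.
SAMPLE_CONFIG = ("SumoLogic:\n  SUMO_ENDPOINT: https://collectors.example.invalid/receiver/v1/http/TOKEN\n"
                 "GsuiteAlertCenter:\n  DELEGATED_EMAIL: \"svc@myproj.iam.gserviceaccount.com\"\n"
                 "  CREDENTIALS_FILEPATH: \"/home/sumo/sa.json\"\nCollection:\n  ENVIRONMENT: onprem\n")
SAMPLE_KEY = json.dumps({"type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE"})
```

To check a real deployment, pass the contents of ~/gsuitealertcenter.yaml to parse_simple_yaml and the key file's contents together with os.stat(path).st_mode to check_credentials_file.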