Solution to pull alerts from G Suite Alert Center to Sumo Logic
This legacy solution to pull alerts from Alert Center to Sumo Logic has been replaced with a dedicated Cloud-to-Cloud Integration Framework source. We recommend customers use the Google Workspace AlertCenter Cloud-to-Cloud source instead of this legacy Python collection method. See: Google Workspace AlertCenter Source
This collector can be deployed both on-prem and in the cloud (Google Cloud Functions). For installing the collector as a serverless solution, refer to these docs.
Step 1: Set up the Alert Center API by referring to the following docs. While creating the key for the service account, make a note of where the Service Account JSON file is downloaded on your computer; you will need that path later. Treat this file as a secret: it grants delegated access to your Workspace domain.
Step 2: Add a Hosted Collector and HTTP Source. Note the HTTP Source URL; it is the SUMO_ENDPOINT used below. In the source's timestamp settings, configure the following so that Sumo Logic parses each alert's createTime as the message time:
Timestamp Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
Timestamp Locator: \"createTime\": (.*),
Configuring the sumologic-gsuitealertcenter collector
The instructions below assume pip is already installed; if not, see the pip docs on how to download and install pip. sumologic-gsuitealertcenter is compatible with Python 3.7 and Python 2.7. It has been tested on Ubuntu 18.04 LTS and Debian 4.9.130. Log in to a Linux machine and follow the steps below:
Install the collector using the command below:
pip install sumologic-gsuitealertcenter
Create a configuration file named gsuitealertcenter.yaml in your home directory by copying the snippet below. Fill in SUMO_ENDPOINT (the HTTP Source URL from step 2), CREDENTIALS_FILEPATH (the path of the Service Account JSON file downloaded in step 1) and DELEGATED_EMAIL (the admin account from step 1 that the service account impersonates), then save it. Because the credentials file is a domain-wide delegation key, keep it readable only by the user the cron job runs as.
SumoLogic:
  SUMO_ENDPOINT: <SUMO LOGIC HTTP URL>
GsuiteAlertCenter:
  DELEGATED_EMAIL: "<use the default email address>"
  CREDENTIALS_FILEPATH: "<path to the Service Account JSON file>"
Collection:
  ENVIRONMENT: onprem
Create a cron job that runs the collector every 5 minutes: run crontab -e and add the line below. The interpreter on the cron line must be the one whose pip installed the package (on Ubuntu 18.04, /usr/bin/python may be Python 2 while pip installed into Python 3); otherwise python -m will not find the module. While troubleshooting, redirect output to a log file instead of /dev/null.
*/5 * * * * /usr/bin/python -m sumogsuitealertscollector.main > /dev/null 2>&1
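Before enabling the cron job it is worth checking that the configuration, the service account key and the interpreter are all in order, since the cron line above discards all output and a misconfiguration would fail silently. The following preflight script is an added example written for this page, not part of the sumologic-gsuitealertcenter package. It assumes the config layout shown above, the standard Sumo HTTP Source URL shape (https://<host>/receiver/v1/http/<token>), the usual Google service account key fields (type, client_email, private_key), and Python 3; the sample config and token in it are constructed.

```python
import importlib.util
import json
import os
import re
import stat

# Keys required by the gsuitealertcenter.yaml snippet above, per section.
REQUIRED = {
    "SumoLogic": ("SUMO_ENDPOINT",),
    "GsuiteAlertCenter": ("DELEGATED_EMAIL", "CREDENTIALS_FILEPATH"),
    "Collection": ("ENVIRONMENT",),
}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample config (made-up token, email and path).
SAMPLE_CONFIG = """\
SumoLogic:
  SUMO_ENDPOINT: https://collectors.sumologic.com/receiver/v1/http/EXAMPLETOKEN
GsuiteAlertCenter:
  DELEGATED_EMAIL: "admin@example.com"
  CREDENTIALS_FILEPATH: "/home/collector/sa-key.json"
Collection:
  ENVIRONMENT: onprem
"""


def parse_config(text):
    """Parse the two-level 'Section:' / '  KEY: value' layout into nested
    dicts. Deliberately minimal (not a YAML parser) to avoid a PyYAML dependency."""
    cfg, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith((" ", "\t")):
            section = raw.strip().rstrip(":")
            cfg[section] = {}
            continue
        if section is None:
            raise ValueError("indented key before any section: %r" % raw)
        key, _, value = raw.strip().partition(":")
        cfg[section][key.strip()] = value.strip().strip("\"'")
    return cfg


def check_values(cfg):
    """Problems with the config values themselves (no filesystem access)."""
    problems = []
    for section, keys in REQUIRED.items():
        for key in keys:
            value = cfg.get(section, {}).get(key, "")
            if not value or value.startswith("<"):
                problems.append("%s.%s is missing or still the placeholder" % (section, key))
    if problems:
        return problems
    endpoint = cfg["SumoLogic"]["SUMO_ENDPOINT"]
    if not endpoint.startswith("https://") or "/receiver/v1/http/" not in endpoint:
        problems.append("SUMO_ENDPOINT does not look like an HTTPS HTTP Source URL")
    if not EMAIL_RE.match(cfg["GsuiteAlertCenter"]["DELEGATED_EMAIL"]):
        problems.append("DELEGATED_EMAIL is not an email address")
    if cfg["Collection"]["ENVIRONMENT"] != "onprem":
        problems.append("ENVIRONMENT should be onprem for the cron-driven install")
    return problems


def check_key_json(key):
    """Problems with the parsed service account JSON."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("credentials file is not a service account key")
    problems += ["service account key lacks %s" % f
                 for f in ("client_email", "private_key") if not key.get(f)]
    return problems


def check_key_mode(mode):
    """The key grants delegated access to the whole domain, so it must not be
    readable by other local users."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["service account key is group/world accessible; chmod 600 it"]
    return []


def module_importable(name):
    """True if 'python -m name' would find the module under this interpreter,
    which is what the cron line relies on."""
    try:
        return importlib.util.find_spec(name) is not None
    except ImportError:
        return False


def preflight(config_path):
    """Run every check against a config file on disk; returns a list of problems."""
    with open(config_path) as fh:
        problems = check_values(cfg := parse_config(fh.read()))
    if problems:
        return problems
    key_path = os.path.expanduser(cfg["GsuiteAlertCenter"]["CREDENTIALS_FILEPATH"])
    if not os.path.isfile(key_path):
        return ["CREDENTIALS_FILEPATH not found: %s" % key_path]
    problems += check_key_mode(os.stat(key_path).st_mode)
    try:
        with open(key_path) as fh:
            problems += check_key_json(json.load(fh))
    except ValueError:
        problems.append("credentials file is not valid JSON")
    if not module_importable("sumogsuitealertscollector.main"):
        problems.append("sumogsuitealertscollector is not installed for this interpreter")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/gsuitealertcenter.yaml")
    issues = preflight(path)
    print("\n".join(issues) if issues else "config OK")
    sys.exit(1 if issues else 0)
```

Run it with the same interpreter the cron line uses (for example /usr/bin/python preflight.py ~/gsuitealertcenter.yaml) so that the module check reflects what cron will actually execute.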