aw-mfe / gsuite2mfe

Send events from G Suite to McAfee SIEM
MIT License

Not sending any syslog output from Linux #1

Closed mil10jose closed 5 years ago

mil10jose commented 6 years ago

Done everything as directed in the documentation. I can now see the API polling activity every minute.
- Running the command `python quickstart.py --noauth_local_webserver` retrieves the last 10 events successfully.
- Disabled the FW on the Linux machine.
- Can verify that ping works between the collector Linux machine and the target SIEM.
- Running tcpdump on Linux with the SIEM server as target doesn't bring any result: no traffic coming from Linux to the SIEM server.

Anything that I am missing? Thanks in advance.

andywalden commented 6 years ago

Could you try running the script in debug mode and possibly with a start date to force it to read events older than the date in the bookmark file? Please sanitize if you post it. Thanks.

$ python gsuite2mfe.py -l debug -s 2017-10-01T14:53:38.000Z
Oct 10 15:24:18 monster gsuite2mfe: **DEBUG ENABLED**
Oct 10 15:24:18 monster gsuite2mfe: Log retrieval enabled for: ['login']
Oct 10 15:24:18 monster gsuite2mfe: Validating timestamp: 2017-10-01 10:53:38-04:00
Oct 10 15:24:18 monster gsuite2mfe: Null time provided: None
Oct 10 15:24:18 monster gsuite2mfe: Function: open_socket: 22.22.26.17: 514
Oct 10 15:24:18 monster gsuite2mfe:
Oct 10 15:24:18 monster gsuite2mfe: Processing actvity: 'login'
Oct 10 15:24:18 monster gsuite2mfe:
Oct 10 15:24:18 monster gsuite2mfe: Authenticating to GSuite
Oct 10 15:24:18 monster gsuite2mfe: Retrieving login events from: 2017-10-01 10:53:38-04:00 to 2017-10-10 15:24:18-04:00
Oct 10 15:24:18 monster gsuite2mfe: Syslog feedback sent
Oct 10 15:24:18 monster gsuite2mfe: Event 1 sent to syslog: {"ipAddress": "10.16.4.9", "etag": "\"zjH8tjoYF5URJ2FgtSkky1bRV2Y/OSGZv2ryHVLEinqyrJO2J-hWieo\"", "id": {"time": "2017-10-10T12:59:28.000Z", "uniqueQualifier": "-75675337340989035", "customerId": "sdfff7aw", "applicationName": "login"}, "actor": {"email": "user@domain.com", "profileId": "111352983980052243957"}, "events": [{"parameters": [{"value": "google_password", "name": "login_type"}], "name": "login_success", "type": "login"}], "kind": "admin#reports#activity"}.
Oct 10 15:24:18 monster gsuite2mfe: Syslog feedback sent
Oct 10 15:24:18 monster gsuite2mfe: Event 2 sent to syslog: {"ipAddress": "10.2.3.4", "etag": "\"zjH8tFadssasSkky1basdasdHjjyLS2cPP2A0bhwlmoNHUfjtU\"", "id": {"time": "2017-10-03T13:50:02.000Z", "uniqueQualifier": "4508444321810", "customerId": "sdfsdfw", "applicationName": "login"}, "actor": {"email": "user@domain.com", "profileId": "1113529823432443957"}, "events": [{"parameters": [{"value": "google_password", "name": "login_type"}], "name": "login_success", "type": "login"}], "kind": "admin#reports#activity"}.
Oct 10 15:24:18 monster gsuite2mfe: Total Events: 2
Oct 10 15:24:18 monster gsuite2mfe: Total events retrieved from login: 2
Oct 10 15:24:18 monster gsuite2mfe: Bookmark unchanged
Oct 10 15:24:18 monster gsuite2mfe: **EXECUTE COMPLETE**
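The two things the debug run above exercises are the bookmark window (the `-s` start date widens it so older events are re-read) and the per-event syslog send. The following is an added example, not the project's code: it takes an activity record shaped like the JSON in the log, decides whether it is newer than a bookmark timestamp, renders it as a flat RFC 3164 line for the SIEM, and sends it over UDP. The hostname, collector address, and field layout are assumptions.

```python
import json
import socket
from datetime import datetime, timezone

# Constructed sample record, shaped like the "Event N sent to syslog" JSON in the debug output.
SAMPLE_EVENT = json.loads('''{"kind": "admin#reports#activity",
 "actor": {"profileId": "110544911523492456222", "email": "user1@example.com"},
 "events": [{"type": "login", "name": "login_success",
             "parameters": [{"name": "login_type", "value": "saml"}]}],
 "ipAddress": "",
 "id": {"uniqueQualifier": "370424542483655890", "applicationName": "login",
        "customerId": "C03guwau5", "time": "2017-10-11T02:23:08.000Z"}}''')


def parse_ts(value):
    """Parse the Reports API timestamp (RFC 3339, trailing Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def newer_than_bookmark(record, bookmark):
    """True if the record is newer than the bookmark timestamp (same format as -s).
    Passing an older start date, as in the debug run, lets previously seen events through."""
    return parse_ts(record["id"]["time"]) > parse_ts(bookmark)


def to_syslog(record, hostname="gsuite-collector"):
    """Render one activity record as an RFC 3164 line with key=value fields.
    An empty ipAddress (common on SAML logins) becomes ip=- so SIEM parsers stay aligned."""
    ev = record["events"][0]
    params = {p["name"]: p["value"] for p in ev.get("parameters", [])}
    ts = parse_ts(record["id"]["time"]).strftime("%b %d %H:%M:%S")
    fields = {
        "app": record["id"]["applicationName"],
        "event": ev["name"],
        "actor": record["actor"]["email"],
        "ip": record.get("ipAddress") or "-",
        "login_type": params.get("login_type", "-"),
        "uid": record["id"]["uniqueQualifier"],
    }
    body = " ".join(f"{k}={v}" for k, v in fields.items())
    return f"<14>{ts} {hostname} gsuite2mfe: {body}"  # PRI 14 = facility user, severity info


def send_udp(line, host="127.0.0.1", port=514):
    """Send one line to a UDP syslog collector (placeholder address); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))
```

Running tcpdump for UDP/514 while calling `send_udp(to_syslog(SAMPLE_EVENT), host=<siem>)` isolates the network path from the API and bookmark logic.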

mil10jose commented 6 years ago

Hi, thanks for your email. I'm getting the following error message:

python gsuite2mfe.py -l debug -s 2017-10-01T14:53:38.000Z

Traceback (most recent call last):
  File "gsuite2mfe.py", line 2, in <module>
    from apiclient import discovery
ImportError: No module named apiclient

Regards Milton


mil10jose commented 6 years ago

Oops, sorry! I've fixed the missing modules; ignore my stupid question above. Please see the output below.

Oct 11 15:35:24 GSuiteServer gsuite2mfe: **DEBUG ENABLED**
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Log retrieval enabled for: [u'login']
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Validating timestamp: 2017-10-01 10:53:38-04:00
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Null time provided: None
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Function: open_socket: 130.217.76.94: 514
Oct 11 15:35:24 GSuiteServer gsuite2mfe:
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Processing actvity: 'login'
Oct 11 15:35:24 GSuiteServer gsuite2mfe:
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Authenticating to GSuite
Oct 11 15:35:24 GSuiteServer gsuite2mfe: Retrieving login events from: 2017-10-01 10:53:38-04:00 to 2017-10-10 22:35:24-04:00
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Syslog feedback sent
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Event 1 sent to syslog: {"kind": "admin#reports#activity", "actor": {"profileId": "110544911523492456222", "email": "user1@waikato.ac.nz"}, "events": [{"type": "login", "name": "login_success", "parameters": [{"name": "login_type", "value": "saml"}]}], "etag": "\"zjH8tjoYF5URJ2FgtSkky1bRV2Y/wykm01H9MpKf7zZNM0J-uhVpZXo\"", "ipAddress": "", "id": {"uniqueQualifier": "370424542483655890", "applicationName": "login", "customerId": "C03guwau5", "time": "2017-10-11T02:23:08.000Z"}}.
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Syslog feedback sent
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Event 2 sent to syslog: {"kind": "admin#reports#activity", "actor": {"profileId": "103976039877356871066", "email": "user2@waikato.ac.nz"}, "events": [{"type": "login", "name": "login_success", "parameters": [{"name": "login_type", "value": "saml"}]}], "etag": "\"zjH8tjoYF5URJ2FgtSkky1bRV2Y/6Iegf2xZXVp6TmFNb0FzMMC1hss\"", "ipAddress": "", "id": {"uniqueQualifier": "-7878327725672095838", "applicationName": "login", "customerId": "C03guwau5", "time": "2017-10-11T02:20:17.000Z"}}.
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Syslog feedback sent
...................
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Total Events: 50
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Total events retrieved from login: 50
Oct 11 15:35:25 GSuiteServer gsuite2mfe: Bookmark unchanged
Oct 11 15:35:25 GSuiteServer gsuite2mfe: **EXECUTE COMPLETE**

Thanks in advance.

Milton


andywalden commented 6 years ago

Woot! Looks like you're rocking and rolling now. Has anything parsed yet?

mil10jose commented 6 years ago

Now it looks great, thanks heaps for your help, mate. Have a great day. Cheers, Milton
