...
To run this collector, there are some configurations detailed below that you need to take into account.
Configuration | Details |
---|---|
GPC GCP console | You have the right credentials to access the GCP console. |
Permissions | You have to be the owner of the account or have administrator’s permissions in the GCP console. |
Delegated email | You need to have a delegated email with the right permissions. Refer to Google documentation to know how to do it. |
...
Depending on how did you obtain your credentials, you will have to either fill or delete the following properties on the JSON credentials
configuration block.
Authentication Method | Filename | Base64 credentials | Delegated email | ||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Service Account with Base64 |
|
|
|
...
Download the
...
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
...
Rw tab | ||
---|---|---|
|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
Code Block |
---|
<any_directory>
└── devo-collectors/
└── <product_name>/
├── certs/
│ ├── chain.crt
│ ├── <your_domain>.key
│ └── <your_domain>.crt
├── state/
└── config/
└── config.yaml |
Note |
---|
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/
. Learn more about security credentials in Devo here.
...
Note |
---|
Replace |
Editing the config.yaml file
...
Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
---|---|
|
Use the following command to add the Docker image to the system:
Code Block |
---|
gunzip -c <image_file>-<version>.tgz | docker load |
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace <image_file>
and <version>
with a proper value.
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Code Block |
---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
Replace <product_name>
, <image_name>
and <version>
with the proper values.
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/
directory.
Code Block | |||||||||
---|---|---|---|---|---|---|---|---|---|
version: '3' services: collector-<product_name>: image: <image_name>:${IMAGE_VERSION:-latest} container_name: collector-<product_name> volumes:directory_name: state outputs: - ./certs:/devo-collector/certsdevo_1: -type ./config:devo_platform /devo-collector/configconfig: address: <devo_address>- ./credentials:/devo-collector/credentials -port: 443 ./state:/devo-collector/statetype environment:SSL chain: <chain_filename>
cert: <cert_filename>
key: <key_filename>
inputs:
gsuite_alerts:
id: <input_id>
enabled: <input_status>
requests_per_second: <requests_per_second_value>
environment: <environment_value>
credentials:
filename: <filename_value>
content_base64: <content_base64_value>
delegated_email: <delegated_email_value>
source_id: <source_id_value>
services:
<collector_service_name>:
request_period_in_seconds: <request_period_in_seconds_value>
start_time: <start_time_override_value>
tag: <custom_tag>
Replace the placeholders with your required values following the description table below: | |||||||||
Parameter | Data Type | Type | Value Range | Details | |||||
|
|
|
| If the value is | |||||
|
|
| Minimum length: | Use this param to give an unique id to this collector. | |||||
|
|
| Minimum length: | Use this param to give a valid name to this collector. | |||||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | |||||
|
|
| Minimum length: | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | |||||
|
|
| Minimum length: | Use this param to identify the | |||||
|
|
| Minimum length: | Use this param to identify the | |||||
|
|
| Minimum length: | Use this param to give an unique id to this input service.
| |||||
|
|
|
| Use this param to enable or disable the given input logic when running the collector. If the value is | |||||
|
|
| Minimum value: | Customize the maximum number of API requests per second. If not used, the default setting will be used:
| |||||
|
|
| Minimum length: | This parameter is used to create the Devo tag. It corresponds to the sixth level of the tag:
| |||||
|
|
| Minimum length: | This parameter is the name that you want to give to the token generated by the Collector. For example: | |||||
|
|
| Minimum length: | This parameter is the credentials in base64 format. To know how to obtain this value review the section How to enable the collection in the vendor. | |||||
|
|
| Minimum length: | This parameter is the email of the user whose domain is delegated to authorize the Service Account to access the alerts. To know how to obtain this value review the section How to enable the collection in the vendor.
| |||||
|
|
| Minimum value: | This parameter will be used when {source_id} placeholder is present when using custom tags. Please use | |||||
|
|
| Any collector service names described in the Data source section. | This parameter can be set to any collector service name described in the Data sources section. It is also important to note that there may be more than one service. Choose one of our available services:
For example:
| |||||
|
|
| Minimum length: | Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)
| |||||
|
|
| UTC with format: | This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (1 month back for example) before downloading new events.
| |||||
|
|
| A Devo tag. See for more information see Devo tags. | This parameter is used to override the default tag with a new customer defined tag.
| |||||
Collector Docker image | SHA-256 hash | ||||||||
|
Code Block |
---|
gunzip -c <image_file>-<version>.tgz | docker load |
Note |
---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Code Block |
---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
Note |
---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/
directory.
Code Block |
---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/
directory:
Code Block |
---|
IMAGE_VERSION=<version> docker-compose up -d |
Note |
---|
Replace |
Rw tab | ||
---|---|---|
|
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create
Table
events, but mandatory for those that createLookups
.In the Parameters section, establish the Collector Parameters as follows below:
Editing the JSON configuration
Code Block |
---|
{
"global_overrides": {
"debug": <debug_status>
},
"inputs": {
"gsuite_alerts": {
"id": "<short_unique_id>",
"enabled": <input_status>,
"requests_per_second": <requests_per_second_value>,
"environment": "<environment_value>"
"credentials": {
"filename": "<filename_value>",
"content_base64": "<content_base64_value>",
"delegated_email": "<delegated_email_value>",
"source_id": "<source_id_value>"
},
"services": {
"<collector_service_name>": {
"request_period_in_seconds": <request_period_in_seconds_value>,
"start_time": "<start_time_override_value>",
"tag": "<custom_tag>"
}
}
}
}
} |
Info |
---|
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Please replace the placeholders with real world values following the description table below:
Parameter
Data Type
Type
Value Range / Format
Details
debug_status
bool
Mandatory
false
/ true
If the value is true
, the debug logging traces will be enabled when running the collector. If the value is false
, only the info
, warning
and error
logging levels will be printed.
short_unique_id
int
Mandatory
Minimum length: 1
Maximum length: 5
Use this param to give an unique id to this input service.
Note |
---|
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision. |
input_status
bool
Mandatory
false
/ true
Use this param to enable or disable the given input logic when running the collector. If the value is true
, the input will be run. If the value is false
, it will be ignored.
requests_per_second_value
int
Optional
Minimum value: 1
Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000
requests/sec.
This parameter should be removed if it is not used.
environment_value
str
Optional
Minimum length: 1
This parameter is used to create the Devo tag. It corresponds to the sixth level of the tag:cloud.gsuite.alerts.<alert_type>.<format_version>.<environment>
. If this parameter is removed, the sixth level of the tag will have the value unknown
.
This parameter should be removed if it is not used.
filename_value
str
Mandatory
Minimum length: 1
This parameter is the name that you want to give to the token generated by the Collector. For example: token.pickle
content_base64_value
str
Mandatory
Minimum length: 1
This parameter is the credentials in base64 format. To know how to obtain this value review the section How to enable the collection in the vendor.
delegated_email_value
str
Mandatory
Minimum length: 1
This parameter is the email of the user whose domain is delegated to authorize the Service Account to access the alerts. To know how to obtain this value review the section How to enable the collection in the vendor.
Note |
---|
Note for later: |
source_id
str
Mandatory
Minimum value: 1
This parameter will be used when {source_id} placeholder is present when using custom tags. Please use "abc"
value when not used.
collector_service_name
str
Mandatory
Any collector service names described in the Data sources section.
This parameter can be set to any collector service name described in the Data sources section. It is also important to note that there may be more than one service.
Choose one of our available services:
access_approvals
account_suspension_warn
activity_rule
apns_cert_expired
apns_cert_expiring
appmaker_default_cloud_sql_setup
apps_outage
calendar_changed
chrome
configuration_problem
customer_abuse
customer_takeout_initiated
data_loss_prevention
device_compromised
drive_changed
email_changed
google_operations
government_attack_warning
leaked_password
malware_reclassification
misconfigured_whitelist
mobile_changed
msa_billing
msa_legal
msa_product
msa_security
new_user
phishing_reclassification
primary_admin_changed
reporting_rule
sso_profile_updated
sso_profile_added
sso_profile_deleted
super_admin_password_reset
suspended_user_active
suspicious_activity
suspicious_login
suspicious_login_less_secure_app
suspicious_message_reported
suspicious_programmatic_login
user_admin_revoked
user_deleted
user_granted_admin
user_password_changed
user_reported_phishing
user_reported_spam_spike
user_suspended
user_suspended_alert
user_suspended_spam
user_suspended_spam_through_relay
user_suspended_suspicious_activity
For example:
Code Block |
---|
"services": {
"customer_takeout_initiated": {
"request_period_in_seconds": 60
},
"misconfigured_whitelist": {
"request_period_in_seconds": 60
}
} |
request_period_in_seconds_value
int
Optional
Minimum length: 1
Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)
This parameter should be removed if it is not used.
start_time_override_value
str
Optional
UTC with format: YYYY-mm-ddTHH:MM:SS.sssZ
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (1 month back for example) before downloading new events.
This parameter should be removed if it is not used.
custom_tag
str
Optional
A Devo tag. See for more information see Devo tags
This parameter is used to override the default tag with a new customer defined tag.
This parameter should be removed if it is not used.
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Devo categorization and destination
The alerts are ingested in the Devo tables with the format cloud.gsuite.alerts.<alert_type>
when alert_type
is the alert type of the Alert Center. The alert types are listed below:
...
Alert type
...
Devo Table
...
customer_takeout_initiated
...
cloud.gsuite.alerts.customer_takeout_initiated
...
misconfigured_whitelist
...
cloud.gsuite.alerts.misconfigured_whitelist
...
malware_reclassification
...
cloud.gsuite.alerts.malware_reclassification
...
phishing_reclassification
...
cloud.gsuite.alerts.phishing_reclassification
...
suspicious_message_reported
...
cloud.gsuite.alerts.suspicious_message_reported
...
user_reported_phishing
...
cloud.gsuite.alerts.user_reported_phishing
...
user_reported_spam_spike
...
cloud.gsuite.alerts.user_reported_spam_spike
...
leaked_password
...
cloud.gsuite.alerts.leaked_password
...
suspicious_login
...
cloud.gsuite.alerts.suspicious_login
...
suspicious_login_less_secure_app
...
cloud.gsuite.alerts.suspicious_login_less_secure_app
...
suspicious_programmatic_login
...
cloud.gsuite.alerts.suspicious_programmatic_login
...
user_suspended
...
cloud.gsuite.alerts.user_suspended
...
user_suspended_spam
...
cloud.gsuite.alerts.user_suspended_spam
...
user_suspended_spam_through_relay
...
cloud.gsuite.alerts.user_suspended_spam_through_relay
...
user_suspended_suspicious_activity
...
cloud.gsuite.alerts.user_suspended_suspicious_activity
...
google_operations
...
cloud.gsuite.alerts.google_operations
...
government_attack_warning
...
cloud.gsuite.alerts.government_attack_warning
...
device_compromised
...
cloud.gsuite.alerts.device_compromised
...
suspicious_activity
...
cloud.gsuite.alerts.suspicious_activity
...
appmaker_default_cloud_sql_setup
...
cloud.gsuite.alerts.appmaker_default_cloud_sql_setup
...
activity_rule
...
cloud.gsuite.alerts.activity_rule
...
configuration_problem
...
cloud.gsuite.alerts
...
data_loss_prevention
...
cloud.gsuite.alerts.data_loss_prevention
...
apps_outage
...
cloud.gsuite.alerts
...
primary_admin_changed
...
cloud.gsuite.alerts
...
sso_profile_added
...
cloud.gsuite.alerts
...
sso_profile_updated
...
cloud.gsuite.alerts
...
sso_profile_deleted
...
cloud.gsuite.alerts
...
super_admin_password_reset
...
cloud.gsuite.alerts.super_admin_password_reset
Events service
...
title | Verify data collection |
---|
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.
This service has the following components:
...
Component
...
Description
...
Setup
...
The setup module is in charge of authenticating the service and managing the token expiration when needed.
...
Puller
...
The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.
Setup output
A successful run has the following output messages for the setup module:
Code Block |
---|
INFO InputProcess::GSuiteAlertsPullerSetup(gsuite_collector,gsuite_alerts#1234,activity_rule#predefined) -> Path for credentials file has been transformed to absolute: "token.pickle" -> "/../devo-collector-gsuite-google-workspace-alerts/credentials/token.pickle"
INFO InputProcess::GSuiteAlertsPullerSetup(gsuite_collector,gsuite_alerts#1234,activity_rule#predefined) -> File "/../devo-collector-gsuite-google-workspace-alerts/credentials/token.pickle" has been created from base64 content
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method started |
Puller output
A successful initial run has the following output messages for the puller module:
Info |
---|
Note that the |
Code Block |
---|
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method started
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Retrieving persisted data
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> No persisted data found. The content will be initialized.
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> The <initial_start_time> did not change, so the persistence will not be reset
WARNING InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> The persistence changed and it will be updated. Current -> None | New -> {'initial_start_time': '2022-05-26T00:00:00.000Z', 'last_alert_timestamp': '2022-05-26T00:00:00.000Z', 'last_alert_ids': []}
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method completed
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Unpacking messages to start the delivery
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Made 1 request(s), received 24 message(s), filtered 0 message(s), delivered 24 message(s), tag used: "cloud.gsuite.alerts.activity_rule.1.unknown". avg_time_per_source_message: 61.463 ms
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Data collection completed. Elapsed time: 1.480 seconds. Waiting for 58.520 second(s) until the next one |
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
Code Block |
---|
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Made 1 request(s), received 24 message(s), filtered 0 message(s), delivered 24 message(s), tag used: "cloud.gsuite.alerts.activity_rule.1.unknown". avg_time_per_source_message: 61.463 ms |
Expand | ||
---|---|---|
| ||
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
|
Expand | ||||
---|---|---|---|---|
| ||||
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors. | ||||
ErrorType | Error Id | Error Message | Cause | Solution |
|
|
| This error is raised when unknown error occurs while loading token.pickle | Check that the token.pickle is in the correct format and if not, regenerate it again. |
|
|
| This error is raised when an HTTP error appears during setup. | The solution depends on the type of error.. Contact with Devo Support team. |
|
| This error is raised when token.pickle does not exist. | Regenerate the token.json and save it in the file
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/
directory:
Code Block |
---|
IMAGE_VERSION=<version> docker-compose up -d |
Replace <product_name>
, <image_name>
and <version>
with the proper values.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. To enable the collector for a customer:
Editing the JSON configuration
Please replace the placeholders with real world values following the description table below:
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below:
Download the Docker imageThe collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
The Docker image can be deployed on the following services: DockerExecute the following command on the root directory
Docker ComposeThe following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
|
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
Devo categorization and destination
The alerts are ingested in the Devo tables with the format cloud.gsuite.alerts.<alert_type>
when alert_type
is the alert type of the Alert Center. The alert types are listed below:
Alert type | Devo Table |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Events service
Expand | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||
Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console. This service has the following components:
Setup outputA successful run has the following output messages for the setup module:
|
|
| This error is raised when the token cannot be refreshed. The reason may be that it has been deleted. | Regenerate the token.json and save it in the file
.pickle" INFO InputProcess::GSuiteAlertsPullerSetup(gsuite_collector,gsuite_alerts#1234,activity_rule#predefined) -> File "/../devo-collector-gsuite-google-workspace-alerts/credentials/ |
token |
InputConfigurationError
70
<input_config_environment_key_path> property must be a string
This error is raised when optional value environment
is not in the str format.
Edit the value of environment
in the configuration file so it is of valid str format.
71
<input_config_environment_key_path> property must fulfil the regex pattern r'^[A-Za-z0-9_-]{1,32}$'
This error is raised when optional value environment
does not match the required regex.
Make the value of environment
in the configuration file match the indicated format.
GSuiteAlertsPullerConnectionLostException
0
Operation timed out: <error_message>
This error is raised when the maximum time to wait for the connection has been exceeded.
Check that the connection is working properly.
1
HTTP/1.1 503 Service Unavailable at moment - Retrying reconnection: <error_message>
This error is raised when the service is not available.
This is an internal issue. Contact the support team.
2
DefaultCredentials: <error_message>
This error is raised when credentials cannot be automatically determined.
This is an internal issue. Contact the support team.
0
Operation timed out
This error is raised when the maximum time to wait for the connection has been exceeded.
Check that the connection is working properly.
1
HTTP/1.1 503 Service Unavailable at moment - Retrying reconnection.
This error is raised when the service is not available.
This is an internal issue. Contact the support team.
3
<error_message>
This error is raised when credentials cannot be automatically determined.
This is an internal issue. Contact the support team.
GSuiteAlertsPullerCreationException
1
<module_properties_key_path> mandatory property is missing or empty'
This error is raised when module_properties
property is not found in collector_definitions.yaml
This is an internal issue. Contact the support team.
2
<module_properties_key_path> property must be a dictionary
This error is raised when module_properties
is defined in the collector_definitions.yaml
file but the format is not dict
.
This is an internal issue. Contact the support team.
3
<module_properties_key_path>.alert_type mandatory property is missing or empty
This error is raised when alert_type
property is not found in collector_definitions.yaml
This is an internal issue. Contact the support team.
4
<module_properties_key_path>.alert_type property must be a string
This error is raised when alert_type
is defined in the collector_definitions.yaml
file but the format is not str
.
This is an internal issue. Contact the support team.
5
<module_properties_key_path>.tag_base mandatory property is missing or empty
This error is raised when tag_base
property is not found in collector_definitions.yaml
This is an internal issue. Contact the support team.
6
<module_properties_key_path>.tag_base property must be a string
This error is raised when tag_base
is defined in the collector_definitions.yaml
file but the format is not str
.
This is an internal issue. Contact the support team.
7
<module_properties_key_path>.credentials_scopes" mandatory property is missing or empty
This error is raised when credentials_scopes
property is not found in collector_definitions.yaml
This is an internal issue. Contact the support team.
8
<module_properties_key_path>.credentials_scopes" property must be a string
This error is raised when credentials_scopes
is defined in the collector_definitions.yaml
file but the format is not str
.
This is an internal issue. Contact the support team.
9
<input_config_key_path> property must be a dictionary
This error is raised when the required property input_config_key_path
is not found in the config
file.
Add input_config_key_path
to config
file, for example: gsuit_alerts:
10
<input_config_credentials_key_path> mandatory property is missing or empty
This error is raised when the required property credentials
is not found in the config
file.
Add credentials
dictionary in config.
11
<input_config_credentials_key_path> property must be a dictionary
This error is raised when credentials
is defined in the config
file but the format is not dict
.
Edit the value of credentials
in config
file, so it is of valid dict
format.
12
<input_config_credentials_key_path>.filename mandatory property is missing or empty
This error is raised when the required property filename
is not found in the config
file, into credentials
dictionary.
Add filename
property in config
file, into credentials
dictionary.
13
<input_config_credentials_key_path>.filename property must be a string
This error is raised when filename
is defined in the config
file but the format is not str
.
Edit the value of filename
in config
file, so it is of valid str
format.
14
<input_config_credentials_key_path>.content_base64" property must be a string
This error is raised when content_base64
is defined in the config
file but the format is not str
.
Edit the value of content_base64
in config
file, so it is of valid str
format.
15
<input_config_credentials_key_path>.content_base64" must be in a valid base64 format
This error is raised when content_base64
is defined in the config
file but the format is not base64 string
.
Edit the value of content_base64
in config
file, so it is of valid base64 string
format.
16
<input_config_credentials_key_path>.delegated_email mandatory property is missing or empty
This error is raised when the required property delegated_email
is not found in the config
file, into credentials
dictionary.
Add delegated_email
property in config
file, into credentials
dictionary.
17
<input_config_credentials_key_path>.delegated_email property must be a string
This error is raised when delegated_email
is defined in the config
file but the format is not str
.
Edit the value of delegated_email
in config
file, so it is of valid str
format.
18
<input_config_credentials_key_path>.source_id mandatory property is missing or empty
This error is raised when the required property source_id
is not found in the config
file, into credentials
dictionary.
Add source_id
property in config
file, into credentials
dictionary.
19
<input_config_credentials_key_path}.source_id> property must be a string'
This error is raised when source_id
is defined in the config
file but the format is not str
.
Edit the value of source_id
in config
file, so it is of valid str
format.
20
\"start_time\" property from configuration file format is invalid
This error is raised when start_time
is defined in the config
file but the format is not "%Y-%m-%dT%H:%M:%S.%fZ"
or "%Y-%m-%dT%H:%M:%SZ"
.
Edit the value of start_time
in config
file, so it is of valid "%Y-%m-%dT%H:%M:%S.%fZ" or "%Y-%m-%dT%H:%M:%SZ"
format.
PrePullError
200
The <state> does not meet the structure requirements of this collector version. '
f'The keys <last_alert_timestamp> and <last_alerts_id> are mandatory. State = <state>
This error is raised when the collector is upgraded or downgraded to an incompatible version.
Go back to a compatible version.
Remove persistence by modifying the
start_time
property.
PullError
300
Puller action cannot be executed when PrePull step failed
This error is raised when the prepull fails for whatever reason.
Check the logs to find the PrePull error.
301
Could not automatically determine credentials. Cause:<exception_message>. Aborting...
.pickle" has been created from base64 content
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method started |
Puller output
A successful initial run has the following output messages for the puller module:
Info |
---|
Note that the |
Code Block |
---|
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method started
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Retrieving persisted data
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> No persisted data found. The content will be initialized.
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> The <initial_start_time> did not change, so the persistence will not be reset
WARNING InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> The persistence changed and it will be updated. Current -> None | New -> {'initial_start_time': '2022-05-26T00:00:00.000Z', 'last_alert_timestamp': '2022-05-26T00:00:00.000Z', 'last_alert_ids': []}
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> PrePull method completed
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Starting data collection every 60 seconds
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Unpacking messages to start the delivery
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Made 1 request(s), received 24 message(s), filtered 0 message(s), delivered 24 message(s), tag used: "cloud.gsuite.alerts.activity_rule.1.unknown". avg_time_per_source_message: 61.463 ms
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Data collection completed. Elapsed time: 1.480 seconds. Waiting for 58.520 second(s) until the next one |
After a successful collector’s execution (that is, no error logs found), you will see the following log message:
Code Block |
---|
INFO InputProcess::GSuiteAlertsPuller(gsuite_alerts,1234,activity_rule,predefined) -> Made 1 request(s), received 24 message(s), filtered 0 message(s), delivered 24 message(s), tag used: "cloud.gsuite.alerts.activity_rule.1.unknown". avg_time_per_source_message: 61.463 ms |
Expand | ||
---|---|---|
| ||
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
|
Expand | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Check the logs to find the related errors
This error is raised when
|
Collector operations
This section is intended to explain how to proceed with specific operations of this collector.
...
Expand | ||
---|---|---|
| ||
Sometimes it is necessary to activate the debug mode of the collector's logging. This debug mode increases the verbosity of the log and allows you to print execution traces that are very helpful in resolving incidents or detecting bottlenecks in heavy download processes.
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode. |
Change log
...
Release
...
Released on
...
Release type
...
Details
...
For more information, visit the configuration and parameterization section corresponding to the chosen deployment mode. |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
| Improvements
Bug Fix
|
| |||||||||||||
|
| Improvements
|
| |||||||||||||
|
| Improvements:
New features:
| Recommended version
| |||||||||||||
|
| Improvements:
|
| |||||||||||||
|
| Improvements:
|
| |||||||||||||
|
| Bugs fixes:
|
| |||||||||||||
|
| Improvements:
|
| |||||||||||||
|
| New features:
|
| |||||||||||||
|
| New features:
Improvements:
|
|