FileBeat Gsuite module deprecated?

ido · February 2, 2021, 7:50am

TL;DR - gsuite module does not send logs although it seems that I've done everything right (more details in the post). I looked at the source code and there was a comment saying "Gsuite module is deprecated... use Google Workspace module instead."
does this mean that it is currently broken until google workspace will replace it?

I wanted to check the possibility of using the gsuite module, so I installed filebeat, elastic search, kibana and logstash (to save logs in s3).
When I ran filebeat over local logs everything worked fine, and logs got save to my configured s3.
Then I tried to configure the gsuite module, and although everything seemed fine (filebeat logs showed that all of the 6 inputs from the module were successfully loaded), no logs came out.
I did a lot of digging, and then I found the note about gsuite being deprecated in the module code.
Does this mean that the module is not currently working?

I ran filebeat using "filebeat -e -d "*" ", and no errors regarding the module were printed.

I'm attaching my module config just in case (and the email is the super admin email)

gist.github.com

https://gist.github.com/ido-hunters/6eb7c6ce94585d67fd491320d1899bc1

gistfile1.txt

filebeat.modules:
- module: google_workspace
  saml:
    enabled: true
    var.jwt_file: /path/to/gsuite.json
    var.delegated_account: super-admin@company.com
  user_accounts:
    enabled: true
    var.jwt_file: /path/to/gsuite.json
    var.delegated_account: super-admin@company.com

This file has been truncated. show original

Thanks!

marc.guasch · February 2, 2021, 10:47am

Hello! Which filebeat version are you running? I see your config is referencing google_workspace module instead of gsuite, which is not included in 7.10 which is our latest release.

Also, if you could include the output of the logs, that would help us to get a bit more information.

In the meantime, you can manually try an API call to see if there are events to report:

Access OAuth 2.0 Playground
Log in with the account used in delegated_account
In step 1 fill in the scope https://www.googleapis.com/auth/admin.reports.audit.readonly and hit the authorize button
In step 2 fill the Authorization code with the one obtained from Step 1
In step 3 fill in the url https://www.googleapis.com/admin/reports/v1/activity/users/all/applications/admin and check what the response is to verify data

You can add startTime parameter set to a date in the last 24h which is the default initial value used by the module.

Are you able to get any records back?

ido · February 2, 2021, 2:04pm

Hey, thanks for the reply!

I'm using filebeat 7.10.2.
I accidentally attached the config I tried in order to make use of google_workspace (because I've seen it in the repo), but what I described above was relevant to the gsuite module.
(when trying to run this with the google_workspace filebeat ofc doesn't recognise the module)

These are the logs I get when running the gsuite module, using this command:

filebeat -e -d "*" --modules gsuite &> ~/tmp/filebeat_logs.txt

I tried the playground, and it does return me records (a json with a list of items)
Also, when I tried to run the module I logged in into google drive and the admin workspace just to be sure there was activity, but nothing was received in filebeat.

system · March 2, 2021, 4:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.