Google workspace plugin and configuration

Hi all
I need your help. I’m using Graylog 4.3.10 and I need to collect Google Workspace logs.
My problems are

  1. I don’t have enterprise version and I need to understand the possibility to add that license.
  2. Enable the Google audit log. I looked at and applied all that is present in the google_input documentation and tested it using something else to read the Google logs: logstash on system.out

The problem is that I don’t see any message. The logstash plugin starts without error so I think that probably there is some misconfiguration in my Google environment.

Is there something that I can look at to understand why no logs are visible on my output?
I mean, maybe, somebody had my same problem and fixed it by adding some permission or role, or something else that I forgot now.

Thanks
Gianluca

Enterprise licensing is here… The google input won’t work until your license is valid.

One thing to note, the Free license will only work if you can keep data below 2GB per day …There is something like a three day non-consecutive grace count (of days over) per month before the free license abilities will fail.

Thanx
I Will test It ASAP.
In this way I hope to understand if my Google workspace configuration is correct

Hi @tmacgbay
I tried it but I have the link error.
Can you help me?

Which “IT” are you testing? What did you try?

Sorry, I mean it.
I tried the enterprise version but I have the error that I attached before.

I can’t install graylog

Hey,

I think you have an issue with your configuration file and/or plugins that needed to be installed. I found this here in your logs, which might create more issues.

WARN : org.graylog2.shared.plugins.PluginLoader - Plugin directory /usr/share/graylog/plugin does not exist, not loading plugins.

Also here

ERROR: org.graylog2.bootstrap.CmdLineTool - Guice error (more detail on log level debug): No implementation for java.util.Map<org.graylog2.storage.SearchVersion, javax.inject.Provider<org.graylog2.indexer.messages.MessagesAdapter>> was bound.

Guice will throw a MISSING_IMPLEMENTATION error when an application requests an object that Guice does not know how to create.

Thanx
I used the installation within JVM.
Currently I don’t use any plugin so I need to install graylog as it is.
Looking at the error, I think that something is missing in the setup configuration, or do I need to do something else?
I thought that it was installed without any problems

Hey @gianluca-valentini

So the plugin needed for Graylog-4.3 should have been installed if you executed something like this.

Debian/Ubuntu

sudo apt-get update && sudo apt-get install graylog-server  graylog-integrations-plugins

RedHat

sudo yum install graylog-server  graylog-integrations-plugins 

Found here

Not sure how you set up your server and the configuration, but judging from the errors I assume either the configuration and/or the installation is incorrect.

Hi @gsmith
I downloaded this v.5 version (with JVM) as I didn’t find the v4 one
Now during installation I have that error where some implementations are missing.

In this situation, what do I have to do?

It’s not clear if you are installing on Debian or Red Hat or Docker… It’s not clear how far you are in the installation process or what commands you have run… It’s not clear if you have installed the other required parts such as mongo or Elasticsearch or OpenSearch. It is not clear where your screen shot of the installation page is from (We are not Graylog employees). It is not clear if you have installed the plugins portion of the install as @gsmith suggested… It is not clear if you applied for the free enterprise license and have a reply… All you have given us so far is a screen shot of running Graylog manually… which isn’t how it’s normally started, with a series of errors related to the installation being incomplete… but I don’t know where you are in the installation. You really do have to give more information about where you are and what you are doing for us to give you help on how to resolve issues… I know we have posted these for you before: Tips for Asking Questions and How to ask questions. Please consider that we can help you better when you describe the issue and environment with relevant (and obfuscated if need be) detail…

Hi @tmacgbay
sorry if I made you waste your time. I will try to obtain more detailed information so that, if possible, you can give me a hand.

No waste of time - just need more info to help!! :smiley:

Hi @tmacgbay thanks for your answer.
I’m sorry I was not so precise so, let’s start from the beginning:

I’m trying to start graylog enterprise from a tgz downloaded from graylog website

the archive I downloaded was
https://downloads.graylog.org/releases/graylog-enterprise/graylog-enterprise-5.0.3-linux-x64.tgz

so it’s an official distribution caught from the official website nothing more nothing less.

Then I unpacked this artifact on an Ubuntu 20 VM:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.5 LTS"
NAME="Ubuntu"
VERSION="20.04.5 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.5 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

on this machine MongoDB is up and running:

MongoDB shell version v5.0.14
Build Info: {
    "version": "5.0.14",
    "gitVersion": "1b3b0073a0b436a8a502b612f24fb2bd572772e5",
    "openSSLVersion": "OpenSSL 1.1.1f  31 Mar 2020",
    "modules": [],
    "allocator": "tcmalloc",
    "environment": {
        "distmod": "ubuntu2004",
        "distarch": "x86_64",
        "target_arch": "x86_64"
    }
}

and so is Elasticsearch:

{
  "name" : "elastic-graylog-5ff7b6f978-kr7tn",
  "cluster_name" : "graylog",
  "cluster_uuid" : "6HLznA1TRSaQV5vhmR-bmg",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

I had other errors before this.
i.e. the /etc/graylog/server/server.conf file was not present so I copied the graylog.conf.example file and customized it to reach mongo/elastic and with other configuration such as the number of shards per index on Elasticsearch, but my configuration is pretty similar to the original file.

As you can see from log, Mongo and Elasticsearch are correctly reached from my installation/configuration:

org.graylog2.bootstrap.preflight.MongoDBPreflightCheck - Connected to MongoDB version 5.0.14
org.graylog2.bootstrap.preflight.SearchDbPreflightCheck - Connected to (Elastic/Open)Search version <Elasticsearch:7.10.2>

Obviously my ultimate goal is to install the Google Workspace plugin but at the moment, with an official distribution from Graylog, I’m far from starting the server.

When I am able to start plain Graylog enterprise, I’ll follow all your advice to install a licence or the plugin which is necessary for my final goal.

At the moment I’m stuck, as I already said yesterday, at:

1) [Guice/MissingImplementation]: No implementation for Map<SearchVersion, Provider<MoreSearchAdapter>> was bound.

which I think is not something about configuration, but related to official distribution I downloaded.

Thanks
Gianluca

Ah!! Lots more detail!

Although I have not installed Opensource 5 yet I am reasonably sure it works like v4.x where you can enter the code given to you for the free license. So I would recommend downloading the Debian Opensource install and get that running. When you apply for the free license they will ask for some details on your install.

I am not sure what the enterprise versions are on that page, they may be for ease of use for paying customers and you should definitely use a Debian package since you are using Ubuntu - a tgz install is generally more manually intensive and slightly more likely to have errors. The point that you didn’t have a server.conf and had to pull it from somewhere else shows that a bit.

Hey @gianluca-valentini

Can I ask why you’re using a .tgz file on Ubuntu? Have you tried just installing it through APT?

Hi @gsmith,
Thank you for your replies.
I dropped the previous installation method and managed to install as you did, via apt, with the following commands:

wget https://packages.graylog2.org/repo/packages/graylog-5.0-repository_latest.deb
sudo dpkg -i graylog-5.0-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server

then I configured server.conf and launched those other commands:

sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service

and the result is that Graylog is started:

INFO [ServerBootstrap] Graylog server up and running.

I accessed Graylog’s UI and under “Enterprise” tab I can see:

This is the status of Graylog Enterprise modules in this cluster:

  • Graylog Plugin Enterprise is not installed

So I stopped graylog and tried to install enterprise plugin BEFORE requesting a Small Business License as you can see here:

3. Once you have installed Graylog Open and downloaded the Enterprise Plugin, fill out this form to generate your <2GB Graylog Small Business License Key.

Now the problem is that running this command:

sudo apt-get update && sudo apt-get install graylog-integrations-plugin

the result is

E: Unable to locate package graylog-integrations-plugin

and I’m not able to download the Enterprise plugin.
Can you help me to understand what I’m doing wrong?

you may be missing the S on the end?

graylog-integrations-plugins

EDIT: Somehow I typed E… ho I must have been distracted. E.

Hi @tmacgbay,
Package graylog-integrations-plugins is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
graylog-server

E: Package ‘graylog-integrations-plugins’ has no installation candidate

Gianluca

Hey, @gianluca-valentini
Depending on what version you installed, I gave you the links to the documentation for what’s needed below.

Prior to version 5 you need multiple packages, but with GL version 5.0 you have two, Opensource and Enterprise, which should contain all the integrations within each one.

Graylog Server 4.3.x installation here

Graylog Server 5…x Installation here