One of the great things about Splunk is that if there’s a data source you want to capture, there’s probably a way to do it. I recently needed to configure Google Drive audit logging to track student activity in an international security competition. For many log sources, I don’t have the ability to be both the client and the Splunk administrator and configure both sides of the data source. In this case, however, I was both a Google admin and a Splunk admin, which allowed me to capture the process on both sides.
Without further ado, here’s what you need to do to get this logging configured.
Splunk environment overview
The target Splunk environment for this data is a distributed one, with a search head, indexer cluster, and heavy forwarder. This process will be a bit different for a standalone Splunk environment.
I will be using the following Splunk apps to handle this data source:
The heavy forwarder will reach out to the Google APIs for grabbing data, and forward it to the indexers.
Also, note that this app has specific versions with Splunk 8.0 support as well as an older version with Splunk 7.3 support. Due to the Python changes in Splunk 8.0, be sure to use the right app for the version of Splunk you are using!
Begin by reviewing the configuration notes listed in the G Suite for Splunk app’s documentation: there’s a lot of good information on what is required, and it will likely be the most up-to-date source of information if (or when) Google’s APIs change for these data sources.
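To make concrete what the heavy forwarder is collecting, here is an added example (not the G Suite for Splunk app’s own code, which handles this internally) that pulls Drive audit activity from the Google Admin SDK Reports API and flattens each activity resource into a key=value line of the kind Splunk extracts fields from automatically. The record layout follows the Reports API `activities.list` response with `applicationName="drive"`; the sample records, e-mail addresses and IP addresses are constructed, and `fetch_drive_activities` (which needs `google-api-python-client` and a delegated credential) is an assumed way of doing the pull and is not called when the script runs offline. It also includes one defender-side check, flagging ACL changes whose `visibility_change` parameter is `external`, which is the kind of student activity this logging is meant to surface.

```python
"""
Flatten Google Workspace (G Suite) Drive audit activity records into
Splunk-style key=value events.  Added example; not the G Suite for Splunk
app's own code.  The record layout follows the Admin SDK Reports API
(activities.list with applicationName="drive"); the sample records below
are constructed.
"""

# Constructed sample shaped like a Reports API activities.list response
# (assumption: real responses carry the same keys; the values here are fake).
SAMPLE_RESPONSE = {
    "kind": "admin#reports#activities",
    "items": [
        {
            "kind": "admin#reports#activity",
            "id": {"time": "2020-03-01T14:05:22.000Z", "uniqueQualifier": "1111",
                   "applicationName": "drive", "customerId": "C0example"},
            "actor": {"email": "student1@example.edu", "profileId": "100"},
            "ipAddress": "203.0.113.10",
            "events": [{
                "type": "access", "name": "view",
                "parameters": [
                    {"name": "doc_title", "value": "challenge-notes"},
                    {"name": "doc_type", "value": "document"},
                    {"name": "owner_is_shared_drive", "boolValue": False},
                ],
            }],
        },
        {
            "kind": "admin#reports#activity",
            "id": {"time": "2020-03-01T14:06:00.000Z", "uniqueQualifier": "1112",
                   "applicationName": "drive"},
            "actor": {"email": "student2@example.edu"},
            "ipAddress": "203.0.113.11",
            "events": [{
                "type": "acl_change", "name": "change_user_access",
                "parameters": [
                    {"name": "doc_title", "value": "flag.txt"},
                    {"name": "target_user", "value": "outsider@example.com"},
                    {"name": "visibility", "value": "people_with_link"},
                    {"name": "visibility_change", "value": "external"},
                ],
            }],
        },
    ],
}


def _param_value(param):
    """A Reports API parameter carries exactly one of several typed value keys."""
    for key in ("value", "boolValue", "intValue", "multiValue"):
        if key in param:
            return param[key]
    return None


def flatten_activity(activity):
    """One activity resource -> one flat dict per event it contains."""
    base = {
        "_time": activity["id"]["time"],
        "app": activity["id"].get("applicationName"),
        "id": activity["id"].get("uniqueQualifier"),
        "actor": activity.get("actor", {}).get("email"),
        "src_ip": activity.get("ipAddress"),
    }
    flat_events = []
    for ev in activity.get("events", []):
        flat = dict(base)
        flat["event_type"] = ev.get("type")
        flat["event_name"] = ev.get("name")
        for p in ev.get("parameters", []):
            flat[p["name"]] = _param_value(p)
        flat_events.append(flat)
    return flat_events


def flatten_response(resp):
    """Flatten every activity in an activities.list response."""
    events = []
    for item in resp.get("items", []):
        events.extend(flatten_activity(item))
    return events


def to_kv(flat):
    """Render a flat event as one key="value" line for Splunk field extraction."""
    return " ".join(f'{k}="{v}"' for k, v in flat.items() if v is not None)


def is_external_share(flat):
    """True for ACL changes that opened a document to users outside the domain."""
    return (flat.get("event_name") == "change_user_access"
            and flat.get("visibility_change") == "external")


def fetch_drive_activities(credentials, start_time):
    """Pull Drive audit events from the Reports API, following pagination.
    Assumption: one way of doing what the app does internally; needs
    google-api-python-client and a delegated credential.  Not called here."""
    from googleapiclient.discovery import build  # lazy import: network client only
    svc = build("admin", "reports_v1", credentials=credentials)
    req = svc.activities().list(userKey="all", applicationName="drive",
                                startTime=start_time)
    items = []
    while req is not None:
        resp = req.execute()
        items.extend(resp.get("items", []))
        req = svc.activities().list_next(req, resp)
    return items


if __name__ == "__main__":
    for ev in flatten_response(SAMPLE_RESPONSE):
        flag = "  <-- external share" if is_external_share(ev) else ""
        print(to_kv(ev) + flag)
```

Run it with no arguments to see the two constructed records rendered as key=value lines; the second one is flagged because its `visibility_change` parameter is `external`. Each Drive audit parameter becomes its own field, so once these events land in the index you can search on `doc_title`, `target_user` or `visibility_change` directly.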
1.) First, create a new Splunk-specific account in the Google admin console that will be used for this audit functionality.
This is done by going to Users -> Add new user in the G Suite admin console.