Your In-Depth Guide to Collecting Google Drive Activity Logs in Splunk
One of the great things about Splunk is that if there's a data source you want to capture, there's probably a way to do it. I recently needed to configure Google Drive audit logging to track student activity in an international security competition. For many log sources, I don't have the ability to be both the client and the Splunk administrator and configure both sides of the data source. In this case, however, I was both a Google admin and a Splunk admin, which allowed me to capture the process on both sides.
Without further ado, here’s what you need to do to get this logging configured.
Splunk environment overview
The target Splunk environment for this data is a distributed one, with a search head, indexer cluster, and heavy forwarder. This process will be a bit different for a standalone Splunk environment.
I will be using the following Splunk apps to handle this data source:
- On the heavy forwarder, Input Add-On for G Suite
- On the search head, G Suite For Splunk
The heavy forwarder will reach out to the Google APIs to pull the data and forward it to the indexers.
Also, note that the add-on has specific versions with Splunk 8.0 support as well as an older version with Splunk 7.3 support. Splunk 8.0 moved its bundled interpreter to Python 3, so an add-on built for 7.3 will not load correctly on 8.0 (and vice versa). Be sure to use the right app for the version of Splunk you are using!
Begin by reviewing the configuration notes listed in the G Suite for Splunk app's documentation. There's a bunch of good information on what is required, and it will likely be the most up-to-date source of information if (or when) Google's APIs change for these data sources.
1.) First, create a new Splunk-specific account in the Google admin console that will be used for this audit functionality.
This is done by going to Users -> Add new user in the G-suite admin console.
Keep track of the credentials set on this user; you'll need them later.
2.) This newly-created user will require additional privileges to access the information in the organization.
Click on the username in your list of users, expand the Admin roles and privileges section, and assign the Super Admin role to this user. Note: The app recommends Super Admin permissions for this access, and I've not tested this with anything lesser. Keep in mind that Super Admin gives this account full control of the whole G Suite organization, so enable 2-Step Verification on it, store its password in a secrets manager, and treat the OAuth tokens Splunk will hold for it as equally sensitive.
3.) Next, this new user will need API access configured and assigned.
Go to https://console.developers.google.com/, and log in with the newly created account.
4.) From the console dashboard, search for and enable the following APIs:
- Admin SDK
- G Suite Alert Center API
- Google Drive API
5.) In order to create the API access, you’ll need to create an OAuth consent screen.
This is the pop-up that appears when logging into a service with your Google account, except this one will be particularly scary since this account is able to do all sorts of things requiring elevated permissions.
Navigate to the OAuth consent screen section, and follow the prompts to create an internal application (internal means only accounts in your own organization can grant it access). You'll need to click the "Add scope" button and add the scopes the add-on requires for admin activity and Google Drive activity; the app's documentation lists the exact scope strings.
6.) Next, create an OAuth Client ID by navigating to Credentials -> Create Credentials.
7.) Select Desktop app as the application type and specify a name for the client ID.
8.) Upon clicking create, you’ll be shown a client ID and secret that we’ll configure in Splunk in the next section.
Treat the client secret like a password: be sure to redact it before posting a screenshot of it on the Internet.
Tip: Use the buttons on the right of each of the boxes to copy the entire content. It's easy to miss part of the string if you select it by hand, and then the authorization will fail (I may have learned this from experience).
That wraps up what we need to do in the Google console. Next, let’s configure Splunk!
On your heavy forwarder, install the Input Add-On for G Suite. From here, you'll configure the application details for using the APIs we just set up on the Google side.
1.) From the app’s setup screen, enter the G Suite Domain for your G Suite account as well as the Client ID and Client Secret obtained earlier.
2.) Next, click Authorize Step 1.
This will pop up a Google authentication window. Be sure to log in with the account you created with the OAuth application and API access enabled. This will present you with quite possibly the scariest-looking Google permissions screen you’ve ever seen:
3.) Since you created this app, go ahead and click Allow.
Upon doing so, you'll receive an authorization token that you should copy; we'll be putting this into Splunk in the next step.
4.) Paste the authorization token into Splunk, and click “Authorize Step 2.”
5.) If everything worked correctly, you'll see a message indicating "Credentials Written to Encrypted Password Store." From this point on, the heavy forwarder holds the tokens that let it act as the Super Admin account, so restrict who has admin access to that host.
Create a G Suite Input
Next, we’ll want to create a G Suite input in the app. Click “Create New G Suite Input” to do so. For this example, I enabled a few of the activity indicators and set a 600 second interval as well as an index of my choice. Standard disclaimers here apply about ensuring that the index storing this data exists, and that the right users have access.
Search the data!
Now you'll be able to use the data in Splunk. For example, to review Drive activity, start with a search scoped to the index you chose and the add-on's Drive activity sourcetype, then narrow it down by actor, event name, or document title.
And there you go: near real-time activity monitoring of everything that happens in Google Drive.
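To show what "activity monitoring" can look like once the events are flowing, here is an added example that is not part of the original post or of either Splunk app. It triages Drive audit records shaped like the Admin SDK Reports API response items (applicationName "drive"), which is the data the Input Add-On pulls. The event names (change_user_access, change_document_visibility, download) and parameter names (doc_title, target_user, visibility) follow Google's published Drive audit schema; the org domain, the download threshold, and every sample record are constructed assumptions for this example, and nothing here relies on the Splunk field extractions the app provides.

```python
"""
Added example (not from the original post or the G Suite add-ons): triage
Google Drive audit activity records of the shape returned by the Admin SDK
Reports API (applicationName=drive). Event and parameter names follow
Google's Drive audit schema; the domain, threshold and sample records below
are constructed assumptions for this example.
"""
import json
from collections import Counter

ORG_DOMAIN = "example.edu"   # assumption: the monitored G Suite domain
DOWNLOAD_THRESHOLD = 3       # assumption: more downloads than this per actor is "bulk"

# Drive audit visibility values that mean people outside the org can reach the file.
OPEN_VISIBILITY = {"people_with_link", "public_on_the_web", "shared_externally"}


def flatten_params(event):
    """Collapse a Reports API 'parameters' list into a dict.

    Each parameter carries exactly one of value / boolValue / intValue /
    multiValue, so the first of those keys that is present wins.
    """
    out = {}
    for p in event.get("parameters", []):
        for key in ("value", "boolValue", "intValue", "multiValue"):
            if key in p:
                out[p["name"]] = p[key]
                break
    return out


def triage(records, org_domain=ORG_DOMAIN, download_threshold=DOWNLOAD_THRESHOLD):
    """Scan Drive audit records and return a list of findings (dicts).

    Rules:
      external_share - change_user_access whose target_user is outside org_domain
      open_link      - change_document_visibility to a link/public visibility
      bulk_download  - one actor downloading more than download_threshold files
    """
    findings = []
    downloads = Counter()
    for rec in records:
        actor = rec.get("actor", {}).get("email", "unknown")
        when = rec.get("id", {}).get("time")
        for ev in rec.get("events", []):
            p = flatten_params(ev)
            name = ev.get("name")
            title = p.get("doc_title", "?")
            if name == "change_user_access":
                target = p.get("target_user", "")
                if target and not target.lower().endswith("@" + org_domain):
                    findings.append({"rule": "external_share", "actor": actor,
                                     "time": when, "doc": title, "target": target})
            elif name == "change_document_visibility":
                if p.get("visibility") in OPEN_VISIBILITY:
                    findings.append({"rule": "open_link", "actor": actor,
                                     "time": when, "doc": title,
                                     "visibility": p["visibility"]})
            elif name == "download":
                downloads[actor] += 1
    for actor, n in downloads.items():
        if n > download_threshold:
            findings.append({"rule": "bulk_download", "actor": actor, "count": n})
    return findings


def _rec(actor, time, ev_type, name, **params):
    """Build a constructed activity record in the Reports API item shape."""
    plist = [{"name": k, "value": v} for k, v in params.items()]
    return {"id": {"time": time, "applicationName": "drive"},
            "actor": {"email": actor},
            "events": [{"type": ev_type, "name": name, "parameters": plist}]}


# Constructed sample records (not real data): one external share, one view,
# one internal share, one link-sharing change and four downloads by one user.
SAMPLE_RECORDS = [
    _rec("student1@example.edu", "2020-03-01T12:00:00.000Z", "acl_change",
         "change_user_access", doc_title="Final Report",
         target_user="alice@gmail.com", visibility="shared_externally"),
    _rec("student1@example.edu", "2020-03-01T12:01:00.000Z", "access", "view",
         doc_title="Final Report"),
    _rec("student2@example.edu", "2020-03-01T12:02:00.000Z", "acl_change",
         "change_user_access", doc_title="Flag Notes",
         target_user="teammate@example.edu", visibility="private"),
    _rec("student2@example.edu", "2020-03-01T12:03:00.000Z", "acl_change",
         "change_document_visibility", doc_title="Flag Notes",
         visibility="people_with_link"),
] + [
    _rec("student3@example.edu", f"2020-03-01T12:1{i}:00.000Z", "access",
         "download", doc_title=f"challenge-{i}.pdf") for i in range(4)
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

Run as-is it prints three findings: the external share to a gmail.com address, the switch of "Flag Notes" to anyone-with-the-link, and the four downloads by student3. The same three rules map directly onto saved searches once the events are in Splunk; the point of doing it in code here is to make the event shape and the parameter flattening explicit, since that is what any field extraction or search is ultimately keying on.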
This format isn’t the easiest to write tutorials on as I rarely have access to both sides of the configuration, but I do hope to offer more tutorials like this in the future. I definitely learned a few things about G Suite administration getting this set up, and I hope you did, too! Happy Splunking!
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.