Set up the Splunk Add-on for Google Cloud Platform

You can configure the add-on either through Splunk Web or by making changes directly in the configuration files. Due to the complexity of the setup, configure the add-on in Splunk Web.

Configure the Splunk Add-on for Google Cloud Platform using Splunk Web

To configure the Splunk Add-on for Google Cloud Platform using Splunk Web, complete the following steps:

  1. Go to the Splunk Add-on for Google Cloud Platform configuration page, either by clicking the name of the add-on on the left navigation banner on the home page, or by going to Manage Apps, and then clicking Launch App in the row of Splunk Add-on for Google Cloud Platform.
  2. Click the Configuration tab to set up Google credentials, proxy, and logging level.
  3. On the Google Credentials tab, click Add.
  4. Enter a name, select an Account Type, and paste the Google account JSON object that you created in Create account into the Google Account Credentials field. Then click Add.
  5. If you are using a proxy, click on the Proxy tab, check the Enable Proxy checkbox and fill in the fields to specify the Host, Port, Username, and Password and then click Save.
    • (Optional) If you checked Enable Proxy, check the DNS resolution box if you want to perform DNS resolution through your proxy.
    • (Optional) If you checked Enable Proxy, select the type of proxy to use in the Proxy Type field. Supported proxy types are http and socks5.
  6. (Optional) If you want to change the logging level, click the Logging tab, select a new level from the drop-down menu, and click Save.

Set up the add-on using configuration files

Configure credentials of the Splunk Add-on for Google Cloud Platform by completing the following steps:

  1. Create a file named google_cloud_credentials.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/local.
  2. Create a stanza in google_cloud_credentials.conf using the following template:

    [<name>]
    # Google account key in JSON format, downloaded from the Google admin console.
    google_credentials = <value>
    # Google credential type
    account_type = <value>

    • You can add multiple Google credentials in google_cloud_credentials.conf. Remove all line breaks from the JSON file so that it is a single line, and then paste it into google_cloud_credentials.conf.

    For example, remove the line breaks in the following JSON file:

    {
      "type": "service_account",
      "project_id": "my-project",
      "private_key_id": "32a3be8f2f0dcfe967ea558e486deaereacfas0c2497e",
    }
    

    Then, paste the following into the google_cloud_credentials.conf file:

      google_credentials={"type": "service_account","project_id": "my-project","private_key_id": "32a3be8f2f0dcfe967ea558e486deaereacfas0c2497e",}
    

Configure proxy and logging levels of the Splunk Add-on for Google Cloud Platform

Configure proxy and logging levels of the Splunk Add-on for Google Cloud Platform by completing the following steps:

  1. Copy the google_global_settings.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/default to $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/local.
  2. Open the local version of the file in a text editor.
  3. Provide the necessary values and change default values as you see fit (see google_cloud_global_settings.conf.spec in the $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/README directory for reference).
    • Enable the proxy by setting proxy_enabled to 1.
    • Change proxy_type to http or socks5 if necessary.
    • Change proxy_rdns to 1 if you want DNS lookups to go through the proxy. Leave it at 0 if you want the local machine to perform DNS lookups.
    • Change loglevel to DEBUG or ERROR if desired.
    • If you want the Splunk platform to index events only from scans that completed successfully, skipping scans that were aborted or are still running, change index_events_for_unsuccessful_scans to 0. This parameter is not exposed in Splunk Web.

After updating google_global_settings.conf, restart the Splunk platform to apply the changes and encrypt the proxy username and password.

Application Default Credentials (ADC)

Application Default Credentials (ADC) is a strategy used by the authentication libraries to automatically find credentials based on the application environment. The authentication libraries make those credentials available to Cloud Client Libraries and Google API Client Libraries. When you use ADC, your code can run in either a development or production environment without changing how your application authenticates to Google Cloud services and APIs.

Search order

ADC searches for credentials in the following locations:

  1. GOOGLE_APPLICATION_CREDENTIALS environment variable
  2. A credential file created by using the gcloud auth application-default login command
  3. The attached service account, returned by the metadata server

Note

The order of the locations ADC checks for credentials is not related to the relative merit of each location. For help with understanding the best ways to provide credentials to ADC, see https://cloud.google.com/docs/authentication/application-default-credentials.
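
To see which of the three locations would be picked up on a given host, the search order can be walked explicitly. This is an added example, not part of the add-on or of Google's libraries; the function names and result labels are assumptions, and only the Linux/macOS path of the gcloud credential file is covered.

```python
import os
import posixpath
import urllib.request

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"
# Linux/macOS location written by `gcloud auth application-default login`
# (assumption of this example: Windows, which uses %APPDATA%\gcloud, is not covered).
WELL_KNOWN = ".config/gcloud/application_default_credentials.json"


def probe_metadata(timeout=1.0):
    """True if a GCP metadata server answers (only reachable on Google Cloud)."""
    req = urllib.request.Request("http://metadata.google.internal/",
                                 headers={"Metadata-Flavor": "Google"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.headers.get("Metadata-Flavor") == "Google"
    except OSError:  # DNS failure, refused connection, timeout
        return False


def adc_source(env, file_exists, metadata_up):
    """Return (source, detail) for the first location in the ADC search order.

    env is a mapping of environment variables, file_exists a callable taking a
    path, and metadata_up a callable that reports whether a metadata server answers.
    """
    explicit = env.get(ENV_VAR)
    if explicit:
        # A set-but-dangling variable is reported, not skipped, so a stale
        # export on the Splunk host is visible to whoever runs the audit.
        label = "env_var" if file_exists(explicit) else "env_var_missing_file"
        return (label, explicit)
    well_known = posixpath.join(env.get("HOME", "/"), WELL_KNOWN)
    if file_exists(well_known):
        return ("gcloud_user_file", well_known)
    if metadata_up():
        return ("metadata_server", "attached service account")
    return ("none", None)


if __name__ == "__main__":
    print(adc_source(os.environ, os.path.isfile, probe_metadata))
```

Run it as the operating-system user that runs Splunk, since the environment variable and the home directory are both per-user.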

Automatic account creation

When ADC is detected in a customer environment, the add-on will automatically create a service account named adc_account_<project_id>. This account is only created for customer-managed on-premise instances and not for cloud instances.

See the following example of an automatically created ADC account stanza in google_cloud_credentials.conf:

    [adc_account_project-id]
    adc_account = 1
    google_credentials = ********
    disabled = 0