Configure the Splunk Add-on for Google Workspace
Perform the following steps to configure the Splunk Add-on for Google Workspace to collect data from your Google Workspace deployment.
Version 2.4.1 of the Splunk Add-on for Google Workspace includes a new modular input option for customers who migrated from Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. This modular input is called Gmail Logs Migrated and has all of the same parameters as the Gmail Logs modular input. The format of the log has not changed after the migration, and there are no changes needed with regards to Common Information Model (CIM) field mappings for the migrated data. For more information, see the Gmail logs in BigQuery topic in the Google Workspace Admin Help portal, and the Google Workspace logs and reports in BigQuery topic in the Google Workspace Admin Help portal.
Add your Google Workspace account information
Add your Google Workspace account information to the Splunk Add-on for Google Workspace using Splunk Web.
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Select the Configuration tab.
- On the Accounts tab, select the Add button.
- In the Add Accounts window, enter the following information:
  - In the Name field, create a name for your account.
  - If you are adding a service account to collect activity reports, in the Username field, enter the email address that has the role of Organization Administrator for the same project where you created your service account. If you are adding a service account to collect Gmail logs, you can leave this field blank.
  - In the Certificate field, paste the contents of the JSON key file that you created in the Keys section of your Google Cloud Platform deployment.
- Select the Add button.
Configure activity report data collection using Splunk Web
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Select the Inputs tab.
- On the Inputs tab, select the Create New Input button.
- In the Add Activity window, fill in the required fields:
  - Name: A unique name for the new data input.
  - Application Name: The API that the Splunk software uses to collect your data. Available values are Admin, Login, Drive, SAML, OAuth Token, Context-Aware Access, Google Calendar, Google Cloud Platform, Enterprise Groups, Rules, Chat, Mobile, or Chrome.
  - Interval: Time interval of the data input, in seconds.
  - Lookback Offset: The lag time to wait before collecting events, in seconds. The appropriate value depends on the data lag time of each input; for recommended values, see the Data retention and lag times topic in the Google Workspace Admin Help manual.
  - Service Account to use: Connected GWS service account.
  - Index: Name of the destination index.
- Select the Add button.
Configure usage report data collection using Splunk Web
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Click the Inputs tab.
- On the Inputs tab, click the Create New Input button.
- In the Add Usage Report window, fill in the required fields:
  - Name: A unique name for the new data input.
  - Endpoint: The API that the Splunk software uses to collect your data. Available values are userUsageReport, entityUsageReport, or customerUsageReport.
  - Interval: Time interval of the data input, as a cron expression. Set the interval to at least one day, because usage reports are generated daily. This input takes lag times and data retention into account: each run collects reports up to the input's execution date minus 4 days. For more information about lag times and data retention, see the Data retention and lag times topic in the Google Workspace Admin Help manual.
  - Service Account to use: Connected GWS service account.
  - Index: Name of the destination index.
  - Start Time: Start time of the input. The oldest possible value is now - 180 days and the newest possible value is now - 4 days, because of lag times and data retention (see the Data retention and lag times topic).
- Click the Add button.
Configure Gmail headers data collection
Configure Gmail headers data collection for the Splunk Add-on for Google Workspace using Splunk Web.
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Select the Inputs tab.
- On the Inputs tab, select the Create New Input button.
- Select Gmail Logs. If you are a customer who has already migrated to Google Workspace logs and reports in BigQuery, you must choose the "Gmail Logs Migrated" input.
- In the Add Gmail Logs window, fill in the required fields:
  - Name: A unique name for the new data input.
  - Interval: Time interval of the data input, in seconds.
  - Service account to use: Google Cloud Platform service account created for Gmail logs.
  - Dataset name: BigQuery dataset name.
  - Dataset location: BigQuery dataset location name (US or EU).
  - GCP Project ID: Google Cloud Platform project ID where the Gmail logs BigQuery export was enabled.
  - Index: Name of the destination index.
- Select the Add button.
Configure Gmail User Identity data collection
Configure Gmail User Identity collection for the Splunk Add-on for Google Workspace using Splunk Web.
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Select the Inputs tab.
- On the Inputs tab, select the Create New Input button.
- Select GWS Users Identity.
- In the Add GWS User Identity List window, fill in the required fields:
  - Name: A unique name for the new data input.
  - Interval: Time interval of the data input, in seconds.
  - GWS Service Account: Google Cloud Platform service account created for Gmail logs.
  - GWS Customer ID: GWS customer ID that will be used for the identity list. To find the customer ID, see Find your customer ID in the Google Workspace Admin Help.
  - Index: Name of the destination index.
- Select the Add button.
Configure Alert Center data collection using Splunk Web
- On the Splunk platform instance where you want to collect data, navigate to the Splunk Add-on for Google Workspace.
- Select the Inputs tab.
- On the Inputs tab, select the Create New Input button.
- In the Add Alert Center window, fill in the required fields:
  - Name: A unique name for the new data input.
  - Interval: Time interval of the data input, in seconds.
  - GWS Service Account: Google Cloud Platform service account created for Gmail logs.
  - Alert source: Alert source to collect data from. There are 2 options: Gmail phishing and Everything except Gmail phishing. The Gmail phishing option has a 4 hour delay and the Everything except Gmail phishing option has a 10 minute delay. See View alert details in the Google Workspace Admin Help.
  - Index: Name of the destination index.
- Select the Add button.
Create an identity lookup in Splunk Enterprise Security
Integration can be done through a custom event type. The following event type has been configured in the Splunk Add-on for Google Workspace: gws_users_identity.
For information on using cloud service provider data to register your identities, create a lookup, and schedule a search to run on a regular basis in Splunk Enterprise Security, see the Create an identity lookup from your cloud service provider data in Splunk Enterprise Security topic in the Splunk Enterprise Security manual.
Configure the Splunk Add-on for Google Workspace through inputs.conf
You can create an inputs.conf file and configure the Splunk Add-on for Google Workspace in this file, instead of using Splunk Web.
- Navigate to the $SPLUNK_HOME/etc/apps/Splunk_TA_Google_Workspace/local folder.
- Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_Google_Workspace/local folder.
- Using a text editor, open the inputs.conf file.
- Add the following stanza and lines, replacing the values with your deployment's configuration:

  ```
  [activity_report://<input name>]
  account = test1
  application = admin
  index = activities_token
  interval = 3600
  lookbackOffset = 10800
  ```

- Save the file.
- Restart your Splunk instance for the new input to take effect.
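A hand-written inputs.conf is easy to get subtly wrong (a typo in a key, an upper-case application name, a non-numeric interval), and the add-on only reports that at runtime. The following check is an added example, not part of the add-on: it parses the activity_report stanzas shown above and flags the mistakes the Splunk Web form would otherwise catch. Only the value admin is on this page; the other lower-case application spellings in KNOWN_APPLICATIONS are assumed from the Reports API names and should be adjusted to match your add-on version.

```python
import configparser

# Assumed conf spellings of the Splunk Web Application Name values (only "admin" is on the page).
KNOWN_APPLICATIONS = {"admin", "login", "drive", "saml", "token", "context_aware_access",
                      "calendar", "gcp", "groups_enterprise", "rules", "chat", "mobile", "chrome"}
REQUIRED_KEYS = ("account", "application", "index", "interval", "lookbackOffset")

# Constructed sample: the page's stanza plus a deliberately broken one.
SAMPLE_INPUTS_CONF = """
[activity_report://gws_admin]
account = test1
application = admin
index = activities_token
interval = 3600
lookbackOffset = 10800
[activity_report://gws_broken]
account =
application = Admin
index = activities_token
interval = -5
"""

def parse_inputs_conf(text):
    """Return {stanza: {key: value}}; optionxform=str keeps lookbackOffset's case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def validate_activity_stanza(fields):
    """Return the problems found in one activity_report stanza (empty list means OK)."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if not fields.get(k, "").strip()]
    app = fields.get("application", "")
    if app and app not in KNOWN_APPLICATIONS:
        problems.append(f"unknown application {app!r} (expected lower case)")
    interval = fields.get("interval", "").strip()
    if interval and not (interval.isdigit() and int(interval) > 0):
        problems.append(f"interval must be a positive number of seconds, got {interval!r}")
    offset = fields.get("lookbackOffset", "").strip()
    if offset and not offset.isdigit():
        problems.append(f"lookbackOffset must be a whole number of seconds, got {offset!r}")
    return problems

def validate_inputs_conf(text):
    """Map every activity_report stanza to its problems; other stanza types are skipped."""
    return {name: validate_activity_stanza(fields)
            for name, fields in parse_inputs_conf(text).items()
            if name.startswith("activity_report://")}
```

Run validate_inputs_conf on the contents of your local inputs.conf before restarting Splunk; an empty list for a stanza means it passed every check.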