
Splunk Add-on for Google Cloud question

Hi all,

For our SecOps we currently have two setups to analyse GCP audit logs, an Elastic and a Splunk instance.
We're using an aggregated sink -> pub/sub topic to export the logs to both systems.
Our Elastic instance is working fine, but with our Splunk instance we have an issue ingesting the logs.

When I look at the service accounts involved, at the metric 'Service account usage per API' to be more specific, I see the Elastic SA utilises the 'pubsub.googleapis.com' but the Splunk SA is trying to use the 'cloudresourcemanager.googleapis.com' to which the SA has no permission, so it fails.

Does the Splunk add-on need some more configuration to point it to the 'pubsub.googleapis.com'?

Thanks for your answers in advance.

Cheers,
Rob


Generally, we recommend using the more cloud-native push-based method to export logs from Pub/Sub to your third-party tool. That method is simpler and more secure as it doesn't require you to grant external access or manage service account keys and their IAM permissions. Here are some detailed instructions with respect to both Splunk and Elastic.

That said, if you still wish to use the Splunk Add-on for Google Cloud Platform to pull logs from Pub/Sub, see the Splunk docs for the list of IAM permissions required. While the IAM permissions resourcemanager.projects.{get|list} are listed on that page, those permissions are not required to pull data from Pub/Sub. I'm pretty sure this permission is needed to retrieve the list of projects if you are configuring the modular inputs via Splunk Web (UI) (see the projects dropdown in the screenshot below); however, I recommend you reach out to Splunk for Add-on questions and support.

[Screenshot: projects dropdown in the Splunk Web modular input configuration]
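As an added example (not code from this thread, Google or Splunk), a short Python script that rebuilds the per-service-account, per-API view the 'Service account usage per API' metric gave Rob, but from the audit-log stream the sink already exports: it counts calls per identity and API and flags PERMISSION_DENIED entries together with the permissions that were checked. The log entries are constructed for this example; field names follow the Cloud Audit Log (google.cloud.audit.AuditLog) schema, while the service account emails and project id are assumed.

```python
import json
from collections import defaultdict

# Constructed sample audit-log entries, shaped like the LogEntry JSON an aggregated
# sink exports to Pub/Sub (google.cloud.audit.AuditLog payload). The principal
# emails, project id, method names and timestamps are invented for this example.
SAMPLE_LINES = [
    json.dumps({"timestamp": "2022-12-12T10:00:01Z", "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "pubsub.googleapis.com",
        "methodName": "google.pubsub.v1.Subscriber.Pull",
        "authenticationInfo": {"principalEmail": "elastic-sa@example-project.iam.gserviceaccount.com"},
        "authorizationInfo": [{"permission": "pubsub.subscriptions.consume", "granted": True}]}}),
    json.dumps({"timestamp": "2022-12-12T10:00:02Z", "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "ListProjects",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "splunk-sa@example-project.iam.gserviceaccount.com"},
        "authorizationInfo": [{"permission": "resourcemanager.projects.list"}]}}),
    '{"textPayload": "not an audit log entry"}',  # non-audit entries are skipped
]

PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code


def summarize_sa_api_usage(lines):
    """Return {principal: {service: {"calls": n, "denied": m, "missing": set}}}.

    Gives, from the exported log stream, the same picture as the "service account
    usage per API" metric: which API each identity calls and where it is refused.
    """
    usage = defaultdict(lambda: defaultdict(lambda: {"calls": 0, "denied": 0, "missing": set()}))
    for line in lines:
        payload = json.loads(line).get("protoPayload") or {}
        if not payload.get("@type", "").endswith("google.cloud.audit.AuditLog"):
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        entry = usage[principal][payload.get("serviceName", "<unknown>")]
        entry["calls"] += 1
        if payload.get("status", {}).get("code") == PERMISSION_DENIED:
            entry["denied"] += 1
            # authorizationInfo lists the permissions checked; "granted" is absent or False when refused
            for auth in payload.get("authorizationInfo", []):
                if not auth.get("granted"):
                    entry["missing"].add(auth["permission"])
    return usage


def denied_calls(usage):
    """List (principal, service, sorted missing permissions) for every refused API call, for triage."""
    return [(p, s, sorted(v["missing"])) for p, svcs in usage.items() for s, v in svcs.items() if v["denied"]]
```

Denied entries for Resource Manager list calls only show up if Data Access audit logs are enabled for that service, as they are off by default; until then the metric Rob used remains the quicker place to look.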