In the G Suite App:
1) What data will it pull from G Suite into Splunk?
2) In Application Configuration, what will be the Google Apps Domain? Is it https://console.developers.google.com/?
3) What will be the Client ID or Client Secret for an application like Docs or email? Is it the G Suite Super Admin credentials only?
4) If Application Configuration requires the Super Admin credentials of G Suite, then what goes in Create New Credentials? Will it also have the Super Admin of G Suite? If yes, then what is the difference?
Hi All,
After following the steps, I can see the following error in the Splunk logs:
{ [-]
errors: [ [-]
{ [-]
exception_arguments: expected string or buffer
exception_type: TypeError
filename: ga.py
input_name: ga://Splunktest
line: 103
msg: expected string or buffer
}
]
log_level: ERROR
modular_input_consumption_time: Tue, 13 Aug 2019 07:15:20 +0000
timestamp: Tue, 13 Aug 2019 07:15:20 +0000
Can someone tell me what the issue could be?
TIA
Hi All - I have a question coming from Audit: does the data at any time traverse the app developer's cloud instance or any external cloud instance other than Google Cloud Platform? Does anybody have any idea? Thanks in advance!
Hi @splunk24,
As mentioned in my email, YOU NEED TO READ THE DOCUMENTATION. If you need further help, try getting on Slack (splk.it/slack) and ping me directly. The setup is not overly complicated, just follow the steps. Thanks!
As per the docs:
You must have enabled the Google Apps API - The Super Admin user will enable it, I believe.
You must have configured a credential for use with this App - So at console.developers we can have separate credentials which we will use for the G Suite app, right?
You must AUTHORIZE this app to make requests into Google Apps APIs. - How to authorize? If it is Application Configuration only, then the Google Apps Domain will be our company.com, but we want to pull only email or docs data. There is not an API project as such, so what will be the client ID and secret?
So I do not need to create a new proxy or create a new credential.
So how will Splunk get authorized to see or pull data from G Suite?
@splunk24 - I suggest you get your Google Admin in the room. You need a few things.
1) a Google User with Super Admin privs.
2) An API Project from console.developers.google.com with a Client ID and Secret. Generate it. It's right there in the console.
3) Authorize the app - I've provided the workflow on the Application Configuration Page. This is straightforward, input your tokens and domain, click the button, authorize the api calls (check for adblocker), and then put the auth token in the box, and click the button again. Standard OAUTH workflow.
4) Create an Input. Click the checkboxes you want.
Again - THIS DOES NOT PULL EMAIL ANYTHING. That is a cumbersome mess I haven't figured out yet.
Again - this is in the documentation. Have you tried any of this yet? It appears you haven't, so please try any of the steps and then ask more questions based on trial/error that you receive.
OK, will try that.
May I know the port number to authenticate the client ID or secret from Splunk to G Suite?
And on which port will data come to Splunk? I need to open the ports on the firewall.
Create client ID lands me in this option:
Application type
Web application
Android Learn more
Chrome App Learn more
iOS Learn more
PlayStation 4
Other
But I want data from G Drive only. Then which one do I select?
And what is to be entered here?
Enter JavaScript origins, redirect URIs or both
Authorised JavaScript origins
For use with requests from a browser. This is the origin URI of the client application. It cannot contain a wildcard (https://*.example.com) or a path (https://example.com/subdir). If you're using a non-standard port, you must include it in the origin URI.
Authorised redirect URIs
For use with requests from a web server. This is the path in your application that users are redirected to after they have authenticated with Google. The path will be appended with the authorisation code for access. Must have a protocol. Cannot contain URL fragments or relative paths. Cannot be a public IP address.
@alacercogitatus please respond