I want to add vault logs to my inputs.conf for the Google Workspace TA. I added the following stanza
[activity_report://VaultReport]
account = <company>
application = vault
index = gsuite
interval = 300
lookbackOffset = 14400
disabled = 0

But I see the following error coming from the /app/splunk/var/log/splunk/splunk_ta_google_workspace_VaultReport.log -

Parameter "applicationName" value "" does not match the pattern "(access_transparency)|(admin)|(calendar)|(chat)|(chrome)|(context_aware_access)|(data_studio)|(drive)|(gcp)|(gplus)|(groups)|(groups_enterprise)|(jamboard)|(keep)|(login)|(meet)|(mobile)|(rules)|(saml)|(token)|(user_accounts)"

How can I add vault logs to Splunk?
While the app that you tagged does not support Vault ingest, check out https://splunkbase.splunk.com/app/5498 that does have an input for Vault, among others. Thanks!
Thank you so much @alacercogitatus, I installed it, and Vault data is being streamed in. One thing I don't understand is how do they relate to each other? Should I switch all sourcetypes to https://splunkbase.splunk.com/app/5498 or keep only Vault on this one?
The line application = vault is the issue. It's not supported as a stanza in the TA. The link below has the supported values.
Configure the Splunk Add-on for Google Workspace - Splunk Add-on for Google Workspace
That being said, what you could do is write a short script that uses the Google API to pull the Vault audit event into a custom input
Vault Audit Activity Events | Admin console | Google for Developers
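The second answer suggests a short script that pulls Vault audit activity through the Google API and feeds it to Splunk as a custom input. The block below is an added example of what such a scripted input could look like; it is not code from the thread, from Splunk, or from either add-on. It assumes the Admin SDK Reports API activity endpoint with applicationName set to vault (the API the linked "Vault Audit Activity Events" page documents), an OAuth2 access token with the reports audit read-only scope supplied out of band in the GOOGLE_ACCESS_TOKEN environment variable, and a lookback window in seconds in VAULT_LOOKBACK_SECONDS, mirroring the interval and lookbackOffset settings from the original stanza. Because a 14400-second lookback run every 300 seconds re-reads the same window many times, it also keeps a checkpoint of already-emitted activities so the index does not fill with duplicates. The sample API response and the event names in it are constructed for the example, not real Vault output.

```python
"""
Hypothetical Splunk scripted input: pull Google Vault audit activity from the
Admin SDK Reports API and print one JSON event per line for Splunk to index.
Environment variables GOOGLE_ACCESS_TOKEN and VAULT_LOOKBACK_SECONDS are
assumptions of this example, not settings of any add-on.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Reports API activity endpoint for all users and the "vault" application.
REPORTS_URL = ("https://admin.googleapis.com/admin/reports/v1/activity/"
               "users/all/applications/vault")


def lookback_start(now, lookback_seconds):
    """RFC 3339 startTime for the API, the equivalent of lookbackOffset."""
    start = (now - timedelta(seconds=lookback_seconds)).astimezone(timezone.utc)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def http_page(params, token):
    """Fetch one page from the API (network call; replaced by a fake in the demo)."""
    url = REPORTS_URL + "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_activities(fetch_page, start_time, max_results=1000):
    """Follow nextPageToken until the API stops paging; return raw activities."""
    params = {"startTime": start_time, "maxResults": max_results}
    items = []
    while True:
        page = fetch_page(params)
        items.extend(page.get("items", []))
        token = page.get("nextPageToken")
        if not token:
            return items
        params["pageToken"] = token


def dedupe(activities, seen):
    """Drop activities emitted in an earlier run. The lookback window overlaps
    between runs on purpose, so re-reads are normal; `seen` is the caller's
    checkpoint set and is updated in place."""
    fresh = []
    for activity in activities:
        key = (activity["id"]["time"], activity["id"]["uniqueQualifier"])
        if key not in seen:
            seen.add(key)
            fresh.append(activity)
    return fresh


def flatten(activity):
    """One activity record can hold several events; emit one flat dict per event
    so Splunk's JSON field extraction yields actor, ip and each parameter."""
    base = {
        "time": activity["id"]["time"],
        "application": activity["id"].get("applicationName", "vault"),
        "actor": activity.get("actor", {}).get("email"),
        "ip": activity.get("ipAddress"),
    }
    rows = []
    for event in activity.get("events", []):
        row = dict(base, event_type=event.get("type"), event_name=event.get("name"))
        for param in event.get("parameters", []):
            # Each parameter carries exactly one of these value fields.
            for field in ("value", "intValue", "boolValue", "multiValue"):
                if field in param:
                    row[param["name"]] = param[field]
                    break
        rows.append(row)
    return rows


# Constructed sample response (made-up ids, actor and event names) so the
# pipeline can be exercised offline; real Vault responses have the same shape.
SAMPLE_PAGES = [
    {"items": [{"id": {"time": "2024-01-01T10:00:00.000Z", "uniqueQualifier": "1",
                       "applicationName": "vault", "customerId": "C0"},
                "actor": {"email": "admin@example.com"}, "ipAddress": "203.0.113.5",
                "events": [{"type": "matter_action", "name": "create_matter",
                            "parameters": [{"name": "matter_id", "value": "m-1"}]}]}],
     "nextPageToken": "page-2"},
    {"items": [{"id": {"time": "2024-01-01T10:05:00.000Z", "uniqueQualifier": "2",
                       "applicationName": "vault", "customerId": "C0"},
                "actor": {"email": "admin@example.com"}, "ipAddress": "203.0.113.5",
                "events": [{"type": "export_action", "name": "create_export",
                            "parameters": [{"name": "export_id", "value": "e-1"},
                                           {"name": "matter_id", "value": "m-1"}]}]}]},
]


def demo(seen=None):
    """Run the pipeline over SAMPLE_PAGES with a fake fetcher.
    Returns (flattened rows, the query params sent on each page request)."""
    seen = set() if seen is None else seen
    pages, calls = iter(SAMPLE_PAGES), []

    def fake_fetch(params):
        calls.append(dict(params))
        return next(pages)

    start = lookback_start(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), 14400)
    activities = dedupe(collect_activities(fake_fetch, start), seen)
    return [row for a in activities for row in flatten(a)], calls


def main():
    token = os.environ["GOOGLE_ACCESS_TOKEN"]
    lookback = int(os.environ.get("VAULT_LOOKBACK_SECONDS", "14400"))
    start = lookback_start(datetime.now(timezone.utc), lookback)
    activities = collect_activities(lambda p: http_page(p, token), start)
    for activity in dedupe(activities, set()):   # persist this set in a real deployment
        for row in flatten(activity):
            sys.stdout.write(json.dumps(row) + "\n")


if __name__ == "__main__":
    main()
```

Run it as a scripted input with the interval from the stanza; the checkpoint set in main() is in memory only, so a real deployment would persist it (for example under the app's checkpoint directory) and should also run the script under an account that holds only the audit read-only scope, since the token grants read access to every admin activity report, not just Vault.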