follow
Script in https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/tree/gh651-splunk
Use https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh446-hub/solutions/setup.sh as the base.
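#!/usr/bin/env bash
# Organization-level log sink into Pub/Sub, feeding a Pub/Sub-to-Splunk
# Dataflow job that is launched separately.
#
# In order: enable the project APIs, bind org-level IAM roles to the calling
# account, create a custom-mode hub network with one subnet, an ingress rule
# limited to Dataflow workers, Cloud NAT and Private Google Access, the input
# topic/subscription, the organization sink, the publisher grant for the
# sink's own writer identity, and a dead-letter topic/subscription.
#
# Requirements: gcloud authenticated as an account allowed to bind IAM policy
# on the organization; jq on PATH. Not idempotent: re-running against existing
# resources stops at the first "already exists" error.
set -euo pipefail

export BOOT_PROJECT_ID=bigquery-ol
export PROJECT_ID=bigquery-ol
gcloud config set project "${PROJECT_ID}"

# Assignment is kept separate from export so a failing gcloud is not masked
# by the export's own (always zero) exit status.
# jq -r emits the raw string, so no sed pass is needed to strip the quotes.
SUPER_ADMIN_EMAIL=$(gcloud config list --format json | jq -r .core.account)
export SUPER_ADMIN_EMAIL
ORGANIZATION_ID=$(gcloud projects get-ancestors "${BOOT_PROJECT_ID}" --format='get(id)' | tail -1)
export ORGANIZATION_ID
# Describe the project by ID: a substring --filter over `projects list` can
# match more than one project and yield several numbers.
PROJECT_NUMBER=$(gcloud projects describe "${PROJECT_ID}" --format='value(projectNumber)')
export PROJECT_NUMBER
export NETWORK_NAME=hub
export SUBNET_NAME=hub-sn
export REGION=northamerica-northeast1
export INPUT_TOPIC_NAME=bqtopic
export INPUT_SUBSCRIPTION_NAME=bqtopic-sub
export DEAD_LETTER_TOPIC_NAME=bq-dead-topic
export DEAD_LETTER_SUBSCRIPTION_NAME=bq-dead-topic-sub
# Project-level Logging service agent. This is NOT the organization sink's
# writer identity (that one is service-org-<ORG_ID>@... and is read back from
# the sink after it is created); kept exported for anything that still reads it.
export LOG_SINK_SERVICE_ACCOUNT=service-${PROJECT_NUMBER}@gcp-sa-logging.iam.gserviceaccount.com
export ORGANIZATION_SINK_NAME=org-sink-splunk
echo "BOOT_PROJECT: $BOOT_PROJECT_ID"
echo "PROJECT_ID: $PROJECT_ID"
echo "SUPER_ADMIN_EMAIL: $SUPER_ADMIN_EMAIL"
echo "ORGANIZATION_ID: $ORGANIZATION_ID"
echo "PROJECT_NUMBER: $PROJECT_NUMBER"
echo "NETWORK_NAME: $NETWORK_NAME"
echo "SUBNET_NAME: $SUBNET_NAME"
echo "REGION: $REGION"
echo "INPUT_TOPIC_NAME: $INPUT_TOPIC_NAME"
echo "INPUT_SUBSCRIPTION_NAME: $INPUT_SUBSCRIPTION_NAME"
echo "DEAD_LETTER_TOPIC_NAME: $DEAD_LETTER_TOPIC_NAME"
echo "DEAD_LETTER_SUBSCRIPTION_NAME: $DEAD_LETTER_SUBSCRIPTION_NAME"
echo "LOG_SINK_SERVICE_ACCOUNT: $LOG_SINK_SERVICE_ACCOUNT"
echo "ORGANIZATION_SINK_NAME: $ORGANIZATION_SINK_NAME"

# enable services
for api in monitoring secretmanager compute pubsub dataflow; do
  gcloud services enable "${api}.googleapis.com"
done

# grant roles
# Broad org-level roles are bound to the interactive account for the rest of
# this bootstrap and are not removed here. The policy dump on stdout is
# discarded; stderr is kept on purpose so a refused binding is visible (the
# original "> /dev/null 1>&1" redirected stdout twice and never touched stderr).
for role in roles/logging.configWriter roles/compute.networkAdmin \
    roles/compute.securityAdmin roles/secretmanager.admin; do
  gcloud organizations add-iam-policy-binding "${ORGANIZATION_ID}" \
    --member="user:${SUPER_ADMIN_EMAIL}" \
    --role="${role}" \
    --quiet > /dev/null
done

gcloud compute networks create "${NETWORK_NAME}" --subnet-mode=custom
gcloud compute networks subnets create "${SUBNET_NAME}" \
  --network="${NETWORK_NAME}" \
  --region="${REGION}" \
  --range=192.168.1.0/24
# Only worker-to-worker traffic: source and target are both restricted to the
# "dataflow" network tag and this is the only rule the script opens.
gcloud compute firewall-rules create allow-internal-dataflow \
  --network="${NETWORK_NAME}" \
  --action=allow \
  --direction=ingress \
  --target-tags=dataflow \
  --source-tags=dataflow \
  --priority=0 \
  --rules=tcp:12345-12346
# Cloud NAT over the subnet plus Private Google Access — presumably so workers
# can run without external IPs; the job launch must still request that
# (not done in this script) for it to matter.
gcloud compute routers create nat-router \
  --network="${NETWORK_NAME}" \
  --region="${REGION}"
gcloud compute routers nats create nat-config \
  --router=nat-router \
  --nat-custom-subnet-ip-ranges="${SUBNET_NAME}" \
  --auto-allocate-nat-external-ips \
  --region="${REGION}"
gcloud compute networks subnets update "${SUBNET_NAME}" \
  --enable-private-ip-google-access \
  --region="${REGION}"

gcloud pubsub topics create "${INPUT_TOPIC_NAME}"
gcloud pubsub subscriptions create "${INPUT_SUBSCRIPTION_NAME}" \
  --topic "${INPUT_TOPIC_NAME}"
echo "PROJECT_ID: $PROJECT_ID"
echo "INPUT_TOPIC_NAME: $INPUT_TOPIC_NAME"
# Organization-wide sink (children included) into the input topic. This
# project's Dataflow logs are excluded — presumably so the pipeline shipping
# the logs does not re-ingest its own output; the project was previously
# hard-coded here, it now follows PROJECT_ID.
gcloud logging sinks create "${ORGANIZATION_SINK_NAME}" \
  "pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${INPUT_TOPIC_NAME}" \
  --organization="${ORGANIZATION_ID}" \
  --include-children \
  --log-filter="NOT logName:projects/${PROJECT_ID}/logs/dataflow.googleapis.com"
# The sink publishes as its own writer identity (service-org-<ORG_ID>@...),
# which gcloud reports once the sink exists. That principal — not the
# project-number agent in LOG_SINK_SERVICE_ACCOUNT — needs publisher on the
# topic, otherwise the sink has nowhere to deliver.
sink_writer=$(gcloud logging sinks describe "${ORGANIZATION_SINK_NAME}" \
  --organization="${ORGANIZATION_ID}" --format='value(writerIdentity)')
# writerIdentity comes back as "serviceAccount:<email>"; keep the bare email.
export PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT=${sink_writer#serviceAccount:}
echo "PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT: $PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT"
gcloud pubsub topics add-iam-policy-binding "${INPUT_TOPIC_NAME}" \
  --member="serviceAccount:${PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT}" \
  --role=roles/pubsub.publisher

gcloud pubsub topics create "${DEAD_LETTER_TOPIC_NAME}"
gcloud pubsub subscriptions create "${DEAD_LETTER_SUBSCRIPTION_NAME}" \
  --topic "${DEAD_LETTER_TOPIC_NAME}"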
https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk/deployment
running
michael@cloudshell:~/bigquery-ol/pubsec-declarative-toolkit/solutions (bigquery-ol)$ ./setup-splunk-sink.sh
Updated property [core/project].
BOOT_PROJECT: bigquery-ol
PROJECT_ID: bigquery-ol
SUPER_ADMIN_EMAIL: mi..ev
ORGANIZATION_ID: 583..68
PROJECT_NUMBER: 951469276805
NETWORK_NAME: hub
SUBNET_NAME: hub-sn
REGION: northamerica-northeast1
INPUT_TOPIC_NAME: bqtopic
INPUT_SUBSCRIPTION_NAME: bqtopic-sub
DEAD_LETTER_TOPIC_NAME: bq-dead-topic
DEAD_LETTER_SUBSCRIPTION_NAME: bq-dead-topic-sub
LOG_SINK_SERVICE_ACCOUNT: service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
ORGANIZATION_SINK_NAME: org-sink-splunk
Operation "operations/acat.p2-951469276805-e274bf61-e2a0-461f-86e7-03a476cd3b27" finished successfully.
Operation "operations/acf.p2-951469276805-f4e3d475-3c23-494e-8a2b-84b1a67a5107" finished successfully.
Operation "operations/acf.p2-951469276805-d1965720-dd9c-4c5e-981b-eb96689b123f" finished successfully.
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].
Updated IAM policy for organization [583675367868].
Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/global/networks/hub].
NAME: hub
SUBNET_MODE: CUSTOM
BGP_ROUTING_MODE: REGIONAL
IPV4_RANGE:
GATEWAY_IPV4:
Instances on this network will not be reachable until firewall rules
are created. As an example, you can allow all internal traffic between
instances as well as SSH, RDP, and ICMP by running:
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network hub --allow tcp,udp,icmp --source-ranges <IP_RANGE>
$ gcloud compute firewall-rules create <FIREWALL_NAME> --network hub --allow tcp:22,tcp:3389,icmp
Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/regions/northamerica-northeast1/subnetworks/hub-sn].
NAME: hub-sn
REGION: northamerica-northeast1
NETWORK: hub
RANGE: 192.168.1.0/24
STACK_TYPE: IPV4_ONLY
IPV6_ACCESS_TYPE:
INTERNAL_IPV6_PREFIX:
EXTERNAL_IPV6_PREFIX:
Creating firewall...working..Created [https://www.googleapis.com/compute/v1/projects/bigquery-ol/global/firewalls/allow-internal-dataflow].
Creating firewall...done.
NAME: allow-internal-dataflow
NETWORK: hub
DIRECTION: INGRESS
PRIORITY: 0
ALLOW: tcp:12345-12346
DENY:
DISABLED: False
Creating router [nat-router]...done.
NAME: nat-router
REGION: northamerica-northeast1
NETWORK: hub
Creating NAT [nat-config] in router [nat-router]...done.
Updated [https://www.googleapis.com/compute/v1/projects/bigquery-ol/regions/northamerica-northeast1/subnetworks/hub-sn].
Created topic [projects/bigquery-ol/topics/bqtopic].
Created subscription [projects/bigquery-ol/subscriptions/bqtopic-sub].
Created [https://logging.googleapis.com/v2/organizations/583675367868/sinks/org-sink-splunk].
Please remember to grant `serviceAccount:service-org-583675367868@gcp-sa-logging.iam.gserviceaccount.com` the Pub/Sub Publisher role on the topic.
More information about sinks can be found at https://cloud.google.com/logging/docs/export/configure_export
writer identity
serviceAccount:service-org-583675367868@gcp-sa-logging.iam.gserviceaccount.com
inclusion filter
NOT logName:projects/bigquery-ol/logs/dataflow.googleapis.com
fix project id
The project is hardcoded, but there is an issue selecting the target: the logs are fine, only the queue/topic selection needs fixing.
# Appends a project-domain suffix to LOG_SINK_SERVICE_ACCOUNT, which is already
# a complete service-account address; the INVALID_ARGUMENT below shows the
# resulting doubled domain.
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${LOG_SINK_SERVICE_ACCOUNT}@${PROJECT_ID}.iam.gserviceaccount.com \
--role=roles/pubsub.publisher
ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.pubsub.topics.add-iam-policy-binding) INVALID_ARGUMENT: Invalid service account (service-951469276805@gcp-sa-logging.iam.gserviceaccount.com@bigquery-ol.iam.gserviceaccount.com).
fixed
# Hard-codes the project-number Logging service agent. The grant succeeds, but
# the sink creation output above names service-org-<ORG_ID>@... as the writer
# identity, so this binding is not the one the organization sink publishes with.
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com \
--role=roles/pubsub.publisher
Updated IAM policy for topic [bqtopic].
bindings:
- members:
- serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
role: roles/pubsub.publisher
etag: BwYJvRbrKsU=
version: 1
existing sink
Writer Identity serviceAccount:service-org-583...68@gcp-sa-logging.iam.gserviceaccount.com
PubSub topic
Testing
# Same grant via the variable: LOG_SINK_SERVICE_ACCOUNT is the project-number
# service agent, not the org sink's service-org-<ORG_ID>@... writer identity
# reported when the sink was created.
echo "Granting roles/pubsub.publisher to SA: ${LOG_SINK_SERVICE_ACCOUNT} on PubSub topic: ${INPUT_TOPIC_NAME}"
gcloud pubsub topics add-iam-policy-binding $INPUT_TOPIC_NAME \
--member=serviceAccount:${LOG_SINK_SERVICE_ACCOUNT} \
--role=roles/pubsub.publisher
Granting roles/pubsub.publisher to SA: service-951469276805@gcp-sa-logging.iam.gserviceaccount.com on PubSub topic: bqtopic
Updated IAM policy for topic [bqtopic].
bindings:
- members:
- serviceAccount:service-951469276805@gcp-sa-logging.iam.gserviceaccount.com
role: roles/pubsub.publisher
etag: BwYKNQy6cWo=
version: 1
michael@cloudshell:~/bigquery-ol/pubsec-declarative-toolkit/solutions (bigquery-ol)$
The sink's writer identity is service-org-583...68@gcp-sa-logging.iam.gserviceaccount.com, not service-951...805@gcp-sa-logging.iam.gserviceaccount.com.
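# The organization sink publishes as service-org-<ORG_ID>@..., which is the
# writer identity gcloud printed when the sink was created — not the
# project-number service agent granted earlier.
export PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT=service-org-${ORGANIZATION_ID}@gcp-sa-logging.iam.gserviceaccount.com
# Brace on the first expansion was unbalanced ("$VAR}"), which printed a stray
# "}" after the account in the run output.
echo "Granting roles/pubsub.publisher to SA: ${PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT} on PubSub topic: ${INPUT_TOPIC_NAME}"
gcloud pubsub topics add-iam-policy-binding "${INPUT_TOPIC_NAME}" \
  --member="serviceAccount:${PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT}" \
  --role=roles/pubsub.publisher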
PUBSUB_WRITER_IDENTITY_SERVICE_ACCOUNT: service-org-58...868@gcp-sa-logging.iam.gserviceaccount.com
ORGANIZATION_SINK_NAME: org-sink-splunk
Granting roles/pubsub.publisher to SA: service-org-58...68@gcp-sa-logging.iam.gserviceaccount.com} on PubSub topic: bqtopic
Updated IAM policy for topic [bqtopic].
bindings:
- members:
- serviceAccount:service-951...805@gcp-sa-logging.iam.gserviceaccount.com
- serviceAccount:service-org-58...68@gcp-sa-logging.iam.gserviceaccount.com
role: roles/pubsub.publisher
etag: BwYKNSG_KO0=
version: 1
Messages now
Forcing some logs via
SELECT * FROM `bigquery-ol.rollerblade.rollerblade` LIMIT 1000
2.7 messages / sec
Pulling messages
Check whether a heavy forwarder (https://docs.splunk.com/Splexicon:Heavyforwarder) should be the target instead of sending directly to HEC.
https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk https://cloud.google.com/architecture/stream-logs-from-google-cloud-to-splunk/deployment secondary https://cloud.google.com/splunk
https://prd-p-07o6m.splunkcloud.com user: sc_admin pw: usual aac
Next, once the Pub/Sub queue above is in place, follow https://cloud.google.com/dataflow/docs/guides/templates/provided/pubsub-to-splunk
# gcloud TODO - bigquery-ol-dataflow bucket with staging folder
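# Launch the Google-provided Pub/Sub-to-Splunk Dataflow template against the
# subscription created by the sink setup. Expects PROJECT_ID, REGION,
# INPUT_SUBSCRIPTION_NAME and DEAD_LETTER_TOPIC_NAME from that script to be
# in the environment.
export JOB_NAME=dataflowbq
export REGION_NAME=$REGION
# see gs://dataflow-templates-northamerica-northeast1
export VERSION=latest
export STAGING_LOCATION=gs://bigquery-ol-dataflow/staging
# The HEC token is a bearer credential: it is required from the environment
# rather than assigned here, so it never lands in the script or a commit.
# It still appears on the gcloud command line (argv, shell history); the
# template's Secret Manager token source is the way to keep it off argv.
: "${SPLUNK_HEC_TOKEN:?SPLUNK_HEC_TOKEN must be set in the environment}"
export SPLUNK_HEC_TOKEN
export SPLUNK_HEC_URL=${SPLUNK_HEC_URL:-https://splunk-hec-host:8088}
export DEADLETTER_TOPIC_NAME=$DEAD_LETTER_TOPIC_NAME
# Optional UDF: only passed to the job when a real GCS path is supplied, so a
# placeholder path is never handed to Dataflow.
export JAVASCRIPT_FUNCTION=${JAVASCRIPT_FUNCTION:-myTransform}
export PATH_TO_JAVASCRIPT_UDF_FILE=${PATH_TO_JAVASCRIPT_UDF_FILE:-}
export BATCH_COUNT=1
export PARALLELISM=2
# TLS validation stays on by default. The HEC link carries audit logs and the
# bearer token; when the HEC endpoint presents a private CA (the curl trace
# below shows such a chain), hand that CA to the job through
# ROOT_CA_CERTIFICATE_PATH instead of turning validation off.
export DISABLE_VALIDATION=${DISABLE_VALIDATION:-false}
# optional
export ROOT_CA_CERTIFICATE_PATH=${ROOT_CA_CERTIFICATE_PATH:-}

# Template parameters are assembled as an array and joined with commas, so
# optional entries are added only when set and values are never re-split.
params=(
  "inputSubscription=projects/${PROJECT_ID}/subscriptions/${INPUT_SUBSCRIPTION_NAME}"
  "token=${SPLUNK_HEC_TOKEN}"
  "url=${SPLUNK_HEC_URL}"
  "outputDeadletterTopic=projects/${PROJECT_ID}/topics/${DEADLETTER_TOPIC_NAME}"
  "batchCount=${BATCH_COUNT}"
  "parallelism=${PARALLELISM}"
  "disableCertificateValidation=${DISABLE_VALIDATION}"
)
if [[ -n "${PATH_TO_JAVASCRIPT_UDF_FILE}" ]]; then
  params+=(
    "javascriptTextTransformGcsPath=${PATH_TO_JAVASCRIPT_UDF_FILE}"
    "javascriptTextTransformFunctionName=${JAVASCRIPT_FUNCTION}"
  )
fi
if [[ -n "${ROOT_CA_CERTIFICATE_PATH}" ]]; then
  params+=("rootCaCertificatePath=${ROOT_CA_CERTIFICATE_PATH}")
fi
param_list=$(IFS=,; printf '%s' "${params[*]}")

gcloud dataflow jobs run "${JOB_NAME}" \
  --gcs-location "gs://dataflow-templates-${REGION_NAME}/${VERSION}/Cloud_PubSub_to_Splunk" \
  --region "${REGION_NAME}" \
  --staging-location "${STAGING_LOCATION}" \
  --parameters "${param_list}"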
Input Type
Token
Name
hec-token
Source name override
N/A
Description
N/A
Enable indexer acknowledgements
Yes
Allowed indexes
historylastchanceindexmainsummary
Default index
history
Source Type
Automatic
App Context
launcher
https://docs.splunk.com/Documentation/Splunk/9.1.1/Data/UsetheHTTPEventCollector
https://prd-p-07o6m.splunkcloud.com/en-US/manager/search/http-eventcollector
michaelobrien@mbp7 rest-client-java % curl https://prd-p-07o6m.splunkcloud.com/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
Invalid language specified%
michaelobrien@mbp7 rest-client-java % curl -v https://prd-p-07o6m.splunkcloud.com:8088/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
* Trying 35.171.229.88:8088...
* Connected to prd-p-07o6m.splunkcloud.com (35.171.229.88) port 8088 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl https://prd-p-07o6m.splunkcloud.com:8088/services/collector/hec-token -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": "principalEmail": "michael@obrienlabs.dev" }, "requestMetadata": { "callerIp": "174.112.128.160" "requestAttributes": { "time": "2023-11-17T16:59:08.029271Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "cloudbilling.googleapis.com", "methodName": "ListBillingAccounts", "authorizationInfo": [ { "resource": "organizations/583675367868", "permission": "billing.accounts.list", "granted": true, "resourceAttributes": {} }, { "resource": "billingAccounts/019D0C-A1B72A-4BC522", "permission": billing.accounts.get", "granted": true, "resourceAttributes": {} }, { "resource": "billingAccounts/019283-6F1AB5-7AD576", "permission": "billing.accounts.get", "granted": true, "resourceAttributes": {} } ], "resourceName": "organizations/583675367868", "request": { "excludeProjectLookups": true, "organizationName": "organizations/583675367868", "@type": type.googleapis.com/google.internal.cloudbilling.billingaccount.v1.ListBillingAccountsRequest", "pageSize": 1000 } }, "insertId": "-2ruh4jcnoi", "resource": { "type": "organization", "labels": { "organization_id": 583675367868" } }, "timestamp": "2023-11-17T16:59:07.950674Z", "severity": "INFO", "logName": organizations/583675367868/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2023-11-17T16:59:08.944678641Z"}'
{"protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": "principalEmail": "michael@obrienlabs.dev" }, "requestMetadata": { "callerIp": "174.112.128.160" "requestAttributes": { "time": "2023-11-17T16:59:08.029271Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "cloudbilling.googleapis.com", "methodName": "ListBillingAccounts", "authorizationInfo": [ { "resource": "organizations/583675367868", "permission": "billing.accounts.list", "granted": true, "resourceAttributes": {} }, { "resource": "billingAccounts/019D0C-A1B72A-4BC522", "permission": billing.accounts.get", "granted": true, "resourceAttributes": {} }, { "resource": "billingAccounts/019283-6F1AB5-7AD576", "permission": "billing.accounts.get", "granted": true, "resourceAttributes": {} } ], "resourceName": "organizations/583675367868", "request": { "excludeProjectLookups": true, "organizationName": "organizations/583675367868", "@type": type.googleapis.com/google.internal.cloudbilling.billingaccount.v1.ListBillingAccountsRequest", "pageSize": 1000
} }, "insertId": "-2ruh4jcnoi", "resource": { "type": "organization", "labels": { "organization_id": 583675367868"
} }, "timestamp": "2023-11-17T16:59:07.950674Z", "severity": "INFO", "logName": organizations/583675367868/logs/cloudaudit.googleapis.com%2Fdata_access", "receiveTimestamp": "2023-11-17T16:59:08.944678641Z"}
Triaging (the cert issue should be resolved via the token — see https://community.splunk.com/t5/Getting-Data-In/Using-Splunk-HEC-and-validating-Certificates/m-p/563088)
michaelobrien@mbp7 rest-client-java % curl -k https://prd-p-07o6m.splunkcloud.com:8088/services/collector/event -H "Authorization: Splunk fbaac76f-69fe-430a-9959-e9644bee88fd" -d '{"event": "hello world"}'
{"text":"Data channel is missing","code":10}%
could be
User 'admin' triggered the '_reload' action on app 'splunk_monitoring_console', and completing an implicit app deletion requires restart
11/17/2023, 7:27:09 PM
Splunk must be restarted for changes to take effect. Contact Splunk Cloud Support to complete the restart.
11/7/2023, 2:58:45 AM
Attempting manually
exported CLI
gcloud dataflow jobs run console --gcs-location gs://dataflow-templates-northamerica-northeast1/latest/Cloud_PubSub_to_Splunk --region northamerica-northeast1 --staging-location gs://bigquery-ol-dataflow/staging/ --additional-user-labels {} --parameters inputSubscription=projects/bigquery-ol/subscriptions/bqtopic-sub,token=fbaac76f-69fe-430a.....ee88fd,url=https://prd-p-07o6m.splunkcloud.com:8088,enableBatchLogs=true,enableGzipHttpCompression=true,javascriptTextTransformReloadIntervalMinutes=0,outputDeadletterTopic=projects/bigquery-ol/topics/bq-dead-topic
Trying to determine how many messages are actually getting through to the HEC.
Splunk push from PubSub via Dataflow (Apache BEAM) looks to be working - just verifying the Splunk Cloud end
Run some more BigQuery queries to push some more logs
Note log sink publishing delays: I see an hour or more on certain sinks, whereas with Pub/Sub we are near real-time.
thank you team for - https://support.google.com/a/answer/7061566
Results
Log Sink to Dataflow (apache beam) pipeline to Http Endpoint Collector
Notes
Architecture/Requirements
Support third-party log aggregation (Splunk, for example) as a logging sink target.
drive/shadow to https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/318
review splunk specific integrations
https://splunkbase.splunk.com/app/3088?_ga=2.266051020.2131231099.1699452385-302992155.1699452385&_gl=1*1oxfrkk*_ga*MzAyOTkyMTU1LjE2OTk0NTIzODU.*_ga_GS7YF8S63Y*MTY5OTQ1MjM4Ni4xLjAuMTY5OTQ1MjM4Ni42MC4wLjA.*_ga_5EPM2P39FV*MTY5OTQ1MjM4Ni4xLjEuMTY5OTQ1MjM4OS41Ny4wLjA.
review ELK stack export simulation
review IBM qradar integration https://www.ibm.com/docs/en/qradar-common?topic=collector-setting-maximum-eps-rate