Monitoring Google Cloud SQL
Customers who use Google Cloud Platform's (GCP) managed database service, Cloud SQL, need a way to monitor performance, activity, and metadata for security and observability use cases. The Splunk platform is an ideal solution for addressing these use cases by building dashboards for monitoring and saved searches for automated alerting. Cloud Audit Logs from Cloud SQL can be easily ingested into the Splunk platform via the official Splunk Add-on for GCP, using a GCP Pub/Sub topic.
This article is intended for those in technical roles, such as Splunk administrators, developers, IT, and cloud engineers. After reading this document, you will understand how to ingest GCP Cloud SQL logs into the Splunk platform from Postgres, MySQL, and SQL Server databases. You will also learn how to implement searches for common security use cases to cover in your Splunk environment.
How Splunk software can help with this use case
GCP services write Cloud Audit Logs that track activities including:
- Admin Activity audit logs
- Data Access audit logs
- System Event audit logs
- Policy Denied audit logs
By using a Log Router Sink, logs from Cloud SQL can be routed to a Pub/Sub topic, which can then be easily consumed by the Splunk Add-on for Google Cloud Platform through its modular input.
After the log entries are ingested into the Splunk platform, they can be queried and visualized, allowing users to create dashboards, reports, and alerts tied to automated remediation actions.
Splunk has partnered with Google to ensure that critical security and observability use cases are covered by the joint solution. These include:
- Data exfiltration: Tracking long-running queries
  - The query, who ran it, connection IP, timed-out queries
- Rogue actor: DDL operations (Data Definition Language)
  - Who, connection IP, query
- Rogue client: New connection IP
  - Connection IP, actions taken, comparison against a known list
- Permissions management: GRANT / REVOKE commands
  - Specific commands issued
How it works
Follow this step-by-step guide, which demonstrates how to get relevant Cloud SQL log data into the Splunk platform. Further detailed information can be found in the Configuration guide for the Splunk Add-on for Google Cloud Platform.
- Enable audit logs. Enable the GCP Data Access Audit Logs for the Cloud SQL service(s). Ensure you have the proper IAM role to configure these permissions. https://cloud.google.com/logging/doc...re-data-access
- Pub/Sub topic. Create a Pub/Sub topic (and deadletter queue).
- Log router sink. Create a log router sink that routes logs to the Pub/Sub topic.
- Service account creation. Create a service account for API credentials.
- Install GCP Add-on for Splunk. Follow the installation guide for the add-on.
- Modular input configuration to the Splunk platform. Create a modular input to consume messages containing audit logs from the Pub/Sub topic into your Splunk index. It is recommended to create a new index for this data.
- Query relevant data for use cases. Follow the guide below to discover how to effectively search audit log events to address use cases relevant to your environment.
Use cases
Take a look at some SPL snippets for searching the GCP audit log data in your environment and creating searches for relevant use cases.
Terraform configuration
Using this link, use the following Terraform code snippets to configure the required resources in GCP and the Splunk platform. You will need to set variables for your own environment and adjust the code to suit your needs.
- Creating GCP Resources
- Configuring Splunk Service Account
- Configuring Modular Input to get Audit log data
Database flags
Configure these database flags for each of the Cloud SQL instances, depending on the engine type.
PostgreSQL

MySQL

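The following Terraform configuration is an added example, not the article's own snippets or Splunk's code. It ties together the steps in "How it works" and the database flags above: a Pub/Sub topic with a dead-letter topic, a log router sink that routes only Cloud SQL log entries to that topic, a least-privilege service account for the Splunk modular input, and per-engine audit flags. Resource names, the region, the sink filter and the flag values are my assumptions; the Google provider, project and credentials must be configured for your environment.

```hcl
# Added example (not from the article). Names, filter and flag values are assumptions.

# Pub/Sub topic for the routed audit logs, plus a dead-letter topic for
# messages the Splunk add-on fails to acknowledge.
resource "google_pubsub_topic" "cloudsql_audit" {
  name = "cloudsql-audit-logs"
}

resource "google_pubsub_topic" "cloudsql_audit_deadletter" {
  name = "cloudsql-audit-logs-deadletter"
}

resource "google_pubsub_subscription" "cloudsql_audit_splunk" {
  name                 = "cloudsql-audit-logs-splunk"
  topic                = google_pubsub_topic.cloudsql_audit.name
  ack_deadline_seconds = 60

  dead_letter_policy {
    dead_letter_topic     = google_pubsub_topic.cloudsql_audit_deadletter.id
    max_delivery_attempts = 5
  }
}

# Log router sink: only Cloud SQL entries from the audit and database log
# streams. The filter is an assumption; narrow it to the logs you enable.
resource "google_logging_project_sink" "cloudsql_audit" {
  name                   = "cloudsql-audit-to-pubsub"
  destination            = "pubsub.googleapis.com/${google_pubsub_topic.cloudsql_audit.id}"
  unique_writer_identity = true

  filter = <<-EOT
    resource.type="cloudsql_database"
    AND (logName:"cloudaudit.googleapis.com" OR logName:"cloudsql.googleapis.com")
  EOT
}

# The sink writes with its own service identity, which must be allowed to publish.
resource "google_pubsub_topic_iam_member" "sink_publisher" {
  topic  = google_pubsub_topic.cloudsql_audit.name
  role   = "roles/pubsub.publisher"
  member = google_logging_project_sink.cloudsql_audit.writer_identity
}

# Least-privilege service account for the Splunk modular input: subscriber on
# this one subscription only (the add-on may additionally need roles/pubsub.viewer).
resource "google_service_account" "splunk_ingest" {
  account_id   = "splunk-cloudsql-ingest"
  display_name = "Splunk Add-on for GCP (Cloud SQL audit logs)"
}

resource "google_pubsub_subscription_iam_member" "splunk_subscriber" {
  subscription = google_pubsub_subscription.cloudsql_audit_splunk.name
  role         = "roles/pubsub.subscriber"
  member       = "serviceAccount:${google_service_account.splunk_ingest.email}"
}

# Per-engine audit flags. pgaudit sends DDL, role (GRANT/REVOKE) and read/write
# statements to the Data Access audit log; on MySQL the general and slow query
# logs supply the statement, client IP and duration data the use cases need.
locals {
  instances = {
    "pg-audited" = {
      version = "POSTGRES_15"
      flags   = { "cloudsql.enable_pgaudit" = "on", "pgaudit.log" = "ddl,role,read,write" }
    }
    "mysql-audited" = {
      version = "MYSQL_8_0"
      # long_query_time is in seconds; FILE output is what Cloud Logging collects
      flags = { general_log = "on", slow_query_log = "on", long_query_time = "2", log_output = "FILE" }
    }
  }
}

resource "google_sql_database_instance" "audited" {
  for_each         = local.instances
  name             = each.key
  database_version = each.value.version
  region           = "us-central1"

  settings {
    tier = "db-custom-1-3840"

    dynamic "database_flags" {
      for_each = each.value.flags
      content {
        name  = database_flags.key
        value = database_flags.value
      }
    }
  }
}
```

After `terraform apply`, create a JSON key for the `splunk-cloudsql-ingest` service account, add it as a credential in the Splunk Add-on for GCP, and point the Pub/Sub modular input at the `cloudsql-audit-logs-splunk` subscription and a dedicated index. Keeping the sink filter scoped to `resource.type="cloudsql_database"` avoids paying to route and index unrelated project logs, and the separate subscriber identity means a compromised Splunk credential can only read this subscription, not publish to or administer the topic.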
Next steps
Splunk provides the tools needed to secure your Cloud SQL data, as demonstrated through the use cases above. From identifying rogue DDL operations and managing permissions to tracking data exfiltration attempts and pinpointing slow queries, the integration delivers visibility and security.
Beyond mere data collection, Splunk empowers organizations to transform raw log data into actionable intelligence, enabling proactive threat detection, performance optimization, and automated incident response through integrations with third-party systems. Using Splunk to monitor your GCP Cloud SQL database is key to achieving the security and observability use cases that protect and optimize your organization's data.