Solved: Cannot View Logs in Splunk after Integrating with ...

ShuKinTa · ‎10-15-2024

This is regarding the integration between Splunk and Google Workspace.

I have followed the documentation below to configure the integration, but the log data is not being ingested into the specified index in Splunk, and I cannot view the Google Workspace logs on Splunk. ~~Additionally, there are no apparent errors after the integration setup.~~

I would appreciate any advice or precautions to take when installing the Add-on for Google Workspace.

# Additional info
Upon checking the log files, the following errors were found. However, no 40x errors were found.

Could not refresh service account credentials because of ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})

# Referenced Documentation
## Installation of the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Installation

## Issuing Authentication Keys for Accounts Created on the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs1
-> Refer to the "Google Workspace activity report prerequisites" section in the above document.

## Add-on Configuration
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs2
-> Refer to the "Add your Google Workspace account information" and "Configure activity report data collection using Splunk Web" sections in the above document.

## Troubleshooting
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot
-> Refer to the "No events appearing in the Splunk platform" section in the above document.

https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-Add-on-for-Google-Workspace-inputs-get...

ShuKinTa

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful.

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

View solution in original post

ShuKinTa

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful.

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

sainag_splunk · ‎10-18-2024

I think its a permission issue, Google Workspace user should have a “Organization Administrator” role. That’s the only requirement for the account. you account might be read only?

Cannot View Logs in Splunk after Integrating with Google Workspace

data

scripted input

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)