Solved: Cannot View Logs in Splunk after Integrating with ...

ShuKinTa · ‎10-15-2024

This is regarding the integration between Splunk and Google Workspace.

I have followed the documentation below to configure the integration, but the log data is not being ingested into the specified index in Splunk, and I cannot view the Google Workspace logs on Splunk. ~~Additionally, there are no apparent errors after the integration setup.~~

I would appreciate any advice or precautions to take when installing the Add-on for Google Workspace.

# Additional info
Upon checking the log files, the following errors were found. However, no 40x errors were found.

Could not refresh service account credentials because of ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})

# Referenced Documentation
## Installation of the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Installation

## Issuing Authentication Keys for Accounts Created on the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs1
-> Refer to the "Google Workspace activity report prerequisites" section in the above document.

## Add-on Configuration
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs2
-> Refer to the "Add your Google Workspace account information" and "Configure activity report data collection using Splunk Web" sections in the above document.

## Troubleshooting
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot
-> Refer to the "No events appearing in the Splunk platform" section in the above document.

https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-Add-on-for-Google-Workspace-inputs-get...

ShuKinTa · ‎11-06-2024

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful.

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

View solution in original post

ShuKinTa · ‎11-06-2024

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful.

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

sainag_splunk · ‎10-18-2024

I think its a permission issue, Google Workspace user should have a “Organization Administrator” role. That’s the only requirement for the account. you account might be read only?

Cannot View Logs in Splunk after Integrating with Google Workspace

data

scripted input

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases