Splunk Cloud Platform

Authentication issue with GCP - Why are we not getting logs from "gws:gmail"?

splunkzilla
Explorer

We have implemented the Splunk Add-On for Google Workspace (https://splunkbase.splunk.com/app/5556) in our Splunk environment.

We used this documentation for the implementation: https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs1

Currently, we are successfully getting logs with the sourcetype "gws:gmail", which is good. However, we are not getting logs for the other sourcetypes:

gws:reports:admin
gws:reports:calendar
gws:reports:context_aware_access
gws:reports:drive
gws:reports:gcp
gws:reports:login
gws:reports:oauthtoken
gws:reports:saml

In looking at the _internal index, we see the following error:

2022-10-06 18:45:36,130 ERROR pid=32667 tid=MainThread file=activity_report.py:stream_events:140 | Exception raised while ingesting data for activity report: . Traceback: Traceback (most recent call last):
  File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/activity_report.py", line 133, in stream_events
    service,
  File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_runner.py", line 97, in run_ingest
    proxies,
  File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_request.py", line 116, in fetch_report
    rand=random.random,
  File "/opt/splunk/etc/apps/Splunk_TA_Google_Workspace/bin/gws_request.py", line 52, in _retry_request
    raise CouldNotAuthenticateException()
gws_request.CouldNotAuthenticateException

This appears to be a permissions/authentication issue. We have recreated the accounts and applied them to the inputs in the app. However this has not resolved the issue. At this stage we are trying to determine the appropriate permissions for the account needed to access the above sourcetypes.

To clarify: we have 2 service accounts for this implementation.  One for Gmail (which is working), and the other for the other activity reports (which is not).  At this stage, I just need permissions/role/scope info for the non-working service account.  The troubleshooting documentation is somewhat confusing as to what is needed, specifically steps 1 and 6, which seem to contradict one another:

  1. Log into your Google Cloud service account. This service account cannot be an organization admin account.
  2. Copy Client ID of this service account
  3. Check if the Client ID for your service account contains the https://www.googleapis.com/auth/admin.reports.audit.readonly scope. If it is not there, add your Client ID, and specify the https://www.googleapis.com/auth/admin.reports.audit.readonly scope.
  4. Check if the account you are using for the Username field contains the Organization Administrator role.
  5. Navigate to the Certificate field.
  6. Verify that you added the entire JSON file that you downloaded as a key for your service account.
  7. Save your changes.

It seems like they have merged the instructions for two service accounts into one?  Apologies in advance if I am missing something simple - I think I may have gotten too far into the weeds on this one.

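The steps quoted above describe one domain-wide-delegation setup, not two accounts: the service account's numeric client ID is what gets authorised for the admin.reports.audit.readonly scope (step 3), the Workspace admin in the Username field is the user the service account impersonates (step 4), and the JSON key file is the credential that signs the request (step 6). The script below is an added example, not code from this thread or from the Splunk add-on, and it checks those three pieces offline with the standard library only. It assumes the key file has the shape Google Cloud issues for service-account keys (type, client_email, numeric client_id, PKCS#8 private_key, token_uri) and that the scope string is the one quoted in the steps; the sample key embedded in it is constructed with placeholder values. Signing the JWT and exchanging it for a token is left to the add-on's own client library.

```python
"""Offline sanity check of a Google service-account key and of the
domain-wide-delegation claims needed for the Reports API.
Added example; assumptions are noted inline."""
import json
import time

REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"

# Fields every Google service-account JSON key carries (assumption based on
# the standard key format); a missing one usually means a partial paste.
REQUIRED_KEY_FIELDS = (
    "type", "project_id", "private_key_id", "private_key",
    "client_email", "client_id", "token_uri",
)

# Constructed sample key: the shape is real, every value is a placeholder.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123abcd",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "splunk-reports@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_service_account_key(key_json: str) -> dict:
    """Parse the pasted key and return its fields, or raise ValueError naming
    the first defect (the add-on itself only reports CouldNotAuthenticate)."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"Certificate field is not valid JSON: {exc}") from None
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key (type != service_account)")
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key JSON is missing fields: {', '.join(missing)}")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM PKCS#8 block; was the whole file pasted?")
    if not key["client_id"].isdigit():
        raise ValueError("client_id should be the numeric ID shown in Google Cloud")
    return key


def build_delegation_claims(key: dict, admin_user: str,
                            scopes=(REPORTS_SCOPE,), now=None) -> dict:
    """Claim set of the JWT a client signs and sends to token_uri when using
    domain-wide delegation; iss/sub/scope are the values to verify."""
    if "@" not in admin_user:
        raise ValueError("admin_user must be a Workspace user e-mail (the Username field)")
    now = int(time.time()) if now is None else int(now)
    return {
        "iss": key["client_email"],  # the service account itself
        "sub": admin_user,           # admin being impersonated; needs Reports access
        "scope": " ".join(scopes),   # must match the scope granted to client_id
        "aud": key["token_uri"],
        "iat": now,
        "exp": now + 3600,
    }


def delegation_checklist(key: dict, admin_user: str) -> dict:
    """Map the quoted steps onto the concrete values to compare against the
    Admin console (Security > API controls > Domain-wide delegation)."""
    return {
        "client_id_to_authorise": key["client_id"],
        "scope_to_grant": REPORTS_SCOPE,
        "user_to_impersonate": admin_user,
        "service_account": key["client_email"],
    }


if __name__ == "__main__":
    # Replace SAMPLE_KEY_JSON with open("key.json").read() for a real check.
    sa_key = check_service_account_key(SAMPLE_KEY_JSON)
    for name, value in delegation_checklist(sa_key, "admin@example.com").items():
        print(f"{name:24} {value}")
    print(json.dumps(build_delegation_claims(sa_key, "admin@example.com", now=0), indent=2))
```

If the checklist values match what is authorised in the Admin console and the impersonated user can open the audit reports themselves, the remaining causes of the add-on's CouldNotAuthenticateException are outside the key file, such as a proxy or a token_uri that cannot be reached from the Splunk host.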

Ice
New Member

Hi @splunkzilla ,

Did you manage to fix this?
