Getting Data In

Cannot View Logs in Splunk after Integrating with Google Workspace

ShuKinTa
Engager

This is regarding the integration between Splunk and Google Workspace.

I have followed the documentation below to configure the integration, but the log data is not being ingested into the specified index in Splunk, and I cannot view the Google Workspace logs on Splunk. Additionally, there are no apparent errors after the integration setup.

I would appreciate any advice or precautions to take when installing the Add-on for Google Workspace.

# Additional info
Upon checking the log files, the following errors were found. However, no 40x errors were found.

Could not refresh service account credentials because of ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.', {'error': 'unauthorized_client', 'error_description': 'Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested.'})


# Referenced Documentation

## Installation of the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Installation

## Issuing Authentication Keys for Accounts Created on the Add-on for Google Workspace
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs1
-> Refer to the "Google Workspace activity report prerequisites" section in the above document.

## Add-on Configuration
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Configureinputs2
-> Refer to the "Add your Google Workspace account information" and "Configure activity report data collection using Splunk Web" sections in the above document.

## Troubleshooting
https://docs.splunk.com/Documentation/AddOns/released/GoogleWorkspace/Troubleshoot
-> Refer to the "No events appearing in the Splunk platform" section in the above document.

https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-Add-on-for-Google-Workspace-inputs-get...

Labels (2)
0 Karma
1 Solution

ShuKinTa
Engager

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful. 

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

View solution in original post

Tags (1)
0 Karma

ShuKinTa
Engager

When use a group email address (with owner permissions) and configure the integration between Splunk and GWS, an authentication error occurs. However, if use a user name email address, the integration is successful. 

I thought that granting owner permissions would allow the group email address to integrate successfully just like a user email address, but this was incorrect.

Ref: https://splunk.github.io/splunk-add-on-for-google-workspace/Configureinputs1/

==========

9. In the Service account details page for your new service account, perform the following steps:

~~~~~ Omitted ~~~~~

h. Navigate to the user name email address that has Owner permissions. Copy the email address.

==========

Tags (1)
0 Karma

sainag_splunk
Splunk Employee
Splunk Employee

I think its a permission issue, Google Workspace user should have a “Organization Administrator” role. That’s the only requirement for the account. you account might be read only?



Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...