Troubleshooting
Problem
The Google G Suite log source is not collecting events and shows the following error message in the log source configuration window:
"Token must be a short-lived token (60 minutes) and in a reasonable timeframe"
Cause
This error happens when the target event collector time is not synchronized with NTP. The time difference between NTP and the target event collector time cannot be higher than 30s.
Diagnosing The Problem
The log source is in the error state and it shows the following error message:
An I/O operation failed or was interrupted. Typically occurs due to connection issues.
For more information see the "Raw Error Message".
The query threads for this log source will be stopped. To re-enable the query threads,
disable the log source and th->
en re-enable it.
Parameters : User Account and Service Account Credentials
Raw Error Message : 400 Bad Request
{
"error" : "invalid_grant",
"error_description" : "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for->
clock differences between systems."
}
This error is logged in the /var/log/qradar.error log file:
May 1 23:20:27 "error_description" : "Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable timeframe. Check your iat and exp values and use a clock with skew to account for clock differences between systems."
If the date command is used to verify the system time and the output shows some minutes of difference, it causes the issue.
For example, if in any time zone is 11:00 hours, the minutes on this event collector might be XX:04, like in this capture:
Resolving The Problem
There are two methods to set up the system time correctly:
- Set the time manually:
Configuring system time - Configure an NTP (Network Time Protocol) Server:
QRadar: Configuring NTP settings for a QRadar appliance
Result:
After the system time is synchronized with NTP, the error message is no longer displayed in the log source configuration tab. If the error persists after the changes, contact QRadar Support for assistance.
Document Location
Worldwide
[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
01 June 2022
UID
ibm16456207