IBM Support

QRadar: Google G Suite Log Source fails to save with the message "Access denied. You are not authorized to read activity records"

Troubleshooting


Problem

The following message might be displayed when you save a Google G Suite Log Source: "Access denied. You are not authorized to read activity records".

Symptom

When you save a Google G Suite Log Source, the following message can be seen in the qradar.log file.
 
Attempting to access the login application.
Error: An I/O operation failed or was interrupted. Typically occurs due to connection issues. For more information see the "Raw Error Message".
Error: Parameters : Service Account Credentials
Error: 401 Unauthorized
Error: {
Error: "code" : 401,
Error: "errors" : [ {
Error: "domain" : "global",
Error: "location" : "Authorization",
Error: "locationType" : "header",
Error: "message" : "Access denied. You are not authorized to read activity records.",
Error: "reason" : "authError"
Error: } ],
Error: "message" : "Access denied. You are not authorized to read activity records."
Error: } 
The following information can also be seen in the qradar.log file.
May 2 18:29:29 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Google G Suite Activity Reports Rest API Protocol Provider Thread: class com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProviderxxx] com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProvider: [ERROR] [NOT:0000003000][xx.xx.xxx.xx/- -] [-/- -]An error occured during execution of provider class com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProviderXXX
May 2 18:29:29 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Google G Suite Activity Reports Rest API Protocol Provider Thread: class com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProviderXXX] com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized
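
To confirm that a log shows this exact symptom before reinstalling the protocol, the following added example (not IBM's code) counts the 401 lines raised by the G Suite protocol provider and checks for the API's denial message. The function names and the sample log, shortened from the lines above, are constructed for illustration; the log file path is passed as an argument.

```shell
# Added example; the function names are hypothetical and not part of QRadar.
PROVIDER='GoogleGSuiteActivityReportsRESTAPIProvider'

# Count lines where the G Suite protocol provider thread logged a 401.
gsuite_401_count() {
    awk -v p="$PROVIDER" \
        'index($0, p) && index($0, "401 Unauthorized") { n++ } END { print n + 0 }' "$1"
}

# Print the syslog timestamp (first three fields) of the latest such line.
gsuite_401_last_seen() {
    awk -v p="$PROVIDER" \
        'index($0, p) && index($0, "401 Unauthorized") { ts = $1 " " $2 " " $3 }
         END { if (ts) print ts }' "$1"
}

# Return 0 only when both the provider 401 and the API denial text are present.
gsuite_symptom_present() {
    [ "$(gsuite_401_count "$1")" -gt 0 ] &&
        grep -qF 'You are not authorized to read activity records' "$1"
}

# Write a constructed sample log (shortened from the lines on this page, plus
# one unrelated 401 that must not be counted) to the given path.
make_sample_log() {
    cat > "$1" <<'EOF'
Error: 401 Unauthorized
Error: "message" : "Access denied. You are not authorized to read activity records."
May 2 18:29:29 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Google G Suite Activity Reports Rest API Protocol Provider Thread: class com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProviderXXX] com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProvider: [ERROR] An error occured during execution of provider class
May 2 18:29:29 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Google G Suite Activity Reports Rest API Protocol Provider Thread: class com.q1labs.semsources.sources.googlegsuiteactivityreportsrestapi.GoogleGSuiteActivityReportsRESTAPIProviderXXX] com.google.api.client.googleapis.json.GoogleJsonResponseException: 401 Unauthorized
May 2 18:30:02 ::ffff:127.0.0.1 [ecs-ec-ingress.ecs-ec-ingress] [Constructed Other Provider Thread] com.example.OtherProvider: 401 Unauthorized
EOF
}

# Stand-alone use: pass the path to qradar.log as the first argument.
if [ "$#" -gt 0 ]; then
    if gsuite_symptom_present "$1"; then
        echo "Symptom present: $(gsuite_401_count "$1") provider 401 line(s)," \
             "last at $(gsuite_401_last_seen "$1")"
    else
        echo "Symptom not found in $1"
    fi
fi
```
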

Resolving The Problem

To resolve the issue, complete the following steps.
  1. On the QRadar console, confirm the version of the Google G Suite Protocol that is currently installed.
    rpm -qa | grep -i googlegsuite
    The output looks similar to the following.
    PROTOCOL-GoogleGSuiteActivityReportsRESTAPI-7.5-xxxxxxxxxxxxxx.noarch
    DSM-GoogleGSuiteActivityReports-7.5-xxxxxxxxxxxxxx.noarch
    
  2. Download the Google G Suite Protocol.
    1. Open your web browser and connect to the IBM Fix Central page.
      IBM Support: Fix Central.
    2. In the Product selector search bar, type SIEM and then select the product 'IBM Security QRadar SIEM'.
    3. For Installed Version, select 7.5.0.
    4. For Platform, select Linux.
    5. Click Continue.
    6. Leave 'Browse for fixes' selected and click Continue.
    7. Click Protocol.
    8. In the 'Filter fix details' search bar, enter 'google'.
    9. Click the Protocol that you want to download. This brings you to the download link.
    10. Right-click the Download link and select the option 'Copy link'.
    11. Connect to the QRadar Console and use the wget command to download the rpm file.
      Example:
      wget <copied_link>
      wget https://ak-delivery04-mul.dhe.ibm.com/sar/CMA/OSA/0bbdx/0/PROTOCOL-GoogleGSuiteActivityReportsRESTAPI-7.5-xxxxxxxxxxxxxx.noarch.rpm
  3. After the Google G Suite Protocol is downloaded, run the following command to reinstall the Protocol.
    yum reinstall -y PROTOCOL-GoogleGSuiteActivityReportsRESTAPI-7.5-xxxxxxxxxxxxxx.noarch.rpm
  4. When the Google G Suite Protocol is installed, the following message will be displayed.
    Installed:
      PROTOCOL-GoogleGSuiteActivityReportsRESTAPI.noarch 0:7.5-xxxxxxxxxxxxxx
    
Results: The Google G Suite Log Source can be configured and saved successfully.

Document Location

Worldwide


Document Information

Modified date:
01 August 2024

UID

ibm17152287