BindPlane agent for Windows event logs - Invalid Argument error

I want to use the BindPlane agent to send Windows Event logs to Chronicle as described here: https://cloud.google.com/chronicle/docs/ingestion/use-bindplane-agent

After following the instructions, I get an "Invalid Argument" error in the OpenTelemetry collector log.
I am struggling to make this work. Can someone point me in the right direction?

Some of the things I see in the error log are the following:

    "level":"error",
    "caller":"internal/queue_sender.go:92",
    "msg":"Exporting failed. Dropping data.",
    "kind":"exporter",
    "data_type":"logs","name":"chronicle","error":"not retryable error: upload to chronicle: Permanent error: upload logs to chronicle: rpc error:
    code = InvalidArgument desc = Request contains an invalid argument."

According to my research, the problem may be related to an invalid log type, but I don't think this is the reason.

This is an example of my config.yaml:

    receivers:
      windowseventlog/security:
        channel: security
        raw: true
      windowseventlog/system:
        channel: system
        raw: true

    processors:
      batch:

    exporters:
      chronicle/winevtlog:
        endpoint: malachiteingestion-pa.googleapis.com
        creds: '{
          "type": "service_account",
          "project_id": "malachite-projectname",
          "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
          "private_key": "-----BEGIN PRIVATE KEY-----abcdefg-----END PRIVATE KEY-----\n",
          "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
          "client_id": "123456789123456789",
          "auth_uri": "https://accounts.google.com/o/oauth2/auth",
          "token_uri": "https://oauth2.googleapis.com/token",
          "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
          "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccoun...",
          "universe_domain": "googleapis.com"
        }'
        log_type: 'WINEVTLOG'
        override_log_type: false
        raw_log_field: body
        customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'

    service:
      pipelines:
        logs/winevtlog:
          receivers:
            - windowseventlog/security
            - windowseventlog/system
          processors:
            - batch
          exporters:
            - chronicle/winevtlog


Hello @luisq

Thanks for reaching out on this issue. In looking at the config.yaml for my personal lab, I've noticed that, under exporters, I have mine set to log_type: 'UDM'

I know this was an issue for me before; please let us know if this helps you.

Hello @Rob_P, thanks for the suggestion. I changed log_type to 'UDM' and restarted the service, but the result was the same. Error description: "Request contains an invalid argument". I also tried changing override_log_type: true, but also no luck.

@luisq Check the endpoint. Depending on what region SecOps is deployed in, "malachiteingestion-pa.googleapis.com" as seen in the config above may be incorrect. See: https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints
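A pre-flight check for this class of misconfiguration, added here as an example and not code from the thread, from BindPlane or from Google: it takes the parsed config.yaml (the dict that yaml.safe_load returns) plus the region prefix of your SecOps tenant, and flags a chronicle exporter whose endpoint region does not match, along with a customer_id that is not a UUID, an empty log_type, unparsable creds JSON, or an exporter no pipeline references. The endpoint naming pattern (a region prefix before malachiteingestion-pa.googleapis.com, with the bare host meaning US) and the set of required credential keys are assumptions; the sample config is constructed with placeholder values.

```python
import json
import re

# Assumed host pattern: <region>-malachiteingestion-pa.googleapis.com, bare host = US.
ENDPOINT_RE = re.compile(r"^(?:(?P<region>[a-z0-9-]+)-)?malachiteingestion-pa\.googleapis\.com$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)
REQUIRED_CRED_KEYS = {"type", "project_id", "private_key", "client_email", "token_uri"}  # assumed


def check_chronicle_exporters(config, tenant_region):
    """Return a list of problems found in the chronicle/* exporters of a parsed agent
    config. tenant_region is the tenant's region prefix, "us" for the bare endpoint."""
    problems = []
    pipelines = (config.get("service") or {}).get("pipelines") or {}
    referenced = {e for p in pipelines.values() for e in (p.get("exporters") or [])}
    for name, exp in (config.get("exporters") or {}).items():
        if not name.startswith("chronicle"):
            continue
        if name not in referenced:
            problems.append(f"{name}: defined but used by no pipeline")
        match = ENDPOINT_RE.match(str(exp.get("endpoint", "")))
        if not match:
            problems.append(f"{name}: endpoint is not a Chronicle ingestion host")
        elif (match.group("region") or "us") != tenant_region:
            problems.append(f"{name}: endpoint region {match.group('region') or 'us'!r} "
                            f"does not match tenant region {tenant_region!r}")
        if not UUID_RE.match(str(exp.get("customer_id", ""))):
            problems.append(f"{name}: customer_id is not a UUID")
        if not exp.get("log_type"):
            problems.append(f"{name}: log_type is empty")
        try:
            creds = json.loads(exp.get("creds") or "")
        except (TypeError, ValueError):
            problems.append(f"{name}: creds is not valid JSON")
        else:
            missing = sorted(REQUIRED_CRED_KEYS - set(creds))
            if missing:
                problems.append(f"{name}: creds missing {missing}")
            if creds.get("type") != "service_account":
                problems.append(f"{name}: creds type must be service_account")
    return problems


# Constructed sample mirroring the shape of the config.yaml in the question (placeholder ids/key).
SAMPLE_CONFIG = {
    "exporters": {"chronicle/winevtlog": {
        "endpoint": "malachiteingestion-pa.googleapis.com",
        "creds": json.dumps({"type": "service_account", "project_id": "malachite-example",
                             "private_key": "-----BEGIN PRIVATE KEY-----PLACEHOLDER-----END PRIVATE KEY-----\n",
                             "client_email": "agent@malachite-example.iam.gserviceaccount.com",
                             "token_uri": "https://oauth2.googleapis.com/token"}),
        "log_type": "WINEVTLOG", "override_log_type": False, "raw_log_field": "body",
        "customer_id": "dddddddd-dddd-dddd-dddd-dddddddddddd"}},
    "service": {"pipelines": {"logs/winevtlog": {"exporters": ["chronicle/winevtlog"]}}},
}
```

Run it against the real file with `check_chronicle_exporters(yaml.safe_load(open("config.yaml")), "<your-region>")` before restarting the agent; a region mismatch is reported as a problem instead of surfacing later as an InvalidArgument at export time.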

Thank you @brodsky, this was the issue. After I changed the regional endpoint to match Chronicle, it finally worked.

I have faced the same issue, and now I have resolved the issue with your solution.
Thank you @brodsky

Hi @luisq, we just embedded our Bindplane and Data Pipeline Management webinar. Check it out here. Hopefully it helps with some of your other use cases as you leverage these features.