Troubleshoot ingestion
This document explains errors that you might encounter during data ingestion and normalization in Google Security Operations and describes how to remediate them. Use the following tables to diagnose ingestion failures, identify dropped logs, and evaluate downstream impact.
The document describes the errors for the following ingestion methods: Google SecOps forwarder, Google SecOps Ingestion API, Google SecOps API feed, and third-party technology partners.
Source and Ingestion Errors
You might encounter the following errors when:
- Retrieving data from source systems.
- The Google SecOps forwarder or a third-party feed attempts to communicate with an external API or resource.
| HTTP status code | Error reason | Canonical error code | Error message | Error description | Troubleshooting |
|---|---|---|---|---|---|
| 400 | Bad request | INVALID_ | Invalid request parameters. | The system established a connection to the source, but the feed failed because of invalid arguments. | Verify source authorizations, required roles, and that all mandatory fields are correctly filled. Check for illegal characters in IDs, regions, or names, and ensure parameters like polling intervals are within limits. Review the feed configuration and refer to the feeds documentation. If the problem continues, contact Google SecOps support. |
| 401 | Unauthorized | LOGIN_ | Authentication failed. Verify your credentials and try again. | The system established a connection, but authorization failed due to incorrect or missing credentials. | Verify and re-enter the credentials for the source to confirm they are correct and not expired. |
| 403 | Forbidden | ACCESS_ | Access denied. The credentials lack permissions to access this resource. | The system established a connection to the source, but the credentials lack the necessary permissions for the resource. | Ensure the service or authentication account or API key has the necessary Identity and Access Management (IAM) roles or permissions for the resource. Refer to the feed configuration for details. For example, double-check the Azure Event Hub connection string in the Azure portal. Or, refer to the feeds documentation for the necessary permissions. For information about permissions, see Configuration by source type. |
| 404 | URL not found | FILE_ | Endpoint not found. Verify the URL and resource details. | The system couldn't locate the specific file or endpoint. | Check the following: If the problem continues, contact Google SecOps support. |
| 429 | | ACCESS_ | Feed timed out. | The source is rate-limiting requests. The feed failed because there were too many attempts to reach the source. | This is typically a transient issue. If it persists, contact Google SecOps support. |
| 500 | | | | A connection to the source was established, but the source didn't respond with data. | Ensure the source is available and responding. Contact Google SecOps support if the issue persists. |
| 502 | | | | Feed encountered a gateway error. | This error is transient and the application will retry the request. If the issue persists, contact Google SecOps support. |
| 503 | | | Transient connection issue. | The source or gateway failed to respond or timed out. | Ensure the source is available and responding. Use jittered exponential backoff if calling the API programmatically. |
| 504 | | | | Google SecOps can't connect to the source IP address and port. | This error is transient and the application will retry the request. Check the following: If the problem continues, contact Google SecOps support. |
| | Generic credential | | | Unable to validate credentials. Check your configuration details. | Check the general configuration details for the credential set in the Google SecOps console. |
| | | CONNECTION_ | | The system established a connection to the source, but the connection closed before the feed completed. | This error is transient and the application will retry the request. If the issue persists, contact Google SecOps support. |
| | | CONNECTION_ | Can't connect to source. | The system is unable to establish a network connection. The application can't connect to the source IP address and port. | Verify the source is available, no firewall is blocking the connection, and the IP address is correct. Check the following: If the problem continues, contact Google SecOps support. |
| | | DNS_ | DNS error. | The system can't resolve the source hostname. | Verify the URLs in feed parameters and source name server settings. Check for spelling errors in the server hostname. |
| | | FILE_ | | The system established a connection to the source, but a problem occurred with the file or resource. | Check the following: If the problem continues, contact Google SecOps support. |
| | | GATEWAY_ | | API returned a gateway error to the call made by Google SecOps. | Verify the source details of the feed. The application will retry the request. |
| | | INTERNAL_ | | Unable to ingest data due to an internal error. | If the problem continues, contact Google SecOps support. |
| | | INVALID_ | | The feed configuration contains invalid values. | Review the feed configuration for incorrect settings. Refer to the feeds documentation for correct syntax. |
| | | INVALID_ | | A connection to the source was established, but the response was incorrect. | Check the feed configuration. Learn more about setting up feeds. If the problem continues, contact Google SecOps support. |
| | | INVALID_ | | Secret key mismatch. | Check for a mismatch between the secret key configured in the feed and the key that Google SecOps received in the HTTP header. For example, when using HTTPS Push Ingestion. |
| | | INVALID_ | Invalid SSL certificate. | The system couldn't validate the source's SSL certificate. | Check source authorizations and ensure the server's certificate is valid and trusted. |
| | | NO_ | | A connection to the source was established, but the source didn't respond. | Make sure the source can support requests from Google SecOps. If the problem continues, contact Google SecOps support. |
| | | REMOTE_ | | A connection to the source was established, but the source didn't respond with data. | Make sure the source is available and is responding with data. If the problem continues, contact Google SecOps support. |
| | | REMOTE_ | | A connection to the source was established, but the source rejected the request. | Check the feed configuration. Refer to the feeds documentation for more details. If the problem continues, contact Google SecOps support. |
| | | RESOURCE_ | | Quota or rate limit exceeded. | Check if quota rejections are happening due to high request volume or data limits. The source is sending requests too frequently. Monitor quota usage and contact support if needed. For example, when using the Ingestion API or Google Workspace. |
| | | SOCKET_ | | A connection to the source was established, but the connection timed out before the data transfer was complete. | This error is transient and the application will retry the request. If the issue persists, contact Google SecOps support. |
| | | TOO_ | | The feed timed out because it encountered multiple errors from the source. | Contact Google SecOps support. |
| | | TRANSIENT_ | | Feed encountered temporary internal error. | This error is transient and the application will retry the request. If the issue persists, contact Google SecOps support. |
| | | UNSAFE_ | | The application failed to make a connection because the IP address was restricted. | This error is transient and Google SecOps will retry the request. If the issue persists, contact Google SecOps support. |
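
The 503 row recommends jittered exponential backoff for programmatic API calls. The following added example (not taken from Google's documentation) shows one way to do that in Python, retrying only the status codes the table describes as transient and stopping immediately on the ones that need a configuration fix. `send` is a hypothetical callable standing in for your own request function, and the base delay, cap and attempt count are assumptions.

```python
import random
import time

# Status handling taken from the table above: 429, 502, 503 and 504 are
# described as transient; 400, 401, 403 and 404 need a configuration fix.
TRANSIENT = {429, 502, 503, 504}
FIX_CONFIG = {
    400: "review feed parameters and mandatory fields",
    401: "re-enter credentials; check expiry",
    403: "grant the required IAM roles or permissions",
    404: "verify the URL and resource details",
}

def backoff_delays(attempts, base=1.0, cap=60.0, rng=random.random):
    """Full-jitter delays: a random fraction of min(cap, base * 2**n)."""
    return [rng() * min(cap, base * 2 ** n) for n in range(attempts)]

def call_with_backoff(send, max_attempts=5, base=1.0, cap=60.0,
                      sleep=time.sleep, rng=random.random):
    """Call send() until it succeeds, fails permanently, or attempts run out.

    send is a hypothetical zero-argument callable returning an HTTP status.
    Returns (outcome, status, attempts_used).
    """
    delays = backoff_delays(max_attempts - 1, base, cap, rng)
    for attempt in range(1, max_attempts + 1):
        status = send()
        if 200 <= status < 300:
            return ("ok", status, attempt)
        if status not in TRANSIENT:
            # Retrying cannot fix bad arguments or missing permissions.
            return (FIX_CONFIG.get(status, "investigate"), status, attempt)
        if attempt < max_attempts:
            sleep(delays[attempt - 1])
    return ("gave up: contact support if it persists", status, max_attempts)

if __name__ == "__main__":
    # Constructed sequence: two transient failures, then success.
    replies = iter([503, 429, 200])
    slept = []
    print(call_with_backoff(lambda: next(replies), sleep=slept.append))
    print("delays used:", [round(d, 2) for d in slept])
```

The jitter spreads retries from many clients over time, so a source that is already rate-limiting (429) is not hit by synchronized retry bursts.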
Parser and Normalization Errors
These errors occur after ingestion, during the process of mapping raw logs to the Unified Data Model (UDM). If errors occur here, Google SecOps might drop logs, or you might not be able to search logs using UDM fields.
| Parser error type | Error description | Troubleshooting |
|---|---|---|
| Regex | The parser has an issue with a regular expression. | Check the parser logic. For prebuilt parsers, contact Google SecOps support. |
| Invalid_config | The parser's configuration file has a problem. | Validate and correct the parser configuration file. |
| Indexing event batch validation error | Normalized data fails schema checks. | Review the parser's mapping to UDM fields to ensure they meet requirements. |
| Backlog | The system delayed normalization. | Raw logs are in the queue waiting for processing. Contact support if the delay continues. |
| LOG_PARSING_DROPPED_NO_EVENTS | The parser produced no events, causing the log to be dropped. | Check raw logs to ensure they contain data that should actually produce events. |
| LOG_PARSING_DROPPED_BY_FILTER | An explicit drop filter in the parser caused the system to drop the log. | Review filter conditions in the parser code. This is often intentional for logs with no security value. |
| LOG_PARSING_DROPPED_BY_FILTER: TAG_MALFORMED_ENCODING | Bad JSON or XML encoding caused parsing to fail. | Ensure the log source is using a supported and well-formed encoding. |
| LOG_PARSING_NO_PARSER_FOUND | The system has no parser for this log type. | Verify that you set the correct LogType and that a parser is active for that type. |