Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Troubleshooting Google G Suite Activity Reports

 

To resolve issues with the Google G Suite Activity Reports DSM, use the troubleshooting and support information. Errors can be found by using the protocol testing tools in the JSA Log Source Management app.

General Troubleshooting

The following steps apply to all user input. The general troubleshooting procedure contains the first steps to follow for any errors with the Google G Suite Activity Reports REST API protocol. Many of the errors related to the Google G Suite Activity Reports REST API protocol can be solved with these basic steps.

  1. Check for any spelling mistakes or unnecessary characters in the User Account field.

  2. Reenter all fields.

  3. Create a service account credential file and enter it into the Service Account Credentials field.

For more information, see:

Invalid Private Keys

Symptoms

Error: “An I/O operation failed or was interrupted. For further details, see the "Raw Error Message" and the additional messages”.

Error: “List of potentially invalid parameters: Service Account Credentials”.

Error: “Unexpected exception reading PKCS data”.

Causes

These errors indicate that the Service Account Credentials contain an invalid private key value. This error is commonly caused by issues with the value that is entered into the Service Account field.

Resolving the problem

Follow these steps to resolve your invalid private key error.

  1. Check for any spelling mistakes or unnecessary characters in the User Account field.

  2. Reenter all fields.

  3. Create a service account credential file and enter it into the Service Account Credentials field.

Authorization Errors

Symptoms

Error: “An I/O operation failed or was interrupted. For further details, see the "Raw Error Message" and the additional messages”.

Error: “List of potentially invalid parameters: Service Account Credentials”.

Error: "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."

Causes

These errors relate to service account authorization. Authorization issues commonly occur when required permissions are not provided to the service account or user account. The service account needs domain wide read access. The user account requires reports access.

Resolving the problem

Follow these steps to resolve your authorization error.

  1. Verify that the service account is correctly configured with domain-wide services.

  2. Ensure that the user account has a role with reports access.

Invalid Email or Username Errors

Symptoms

Error: “An I/O operation failed or was interrupted.”

Error: "error_description" : "Not a valid email or user ID."

Error: “List of potentially invalid parameters : User Account and Service Account Credentials”.

Causes

These errors usually occur if the provided user account doesn’t exist, or the client_email field within the service account credentials is invalid. A common reason for this error is typographical errors in the user account field.

Resolving the problem

Ensure that the user account exists.

Invalid JSON Formatting

Symptoms

Error: “Service Account Credentials don't appear to be in a valid json format.”

Error: “An error occurred indicating a json parsing problem. Usually used when non-well-formed content (content that does not conform to JSON syntax as per specification) is encountered. For further details see the "Raw Error Message" and the additional messages”.

Error: “Invalid UTF-8 start byte”.

Error: “An error occurred indicating a json parsing problem. Usually used when non-well-formed content (content that does not conform to JSON syntax as per specification) is encountered. For further details see the "Raw Error Message" and the additional messages”.

Causes

These errors occur when the service account credentials are not in a valid JSON format.

Resolving the problem

Follow these steps to resolve your invalid JSON formatting error.

  1. Verify that the service account credentials are in a valid JSON format.

    Note

    An online JSON formatter can identify problems with the JSON format.

  2. If the error persists, generate a new service account credentials key.

Network Errors

Symptoms

Error: “Error obtaining sample events :: Network is unreachable (connect failed”.

Causes

JSA cannot connect to Google servers to receive Google G Suite Activity Reports events. This error can be related to many network issues, including proxy issues.

Resolving the problem

Follow these steps to resolve your network error.

  1. Ensure that the target event collector has access to the Internet.

  2. Ensure that there are no network configurations that are blocking access to Google Admin. Contact your network administrator if you are unable to connect to Google Admin.

  3. Check that the network can access the following hosts:

    • googleapis.com:443

    • oauth2.googleapis.com:443

Google G Suite Activity Reports FAQ

Use these frequently asked questions and answers to help you understand Google G Suite Activity Reports.

Why does the service account need domain-wide read access?

The domain-wide read access allows the service account to impersonate a user. Without domain-wide read access, the service account is unable to obtain reports access.

Why does the user account need reports access?

The events that the Google Activity Reports protocol retrieves all come from the reports function of Google Admin. This access is required to retrieve any events from the Google Activity Reports API.

Why does Google G Suite Activity Reports use service accounts to authorize access instead of other authentication methods?

The following document contains a section that is named “Service accounts,” which explains in detail the difference between service accounts and other methods of authorization. Service accounts are different from other methods of authorization because they can act without requiring user consent. Service accounts are intended for server to server communications.

What types of events are collected by the Google G Suite Activity Reports API?

This protocol collects only admin, user accounts, login, and drive events

Why do you need a user account if you have service account credentials?

For a service account to have access to the reports API it needs to impersonate an existing user.

What does a standard Service Account Credentials file look like?

In a real Service Account Credentials file, the empty fields are populated with values that are related to the service account.

{ "type": "service_account", "project_id": “”, "private_key_id": "", "private_key": "-----BEGIN PRIVATE KEY-----\n=\n-----END PRIVATE KEY-----\n", "client_email": "", "client_id": "", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": ""

What host and ports are used by this protocol?

The following hosts and ports are used by this protocol:

Host

Description

oauth2.googleapis.com:443

Authentication server used by Google to authenticate API access.

googleapis.com:443

Googles API server. Used to access the Google G Suite Activity Reports API.

Are there any alternatives to the officially documented authorization method?

The Google G Suite Activity Reports API requires both a user account and a service account. Due to these restrictions, it is not possible to delegate the required permissions to just the service account or just the user account. If the offered authorization method is not satisfactory, contact Juniper Customer Support .

Related Documentation