Hi everyoneI’m currently testing log ingestion from a Linux VM to Google SecOps (Chronicle) using Bindplane (no Chronicle Forwarder, only the Bindplane agent and gRPC).In the Bindplane destination, I’m using: Protocol: gRPC Endpoint: malachiteingestion-pa.googleapis.com Auth: json, with the Ingestion Authentication File from SecOps Correct Customer ID But on the VM, the Chronicle exporter always shows:"error": "upload to chronicle: Permanent error: 403 Forbidden" Any idea what can cause a 403 in this case, or anything that must be enabled/checked on the SecOps side?Thanks!

Hi Melissa,Sounds like you are using all the right settings. A few things you can check:Verify is that there are no new lines or spaces at the end of your json when pasting.Check the time on your collectorVerify that you do not have something in the path making changes (proxy,firewall)

Question

403 Forbidden when sending logs from Bindplane to Google SecOps (gRPC)

Forum|Forum|12 days ago
November 27, 2025
5 replies
42 views

+1

melissagr
Bronze 1

Hi everyone

I’m currently testing log ingestion from a Linux VM to Google SecOps (Chronicle) using Bindplane (no Chronicle Forwarder, only the Bindplane agent and gRPC).

In the Bindplane destination, I’m using:

Protocol: gRPC
Endpoint: malachiteingestion-pa.googleapis.com
Auth: json, with the Ingestion Authentication File from SecOps
Correct Customer ID

But on the VM, the Chronicle exporter always shows:

"error": "upload to chronicle: Permanent error: 403 Forbidden"

Any idea what can cause a 403 in this case, or anything that must be enabled/checked on the SecOps side?

Thanks!

TheBindplaneDude
New Member
Forum|Forum|12 days ago
November 27, 2025

Hi Melissa,

Sounds like you are using all the right settings. A few things you can check:

Verify is that there are no new lines or spaces at the end of your json when pasting.
Check the time on your collector
Verify that you do not have something in the path making changes (proxy,firewall)

Like

+1

melissagr
Author
Bronze 1
Forum|Forum|12 days ago
November 28, 2025

Hi @TheBindplaneDude ,

thanks a lot for your reply.

I’ve double-checked the ingestion JSON: it’s clean (no extra characters, no spaces or new lines after the final }), and I re-pasted it from the original file just to be sure.

I also tested the other method in Bindplane (using the file path to the ingestion JSON instead of pasting it directly), and I still get the exact same error:
Permanent error: 403 Forbidden from the Chronicle exporter.

Time on the collector is correct and NTP-synced, and there is no proxy in the path.

Is there anything else on the Chronicle / tenant side that could cause a 403 with a valid ingestion auth file?

Like

TheBindplaneDude
New Member
Forum|Forum|11 days ago
November 28, 2025

@melissagr Honestly, this sounds like there is a problem with the auth token. You could open a google ticket and see if they can regenerate it for you. The other option is to create a service account in the project and use https as the protocol version.

https://docs.bindplane.com/how-to-guides/google-secops/google-secops-configuring-the-https-dataplane-api-protocol

You also have more control over your tokens if you go this route.

Like

TheBindplaneDude
New Member
Forum|Forum|13 hours ago
December 9, 2025

Hi @melissagr were you able to get this working?

Like

+1

melissagr
Author
Bronze 1
Forum|Forum|1 hour ago
December 10, 2025

Hi @TheBindplaneDude Not yet the person who manages GCP access on our side is still working on getting the correct key, so I haven’t been able to test the HTTPS Dataplane setup yet. I’ll update here as soon as I can try it. Thanks again!

Like

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded