Question

403 Forbidden when sending logs from Bindplane to Google SecOps (gRPC)

  • November 27, 2025
  • 8 replies
  • 241 views

melissagr

Hi everyone

I’m currently testing log ingestion from a Linux VM to Google SecOps (Chronicle) using Bindplane (no Chronicle Forwarder, only the Bindplane agent and gRPC).

In the Bindplane destination, I’m using:

  • Protocol: gRPC

  • Endpoint: malachiteingestion-pa.googleapis.com

  • Auth: json, with the Ingestion Authentication File from SecOps

  • Correct Customer ID

But on the VM, the Chronicle exporter always shows:

"error": "upload to chronicle: Permanent error: 403 Forbidden" 

Any idea what can cause a 403 in this case, or anything that must be enabled/checked on the SecOps side?

Thanks!

8 replies

TheBindplaneDude

Hi Melissa,

Sounds like you are using all the right settings.  A few things you can check:

  • Verify that there are no new lines or spaces at the end of your JSON when pasting.
  • Check the time on your collector
  • Verify that you do not have something in the path making changes (proxy, firewall)

melissagr
  • Author
  • Bronze 2
  • November 28, 2025

Hi ​@TheBindplaneDude ,

thanks a lot for your reply.

I’ve double-checked the ingestion JSON: it’s clean (no extra characters, no spaces or new lines after the final }), and I re-pasted it from the original file just to be sure.

I also tested the other method in Bindplane (using the file path to the ingestion JSON instead of pasting it directly), and I still get the exact same error:
Permanent error: 403 Forbidden from the Chronicle exporter.

Time on the collector is correct and NTP-synced, and there is no proxy in the path.

Is there anything else on the Chronicle / tenant side that could cause a 403 with a valid ingestion auth file?


TheBindplaneDude

@melissagr Honestly, this sounds like there is a problem with the auth token. You could open a Google ticket and see if they can regenerate it for you. The other option is to create a service account in the project and use https as the protocol version.

https://docs.bindplane.com/how-to-guides/google-secops/google-secops-configuring-the-https-dataplane-api-protocol

You also have more control over your tokens if you go this route.


TheBindplaneDude

Hi ​@melissagr were you able to get this working?


melissagr
  • Author
  • Bronze 2
  • December 10, 2025

Hi @TheBindplaneDude, not yet. The person who manages GCP access on our side is still working on getting the correct key, so I haven’t been able to test the HTTPS Dataplane setup yet. I’ll update here as soon as I can try it. Thanks again!


melissagr
  • Author
  • Bronze 2
  • December 12, 2025

Hi ​@melissagr were you able to get this working?

Yes, now it’s working. I can see the logs in SecOps.
The issue was actually with the endpoint. In the doc for Paris (France) it mentions using:
https://europe-west9-malachiteingestion-pa.googleapis.com
but this endpoint didn’t work in my case.

I tried using https://europe-malachiteingestion-pa.googleapis.com instead, and with that endpoint the ingestion started working correctly.

Thanks again for your help!


matthewnichols
Community Manager
  • Community Manager
  • December 12, 2025

@melissagr Thanks for sharing the solution you found! Glad you got it working. ​@TheBindplaneDude Community appreciates your help!


capybarahunter

It happened to me also! 
I've made changes from http://malachiteingestion-pa.googleapis.com/ to http://asia-southeast1-malachiteingestion-pa.googleapis.com/. Btw, I was feeling around earlier changing it to asia-southeast1 because that's the general naming convention in GCP Singapore region and I tried using that.
It looks like Google/BindPlane need to update the default configuration file with the correct endpoint after inputting the cred from SecOps.
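
An added example, not part of any post in this thread and not Bindplane or Google code: an offline pre-flight check for two items raised above, stray whitespace or damage in the pasted ingestion JSON, and which location prefix the configured endpoint carries, so it can be compared with the tenant's region. It assumes the ingestion authentication file is a standard Google service-account key; the function names and the sample credential are constructed.

```python
import json
from urllib.parse import urlsplit

# Assumption: the ingestion authentication file is a standard Google
# service-account key, so these fields should be present.
REQUIRED_KEYS = ("type", "project_id", "private_key", "client_email", "token_uri")
BASE_HOST = "malachiteingestion-pa.googleapis.com"  # default host from the thread

# Constructed sample credential; every value is a placeholder.
SAMPLE_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "PLACEHOLDER-NOT-A-KEY",
    "client_email": "ingest@example-project.iam.gserviceaccount.com",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def check_auth_json(raw):
    """Return a list of problems found in a pasted ingestion auth JSON string."""
    findings = []
    if raw != raw.strip():
        findings.append("leading or trailing whitespace/newline around the JSON")
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return findings + [f"not valid JSON: {exc.msg} (char {exc.pos})"]
    if not isinstance(doc, dict):
        return findings + ["top-level JSON value is not an object"]
    missing = [k for k in REQUIRED_KEYS if not doc.get(k)]
    if missing:
        findings.append("missing or empty fields: " + ", ".join(missing))
    return findings


def endpoint_location(endpoint):
    """Return (host, location_prefix); prefix is None for the default host."""
    host = urlsplit(endpoint if "://" in endpoint else "//" + endpoint).hostname or ""
    if host == BASE_HOST:
        return host, None
    if host.endswith("-" + BASE_HOST):
        return host, host[: -len(BASE_HOST) - 1]
    raise ValueError(f"not a {BASE_HOST} endpoint: {endpoint!r}")


if __name__ == "__main__":
    print(check_auth_json(SAMPLE_JSON + "\n"))
    for ep in ("malachiteingestion-pa.googleapis.com",
               "https://europe-malachiteingestion-pa.googleapis.com"):
        print(endpoint_location(ep))
```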