Skip to main content

There are two endpoints for log ingestion into SecOps:

  • europe-malachiteingestion-pa.googleapis.com

  • chronicle.googleapis.com

Whether using the APIs directly, or via the bindplane agent, we can get successfully logs into our SecOps instance.

The "legacy" Malachite API works perfectly. The logs, labels, and base_labels are added, meaning Data RBAC works as expected.

metadata.base_labels.allow_scoped_access = true

metadata.base_labels.ingestion_kv_labels[0].key = "attempt_id"

metadata.base_labels.ingestion_kv_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"

metadata.ingestion_labels[0].key = "attempt_id"

metadata.ingestion_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"

The v1alpha, chronicle API allows our logs to be ingested. The ingestion labels are visible in SecOps, but the base_labels are not added to the metadata. Data RBAC does not work.

metadata.ingestion_labels.rbac_enabled = true

metadata.ingestion_labels[0].key = "attempt_id"

metadata.ingestion_labels[0].value = "597901e6cbfb490e8903fb660da2b4e0"

We have scratched our heads with this for a while, and suspect it is a bug. Similar (recent) posts in the community also seem to support this.

We want to use the v1alpha API for DataRBAC. The logs seem to be missing base_labels which seem to be stopping Data RBAC from working.

@cmmartin_google Any ideas? In one of your blogs, mention ingestion labels , do you know if this is a bug, or if we are doing something wrong? Cheers

@akingscote This is a bug, engineering is aware of it but please submit a support case.  This allows us to prioritize properly and will get you notifications for when the issue is resolved.

@akingscote This is a bug, engineering is aware of it but please submit a support case.  This allows us to prioritize properly and will get you notifications for when the issue is resolved.


Cheers Jeremy, we have submitted a ticket with our reseller, who hopefully will pass any information on.

Here is some more information that might help:

  • When using the Bindplane agent to send logs via gRPC, the necessary fields are populated, and Data RBAC works.
  • According to the Bindplane documentation (source), gRPC selects the legacy API (europe-malachiteingestion-pa.googleapis.com).
  • When switching to the HTTPS API, which selects the DataPlane API, the required labels (metadata.base_labels.ingestion_kv_labels) are missing, causing Data RBAC to fail.

We are able to manually ingest data via HTTPS with the Ingestion API, but the data labels do not appear in metadata.base_labels.ingestion_kv_labels, meaning Data RBAC does not work.

Cheers Jeremy, we have submitted a ticket with our reseller, who hopefully will pass any information on.

Here is some more information that might help:

  • When using the Bindplane agent to send logs via gRPC, the necessary fields are populated, and Data RBAC works.
  • According to the Bindplane documentation (source), gRPC selects the legacy API (europe-malachiteingestion-pa.googleapis.com).
  • When switching to the HTTPS API, which selects the DataPlane API, the required labels (metadata.base_labels.ingestion_kv_labels) are missing, causing Data RBAC to fail.

We are able to manually ingest data via HTTPS with the Ingestion API, but the data labels do not appear in metadata.base_labels.ingestion_kv_labels, meaning Data RBAC does not work.


Apparently a fix is planned for Q2 🙃

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.