
Hi,
I want to add workspace activity to Chronicle via Add feed --> 3rd party API and log type workspace Activities.

However, I have some information, but it does not completely fit the support documentation.

https://us.v-cdn.net/6031969/uploads/editor/yi/awkiwyu7r61e.png

I have this information, but the adding page asks me for differently named fields




https://us.v-cdn.net/6031969/uploads/editor/vn/4zy2j0tlbr2w.png


JWT Endpoint: < auth_uri>
JWT Issuer: < client_email>
JWT Subject: <email of the account created in your workspace and linked to the service account you created (client_email)>
JWT Audience: < auth_uri>
customer ID: <get from workspace Admin. Starts with a C>


I used this link: https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-workspace-logs
However, token_uri is written for 2 different fields, and I tried but I had a 401 login failed error.
Can you help me please?
Which fields are filled by which information? Thank you for your help


OAUTH JWT ENDPOINT - token_uri from Google Cloud Service Account JSON
JWT CLAIMS ISSUER - client_email from Google Cloud Service Account JSON
JWT CLAIMS SUBJECT - email address created for Workspace Service Account in your Workspace admin console
JWT CLAIMS AUDIENCE - token_uri from Google Cloud Service Account JSON
RSA PRIVATE KEY - remove all \n characters and replace with new lines
CUSTOMER ID - from your Google Admin console, i.e., workspace customer ID


Does that help?


I will try and return. Thank you so much


I tried the web site but it doesn't work. I will try it again. Token uri will be written twice, isn't it?


That's what I have from my notes yes


For info, in the near future there will be a new native Workspace connector which just requires you to enter a one-time code, and then logs will be pulled without requiring a Feed or Service Account. It's in testing at present, but it's far easier to configure, and also has the benefit of lower latency as the public APIs aren't all realtime


That is very good news. When will it be released?


@adam9 may be able to give an exact date, but it exists, and we're testing it in private preview, so soon...ish


Login failed with error code 401


RSA PRIVATE KEY - remove all \n characters and replace with new lines

Will that be done manually? Because there are some /n in the license except beginning and finishing


I'd try first of all just copying the RSA key with everything between the speech marks (") in the private_key field


I think since those notes Feed Management is more tolerant of \n characters


so include the trailing


newline


ok


Error code was changed after finishing \n characters




https://us.v-cdn.net/6031969/uploads/editor/m7/xus558nerygi.png


On NIX you can try a command like below to get the private_key:
cat workspace-sa-1234644b5678.json | jq -r '.private_key'

Or the windows version:
Get-Content workspace-sa-1234644b5678.json | ConvertFrom-Json | Select-Object -ExpandProperty private_key


Otherwise, I would try adding a feed for another type, e.g., try one of WORKSPACE_ACTIVITY, and WORKSPACE_ALERTS


If they both fail, it's a related issue, but if one works and the other doesn't then you narrow down there is an issue with that feed


And for WORKSPACE_ACTIVITY I usually set up one application first, then add more once that works
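
The field mapping and private-key newline handling discussed in this thread, as an added example that is not part of any participant's post: a Python script that reads a service account JSON and lists the value to paste into each feed field. The sample JSON, subject address and customer ID are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample with the same shape as a Google Cloud service account
# JSON key file. The key body is a placeholder, not a real key.
SAMPLE_SA_JSON = r'''{
  "client_email": "chronicle-feed@example-project.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERLINE1\nPLACEHOLDERLINE2\n-----END PRIVATE KEY-----\n",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}'''


def normalize_private_key(key: str) -> str:
    """Return the PEM with real line breaks and one trailing newline, whether
    the value was JSON-decoded or pasted from the file with literal \\n."""
    pem = key.strip().strip('"').replace("\\n", "\n").strip() + "\n"
    lines = pem.splitlines()
    if not (lines[0].startswith("-----BEGIN") and lines[-1].startswith("-----END")):
        raise ValueError("private_key is missing its BEGIN/END lines")
    if any(" " in line or "\\" in line for line in lines[1:-1]):
        raise ValueError("private_key body still contains spaces or backslashes")
    return pem


def feed_fields(sa_json_text: str, workspace_subject: str, customer_id: str) -> dict:
    """Map the service account JSON onto the feed form labels from the reply above."""
    sa = json.loads(sa_json_text)
    return {
        "OAUTH JWT ENDPOINT": sa["token_uri"],   # token_uri, not auth_uri
        "JWT CLAIMS ISSUER": sa["client_email"],
        "JWT CLAIMS SUBJECT": workspace_subject,  # Workspace account, entered by hand
        "JWT CLAIMS AUDIENCE": sa["token_uri"],  # same token_uri a second time
        "RSA PRIVATE KEY": normalize_private_key(sa["private_key"]),
        "CUSTOMER ID": customer_id,               # from the Google Admin console
    }


if __name__ == "__main__":
    # Subject and customer ID below are constructed placeholder values.
    fields = feed_fields(SAMPLE_SA_JSON, "feed-reader@example.com", "C0000000")
    for label, value in fields.items():
        print(f"{label}:\n{value}\n")
```
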