Question

SecOps Ingestion API returns HTTP 400 when including log_type field

  • October 30, 2025
  • 6 replies
  • 72 views

BrayanM

Hey everyone,

I’m currently working on a script that retrieves logs from one of our JSON sources and formats them into UDM events for ingestion into Google SecOps using the Ingestion API.

Here’s an example of the formatted UDM payload I’m trying to send:

 

{
  "customerId": "Obfuscated",
  "log_type": "Obfuscated",
  "events": [
    {
      "metadata": {
        "eventTimestamp": "2025-10-29T16:17:30.954000+00:00",
        "eventType": "GENERIC_EVENT"
      },
      "additional": {
        "severity": "DEBUG",
        "message": "SUCCESS - Authorization Code Generated"
      }
    }
  ]
}

 

Whenever I include the log_type field, the API responds with:

 

[ERROR] HTTP 400 Bad Request
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}

 

However, if I remove the log_type field, the request succeeds and returns HTTP 200 OK.

According to Google’s documentation, the log_type parameter is required and should be included in the body as shown here:
👉 https://cloud.google.com/chronicle/docs/reference/ingestion-api

Has anyone else run into this issue? Is there something I’m missing in how the log_type parameter should be structured or where it should be placed in the request body?

Thanks in advance for any insights!

6 replies

mikewilusz
Staff
  • Staff
  • October 31, 2025

If you are parsing the event into UDM with your own code and not a parser within SecOps, a log_type is not required. The log_type is for setting which parser is needed. In reviewing the docs you linked, the udmevents endpoint does not require the log_type to be set (nor does it allow it): https://cloud.google.com/chronicle/docs/reference/ingestion-api#udmevents

 

-mike


JSpoorSonic
  • Bronze 3
  • October 31, 2025

We need a log_type to be able to parse the data.

We have already defined a custom log type in SecOps, and are working on a custom parser.

We just need the ability to send the right logtype.


JSpoorSonic
  • Bronze 3
  • October 31, 2025

Addendum, if we do this:

 


body = {
    "customerId": CUSTOMER_ID,
    "logtype": "CSE",
    "events": events
}

 

[ERROR] HTTP 400 Bad Request
{
  "error": {
    "code": 400,
    "message": "Invalid JSON payload received. Unknown name \"logtype\": Cannot find field.",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.BadRequest",
        "fieldViolations": [
          {
            "description": "Invalid JSON payload received. Unknown name \"logtype\": Cannot find field."
          }
        ]
      }
    ]
  }
}

 

if we do this:

body = {
    "customerId": CUSTOMER_ID,
    "logType": "CSE",
    "events": events
}

 

we get this

[ERROR] HTTP 400 Bad Request
{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}


JSpoorSonic
  • Bronze 3
  • October 31, 2025

Apologies if you are in dark mode, I made the actual text black…. So it got hidden...


cmmartin_google
Staff

If you are sending raw logs you’d use import.logs, and you need a parser and can specify a log_type, but if you have already created the UDM event and are using import.events then as you have already created the UDM object it is automatically of log_type = UDM, and so you can’t specify it.

 

The same holds for the legacy endpoints too - https://docs.cloud.google.com/chronicle/docs/reference/ingestion-api#udmevents
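
Added example, not part of any reply in this thread and not Google's code: a Python sketch of the split the staff answers describe, building a UDM body without a log type and a raw-log body with one, plus a pre-send check for the log-type keys that drew the 400 responses above. The `unstructuredlogentries:batchCreate` method name and the `entries`/`log_text` fields are assumptions based on the legacy Ingestion API reference; `build_request` and `preflight` are hypothetical helper names.

```python
import json

UDM_METHOD = "udmevents:batchCreate"               # endpoint linked in the thread
RAW_METHOD = "unstructuredlogentries:batchCreate"  # assumed legacy raw-log method
LOG_TYPE_KEYS = {"log_type", "logType", "logtype"}  # spellings tried in the thread

# UDM event from the original post; the raw line below is constructed sample data.
SAMPLE_UDM_EVENT = {
    "metadata": {"eventTimestamp": "2025-10-29T16:17:30.954000+00:00",
                 "eventType": "GENERIC_EVENT"},
    "additional": {"severity": "DEBUG",
                   "message": "SUCCESS - Authorization Code Generated"},
}
SAMPLE_RAW_LINE = '{"severity": "DEBUG", "message": "constructed sample"}'


def build_request(customer_id, *, udm_events=None, raw_lines=None, log_type=None):
    """Return (method, body) for exactly one of the two ingestion paths."""
    if (udm_events is None) == (raw_lines is None):
        raise ValueError("pass exactly one of udm_events or raw_lines")
    if udm_events is not None:
        if log_type is not None:
            raise ValueError("UDM events are already parsed; log_type is not allowed")
        return UDM_METHOD, {"customerId": customer_id, "events": list(udm_events)}
    if not log_type:
        raise ValueError("raw logs need a log_type so SecOps can select the parser")
    entries = [{"log_text": line} for line in raw_lines]  # assumed field names
    return RAW_METHOD, {"customerId": customer_id, "log_type": log_type,
                        "entries": entries}


def preflight(method, body):
    """List problems that would draw the HTTP 400 responses shown in the thread."""
    problems = []
    present = sorted(LOG_TYPE_KEYS.intersection(body))
    if method == UDM_METHOD and present:
        problems.append(f"remove {present} from a UDM body")
    if method == RAW_METHOD and "log_type" not in body:
        problems.append("raw-log body is missing log_type")
    return problems


if __name__ == "__main__":
    for kwargs in ({"udm_events": [SAMPLE_UDM_EVENT]},
                   {"raw_lines": [SAMPLE_RAW_LINE], "log_type": "CSE"}):
        method, body = build_request("CUSTOMER_ID_PLACEHOLDER", **kwargs)
        print(method, preflight(method, body), json.dumps(body)[:60])
```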


JSpoorSonic
  • Bronze 3
  • November 3, 2025

Thanks!

We are working on the parser as we speak