Table of Contents | ||||||
---|---|---|---|---|---|---|
|
Overview
The 1Password collector pulls data from With 1Password Collector, you can send your account activity to Devo using the 1Password Events Reporting API. This API and forwards to Devocan report 1Password activity like sign-in attempts, item usage, and audit events.
Devo collector features
Feature | Details |
---|---|
Allow parallel downloading ( |
|
Running environments |
|
Populated Devo events |
standard
| |
Flattening pre-processing |
|
Allowed source events obfuscation |
|
Data sources
Data source | Description | API |
---|
endpoint | Collector |
---|
service name | Devo |
---|
table | Available from release | ||||
---|---|---|---|---|---|
Audit Events | Returns a list of audit events from the Activity Log. |
| |
|
|
Item Usage |
Actions | Returns a list of account activity events. |
|
|
TBD
|
|
Sign-in Attempts | Returns |
a list of sign-in attempts. |
|
|
|
|
/api/v1/signinattempts
sign_in_attempts
TBD
v1.0.0
Vendor setup
Generate a bearer token
...
|
API limits
The Events API limits requests to 600 per minute and up to 30,000 per hour. Exceeding these limits will return an error "429 Too many requests".
The API can access data from the last 120 days. If you need to access data from more than 120 days ago, you can use the Activity Log in your 1Password account.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Setting | Details |
---|---|
| A token can access data for one or more events, depending on which events were scoped when the token was created. Make sure the bearer token you use has access to the events you want to request. You can verify this from the Events Reporting integration details in the Integrations section of your 1Password account or through a GET request to the introspection endpoint. |
| The |
Accepted authentication methods
Every call to the 1Password Events API must be authorized with a bearer token. You must include your bearer token in the collector configuration.
For example:
Authentication method | Details |
---|---|
| You will need your |
Vendor setup
Before you can use the 1Password Events API, you'll need to:
Set up an Events Reporting integration in your account.
Create a bearer token and select the event features it can access.
To create a bearer token:
Sign in to your account on Password Manager for Families, Businesses, Teams | 1Password http://1Password.com and click Integrations in the sidebar.
Choose the Events Reporting integration where you want to issue a token and click “Add Add a token”token.
Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then click Issue Token.
Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
Info |
---|
Additional Information: Get started with 1Password Events Reporting | issue or revoke bearer tokens |
Identify Your 1Password server
The URL of the server that hosts your 1Password account is required in order to make requests to the 1Password Events API.
...
If your account is on:
...
Your Events API URL is:
...
Treat your token like a password
The security of your 1Password application is tied to the security of your token. Secure it as you would any sensitive credential. Do not share it with unauthorized individuals or email it to anyone under any circumstances!
Connectivity requirements
The 1Password Events API is a REST-style API that follows the OpenAPI 3.0 Specifications. All communications between clients and servers are over HTTPS.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. To enable the collector for a customer:
Editing the JSON configuration
Please replace the placeholders with real world values following the description table below:
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below:
|
...
|
...
|
...
|
...
|
...
Info |
---|
Additional Information: Get started with 1Password Events Reporting | Servers |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Info |
---|
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details. |
...
Setting
...
Details
...
base_url
...
The URL of the server that hosts your 1Password account
...
token
...
Access token created in the 1Password console.
Info |
---|
See the Accepted authentication methods section to verify what settings are required based on the desired authentication method. |
Run the collector
...
Download the Docker imageThe collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
The Docker image can be deployed on the following services: DockerExecute the following command on the root directory
Docker ComposeThe following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
|
Collector services detail
For all the services
Devo categorization and destination
Please check the section Data Source Description to learn about the target tables for each service.
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
Edit the configuration file.
Change the value of the
start_time_value
to a different one.Save the changes.
Restart the collector.
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Configuration errors
Error type | Error ID | Error message | Cause | Solution |
---|---|---|---|---|
| 1 | The parameter configuration is missing and it is mandatory | The parameter is missing in the configuration | Check the documentation and update the configuration accordingly |
| 2 | The parameter setting must be a valid instance of < | The parameter type in the configuration is incorrect | Check the documentation and update the configuration accordingly |
| 3 | The parameter setting must not be an empty string | The parameter is present in the configuration but it is empty | Check the documentation and update the configuration accordingly |
| 200 | <Variable_text> | Some errors happened when accessing the persistence | Contact Devo Support |
| 4xx-5xx | The execution of the 1Password request is having an unexpected response | Some errors happened when accessing the 1Password API | Usually, this error gets fixed in the next iteration. If it is a repeating error, please get in touch with Devo Support |
Collector operations
Verify collector operations
This is for the standalone mode only. You can check the information in the following sections to verify the correct collector operation.
Initialization
The initialization module validates the given configuration and runs the setup, the input (pulling logic), and output (delivering logic) services. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-<name>\config\config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False |
Event delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all the events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:23:00.788 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842 INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)", |
Sender services
The Integrations Factory Collector SDK has 3 different sender services depending on the event type to deliver (internal, standard, and lookup). This collector uses the following Sender Services:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders. |
Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds) | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
By default, these traces will be shown every 10 minutes. |
Sender statistics
Each service displays its performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. |
Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
|
Check memory usage
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
Code Block |
---|
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB) |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||
---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
| ||||||
|
|
|
|
| ||||||
|
|
|
|
| ||||||
|
|
| Added
Changed
|
|