Document toolboxDocument toolbox

JumpCloud collector

Configuration requirements

To run this collector, there are some configurations detailed below that you need to consider.

Configuration

Details

Configuration

Details

JumpCloud credentials

It is necessary to have your credentials so you can configure the collector.

API token

It is necessary to have API Token.

API Key

You need to save your API key.

More information

Refer to the Vendor setup section to know more about these configurations.

Overview

JumpCloud works as a directory-as-a-service software solution that is designed to manage and connect hundreds of users to their respective applications, files, networks, and systems.

Directory insights allow you to read event logs, view activity in your directory, and monitor user authentications to the console, RADIUS, LDAP, and SSO apps. Directory insights analyze the audit trails that lead to critical events so you know what, where, how, and who of your directory activities.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

  • Not allowed

Running environments

  • Collector server

  • On-premise

Populated Devo events

  • Table

Flattening preprocessing

  • No

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

directory

Logs on activity in the Portal, including admin changes in the directory and admin/user authentications to the Portal.

/directory/v1/events
data body:

  • service: “

directory“

directory

auth.jumpcloud.directory.events

v1.0.0

systems

Logs about user authentications to systems including agent related events on lockout, password changes, and File Disk Encryption key updates.

/directory/v1/events
data body:

  • service: "

systems"

systems

auth.jumpcloud.system.events

v1.0.0

sso

Logs on user authentications to SAML applications.

/directory/v1/events
data body:

  • service: "

sso"

sso

auth.jumpcloud.sso.events

v1.0.0

radius

Logs on user authentications to RADIUS used for wifi and VPNs.

/directory/v1/events
data body:

  • service: "

radius"

radius

auth.jumpcloud.radius.events

v1.0.0

ldap

Logs about user authentications to LDAP, including LDAP bind and search events types.

/directory/v1/eventsdata body:

service: "

ldap"

ldap

auth.jumpcloud.ldap.events

v1.0.0

mdm

Logs about MDM command results.

/directory/v1/events
data body:

  • service: “

mdm“

mdm

auth.jumpcloud.mdm.events

v1.0.0

All events

Logs about all events.

/directory/v1/events
data body:

  • service: “

all“

all

It has autocategorization, it depends on the type of event:

  • auth.jumpcloud.directory.events

  • auth.jumpcloud.system.events

  • auth.jumpcloud.sso.events

  • auth.jumpcloud.radius.events

  • auth.jumpcloud.ldap.events

  • auth.jumpcloud.mdm.events

v1.0.0

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

Data source

Collector service

Optional

Flattening details

Source

Service

No

Flattening steps

Vendor setup

There are some requirements to set up this collector:

Generate API Token

  1. Login into JumpCloud.

  2. In the Administration Center go to the username drop-down in the upper right corner.

     

  3. Retrieve your API key from the API settings.

API Considerations

This API key is associated with the currently logged-in administrator. The API keys will be different for other administrators.

Keep the API Key

Keep this API key secret as it grants full access to any data accessible via your JumpCloud console account. You can also reset your API key in the same location in the JumpCloud Admin Console.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

api_key

Token for use JumpCloud API

Accepted authentication methods

Authentication method

Api key

Authentication method

Api key

Api key

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Events service

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

INFO InputProcess::MainThread -> CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> Starting thread INFO InputProcess::CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> Starting the execution of setup() INFO InputProcess::CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> The token/header/authentication is defined INFO InputProcess::CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> The token/header/authentication is valid INFO InputProcess::CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> Finalizing the execution of setup() INFO InputProcess::CollectorJumpCloudPullerSetup(andrea_jumpcloud_test,jumpcloud_collector#12345,mdm#predefined) -> Setup for module <CollectorJumpCloudPuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) Starting the execution of pre_pull() INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Reading persisted data INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Data retrieved from the persistence: {'last_polled_timestamp': 1667460688.0, 'historic_date_utc': 1664564634.0, 'ids_with_same_timestamp': ['63636e50ace1cf7d597b249a'], '@persistence_version': 0} INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Running the persistence upgrade steps INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Running the persistence corrections steps INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Running the persistence resetting steps INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> No changes detected in the persistence INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) Finalizing the execution of pre_pull() INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Starting data collection every 600 seconds INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Pull Started INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Number of mdm events received: 1000 INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Removing the duplicate detections if present... INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Number of mdm events sent to Devo: 999 INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> State last_polled_timestamp is updated with retrieving timestamp INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Saved state: {'last_polled_timestamp': 1667508039.0, 'historic_date_utc': 1664564634.0, 'ids_with_same_timestamp': ['636427473406b53302125184'], '@persistence_version': 0} INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1667547361635):Number of requests made: 1; Number of events received: 1000; Number of duplicated events filtered out: 1; Number of events generated and sent: 999; Average of events per second: 628.017. INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Number of mdm events received: 186 INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Removing the duplicate detections if present... INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Number of mdm events sent to Devo: 186 INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> State last_polled_timestamp is updated with retrieving timestamp INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Saved state: {'last_polled_timestamp': 1667547294.0, 'historic_date_utc': 1664564634.0, 'ids_with_same_timestamp': ['6364c09e528074dade39318b'], '@persistence_version': 0} INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1667547361635):Number of requests made: 2; Number of events received: 1186; Number of duplicated events filtered out: 1; Number of events generated and sent: 1185; Average of events per second: 587.138. INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1667547361635):Number of requests made: 2; Number of events received: 1186; Number of duplicated events filtered out: 1; Number of events generated and sent: 1185; Average of events per second: 586.865. INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> The data is up to date! INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Data collection completed. Elapsed time: 2.024 seconds. Waiting for 597.976 second(s) until the next one

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

INFO InputProcess::CollectorJumpCloudPuller(jumpcloud_collector,12345,mdm,predefined) -> Statistics for this pull cycle (@devo_pulling_id=1667547361635):Number of requests made: 2; Number of events received: 1186; Number of duplicated events filtered out: 1; Number of events generated and sent: 1185; Average of events per second: 586.865.

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the historic_date_utc parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

 

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

SetupError

100

The remote data is not pullable with the given credentials. Check the error traces for details.

This error is raised when remote data cannot be accessed with current credentials.

Check that the credentials are correct and that they have the necessary permissions.

101

The token/header/authentication was refreshed but is still expired. Check the error traces for details.

This error is raised when the token cannot be refreshed.

Check that the credentials are correct and contact the internal team if the problem persists.

InitVariablesError

1

The user config did not pass the format validation. Check error traces for details and visit our documentation.

This error is raised when the user configuration information does not comply with the json schema validation.

Check in the collector documentation what are the allowed parameters and their formats.

2

<rate_limiter> setting has been defined with wrong type.'Expected <dict> but received <{type(rate_limiter_config)>

This error is raised when the required rate_limiter property in the collector_definitions.yaml is not a dictionary.

This is an internal issue. Contact with Devo Support team.

3

The user config did not pass the format validation. Check error traces for details and visit our documentation.

This error is raised when the user configuration information does not comply with the json schema validation.

Check in the collector documentation what are the allowed parameters and their formats.

10

Required setting, historic_date_utc not of expected type: str

This error is raised when the parameter historic_date_utc is not in str format.

Update the historic_date_utc parameter in the configuration file so that it is in str format

11

Invalid value is provided for the historic_date. Provide the date in %Y-%m-%d "
f"%H:%M:%S format. Error message: <str(e)>

This error is raised when the parameter historic_date_utc does not meet the required format.

Update the historic_date_utc parameter in the configuration file so that it is in the required format.

12

Time format for historic date must be <date_format>. e.g. <example_date>

This error is raised when the parameter historic_date_utc does not meet the required format.

Update the historic_date_utc parameter in the configuration file so that it is in the required format.

12

historic datetime cannot be greater than the present UTC time

This error is raised when the parameter historic_date_utc is greater than the present UTC time.

Modify the historic_date_utc parameter in the config file to be less than the current date

PullError

300

Error occurred while retrieving events from JumpCloud server. Error details: <str(e)>

This error is raisedwhen an unknown error occurs in the Jumpcloud request.

This is an internal issue. Contact with Devo Support team.

301

The API Key provided is incorrect. Please specify the correct key. Status code: 401. Error message: <response.text>

This error is raised when the API key entered in the configuration file is incorrect.

Edit the config file with a correct API key.

302

The provided API Key is valid but they do not have the permission to get data token. status code: 403. Error message: <response.text>

This error is raised when the credentials does not have sufficient permissions to access the data.

Give the credentials the correct permissions to access the data.

303

Unexpected error occurred at the JumpCloud server. status code: <response.status_code>. Error message: <response.text>

This error is raised when an unknown error occurs in the Jumpcloud request.

This is an internal issue. Contact with Devo Support team.

304

After <max_number_of_retries> retries still getting the too many requests error.

This error is raised when the maximum number of attempts is reached after a 429 error (too many requests)

This is an internal issue. Contact with Devo Support team.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Initialization

The initialization module is in charge of setup and running the input (pulling logic) and output (delivering logic) services and validating the given configuration.

A successful run has the following output messages for the initializer module:

Events delivery and Devo ingestion

The event delivery module receives the events from the internal queues where all events are injected by the pullers and delivering them using the selected compatible delivery method.

A successful run has the following output messages for the initializer module:

Sender services

The Integrations Factory Collector SDK has 3 different senders services depending on the event type to delivery (internal, standard, and lookup). This collector uses the following Sender Services:

Sender services

Description

Sender services

Description

internal_senders

In charge of delivering internal metrics to Devo such as logging traces or metrics.

standard_senders

In charge of delivering pulled events to Devo.

Sender statistics

Each service displays its own performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displayes the number of events from the last time and following the given example, the following conclusions can be obtained:

  • 44 events were sent to Devo since the collector started.

  • The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.

  • 21 events where sent to Devo between the last UTC checkpoint and now.

  • Those 21 events required 0.007 seconds to be delivered.

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

  • The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.

  • The global pressure of the available memory is displayed in the global value.

  • All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

Change log for v1.x.x

 

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

v1.0.0

Nov 4, 2022

NEW FEATURE

 

New features:

Released first version of Jumpcloud collector with the following services:

  • directory: Logs activity in the Admin Portal, including admin changes in the directory and admin/user authentications to the Admin Portal.

  • radius: Logs user authentications to RADIUS, used for Wi-Fi and VPNs.

  • sso: Logs user authentications to SAML applications.

  • systems: Logs user authentications to MacOS, Windows, and Linux systems, including agent-related events on lockout, password changes, and File Disk Encryption key updates.

  • ldap: Logs user authentications to LDAP, including LDAP Bind and Search event types.

  • mdm: Logs MDM command results.

  • all: all the Logs.

 

Recommended version