1Password collector

[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 API limits ] [ 5 Minimum configuration required for basic pulling ] [ 6 Accepted authentication methods ] [ 7 Vendor setup ] [ 8 Run the collector ] [ 9 Collector services detail ] [ 10 Troubleshooting ] [ 11 Collector operations ] [ 12 Change log ]

Overview

With 1Password Collector, you can send your account activity to Devo using the 1Password Events Reporting API. This API can report 1Password activity like sign-in attempts, item usage, and audit events.

Devo collector features

Feature	Details

Feature	Details
Allow parallel downloading (`multipod`)	`not allowed`
Running environments	`collector server` `on premise`
Populated Devo events	`table`
Flattening pre-processing	`no`
Allowed source events obfuscation	`yes`

Data sources

Data source	Description	API endpoint	Collector service name	Devo table	Available from release

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Audit Events	Returns a list of audit events from the Activity Log.	`/api/v1/auditevents`	`audit`	`auth.agilebits.onepassword.audit`	`v1.0.1`
Item Usage Actions	Returns a list of account activity events.	`/api/v1/itemusages`	`item_usage`	`auth.agilebits.onepassword.itemusage`	`v1.0.0`
Sign-in Attempts	Returns a list of sign-in attempts.	`/api/v1/signinattempts`	`sign_in_attempts`	`auth.agilebits.onepassword.signinattempt`	`v1.0.0`

API limits

The Events API limits requests to 600 per minute and up to 30,000 per hour. Exceeding these limits will return an error "429 Too many requests".

The API can access data from the last 120 days. If you need to access data from more than 120 days ago, you can use the Activity Log in your 1Password account.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

Setting	Details

Setting	Details
`base_url`	A token can access data for one or more events, depending on which events were scoped when the token was created. Make sure the bearer token you use has access to the events you want to request. You can verify this from the Events Reporting integration details in the Integrations section of your 1Password account or through a GET request to the introspection endpoint.
`token`	The `base_url` is required to authenticate the requests. This is the URL for the different requests.

Accepted authentication methods

Every call to the 1Password Events API must be authorized with a bearer token. You must include your bearer token in the collector configuration.

For example:

Authentication method	Details

Authentication method	Details
`token`	You will need your `token` to connect to the `base_url`.

Vendor setup

Before you can use the 1Password Events API, you'll need to:

Sign up for 1Password Business.
Set up an Events Reporting integration in your account.
Create a bearer token and select the event features it can access.

To create a bearer token:

Sign in to your account on http://1Password.com and click Integrations in the sidebar.
Choose the Events Reporting integration where you want to issue a token and click Add a token.
Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then click Issue Token.
Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

Treat your token like a password

The security of your 1Password application is tied to the security of your token. Secure it as you would any sensitive credential. Do not share it with unauthorized individuals or email it to anyone under any circumstances!

Connectivity requirements

The 1Password Events API is a REST-style API that follows the OpenAPI 3.0 Specifications. All communications between clients and servers are over HTTPS.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

For all the services

Devo categorization and destination

Please check the section Data Source Description to learn about the target tables for each service.

Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the start_time_value to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Configuration errors

Error type	Error ID	Error message	Cause	Solution

Error type	Error ID	Error message	Cause	Solution
`InitVariablesError`	1	The parameter configuration is missing and it is mandatory	The parameter is missing in the configuration	Check the documentation and update the configuration accordingly
`InitVariablesError`	2	The parameter setting must be a valid instance of <`type_A`> not <`type_B`>	The parameter type in the configuration is incorrect	Check the documentation and update the configuration accordingly
`InitVariablesError`	3	The parameter setting must not be an empty string	The parameter is present in the configuration but it is empty	Check the documentation and update the configuration accordingly
`PrePullError`	200	<Variable_text>	Some errors happened when accessing the persistence	Contact Devo Support
`Error`	4xx-5xx	The execution of the 1Password request is having an unexpected response	Some errors happened when accessing the 1Password API	Usually, this error gets fixed in the next iteration. If it is a repeating error, please get in touch with Devo Support

Collector operations

Verify collector operations

This is for the standalone mode only. You can check the information in the following sections to verify the correct collector operation.

Initialization

The initialization module validates the given configuration and runs the setup, the input (pulling logic), and output (delivering logic) services. A successful run has the following output messages for the initializer module:

2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-<name>\config\config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False

Event delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all the events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:

2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)",

Sender services

The Integrations Factory Collector SDK has 3 different sender services depending on the event type to deliver (internal, standard, and lookup). This collector uses the following Sender Services:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

Sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events were sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

By default, these traces will be shown every 10 minutes.

Sender statistics

Each service displays its performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace	Description

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

Sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

57 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
0 events were sent to Devo between the last UTC checkpoint and now.
Those 0 events required 0.00 seconds to be delivered.

Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

  INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
  INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Change log

Release	Released on	Release type	Details	Recommendations

Release	Released on	Release type	Details	Recommendations
`v1.1.0`	`2024-08-30`	IMPROVEMENTS	Updated DC SDK to `v1.12.4` Upgraded Docker Base image to `1.3.0`.	`Recommended version`
`v1.0.1`	`2023-11-08`	IMPROVEMENTS	Update default tag for audit logs	`Upgrade`
`v1.0.0`	`2023-11-01`	IMPROVEMENTS	Updated DCSDK from `1.4.1` to `1.9.2`: Upgrade internal dependencies Store lookup instances into DevoSender to avoid creation of new instances for the same lookup Ensure service_config is a dict into templates Ensure special characters are properly sent to the platform Changed log level to some messages from info to debug Changed some wrong log messages Upgraded some internal dependencies Changed queue passed to setup instance constructor Ability to validate collector setup and exit without pulling any data Ability to store in the persistence the messages that couldn't be sent after the collector stopped Ability to send messages from the persistence when the collector starts and before the puller begins working Ensure special characters are properly sent to the platform Added a lock to enhance sender object Added new class attrs to the setstate and getstate queue methods Fix sending attribute value to the setstate and getstate queue methods Added log traces when queues are full and have to wait Added log traces of queues time waiting every minute in debug mode Added method to calculate queue size in bytes Block incoming events in queues when there are no space left Send telemetry events to Devo platform Upgraded internal Python dependency Redis to v4.5.4 Upgraded internal Python dependency DevoSDK to v5.1.3 Fixed obfuscation not working when messages are sent from templates d New method to figure out if a puller thread is stopping Upgraded internal Python dependency DevoSDK to v5.0.6 Improved logging on messages/bytes sent to Devo platform Fixed wrong bytes size calculation for queues New functionality to count bytes sent to Devo Platform (shown in console log) Upgraded internal Python dependency DevoSDK to v5.0.4 Fixed bug in persistence management process, related to persistence reset Aligned source code typing to be aligned with Python 3.9.x Inject environment property from user config Obfuscation service can be now configured from user config and module definiton Obfuscation service can now obfuscate items inside arrays	`Upgrade`
`v0.1.2`	`2023-01-18`	IMPROVEMENTS	Added More log traces related to execution environment details Global rate limiters functionality Extra checks for supporting MacOS as a development environment Obfuscation functionality Changed Some log traces now are shown less frequently The default value for the logging frequency for "main" processes has been changed (to 120 seconds) Updated some Python Packages Controlled stopping functionality more stable when using the "template" Improved some log messages related to Devo certificates (when using the Devo sender) Validate JSON objects before saving them to persistence (using the filesystem)	`Upgrade`