Document toolboxDocument toolbox

Lark Suite collector

Owned by Juan Tomás Alonso Nieto (Deactivated), created
Last updated: Dec 02, 2024 by Pulkit Vajpayee
23 min read
[ 1 Overview ] [ 2 Devo collector features ] [ 3 Data sources ] [ 4 Flattening preprocessing ] [ 5 Minimum configuration required for basic pulling ] [ 6 API limits, delays, known Issues ] [ 7 Accepted authentication methods ] [ 8 Run the collector ] [ 9 Collector services detail ] [ 10 Collector operations ] [ 11 Change log ]

Overview

Lark is an all-in-one productivity solution that includes chat, scheduling, docs, video conferencing, auto-translation and more in a single platform.

Devo collector features

Feature

Details

Feature

Details

Allow parallel downloading (multipod)

not allowed

Running environments

  • collector server

  • on-premise

Populated Devo events

table

Flattening preprocessing

no

Data sources

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

audit_infos

Returns all the audit logs.

admin/v1/audit_infos

audit_infos

app.lark.audit.event

v1.0.0

admin_log

Returns all the aud admin logs.

aud_admin_logs

admin_log

app.lark.admin.log

v1.3.0

dlp_execute_log

Returns all the DLP Execute logs.

dlp_execute_logs

dlp_execute_log

app.lark.dlp.log

v1.3.0

For more information on how the events are parsed, visit our page.

Flattening preprocessing

Data source

Collector service

Optional

Flattening details

Data source

Collector service

Optional

Flattening details

audit_infos

audit_infos

yes

not required

admin_log

aud_admin_logs

yes

not required

dlp_execute_log

dlp_execute_logs

yes

not required

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.

This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details.

Setting

Details

Setting

Details

app_id

The app ID to generate the auth token for authentication.

app_secret

The app secret key to.generate the auth token for authentication.

API limits, delays, known Issues

The API only allows 2 valid auth tokens at a time, so you should avoid using the credentials used for the collector should not be used somewhere else while its running.

Duplicate DLP Executive Logs in API Response :

The API occasionally returns duplicate entries for the same log when queried. This behaviour occurs on the API side and is currently unresolved.

Accepted authentication methods

Authentication method

app_id

app_secret

Authentication method

app_id

app_secret

Bearer auth token

REQUIRED

REQUIRED

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

Audit info

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in a organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

2024-06-24T08:09:59.388 INFO OutputProcess::MainThread -> ConsoleSenderManager(lookup_senders,manager,console_1) -> Starting thread 2024-06-24T08:09:59.389 INFO OutputProcess::MainThread -> DevoSender(internal_senders,devo_sender_0) -> Starting thread 2024-06-24T08:09:59.390 INFO OutputProcess::ConsoleSenderManager(lookup_senders,manager,console_1) -> [EMERGENCY PERSISTENCE SYSTEM] ConsoleSenderManager(lookup_senders,manager,console_1) -> Nothing retrieved from the persistence. 2024-06-24T08:09:59.390 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(internal_senders,devo_2) -> Starting thread (every 300 seconds) 2024-06-24T08:09:59.391 INFO OutputProcess::OutputLookupConsumer(lookup_senders_consumer_0) -> [EMERGENCY PERSISTENCE SYSTEM] OutputLookupConsumer(lookup_senders_consumer_0) -> Nothing retrieved from the persistence. 2024-06-24T08:09:59.391 INFO OutputProcess::MainThread -> DevoSenderManager(internal_senders,manager,devo_2) -> Starting thread 2024-06-24T08:09:59.392 INFO OutputProcess::MainThread -> ConsoleSender(internal_senders,console_sender_0) -> Starting thread 2024-06-24T08:09:59.392 INFO OutputProcess::MainThread -> ConsoleSenderManagerMonitor(internal_senders,console_1) -> Starting thread (every 300 seconds) 2024-06-24T08:09:59.393 INFO OutputProcess::DevoSenderManager(internal_senders,manager,devo_2) -> [EMERGENCY PERSISTENCE SYSTEM] DevoSenderManager(internal_senders,manager,devo_2) -> Nothing retrieved from the persistence. 2024-06-24T08:09:59.393 INFO OutputProcess::MainThread -> ConsoleSenderManager(internal_senders,manager,console_1) -> Starting thread 2024-06-24T08:09:59.395 INFO OutputProcess::ConsoleSenderManager(internal_senders,manager,console_1) -> [EMERGENCY PERSISTENCE SYSTEM] ConsoleSenderManager(internal_senders,manager,console_1) -> Nothing retrieved from the persistence. 2024-06-24T08:10:00.212 INFO InputProcess::LarkBasePullerSetup(lark_collector,lark#964383,audit_infos#predefined) -> Successfully generated auth token for Lark API 2024-06-24T08:10:00.216 INFO OutputProcess::ConsoleSender(internal_senders,console_sender_0) -> {"message_timestamp": "2024-06-24 02:40:00.213", "message_tag": "devo.collectors.out.local.info", "message_content": "{\"msg\": \"Successfully generated auth token for Lark API\", \"time\": \"2024-06-24T02:40:00.213215Z\", \"level\": \"info\", \"collector_name\": \"lark_collector\", \"collector_version\": \"1.0.0\", \"collector_image\": null, \"job_id\": \"not_used\", \"input_name\": \"lark\", \"service_name\": \"audit_infos\", \"module_name\": \"LarkBasePuller\"}"} 2024-06-24T08:10:02.957 INFO InputProcess::LarkBasePullerSetup(lark_collector,lark#964383,audit_infos#predefined) -> Remote source is pullable 2024-06-24T08:10:02.958 INFO InputProcess::LarkBasePullerSetup(lark_collector,lark#964383,audit_infos#predefined) -> Token is valid. Skipping the generation of new auth token 2024-06-24T08:10:02.959 INFO InputProcess::LarkBasePullerSetup(lark_collector,lark#964383,audit_infos#predefined) -> Token is valid. Skipping the generation of new auth token 2024-06-24T08:10:02.959 INFO InputProcess::LarkBasePullerSetup(lark_collector,lark#964383,audit_infos#predefined) -> Setup for module <LarkBasePuller> has been successfully executed

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

2024-06-24T08:15:25.789 INFO InputProcess::LarkBasePuller(lark,964383,audit_infos,predefined) -> Pull Started 2024-06-24T08:15:25.790 INFO OutputProcess::ConsoleSender(internal_senders,console_sender_0) -> {"message_timestamp": "2024-06-24 02:45:25.788", "message_tag": "devo.collectors.out.local.warning", "message_content": "{\"msg\": \"Persistence has been updated successfully\", \"time\": \"2024-06-24T02:45:25.788960Z\", \"level\": \"warning\", \"collector_name\": \"lark_collector\", \"collector_version\": \"1.0.0\", \"collector_image\": null, \"job_id\": \"not_used\", \"input_name\": \"lark\", \"service_name\": \"audit_infos\", \"module_name\": \"LarkBasePuller\"}"} 2024-06-24T08:15:25.790 INFO OutputProcess::ConsoleSender(internal_senders,console_sender_0) -> {"message_timestamp": "2024-06-24 02:45:25.789", "message_tag": "devo.collectors.out.local.info", "message_content": "{\"msg\": \"LarkBasePuller(lark,964383,audit_infos,predefined) Finalizing the execution of pre_pull()\", \"time\": \"2024-06-24T02:45:25.789209Z\", \"level\": \"info\", \"collector_name\": \"lark_collector\", \"collector_version\": \"1.0.0\", \"collector_image\": null, \"job_id\": \"not_used\", \"input_name\": \"lark\", \"service_name\": \"audit_infos\", \"module_name\": \"LarkBasePuller\"}"} 2024-06-24T08:15:25.790 INFO OutputProcess::ConsoleSender(internal_senders,console_sender_0) -> {"message_timestamp": "2024-06-24 02:45:25.789", "message_tag": "devo.collectors.out.local.info", "message_content": "{\"msg\": \"Starting data collection every 15 seconds\", \"time\": \"2024-06-24T02:45:25.789388Z\", \"level\": \"info\", \"collector_name\": \"lark_collector\", \"collector_version\": \"1.0.0\", \"collector_image\": null, \"job_id\": \"not_used\", \"input_name\": \"lark\", \"service_name\": \"audit_infos\", \"module_name\": \"LarkBasePuller\"}"} 2024-06-24T08:15:25.791 INFO OutputProcess::ConsoleSender(internal_senders,console_sender_0) -> {"message_timestamp": "2024-06-24 02:45:25.789", "message_tag": "devo.collectors.out.local.info", "message_content": "{\"msg\": \"Pull Started\", \"time\": \"2024-06-24T02:45:25.789572Z\", \"level\": \"info\", \"collector_name\": \"lark_collector\", \"collector_version\": \"1.0.0\", \"collector_image\": null, \"job_id\": \"not_used\", \"input_name\": \"lark\", \"service_name\": \"audit_infos\", \"module_name\": \"LarkBasePuller\"}"} 2024-06-24T08:15:30.372 INFO InputProcess::LarkBasePuller(lark,964383,audit_infos,predefined) -> Retrieved 50 audit_infos event(s) 2024-06-24T08:15:30.376 INFO InputProcess::LarkBasePuller(lark,964383,audit_infos,predefined) -> Sent 50 events

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

2024-06-24T08:19:07.641 INFO InputProcess::LarkBasePuller(lark,964383,audit_infos,predefined) -> (Partial) Statistics for this pull cycle (@devo_pulling_id=1719197345217):Number of requests made: 1; Number of events received: 1; Number of duplicated events filtered out: 0; Number of events generated and sent: 1; Average of events per second: 0.414.

Aud Admin logs

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in an organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

DLP Execute logs

Once the collector has been launched, it is important to check if the ingestion is performed in a proper way. To do so, go to the collector’s logs console.

This service has the following components:

Component

Description

Component

Description

Setup

The setup module is in charge of authenticating the service and managing the token expiration when needed.

Puller

The setup module is in charge of pulling the data in an organized way and delivering the events via SDK.

Setup output

A successful run has the following output messages for the setup module:

Puller output

A successful initial run has the following output messages for the puller module:

Note that the PrePull action is executed only one time before the first run of the Pull action.

After a successful collector’s execution (that is, no error logs found), you will see the following log message:

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

  1. Edit the configuration file.

  2. Change the value of the initial_start_time_in_utc_value parameter to a different one.

  3. Save the changes.

  4. Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Note that this action clears the persistence and cannot be recovered in any way. Resetting persistence could result in duplicate or lost events.

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Error type

Error ID

Error message

Cause

Solution

Error type

Error ID

Error message

Cause

Solution

InitVariablesError

1

initial_start_time_in_utc is not set as per the datetime_format : {datetime_format}

The date in config is not as per required format

Ensure the date format is correct.

InitVariablesError

2

Date {initial_start_time_str} is in the future

The date in config is greater than current time

Ensure the datetime is less than current time

SetupError

100

HTTP error occurred while generating auth token from Lark server

Wrong credentials

Check the credentials and ensure that the collector has the necessary permissions to access the Lark API.

SetupError

101

Some error occurred while generating auth token from Lark server. Error details: {e}

Generate auth token api failed

Contact the developer with exact error message.

SetupError

102

Unable to generate auth token with status code as {response.status_code}

Generate auth token api failed

Contact the developer with exact error message.

SetupError

103

HTTP Error occurred while fetching audit infos from Lark server

Lark API call is failing

Contact the developer with exact error message.

SetupError

104

Some error occurred while fetching audit infos from Lark server. Error details: {e}

Lark API call is failing

Check the credentials and ensure that the collector has the necessary permissions to access the Lark API.

PullError

300

HTTP error occurred while fetching audit infos from Lark server

Lark API call is failing

Check the credentials and ensure that the collector has the necessary permissions to access the Lark API.

PullError

301

Some error occurred while fetching audit infos from Lark server. Error details: {e}

Lark API call is failing

Contact the developer with exact error message.

Collector operations

This section is intended to explain how to proceed with specific operations of this collector.

Change log

Release

Released on

Release type

Details

Recommendations

Release

Released on

Release type

Details

Recommendations

1.3.0

12 Nov 2024

Feature

Improvements

  • Updated the DCSDK from 1.12.4 to v1.13.1:

    • Change internal queue management for protecting against OOMK

    • Extracted ModuleThread structure from PullerAbstract

    • Improve Controlled stop when both processes fails to instantiate

    • Improve Controlled stop when InputProcess is killed

    • Fixed error related a ValueError exception not well controlled

    • Fixed error related with loss of some values in internal messages

Feature

  • Added two new services

    • 1. DLP Execute logs

    • 2. Aud Admin logs

Recomended

1.2.0

03 Oct 2024

IMPROVEMENTS

Improvements

  • Updated the DCSDK from 1.12.2 to v1.12.4:

    • Fixed error related a ValueError exception not well controlled.

    • Fixed error related with loss of some values in internal messages (collector_name, collector_id and job_id)

    • Improve Controlled stop when InputProcess is killed

    • Change internal queue management for protecting against OOMK

    • Extracted ModuleThread structure from PullerAbstract

    • Improve Controlled stop when both processes fails to instatiate

Bug fixes

  • Solved problem with a loop that caused stops in the collector

  • Updated pull and persistence logic to avoid event loss

Recomended

v1.1.0

Jul 22, 2024

IMPROVEMENTS

Improvements

  • Updated the DCSDK from 1.11.1 to v1.12.2

  • Added new sender for relay in house + TLS

  • Added persistence functionality for gzip sending buffer

  • Added Automatic activation of gzip sending

  • Improved behaviour when persistence fails

  • Upgraded DevoSDK dependency

  • Fixed console log encoding

  • Restructured python classes

  • Improved behavior with non-utf8 characters

  • Decreased defaut size value for internal queues (Redis limitation, from 1GiB to 256MiB)

  • New persistence format/structure (compression in some cases)

  • Removed dmesg execution (It was invalid for docker execution)

  • DevoSDK has been updated to version 5.4.0

Bug fixing

  • Fixed the access token invalid bug.

Update

v1.0.0

Jul 1, 2024

INITIAL VERSION



-

-