elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Atlassian Jira (cloud): Auditing API returns "invalid date" #4391

Open Flo451 opened 1 year ago

Flo451 commented 1 year ago

Hi there,

@andrewkroh @legoguy1000

Trying to fetch audit logs from Atlassian Jira cloud fails because the API doesn't like the date format that Elastic is sending.

As this is apparently related to date format conversions I tried various things in the integration settings, e.g. interval / initial interval left blank or set to 5m vs. 300s. All that was to no avail and the Atlassian API simply doesn't like the date that the integration is sending.

As an example, JIRA cloud will reject "2022-10-05T13:38:24.262 0000" as can be seen in the log entry below. When I curl the API it will accept the same date if formatted like this "2022-10-05T13:38:24.262".

I'm not sure which date conversion goes wrong in the integration or how I could influence it.

default/filebeat-20221005-3.ndjson:{"log.level":"error","@timestamp":"2022-10-05T13:46:00.034Z","log.logger":"input.httpjson-cursor","log.origin":{"file.name":"httpjson/request.go","file.line":188},"message":"error processing response: server responded with status code 400: Invalid date \"2022-10-05T13:38:24.262 0000\"","service.name":"filebeat","id":"httpjson-atlassian_jira.audit-e7e17a7d-e9e9-4531-9ced-8878b0a863f5","input_source":"https://acme.atlassian.net/rest/api/3/auditing/record","input_url":"https://acme.atlassian.net/rest/api/3/auditing/record","ecs.version":"1.6.0"}

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

legoguy1000 commented 1 year ago

Do you get any data in Elasticsearch? I think I know where the issue is but it should only affect the 2nd request and after. I think the first request using the initial interval should work but not 100%.

Flo451 commented 1 year ago

I didn't have any luck so far extracting events from the JIRA audit API with this integration. If you have any suggestion / hotfix I'm happy to try that out.

jakob-source commented 1 year ago

Hi, I think the issue might be here, as it takes the timestamp from the event:

cursor:
  last_timestamp:
    value: "[[.first_event.created]]"
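
One possible reading of the rejected value in the log entry, as an added example that is not part of the thread or the integration's code: an event timestamp carrying a `+0000` offset, placed unencoded in a query string, is decoded by the server with a space where the `+` was. Assumptions: the `created` field has the shape `2022-10-05T13:38:24.262+0000`, the query parameter is named `from`, and the API reads an offset-less timestamp as UTC; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

// Assumed shape of the audit record "created" field:
// millisecond precision and a numeric offset without a colon.
const createdLayout = "2006-01-02T15:04:05.000-0700"

// Form the reporter says the API accepts when called with curl.
const acceptedLayout = "2006-01-02T15:04:05.000"

// asServerSees returns the "from" value a server decodes from a raw
// query string. In a query string a literal '+' decodes to a space.
func asServerSees(rawQuery string) (string, error) {
	v, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return v.Get("from"), nil
}

// normalizeCursor parses the event timestamp strictly, converts it to
// UTC and drops the offset, so no '+' can reach the query string.
// Assumption: the API treats an offset-less timestamp as UTC.
func normalizeCursor(created string) (string, error) {
	t, err := time.Parse(createdLayout, created)
	if err != nil {
		return "", fmt.Errorf("unexpected timestamp %q: %w", created, err)
	}
	return t.UTC().Format(acceptedLayout), nil
}

func main() {
	created := "2022-10-05T13:38:24.262+0000" // constructed sample value

	raw, _ := asServerSees("from=" + created) // value pasted in as-is
	enc, _ := asServerSees(url.Values{"from": {created}}.Encode())
	norm, _ := normalizeCursor(created)

	fmt.Printf("unencoded:  %q\n", raw)
	fmt.Printf("encoded:    %q\n", enc)
	fmt.Printf("normalized: %q\n", norm)
}
```

While the cursor value is rejected, no audit records are ingested, so a 400 from this input is worth alerting on rather than leaving in the Filebeat log.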

botelastic[bot] commented 5 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!