lbrictson / wazuh-jumpcloud-integration

A pipeline for ingesting Jumpcloud directory events into Wazuh
MIT License

Monitor the logs to see if the integration is working - step #1

Closed zmiramf closed 1 year ago

zmiramf commented 1 year ago

Hi lbrictson,

First of all, thank you for this integration, that is really helpful. I've got a specific problem, I'll appreciate any guidance.

I followed your article's steps, and when I ran this command (tail -f /var/ossec/logs/ossec.log) to monitor the logs to see if the integration is working, I got this error: 2023/03/21 12:15:33 wazuh-modulesd:command: WARNING: Command 'jumpcloud' returned exit code 1.

When troubleshooting with this command (/opt/jumpcloud/wazuh-jumpcloud-integration /opt/jumpcloud/config.json /opt/jumpcloud/output.log) I got this error: Error fetching events from JumpCloud API: error response from JumpCloud: 401 Unauthorized | 401 | {"message":"Unauthorized: no organization selected"}

Any idea why? suggestions on what to check?

lbrictson commented 1 year ago

@zmiramf could you output the content of this file /opt/jumpcloud/config.json (please remove your API key when posting here), it seems likely the file is either malformed or the API key is not valid

zmiramf commented 1 year ago

@lbrictson I checked that this is the correct API key in the config.json.

This is the /opt/jumpcloud/config.json file content:

{ "api_key":"##my-valid-API-key##", "base_url":"https://api.jumpcloud.com" }

lbrictson commented 1 year ago

@zmiramf take your API key and inject it into this curl command, it is essentially the same command the program uses internally for fetching events. Can you let me know if the output is real data or a 401?

curl --location 'https://api.jumpcloud.com/insights/directory/v1/events' --header 'x-api-key: put-your-key-here' --header 'Content-Type: application/json' --data '{"service": ["directory"], "start_time": "2023-03-01T15:00:00Z"}'

zmiramf commented 1 year ago

@lbrictson I got this error: {"message":"Unauthorized: no organization selected"}

lbrictson commented 1 year ago

@zmiramf ah fantastic, that is the data I needed. It looks like you are using a JumpCloud multi-org account, which I don't use myself, so I never ran into that issue. I will update the code to allow it to work with configurations like yours - you will need to add one more value to your config file JSON: "org_id": "your-org-id"

Your final JSON file will look like this: { "api_key":"##my-valid-API-key##", "base_url":"https://api.jumpcloud.com/", "org_id": "your-org-id" }

I'll update you here when the code is tested and ready for you to run. For reference this is the API ref regarding this https://docs.jumpcloud.com/api/1.0/index.html#section/Multi-Tenant-Portal-Headers
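To show what the fix discussed in this thread has to do on the wire, here is an added, self-contained Go example; it is not the project's own code and does not show how the 0.0.2 release actually implements it. It assumes that a multi-tenant JumpCloud API key must send the organization in an x-org-id header (per the Multi-Tenant Portal Headers section of the JumpCloud API reference linked above), reads the same config.json shape as the thread, and maps the "no organization selected" 401 to a specific error so the operator is told to add org_id instead of just seeing exit code 1 in ossec.log. The JumpCloud server is replaced by a constructed httptest stand-in so the example runs offline; the event payload it returns is made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Config mirrors /opt/jumpcloud/config.json from the thread. OrgID is the
// extra value a multi-org (Multi-Tenant Portal) account needs.
type Config struct {
	APIKey  string `json:"api_key"`
	BaseURL string `json:"base_url"`
	OrgID   string `json:"org_id,omitempty"`
}

// ErrNoOrgSelected is returned when JumpCloud answers 401 with
// "no organization selected": the key is valid but belongs to a
// multi-org account, so org_id must be added to config.json.
var ErrNoOrgSelected = errors.New(
	"JumpCloud returned 401 \"no organization selected\": the API key belongs to a multi-org account, add \"org_id\" to config.json")

// FetchDirectoryEvents posts the same query the curl command in the thread
// uses, adds x-org-id when OrgID is configured (assumed header name, see the
// JumpCloud Multi-Tenant Portal Headers docs), and returns the raw JSON body.
func FetchDirectoryEvents(client *http.Client, cfg Config, since time.Time) ([]byte, error) {
	body, err := json.Marshal(map[string]interface{}{
		"service":    []string{"directory"},
		"start_time": since.UTC().Format(time.RFC3339),
	})
	if err != nil {
		return nil, err
	}
	// Tolerate both "https://api.jumpcloud.com" and ".../" as base_url.
	url := strings.TrimRight(cfg.BaseURL, "/") + "/insights/directory/v1/events"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("x-api-key", cfg.APIKey)
	req.Header.Set("Content-Type", "application/json")
	if cfg.OrgID != "" {
		req.Header.Set("x-org-id", cfg.OrgID)
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	if resp.StatusCode == http.StatusUnauthorized &&
		strings.Contains(string(data), "no organization selected") {
		return nil, ErrNoOrgSelected
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("error response from JumpCloud: %s | %s",
			resp.Status, strings.TrimSpace(string(data)))
	}
	return data, nil
}

// NewFakeJumpCloud is a constructed stand-in for api.jumpcloud.com that
// reproduces the two 401 shapes from the thread and one made-up event.
func NewFakeJumpCloud(validKey, orgID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("x-api-key") != validKey {
			http.Error(w, `{"message":"Unauthorized"}`, http.StatusUnauthorized)
			return
		}
		if r.Header.Get("x-org-id") != orgID {
			http.Error(w, `{"message":"Unauthorized: no organization selected"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `[{"event_type":"user_login_attempt","success":true,"initiated_by":{"type":"user","username":"alice"}}]`)
	}))
}

func main() {
	srv := NewFakeJumpCloud("##my-valid-API-key##", "your-org-id")
	defer srv.Close()
	since := time.Now().Add(-24 * time.Hour)

	// Without org_id: the multi-org account is rejected with a clear hint.
	_, err := FetchDirectoryEvents(srv.Client(), Config{APIKey: "##my-valid-API-key##", BaseURL: srv.URL}, since)
	fmt.Println("without org_id:", err)

	// With org_id: events come back and can be written to output.log for Wazuh.
	data, err := FetchDirectoryEvents(srv.Client(), Config{APIKey: "##my-valid-API-key##", BaseURL: srv.URL + "/", OrgID: "your-org-id"}, since)
	fmt.Println("with org_id:", string(data), err)
}
```

Checking errors.Is(err, ErrNoOrgSelected) lets the wrapper log an actionable message before exiting non-zero, which is what wazuh-modulesd would otherwise report only as "returned exit code 1".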

lbrictson commented 1 year ago

@zmiramf new code is up and ready for you: https://github.com/lbrictson/wazuh-jumpcloud-integration/releases/tag/0.0.2