lbrictson / wazuh-jumpcloud-integration

A pipeline for ingesting Jumpcloud directory events into Wazuh
MIT License

Issue with JSON marshaled object from Jumpcloud's API #5

Closed mfinvg closed 4 months ago

mfinvg commented 8 months ago

Hi,

Yesterday I got the integration working, but today I got this error:

Error fetching events from JumpCloud API:  error decoding JumpCloud response: 
json: cannot unmarshal object into Go struct field JumpCloudSystemEvent.changes 
of type []struct { Field string "json:\"field\"" }

Maybe the Jumpcloud API changed yesterday. I think the failing line is https://github.com/lbrictson/wazuh-jumpcloud-integration/blob/482e49733a4424deaf809f3cf99c966e12679d87/pkg/jumpcloud_types.go#L85 and it's trying to unmarshal a JSON object whose structure differs from what the integration is expecting.

mfinvg commented 8 months ago

Output looks like this:

# /opt/jumpcloud/wazuh-jumpcloud-integration /opt/jumpcloud/config.json /opt/jumpcloud/output.log
mdm
mdm
mdm
directory
directory
directory
directory
systems
systems
systems
Error fetching events from JumpCloud API:  error decoding JumpCloud response: json: cannot unmarshal object into Go struct field JumpCloudSystemEvent.changes of type []struct { Field string "json:\"field\"" }

mfinvg commented 8 months ago

Looks like there's an event on Jumpcloud's API whose JSON structure is not compatible with this integration, as I've changed the timestamp and it started working again.

mfinvg commented 8 months ago

Found another error.

Error fetching events from JumpCloud API: error decoding JumpCloud response: json: cannot unmarshal array into Go struct field BaseJumpCloudEvent.service of type string

Looks like it's failing to unmarshal the association array on the event below; I understand https://github.com/lbrictson/wazuh-jumpcloud-integration/blob/482e49733a4424deaf809f3cf99c966e12679d87/pkg/jumpcloud_api.go#L98 expects a string instead of an array.

I pinpointed it to this Jumpcloud Insights event, to illustrate the issue.

{
  "initiated_by": {
    "id": "xxxx",
    "type": "admin",
    "email": "employee.name@domain.com"
  },
  "geoip": {
    "country_code": "XX",
    "timezone": "America/xxxx",
    "latitude": -xx.xxxx,
    "continent_code": "xxx",
    "region_name": "xx",
    "longitude": -xxxx.xx,
    "region_code": "X"
  },
  "useragent": {
    "patch": "0",
    "os_full": "Windows 10",
    "os": "Windows",
    "minor": "0",
    "major": "121",
    "os_major": "10",
    "os_version": "10",
    "name": "Chrome",
    "os_name": "Windows",
    "device": "Other",
    "version": "121.0.0.0"
  },
  "association": {
    "op": "add",
    "action_source": "manual",
    "connection": {
      "from": {
        "name": "AWS-TEST-IAM",
        "type": "user_group",
        "object_id": "xxxx"
      },
      "to": {
        "name": "employee.username",
        "type": "user",
        "object_id": "xxxxx"
      }
    },
    "attributes": null
  },
  "auth_method": "session",
  "event_type": "association_change",
  "provider": null,
  "service": "directory",
  "success": true,
  "organization": "xxxx",
  "@version": "1",
  "client_ip": "xxx.xxx.xx.xxx",
  "id": "xxxxxx",
  "timestamp": "2024-02-19T17:45:10.655Z"
}

@lbrictson would you help me figure out the struct for this?

jcopling commented 6 months ago

We are running into the same issue as well, has there been any update or solution to this?

mfinvg commented 6 months ago

I've added a few structs that map to the failing JSON (based on the timestamp of the failure and a source code modification to show the actual failing log, I correlated it with Jumpcloud Insights and started from there). I've done three, which work, but I still find some logs that crash the app.

lbrictson commented 5 months ago

@mfinvg @jcopling thanks for reporting this issue and finding the root cause. This should be resolved in https://github.com/lbrictson/wazuh-jumpcloud-integration/releases/tag/0.0.4

Note that, going forward, events that cannot be parsed will emit a message to stdout instead of crashing the program.
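
As an added example (not code from this repository or its 0.0.4 release), the two failure modes discussed in this thread handled tolerantly in Go: a StringOrList type that accepts a field such as service whether JumpCloud sends a string or an array, and a per-event decoder that records events it cannot parse and keeps the rest of the batch, which is the behaviour the maintainer describes. The Event struct, DecodeEvents and the sample batch are hypothetical stand-ins constructed for this example, not the project's own types or data.

```go
package main

import "encoding/json"

// StringOrList decodes a field JumpCloud sends as either a string ("directory")
// or an array of strings; JSON null becomes a nil slice.
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	if string(b) == "null" {
		*s = nil
		return nil
	}
	if len(b) > 0 && b[0] == '[' {
		// Already an array: decode into the underlying []string so this method is not re-entered.
		return json.Unmarshal(b, (*[]string)(s))
	}
	var one string // a single string: wrap it in a one-element list
	if err := json.Unmarshal(b, &one); err != nil {
		return err
	}
	*s = StringOrList{one}
	return nil
}

// Event is a hypothetical, trimmed stand-in for the integration's event struct.
type Event struct {
	ID        string       `json:"id"`
	EventType string       `json:"event_type"`
	Service   StringOrList `json:"service"`
}

// DecodeEvents decodes each event separately: an unexpected shape is recorded in
// skipped (error plus the raw JSON, so it can be matched in Insights) and the rest
// of the batch is still returned instead of aborting the whole poll.
func DecodeEvents(body []byte) (events []Event, skipped []string) {
	var raw []json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, []string{"batch: " + err.Error()}
	}
	for _, r := range raw {
		var e Event
		if err := json.Unmarshal(r, &e); err != nil {
			skipped = append(skipped, err.Error()+": "+string(r))
			continue
		}
		events = append(events, e)
	}
	return events, skipped
}

// Constructed sample: string service, array service, and an object where a string is expected.
const sample = `[{"id":"e1","event_type":"association_change","service":"directory"},
{"id":"e2","event_type":"login_attempt","service":["directory","sso"]},
{"id":"e3","event_type":"system_change","service":{"name":"systems"}}]`
```

Running DecodeEvents over the sample yields two decoded events and one skipped entry carrying the raw e3 object, which is the entry to hand back to JumpCloud Insights when adding a new struct.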

mfinvg commented 5 months ago

@lbrictson Thanks! I'll note that I just had to edit the config file to remove the timestamp in order to process the remaining files, as it was stuck on a particular event's timestamp. Hence, the issue kind of still exists. Maybe I can help with the remaining structs for those event types; I'll try to later next week.