Commit3f7fbd6

cisco_duo: fix 400 and 401 errors in Auth and Activity (#11670)
- For Auth and Activity, fixes the 40103 error by creating the Date header during each CEL request.
- For Auth and Activity, preemptively fixes the 400 error by checking that the duration between mintime and maxtime doesn't cross 180d.
- For Auth, enable it by default to avoid it getting disabled during upgrades.
1 parent43db6a0 commit3f7fbd6


7 files changed

+124
-114
lines changed


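--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+-version:"2.2.3"
+changes:
+-description:Fix for 40103 & 400 errors in auth and activity data streams.
+type:bugfix
+link:https://github.com/elastic/integrations/pull/11670
 -version:"2.2.2"
 changes:
 -description:Fix for 40103 & 400 errors in the telephony_v2 data stream.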

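--- a/packages/cisco_duo/data_stream/activity/agent/stream/cel.yml.hbs
+++ b/packages/cisco_duo/data_stream/activity/agent/stream/cel.yml.hbs
@@ -10,9 +10,6 @@ resource.tracer.maxbackups: 5
 resource.tracer.maxsize: 5
 {{/if}}
 
-regexp:
-"next_offset_timestamp": '^\d+'
-
 state:
 url:{{hostname}}
 integration_key:{{integration_key}}
@@ -31,113 +28,112 @@ program: |
 state
 :
 state.with({
-"mintime": state.?cursor.last_published.orValue(int(now - duration(state.initial_interval)) * 1000),
-"maxtime": int(now - duration("2m")) * 1000,
-"date": now.format(time_layout.RFC1123Z),
+"mintime": string(int(state.?cursor.last_published.orValue(int(now - duration(state.initial_interval)) * 1000))),
 })
-).as(state, state.with(
-request(
-"GET",
-state.?want_more.orValue(false) ?
-state.next_url
-:
-state.url.trim_right("/") + "/admin/v2/logs/activity?" + {
-"limit": [string(int(state.limit))],
-"maxtime": [string(int(state.maxtime))],
-"mintime": [string(int(state.mintime))],
-"sort": ["ts:asc"],
-}.format_query()
-).with(
-{
+).as(state, state.with({
+// the duration between maxtime and mintime should be less than 180d to avoid error_code 400 from API.
+"maxtime": state.want_more ?
+string(state.maxtime)
+:
+string(int([
+int(timestamp(int(state.mintime)/1000) + duration("4320h")),
+int(now - duration("2m"))
+].min()) * 1000)
+})).as(state, state.with(
+// prepare request data
+{
+// data should be calculated for each request to avoid error 40103
+"date": now.format(time_layout.RFC1123Z),
+"method": "GET",
+"url_base": state.url.trim_right("/"),
+"url_path": "/admin/v2/logs/activity",
+"query_string": {
+"limit": [string(dyn(state).limit)],
+"maxtime": [string(state.maxtime)],
+"mintime": [string(state.mintime)],
+?"next_offset": state.?next_offset.optMap(v, [string(v)]),
+"sort": ["ts:asc"],
+}.format_query(),
+}.as(r, r.with({
+// add an authorization header value
+"authorization": "Basic " + (
+state.integration_key + ":" + (
+[
+r.date,
+r.method,
+r.url_base.trim_prefix("https://"),
+r.url_path,
+r.query_string,
+].join("\n")
+.hmac("sha1", bytes(state.secret_key))
+.hex()
+)
+).base64(),
+})).as(r,
+// do the request using the prepared data
+request(
+r.method,
+[r.url_base, r.url_path, "?", r.query_string].join("")
+).with({
 "Header": {
 "Content-Type": ["application/x-www-form-urlencoded"],
-"Date": [state.date],
-"Authorization": ["Basic " + (
-state.integration_key + ":" + (
-[
-state.date,
-"GET",
-state.url.trim_prefix("https://"),
-"/admin/v2/logs/activity",
-{
-"limit": [string(int(state.limit))],
-"maxtime": [string(int(state.maxtime))],
-"mintime": [string(int(state.mintime))],
-?"next_offset": has(state.next_offset) ?
-optional.of([string(state.next_offset)])
-:
-optional.none(),
-"sort": ["ts:asc"],
-}.format_query()
-].join("\n")
-.hmac("sha1", bytes(state.secret_key))
-.hex()
-)
-).base64()],
+"Date": [r.date],
+"Authorization": [r.authorization],
 },
-}
-).do_request().as(resp, (resp.StatusCode == 200) ?
-bytes(resp.Body).decode_json().as(body, has(body.?response.items)&& size(body.response.items) > 0 ?
-{
-"events": body.response.items.map(item,
-{
-"message": item.encode_json(),
-}
-),
-"url": state.url,
-"integration_key": state.integration_key,
-"secret_key": state.secret_key,
-"limit": state.limit,
-"mintime": state.mintime,
-"maxtime": state.maxtime,
-"want_more": has(body.?response.?metadata.next_offset),
-?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ?
-optional.of(string(body.response.metadata.next_offset))
-:
-optional.none(),
-"next_url": (body.?response.metadata.next_offset.orValue(null) != null) ?
-(
-state.url.trim_right("/") + "/admin/v2/logs/activity?" + {
-"limit": [string(int(state.limit))],
-"maxtime": [string(int(state.maxtime))],
-"mintime": [string(int(state.mintime))],
-"next_offset": [string(body.response.metadata.next_offset)],
-"sort": ["ts:asc"],
-}.format_query()
-)
-:
-state.url,
-"cursor": {
-?"last_published": (body.?response.metadata.next_offset.orValue(null) != null) ?
-optional.of(body.response.metadata.next_offset.re_find("next_offset_timestamp"))
+}).do_request().as(resp, (resp.StatusCode == 200) ?
+bytes(resp.Body).decode_json().as(body, has(body.?response.items)&& size(body.response.items) > 0 ?
+{
+"events": body.response.items.map(item,
+{
+"message": item.encode_json(),
+}
+),
+"want_more": has(body.?response.metadata.next_offset),
+?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ?
+optional.of(string(body.response.metadata.next_offset))
 :
 optional.none(),
+"cursor": {
+?"last_published": (has(body.?response.items)&& size(body.response.items) > 0) ?
+optional.of(
+body.response.items.map(i, i.ts).max().as(last_timestamp,
+!has(dyn(state).?cursor.last_published) ?
+last_timestamp
+: (last_timestamp< dyn(state).cursor.last_published) ?
+dyn(state).cursor.last_published
+:
+last_timestamp
+)
+)
+:
+dyn(state).?cursor.last_published,
+}
+}
+:
+{
+"events":[],
+"want_more": false,
 }
-}
-:
-{
-"events":[],
-"want_more": false,
-}
 
-)
-:
-bytes(resp.Body).decode_json().as(body,
-{
-"events": {
-"error": {
-"code": has(body.code) ? string(body.code) : string(resp.StatusCode),
-"id": string(resp.Status),
-"message": "GET:"+(
-size(resp.Body) != 0 ?
-string(resp.Body)
-:
-string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
-),
+)
+:
+bytes(resp.Body).decode_json().as(body,
+{
+"events": {
+"error": {
+"code": has(body.code) ? string(body.code) : string(resp.StatusCode),
+"id": string(resp.Status),
+"message": "GET:"+(
+size(resp.Body) != 0 ?
+string(resp.Body)
+:
+string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+),
+},
 },
-},
-"want_more": false,
-}
+"want_more": false,
+}
+)
 )
 )
 ))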
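Review bot: Once a cursor exists, the new 180-day clamp on `maxtime` can pin the query window in place, which would silently stop ingestion of Duo activity logs. `mintime` is taken from `cursor.last_published`, `maxtime` becomes `mintime + 4320h` whenever that is earlier than `now - 2m`, and the cursor only moves when a page holds an item with a larger `ts`; the `"events":[]` branch returns no cursor at all. If there is no newer activity inside that window (for example after the agent has been stopped for more than 180 days), every later poll repeats the same request. I would have the empty-result branch advance `cursor.last_published` to the clamped `maxtime` whenever the 180-day bound, not `now - 2m`, was the smaller value. The same clamp is added to the auth stream in this commit, whose cursor handling is outside the hunks shown.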

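--- a/packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs
+++ b/packages/cisco_duo/data_stream/auth/agent/stream/cel.yml.hbs
@@ -19,6 +19,7 @@ state:
 want_more: false
 redact:
 fields:
+- integration_key
 - secret_key
 
 program: |
@@ -27,20 +28,29 @@ program: |
 state
 :
 state.with({
-"mintime": state.?cursor.last_timestamp_ms.orValue(string(int(now - duration(state.initial_interval)) * 1000)),
-"maxtime": string(int(now - duration("2m")) * 1000),
+"mintime": string(int(state.?cursor.last_timestamp_ms.orValue(int(now - duration(state.initial_interval)) * 1000))),
 })
-).as(state, state.with(
+).as(state, state.with({
+// the duration between maxtime and mintime should be less than 180d to avoid error_code 400 from API.
+"maxtime": state.want_more ?
+string(state.maxtime)
+:
+string(int([
+int(timestamp(int(state.mintime)/1000) + duration("4320h")),
+int(now - duration("2m"))
+].min()) * 1000)
+})).as(state, state.with(
+// prepare request data
 {
-//preparerequestdata
+//data should be calculated for eachrequestto avoid error_code 40103.
 "date": now.format(time_layout.RFC1123Z),
 "method": "GET",
 "url_base": state.url.trim_right("/"),
 "url_path": "/admin/v2/logs/authentication",
 "query_string": {
-"limit": [string(int(state.limit))],
-"maxtime": [state.maxtime],
-"mintime": [state.mintime],
+"limit": [string(dyn(state).limit)],
+"maxtime": [string(state.maxtime)],
+"mintime": [string(state.mintime)],
 ?"next_offset": state.?next_offset_joined.optMap(v, [v]),
 "sort": ["ts:asc"],
 }.format_query(),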
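Review bot: The comment on the new `maxtime` entry says the span must be less than 180d, but the clamp `timestamp(int(state.mintime)/1000) + duration("4320h")` allows a span of exactly 180 days when `mintime` falls on a whole second. Whether the API accepts an exactly-180-day window is not visible here, so either tighten the bound (for example `duration("4319h")`) or reword the comment to `// keep maxtime - mintime within 180d to avoid error_code 400 from the API.`. The activity stream carries the identical expression and comment. The `state.with` chain continues outside the hunk.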

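--- a/packages/cisco_duo/data_stream/auth/manifest.yml
+++ b/packages/cisco_duo/data_stream/auth/manifest.yml
@@ -2,7 +2,6 @@ type: logs
 title:Cisco Duo authentication logs
 streams:
 -input:cel
-enabled:false
 vars:
 -name:initial_interval
 type:text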

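--- a/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs
+++ b/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs
@@ -42,7 +42,7 @@ program: |
 })).as(state, state.with(
 {
 // prepare request data dynamically for each request to prevent 40103 error.
-"date": now().format(time_layout.RFC1123Z),
+"date": now.format(time_layout.RFC1123Z),
 "method": "GET",
 "url_base": state.url.trim_right("/"),
 "url_path": "/admin/v2/logs/telephony",
@@ -85,7 +85,7 @@ program: |
 "message": item.encode_json(),
 }
 ),
-"want_more": has(body.?response.?metadata.next_offset),
+"want_more": has(body.?response.metadata.next_offset),
 ?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ?
 optional.of(string(body.response.metadata.next_offset))
 :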
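Review bot: `want_more` and `next_offset` are derived from the same field with different null handling: `has(body.?response.metadata.next_offset)` tests for the key, while `next_offset` is only set when the value is non-null. If the API ever returns an explicit null on the last page, the stream would presumably keep paginating without a fresh offset. Using one test for both, `"want_more": body.?response.metadata.next_offset.orValue(null) != null,`, removes the mismatch; the same line appears in the trust_monitor and activity streams in this commit. The surrounding response object starts and ends outside the hunk.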

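--- a/packages/cisco_duo/data_stream/trust_monitor/agent/stream/cel.yml.hbs
+++ b/packages/cisco_duo/data_stream/trust_monitor/agent/stream/cel.yml.hbs
@@ -43,7 +43,7 @@ program: |
 // prepare the data inside r.
 {
 // data should be calculated for each request to avoid error_code 40103.
-"date": now().format(time_layout.RFC1123Z),
+"date": now.format(time_layout.RFC1123Z),
 "method": "GET",
 "url_base": state.url.trim_right("/"),
 "url_path": "/admin/v1/trust_monitor/events",
@@ -87,7 +87,7 @@ program: |
 "message": event.encode_json(),
 }
 ),
-"want_more": has(body.?response.?metadata.next_offset),
+"want_more": has(body.?response.metadata.next_offset),
 ?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ?
 optional.of(string(body.response.metadata.next_offset))
 :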

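--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,7 +1,7 @@
 format_version:"3.0.2"
 name:cisco_duo
 title:Cisco Duo
-version:"2.2.2"
+version:"2.2.3"
 description:Collect logs from Cisco Duo with Elastic Agent.
 type:integration
 categories: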
