No NAM 4.5.5 OAuth Events Seen in Analytics 5.02

Hi,

I am facing an issue whereby I can't seems to see any OAuth related events in my Analytics Dashboards. I had searched Event 002E0029 using Discover, but seems empty.

I had enabled the Identity Server Auditing, and SAML related events are captured in Analytics, just no OAuth related.

Logging to Support (SR# 02298144) and 3 weeks still haven't any response, only mentioned passed to backline team.

Can anybody give any helps how to confirm

(i) Identity Server is generating the OAuth Events and sending to Analytics

(ii) Analytics Server receive the OAuth Events and parse it.

Thanks,

Keng

Parents
  • Hi,

    After further troubleshooting using tcpdump, 

    (i) Identity Server is generating the OAuth Events and sending to Analytics - No issue

    (ii) Analytics Server receive the OAuth Events and parse it. - Logstash received the OAuth events, however there is error 400 when parsing as below

    2022-07-01T18:02:28.412411+08:00 iaa logstash[11243]: [2022-07-01T18:02:28,411][WARN ][logstash.outputs.elasticsearch][nam_events][2db9b9be27e43386baabd48d489cf2fbb591c1914edd4978bbef96f1b60bbf88] Could not index event to Elasticsearch. {:status=>400, :action=>["update", {:_id=>"<not provided>", :_index=>"dashboard_write", :routing=>nil, :_type=>"_doc", :retry_on_conflict=>1}, #<LogStash::Event:0x547b25ab>], :response=>{"update"=>{"_index"=>"dashboard-000033", "_type"=>"_doc", "_id"=>"<not provided>", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to execute script", "caused_by"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["ctx._source.appdata.add(params.event.get('appdata'))", " ^---- HERE"], "script"=>"if(ctx._source.appdata== null) ...", "lang"=>"painless", "position"=>{"offset"=>212, "start"=>176, "end"=>228}, "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"dynamic method [java.util.LinkedHashMap, add/1] not found"}}}}}}
    2022-07-01T18:02:28.421034+08:00 iaa logstash[11243]: {
    2022-07-01T18:02:28.421692+08:00 iaa logstash[11243]: "eventType" => "idp_app",
    2022-07-01T18:02:28.422224+08:00 iaa logstash[11243]: "sid" => "<not provided>",
    2022-07-01T18:02:28.422734+08:00 iaa logstash[11243]: "appdata" => {
    2022-07-01T18:02:28.423205+08:00 iaa logstash[11243]: "appName" => "SSPR",
    2022-07-01T18:02:28.423754+08:00 iaa logstash[11243]: "accessType" => "idp_app",
    2022-07-01T18:02:28.424220+08:00 iaa logstash[11243]: "eventTime" => "Jul 1 18:02:28"
    2022-07-01T18:02:28.424719+08:00 iaa logstash[11243]: },
    2022-07-01T18:02:28.425184+08:00 iaa logstash[11243]: "userName" => "2020259606",
    2022-07-01T18:02:28.425646+08:00 iaa logstash[11243]: "deviceID" => "idpCD76CB7452DD263A",
    2022-07-01T18:02:28.426137+08:00 iaa logstash[11243]: "createDate" => "2022-07-01T10:02:28.396Z",
    2022-07-01T18:02:28.426613+08:00 iaa logstash[11243]: "eventID" => "002E0029",
    2022-07-01T18:02:28.427092+08:00 iaa logstash[11243]: "@timestamp" => 2022-07-01T10:02:28.396Z,
    2022-07-01T18:02:28.427599+08:00 iaa logstash[11243]: "ou" => "student"
    2022-07-01T18:02:28.428093+08:00 iaa logstash[11243]: }

    Any ideas what's wrong ?

    Regards,

    Keng

Reply
  • Hi,

    After further troubleshooting using tcpdump, 

    (i) Identity Server is generating the OAuth Events and sending to Analytics - No issue

    (ii) Analytics Server receive the OAuth Events and parse it. - Logstash received the OAuth events, however there is error 400 when parsing as below

    2022-07-01T18:02:28.412411+08:00 iaa logstash[11243]: [2022-07-01T18:02:28,411][WARN ][logstash.outputs.elasticsearch][nam_events][2db9b9be27e43386baabd48d489cf2fbb591c1914edd4978bbef96f1b60bbf88] Could not index event to Elasticsearch. {:status=>400, :action=>["update", {:_id=>"<not provided>", :_index=>"dashboard_write", :routing=>nil, :_type=>"_doc", :retry_on_conflict=>1}, #<LogStash::Event:0x547b25ab>], :response=>{"update"=>{"_index"=>"dashboard-000033", "_type"=>"_doc", "_id"=>"<not provided>", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to execute script", "caused_by"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["ctx._source.appdata.add(params.event.get('appdata'))", " ^---- HERE"], "script"=>"if(ctx._source.appdata== null) ...", "lang"=>"painless", "position"=>{"offset"=>212, "start"=>176, "end"=>228}, "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"dynamic method [java.util.LinkedHashMap, add/1] not found"}}}}}}
    2022-07-01T18:02:28.421034+08:00 iaa logstash[11243]: {
    2022-07-01T18:02:28.421692+08:00 iaa logstash[11243]: "eventType" => "idp_app",
    2022-07-01T18:02:28.422224+08:00 iaa logstash[11243]: "sid" => "<not provided>",
    2022-07-01T18:02:28.422734+08:00 iaa logstash[11243]: "appdata" => {
    2022-07-01T18:02:28.423205+08:00 iaa logstash[11243]: "appName" => "SSPR",
    2022-07-01T18:02:28.423754+08:00 iaa logstash[11243]: "accessType" => "idp_app",
    2022-07-01T18:02:28.424220+08:00 iaa logstash[11243]: "eventTime" => "Jul 1 18:02:28"
    2022-07-01T18:02:28.424719+08:00 iaa logstash[11243]: },
    2022-07-01T18:02:28.425184+08:00 iaa logstash[11243]: "userName" => "2020259606",
    2022-07-01T18:02:28.425646+08:00 iaa logstash[11243]: "deviceID" => "idpCD76CB7452DD263A",
    2022-07-01T18:02:28.426137+08:00 iaa logstash[11243]: "createDate" => "2022-07-01T10:02:28.396Z",
    2022-07-01T18:02:28.426613+08:00 iaa logstash[11243]: "eventID" => "002E0029",
    2022-07-01T18:02:28.427092+08:00 iaa logstash[11243]: "@timestamp" => 2022-07-01T10:02:28.396Z,
    2022-07-01T18:02:28.427599+08:00 iaa logstash[11243]: "ou" => "student"
    2022-07-01T18:02:28.428093+08:00 iaa logstash[11243]: }

    Any ideas what's wrong ?

    Regards,

    Keng

Children
No Data