
splunk-add-on-jira-alerts failing to connect to Jira

davidmills
Explorer

As per https://answers.splunk.com/answers/691950/splunk-add-on-for-atlassian-jira-alerts-is-failing.html I added verify=False (which turns off TLS certificate verification for the connection to Jira), but also had to remove proxies=proxy, and then the health check stopped reporting errors. But any attempt to use the Jira app to create a ticket failed; splunkd.log shows:

10-14-2018 23:00:04.159 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server HTTP status= 401
10-14-2018 23:00:04.159 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server response:
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  <html>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  <head>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -      <title>Unauthorized (401)</title>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  <!--[if IE]><![endif]-->
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  <script type="text/javascript">
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -      (function() {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          var contextPath = '';
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          var eventBuffer = [];
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          function printDeprecatedMsg() {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              if (console && console.warn) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  console.warn('DEPRECATED JS - contextPath global variable has been deprecated since 7.4.0. Use `wrm/context-path` module instead.');
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          function sendEvent(analytics, postfix) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              analytics.send({
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  name: 'js.globals.contextPath.' + postfix
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              });
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          function sendDeprecatedEvent(postfix) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              try {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  var analytics = require('jira/analytics');
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  if (eventBuffer.length) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                      eventBuffer.forEach(function(value) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                          sendEvent(analytics, value);
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                      });
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                      eventBuffer = [];
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  if (postfix) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                      sendEvent(analytics, postfix);
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              } catch(ex) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  eventBuffer.push(postfix);
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  setTimeout(sendDeprecatedEvent, 1000);
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          Object.defineProperty(window, 'contextPath', {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              get: function() {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  printDeprecatedMsg();
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  sendDeprecatedEvent('get');
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  return contextPath;
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              },
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              set: function(value) {
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  printDeprecatedMsg();
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  sendDeprecatedEvent('set');
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -                  contextPath = value;
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -              }
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -          });
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -      })();
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  </script>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR -  <script>

When I set the Jira credentials via Apps->Manage Apps->"JIRA Custom Alert Action : Ticket Creation"->Setup, the only related file I see being touched is etc/apps/splunk-add-on-jira-alerts/local/alert_actions.conf, which contains all the credentials set except the password. Where might the password be stored - and if it was stored correctly, why is authentication failing when the app uses it? We have manually built a curl command that uses the values in jira.py and it works as expected when run from the command line.


worshamn
Contributor

It stores the password in etc/apps/splunk-add-on-jira-alerts/local/passwords.conf under a stanza called "[credential::jira_password:]" but the password= value under the stanza is a hashed version. You might be able to manually put this in and restart and see if it hashes it for you.


davidmills
Explorer

We have an Index master serving a 3x Search Head Cluster and a 3x Index Cluster. I have found etc/shcluster/apps/splunk-add-on-jira-alerts/local/passwords.conf on the Index master - dated 26th March - and etc/apps/splunk-add-on-jira-alerts/default/passwords.conf on the Search Heads, dated 11th Oct. So neither was updated when I set the password today. The 11th Oct date is probably a side effect of me putting some files under git control.

The contents of both is the same.

Are you suggesting that I change the 2nd line to:

password = <plain text password>

and then restart the Search Heads?


davidmills
Explorer

I tried that and ran

splunk apply shcluster-bundle -target https://..

It responded

Bundle has been pushed successfully to all the cluster members.

The result was that the Search Heads

etc/apps/splunk-add-on-jira-alerts/default/passwords.conf

files were updated - not a copy in local. The contents were still the plain text password. How can I get it to hash it?

It is now connecting to Jira - but was unable to find the project I named - I had used the project key instead of the name. I have changed to the name and we'll see what happens on the next run.


davidmills
Explorer

passwords.conf.example contains:

curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2

Is there a variant of that to change the password in this file? Or a variant to encrypt so that I can paste the result into the file?


davidmills
Explorer

It's connecting, but still complaining:

10-15-2018 06:00:03.854 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server HTTP status= 400
10-15-2018 06:00:03.854 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server response: {"errorMessages":[],"errors":{"issuetype":"Could not find issuetype by id or name.","project":"project is required"}}
10-15-2018 06:00:03.860 +0000 INFO  sendmodalert - action=jira - Alert action script completed in duration=402 ms with exit code=0
10-15-2018 06:00:03.861 +0000 INFO  sendmodalert - Invoking modular alert action=jira for search="Test JIRA post alert" sid="scheduler__m63794__search__RMD555abc7e95fc30e5a_at_1539583200_411_2052445C-AEC0-423C-982F-E95061B84AB5" in app="search" owner="m63794" type="saved"
10-15-2018 06:00:03.900 +0000 ERROR HttpListener - Exception while processing request from 127.0.0.1 for /servicesNS/nobody/SA-ITOA/storage/collections/data/dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka?output_mode=json: Could not find object id=dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka
10-15-2018 06:00:04.146 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server HTTP status= 400
10-15-2018 06:00:04.146 +0000 INFO  sendmodalert - action=jira STDERR -  Jira server response: {"errorMessages":[],"errors":{"issuetype":"Could not find issuetype by id or name.","project":"project is required"}}
10-15-2018 06:00:04.152 +0000 INFO  sendmodalert - action=jira - Alert action script completed in duration=289 ms with exit code=0

./etc/apps/splunk-add-on-jira-alerts/local/alert_actions.conf contains:

[jira]
param.issue_type = Task
param.jira_url = https://jira.aws.medibank.local
param.jira_username = splunk_user
param.project_key = FraudDetectionPOC
param.proxy_host = proxy.example.com
param.proxy_port = 8080
param.proxy_scheme = https

As stated earlier, for param.project_key I did originally have the key FRAUDPOC. The result was the same. What am I missing?


davidmills
Explorer

Hopefully I've just answered my own question. After posting I noticed

Invoking modular alert action=jira for search="Test JIRA post alert"

I found that alert and have corrected both the project_key and the issue_type - which differed from the settings in the application itself. We'll see how the next run goes.


worshamn
Contributor

Woa... a lot to take in here. Sounds like you got it connecting... I think, if so great? I wasn't sure how it would handle the password in the default folder though. I have seen Splunk hash passwords that are plain text sometimes after a restart, but I wasn't sure if it would apply here. Yeah my project keys are always all caps, let us know if you are fixed.


davidmills
Explorer

It's now getting errors with custom fields missing. But that's good as it means it has connected to the project successfully.

I'd still like to hash or encrypt the password. Do you know how to do that or a doc that describes how to? Presumably Splunk has an inbuilt master key for decrypting such passwords - so the process should be one where I don't get to know what that is - but can ask Splunk to encrypt on my behalf.


worshamn
Contributor

I imagine there is a way to do it with a REST call, but I would need to try to figure that one out. I'm guessing with your config you can't do it from the WebUI (because that is what normally hashes it)?


davidmills
Explorer

Yes - the UI (the Setup page for splunk-add-on-jira-alerts) includes text (password) boxes for the "JIRA password", but their use is failing to effect a change.

The "release" we are running for the app is a git clone of 50ca4bb4c957cd75279ecec1d8681f3a2756c20e with a change date of 23rd March 2018. There doesn't seem to be a newer release - 0.9.0 is the latest with a release date of 2015.

I'm meeting with the person who set all this up tomorrow. If he can't shed some light on this I'll raise a support ticket with Splunk.

Thanks for your help.


worshamn
Contributor

Woa... a lot to take in here. Sounds like you got it connecting... I think, if so great? I wasn't sure how it would handle the password in the default folder though. I have seen Splunk hash passwords that are plain text sometimes after a restart, but I wasn't sure if it would apply here. Yeah my project keys are always all caps, let us know if you are fixed.
