As per https://answers.splunk.com/answers/691950/splunk-add-on-for-atlassian-jira-alerts-is-failing.html I added verify=False, but also had to remove proxies=proxy, and then the health check stopped reporting errors. But any attempt to use the Jira app to create a ticket failed; splunkd.log shows:
10-14-2018 23:00:04.159 +0000 INFO sendmodalert - action=jira STDERR - Jira server HTTP status= 401
10-14-2018 23:00:04.159 +0000 INFO sendmodalert - action=jira STDERR - Jira server response:
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR - <html>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR - <head>
10-14-2018 23:00:04.160 +0000 ERROR sendmodalert - action=jira STDERR - <title>Unauthorized (401)</title>
When I set the Jira credentials via Apps-Manage Apps->"JIRA Custom Alert Action : Ticket Creation"->Setup, the only related file I see being touched is etc/apps/splunk-add-on-jira-alerts/local/alert_actions.conf, which contains all the credentials set except the password. Where might that be stored - and if it was stored correctly why is the use failing to authenticate? We have manually built a curl command that uses the values in jira.py and it works as expected when run from the command line.
It stores the password in etc/apps/splunk-add-on-jira-alerts/local/passwords.conf under a stanza called "[credential::jira_password:]" but the password= value under the stanza is a hashed version. You might be able to manually put this in and restart and see if it hashes it for you.
We have an Index master serving a 3x Search Head Cluster and a 3x Index Cluster. I have found etc/shcluster/apps/splunk-add-on-jira-alerts/local/passwords.conf on the Index master - dated 26th March and etc/apps/splunk-add-on-jira-alerts/default/passwords.conf on the Search Heads dated 11th Oct. So neither was updated when I set the password today. The 11th Oct date is probably a side effect of me putting some files under git control.
The contents of both are the same.
Are you suggesting that I change the 2nd line to:
password = <plain text password>
and then restarting the Search Heads?
I tried that and ran
splunk apply shcluster-bundle -target https://..
It responded
Bundle has been pushed successfully to all the cluster members.
The result was that the Search Heads
etc/apps/splunk-add-on-jira-alerts/default/passwords.conf
files were updated - not a copy in local. The contents were still the plain text password. How can I get it to hash it?
It is not connecting to Jira - but was unable to find the project I named - I had used the project key instead of the name. I have changed to the name and we'll see what happens on the next run.
passwords.conf.example contains:
curl -k -u admin:changeme https://localhost:8089/servicesNS/nobody/search/storage/passwords -d name=user1 -d password=changeme2
Is there a variant of that to change the password in this file? Or a variant to encrypt so that I can paste the result into the file?
It's connecting, but still complaining:
10-15-2018 06:00:03.854 +0000 INFO sendmodalert - action=jira STDERR - Jira server HTTP status= 400
10-15-2018 06:00:03.854 +0000 INFO sendmodalert - action=jira STDERR - Jira server response: {"errorMessages":[],"errors":{"issuetype":"Could not find issuetype by id or name.","project":"project is required"}}
10-15-2018 06:00:03.860 +0000 INFO sendmodalert - action=jira - Alert action script completed in duration=402 ms with exit code=0
10-15-2018 06:00:03.861 +0000 INFO sendmodalert - Invoking modular alert action=jira for search="Test JIRA post alert" sid="scheduler__m63794__search__RMD555abc7e95fc30e5a_at_1539583200_411_2052445C-AEC0-423C-982F-E95061B84AB5" in app="search" owner="m63794" type="saved"
10-15-2018 06:00:03.900 +0000 ERROR HttpListener - Exception while processing request from 127.0.0.1 for /servicesNS/nobody/SA-ITOA/storage/collections/data/dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka?output_mode=json: Could not find object id=dummy_collection_nvfjdnvjkfdnvjkfnvjkfnvernvjfnvjkfsdnvuenvkjfnvjka
10-15-2018 06:00:04.146 +0000 INFO sendmodalert - action=jira STDERR - Jira server HTTP status= 400
10-15-2018 06:00:04.146 +0000 INFO sendmodalert - action=jira STDERR - Jira server response: {"errorMessages":[],"errors":{"issuetype":"Could not find issuetype by id or name.","project":"project is required"}}
10-15-2018 06:00:04.152 +0000 INFO sendmodalert - action=jira - Alert action script completed in duration=289 ms with exit code=0
./etc/apps/splunk-add-on-jira-alerts/local/alert_actions.conf contains:
[jira]
param.issue_type = Task
param.jira_url = https://jira.aws.medibank.local
param.jira_username = splunk_user
param.project_key = FraudDetectionPOC
param.proxy_host = proxy.example.com
param.proxy_port = 8080
param.proxy_scheme = https
As stated earlier, for param.project_key I did originally have the key FRAUDPOC. The result was the same. What am I missing?
Hopefully I've just answered my own question. After posting I noticed
Invoking modular alert action=jira for search="Test JIRA post alert"
I found that alert and have corrected both the project_key and the issue_type - which differed from the settings in the application itself. We'll see how the next run goes.
Woa... a lot to take in here. Sounds like you got it connecting... I think, if so great? I wasn't sure how it would handle the password in the default folder though. I have seen Splunk hash passwords that are plain text sometimes after a restart, but I wasn't sure if it would apply here. Yeah my project keys are always all caps, let us know if you are fixed.
It's now getting errors with custom fields missing. But that's good as it means it has connected to the project successfully.
I'd still like to hash or encrypt the password. Do you know how to do that or a doc that describes how to? Presumably Splunk has an inbuilt master key for decrypting such passwords - so the process should be one where I don't get to know what that is - but can ask Splunk to encrypt on my behalf.
I imagine there is a way to do it with a REST call, but I would need to try to figure that one out. I'm guessing with your config you can't do it from the WebUI (because that is what normally hashes it)?
Yes - the UI (Setup page for splunk-add-on-jira-alerts) includes text (password) boxes for the "JIRA password", but their use is failing to effect a change.
The "release" we are running for the app is a git clone of 50ca4bb4c957cd75279ecec1d8681f3a2756c20e with a change date of 23rd March 2018. There doesn't seem to be a newer release - 0.9.0 is the latest with a release date of 2015.
I'm meeting with the person who set all this up tomorrow. If he can't shed some light on this I'll raise a support ticket with Splunk.
Thanks for your help.
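The thread leaves a plain text password in default/passwords.conf on the search heads. The following added example (not part of the thread and not code from the add-on) audits the text of a passwords.conf for credential stanzas whose password is still plaintext; it assumes encrypted values carry Splunk's `$1$` or `$7$` prefix, and the function name and sample values are constructed for illustration.

```python
import configparser
import re

# Assumption: splunkd writes encrypted secrets with a "$<digit>$" prefix
# ("$1$" on older releases, "$7$" on newer ones). Anything else is plaintext.
ENCRYPTED = re.compile(r"^\$\d\$")
# Stanza form seen in the thread: [credential:<realm>:<username>:]
# (colons inside realm/username are backslash-escaped).
STANZA = re.compile(r"^credential:((?:[^:\\]|\\.)*):((?:[^:\\]|\\.)*):$")

def audit_passwords_conf(text, path="<inline>"):
    """Return one finding per credential stanza whose password is plaintext."""
    # interpolation=None: secrets may contain '%', which configparser would
    # otherwise try to expand. strict=False tolerates repeated stanzas.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        m = STANZA.match(section)
        if not m:
            continue
        value = cp.get(section, "password", fallback="").strip()
        if value and not ENCRYPTED.match(value):
            findings.append({
                "file": path,
                "realm": m.group(1),
                "username": m.group(2),
                # Never echo the secret itself, only its length.
                "detail": "plaintext password (%d chars)" % len(value),
            })
    return findings

# Constructed sample: values are placeholders, not taken from the thread.
SAMPLE = """\
[credential::jira_password:]
password = Constructed-Plaintext-100%

[credential:jira:svc_other:]
password = $7$Q09OU1RSVUNURUQ=
"""

if __name__ == "__main__":
    for f in audit_passwords_conf(SAMPLE, "default/passwords.conf"):
        print("{file}: [{realm}:{username}] {detail}".format(**f))
```

Run it over every passwords.conf under etc/apps and etc/shcluster/apps, including copies held in version control, since a deployer bundle distributes whatever those files contain.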