1Password

The 1Password Event Log Source in Observo AI enables the ingestion of JSON-formatted event logs from the 1Password Events Reporting API, supporting real-time security monitoring, compliance auditing, and user behavior analytics for 1Password Business accounts.

Purpose

The purpose of the Observo AI 1Password Event Log source is to enable users to ingest event log data from the 1Password Events Reporting API into the Observo AI platform for analysis and processing. It facilitates the collection of JSON-formatted event data, such as user activity, security events, or audit logs, from a 1Password Business account. This integration helps organizations streamline data pipelines, enhance observability, and support use cases like security monitoring, compliance auditing, and user behavior analytics by processing 1Password event data in real time or through scheduled ingestion.

Prerequisites

Before configuring the 1Password Event Log source in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Observo AI Platform Setup:

    • The Observo AI platform must be installed and operational, with support for the 1Password Event Log as a data source.

    • Verify that the platform supports JSON data format, as 1Password event logs are typically provided in JSON. Additional formats may require specific parser configurations.

  • 1Password Business Account:

    • An active 1Password Business account with access to the Events Reporting API is required.

    • Obtain the API token for the Events Reporting API from the 1Password Admin Console.

  • Authentication:

    • Prepare the following authentication method:

      • API Token: Obtain a valid API token from the 1Password Admin Console for secure access to the Events Reporting API.

      • Secret Authentication (Optional): Use a stored secret within Observo AI's secure storage for the API token.

  • Network and Connectivity:

    • Ensure Observo AI can communicate with the 1Password Events Reporting API endpoint, such as events.1password.com.

    • Check for proxy settings, firewall rules, or VPC endpoint configurations that may affect connectivity to the 1Password API endpoint.

| Prerequisite | Description | Notes |
| --- | --- | --- |
| Observo AI Platform | Must be installed and support 1Password Event Log | Verify support for JSON; additional parsers may be needed |
| 1Password Business Account | Active account with Events Reporting API access | Obtain API token from 1Password Admin Console |
| Authentication | API Token or Secret | Prepare API token as required by the endpoint |
| Network | Connectivity to 1Password API endpoint | Check VPC endpoints, proxies, and firewalls |

Integration

The Integration section outlines the default configurations for the 1Password Event Log source. To configure the 1Password Event Log as a source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose 1Password Event Log from the list of available sources to begin configuration.

  2. General Settings:

    • Name: A unique identifier for the source, such as 1password-event-log-source-1.

    • Description (Optional): Provide a description for the source.

    • Endpoint: 1Password events server endpoint to collect data from.

      Examples

      https://events.1password.com/api/v2/auditevents

      https://events.ent.1password.com/api/v2/auditevents

    • Collection Interval: Duration between consecutive data collection requests. Default: 1m.

      Examples

      10s

      1m

    • Headers (Add as needed): Headers to include in the HTTP request. Use the format {key: value}.

  3. Checkpoint:

    • Enable Checkpoint (False): Enable incremental log collection using checkpointing.

    • Tracking Column: JSON path to the field used for tracking progress, such as 'timestamp'. The value from the last log entry will be used.

      Examples

      timestamp

      message.time

      Data.created_at

    • Initial Value: Starting value for the tracking column. Will be used for the first collection.

      Example

      2025-04-06T00:00:00Z

  4. Pagination (Optional):

    • Enable Pagination (False): Enable pagination support for handling paginated responses.

    • Pagination Type: Type of pagination to use. Only 'Cursor-Based' pagination is supported for 1Password; it uses a reference pointer to fetch the next results.

    • Maximum Pages: Maximum number of pages to retrieve in one collection cycle. Set to 0 for unlimited. Default: 50

      Examples

      50

      100

      0

    • Request Interval: Time to wait between pagination requests. Use a duration string like '100ms' or '1s'. Default: 100ms

      Examples

      100ms

      500ms

      1s

    • Cursor Field: JSON path to the cursor field in the response. Default: cursor for {"cursor": "abcdef"}.

      Examples

      cursor

      meta.nextCursor

      pageInfo.endCursor

    • Cursor Placement: Where to place the cursor in the next request. Default: Request Body (requires POST)

      Select from dropdown:

      Request Body (requires POST)

      Query Parameter

      URL Path

      Full URL (cursor is a complete URL)

    • Cursor Request Field: Field name to use when sending the cursor in the request body or as a query parameter. Default: cursor.

      Examples

      cursor

      after

      next_token

    • Has More Field: JSON path to field in response that indicates if there are more pages. Example: 'has_more' for {"has_more": true}.

      Examples

      has_more

      meta.hasNext

      meta.hasNextPage

  5. TLS Configuration (Optional):

    • CA File: The CA certificate provided as an inline string in PEM format.

    • Include System CA Certs Pool (True): Include the system CA certificates pool in the list of CAs used to verify the server certificate.

    • Cert File: Path to the TLS cert to use for TLS required connections.

    • Key File: Path to the TLS key to use for TLS required connections.

    • Insecure (True): Skip TLS verification when connecting to the endpoint. This is insecure and should not be used in production.

    • Insecure Skip Verify (True): Enable TLS but do not verify the certificate.

    • Server Name Override: The server name to use to verify the hostname on the returned certificates.

  6. Advanced Settings (Optional):

    • Method: HTTP request method to use for requests. Supports GET and POST methods. Default: POST

    • Body: Request body for POST method. Supports templating with $LAST_VALUE$ when using checkpointing.

      Example

      {"limit": 100,"start_time": "$LAST_VALUE$"}

    • Response Log Path: JSON path to logs array in responses. Leave empty if the response is a direct array of logs.

      Examples

      items

      data

      resource.logs

    • Proxy URL: URL of the proxy server to use when connecting to the endpoint.

    • Read Buffer Size: Size of the read buffer in bytes.

    • Write Buffer Size: Size of the write buffer in bytes.

    • Timeout: Timeout for the HTTP request. Use a number followed by a unit, such as '30s' or '1m'. Default: 10s

    • Compression: Compression algorithm to use for the request body.

      | Select from dropdown | Description |
      | --- | --- |
      | Gzip | Widely used compression, based on DEFLATE algorithm |
      | Zlib | Lightweight DEFLATE wrapper, used in programming libraries |
      | Deflate | Core algorithm combining LZ77 and Huffman coding |
      | Snappy | Very fast compression, lower compression ratio |
      | Zstd | High compression ratio and decompression speed |
      | Lz4 | Extremely fast compression with modest compression ratio |

    • Max Idle Connections: Maximum number of idle connections to keep open to the endpoint.

    • Idle Connection Timeout: Timeout for idle connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

    • HTTP 2 Read Idle Timeout: Timeout for HTTP/2 read idle connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

    • HTTP 2 Read Ping Timeout: Timeout for HTTP/2 read ping connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

  7. Parser Config:

    • Enable Source Log parser: (False)

    • Toggle the Enable Source Log parser switch to enable it

      • Select appropriate Parser from the Source Log Parser dropdown

      • Add additional Parsers as needed

  8. Pattern Extractor:

    • Refer to Observo AI’s Pattern Extractor documentation for details on configuring pattern-based data extraction.

  9. Archival Destination:

    • Toggle the Enable Archival on Source switch to enable it

    • Under Archival Destination, select from the list of Archival Destinations (Required)

  10. Save and Test Configuration:

    • Save the configuration settings in Observo AI.

    • Send sample data to the 1Password Events Reporting API endpoint and verify ingestion in the Analytics tab to confirm data flow.

Example Scenarios

UrbanTrend Retail Co., a fictitious mid-sized retail chain specializing in fashion and accessories, uses a 1Password Business account to manage secure access to its internal systems, point-of-sale applications, and employee credentials. To enhance security monitoring and compliance auditing, UrbanTrend wants to integrate the 1Password Events Reporting API with the Observo AI platform to ingest and analyze event log data, such as user activity and audit logs. This integration will help UrbanTrend monitor employee access patterns, detect potential security incidents, and maintain compliance with retail industry regulations like PCI DSS.

Standard 1Password Event Log Source Setup

Here is a standard 1Password Event Log Source configuration example. Only the required sections and their associated field updates are displayed in the tables below:

General Settings

| Field | Value | Description |
| --- | --- | --- |
| Name | urbantrend-1password-event-log | Unique identifier for the 1Password Event Log source. |
| Description | Ingest 1Password event logs for security and compliance monitoring | Optional description of the source's purpose. |
| Endpoint | https://events.1password.com/api/v2/auditevents | 1Password Events Reporting API endpoint for audit events. |
| Collection Interval | 1m | Data collection occurs every minute to ensure near real-time monitoring. |
| Headers | { "Authorization": "Bearer $API_TOKEN$" } | HTTP header with API token for secure access (token stored securely). |

Checkpoint

| Field | Value | Description |
| --- | --- | --- |
| Enable Checkpoint | True | Enables incremental log collection to avoid duplicate data ingestion. |
| Tracking Column | timestamp | JSON path to the 'timestamp' field for tracking progress of log collection. |
| Initial Value | 2025-07-09T00:00:00Z | Starting timestamp for the first collection cycle. |

Pagination

| Field | Value | Description |
| --- | --- | --- |
| Enable Pagination | True | Enables pagination to handle large datasets from the API. |
| Pagination Type | Cursor-Based | Uses cursor-based pagination as supported by the 1Password API. |
| Maximum Pages | 50 | Limits retrieval to 50 pages per collection cycle to manage API load. |
| Request Interval | 100ms | 100ms delay between pagination requests to avoid rate limiting. |
| Cursor Field | cursor | JSON path to the cursor field in the API response (e.g., {"cursor": "abc"}). |
| Cursor Placement | Query Parameter | Cursor is sent as a query parameter in the next request. |
| Cursor Request Field | cursor | Field name for the cursor in the query parameter. |
| Has More Field | has_more | JSON path to the field indicating if more pages are available. |

TLS Configuration

| Field | Value | Description |
| --- | --- | --- |
| CA File | -----BEGIN CERTIFICATE-----... | Inline PEM-formatted CA certificate for verifying the 1Password API server. |
| Include System CA Certs Pool | True | Includes system CA certificates for broader certificate validation. |
| Cert File | /path/to/tls-cert.pem | Path to the TLS certificate for secure connections to the API endpoint. |
| Key File | /path/to/tls-key.pem | Path to the TLS key for secure connections to the API endpoint. |
| Insecure | False | Disables insecure connections (TLS verification is enforced). |
| Insecure Skip Verify | False | Ensures TLS certificate verification is performed. |
| Server Name Override | events.1password.com | Specifies the server name for verifying the hostname on certificates. |

Advanced Settings

| Field | Value | Description |
| --- | --- | --- |
| Method | POST | HTTP POST method used for requests to the 1Password Events Reporting API. |
| Body | {"limit": 100, "start_time": "$LAST_VALUE$"} | Request body with limit and checkpointed start time for incremental pulls. |
| Response Log Path | items | JSON path to the logs array in the API response (e.g., {"items": [...] }). |
| Proxy URL | http://proxy.urbantrend.com:8080 | Proxy server URL for routing API requests through the corporate network. |
| Read Buffer Size | 8192 | 8KB read buffer size for efficient data handling. |
| Write Buffer Size | 8192 | 8KB write buffer size for efficient data handling. |
| Timeout | 30s | 30-second timeout for HTTP requests to handle potential network latency. |
| Compression | Gzip | Uses Gzip compression for request body to reduce bandwidth usage. |
| Max Idle Connections | 10 | Limits to 10 idle connections to optimize resource usage. |
| Idle Connection Timeout | 30s | Closes idle connections after 30 seconds to free resources. |
| HTTP 2 Read Idle Timeout | 30s | 30-second timeout for HTTP/2 read idle connections. |
| HTTP 2 Read Ping Timeout | 15s | 15-second timeout for HTTP/2 read ping connections. |
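
The following added example (not Observo AI's code and not part of the original page) sketches how the Checkpoint, Pagination, and Body settings in the tables above interact during one collection cycle. The fake_api function, the CFG key names, and the sample events are constructed for illustration, and the way a collector resumes after reaching Maximum Pages is an assumption.

```python
import json

# Constructed sample pages standing in for API responses (not real 1Password data).
PAGES = {
    None: {"cursor": "c1", "has_more": True, "items": [
        {"uuid": "e1", "timestamp": "2025-07-09T00:01:00Z", "action": "join"},
        {"uuid": "e2", "timestamp": "2025-07-09T00:02:00Z", "action": "grant"}]},
    "c1": {"cursor": "c2", "has_more": True, "items": [
        {"uuid": "e3", "timestamp": "2025-07-09T00:03:00Z", "action": "revoke"}]},
    "c2": {"cursor": "c3", "has_more": False, "items": [
        {"uuid": "e4", "timestamp": "2025-07-09T00:04:00Z", "action": "delete"}]},
}

def fake_api(body, cursor=None):
    """Hypothetical stand-in for the endpoint: returns one page per cursor."""
    json.loads(body)  # the templated body must still be valid JSON
    return PAGES[cursor]

def get_path(obj, path):
    """Resolve a dotted JSON path such as 'meta.nextCursor'."""
    for key in path.split("."):
        obj = obj[key]
    return obj

def collect(cfg, last_value, fetch=fake_api):
    """One collection cycle: returns (logs, new checkpoint, pages fetched)."""
    body = cfg["body"].replace("$LAST_VALUE$", last_value)
    logs, cursor, pages = [], None, 0
    while True:
        resp = fetch(body, cursor)
        pages += 1
        logs.extend(get_path(resp, cfg["response_log_path"]))
        if not get_path(resp, cfg["has_more_field"]):
            break
        if cfg["maximum_pages"] and pages >= cfg["maximum_pages"]:
            break  # page cap reached (0 = unlimited); the rest waits for the next cycle
        cursor = get_path(resp, cfg["cursor_field"])
    # Checkpoint: tracking-column value of the last log entry collected.
    if logs:
        last_value = get_path(logs[-1], cfg["tracking_column"])
    return logs, last_value, pages

CFG = {"body": '{"limit": 100, "start_time": "$LAST_VALUE$"}',
       "response_log_path": "items", "cursor_field": "cursor",
       "has_more_field": "has_more", "tracking_column": "timestamp",
       "maximum_pages": 50}
```

With Maximum Pages lowered to 2 in this sketch, the cycle stops after three events and the checkpoint becomes 2025-07-09T00:03:00Z, so the next cycle resumes from that timestamp.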

Troubleshooting

If issues arise with the 1Password Event Log source in Observo AI, use the following steps to diagnose and resolve them:

  • Verify Configuration Settings:

    • Ensure all fields, such as Endpoint, API Token, and parser settings, are correctly entered and match the 1Password API setup.

    • Confirm that the HTTP method, such as GET, aligns with the 1Password Events Reporting API requirements.

  • Check Authentication:

    • Verify that the API token is valid and not expired.

    • For Secret Authentication, confirm the secret is accessible in Observo AI’s secure storage.

  • Validate Network Connectivity:

    • Check for firewall rules, proxy settings, or VPC endpoint configurations that may block access to the 1Password API endpoint (events.1password.com).

    • Test connectivity using tools like curl or Postman with similar proxy configurations to verify access.

  • Common Error Messages:

    • "Inaccessible host": May indicate TLS version mismatches or DNS problems. Ensure the host supports the required TLS version and check DNS settings.

    • "Authentication failed": Verify that the API token is correct and has the necessary permissions.

    • "Request timeout": Check the Timeout setting and network latency; consider increasing the timeout value.

  • Monitor Logs and Data:

    • Verify that data is being ingested by monitoring the 1Password API endpoint activity.

    • Use the Analytics tab in the targeted Observo AI pipeline to monitor data volume and ensure expected throughput.

    • Check Observo AI logs for errors or warnings related to data ingestion from the 1Password Event Log source.

| Issue | Possible Cause | Resolution |
| --- | --- | --- |
| Data not ingested | Incorrect endpoint or parser configuration | Verify Endpoint and parser settings |
| Authentication errors | Invalid or expired API token | Check API token validity |
| Connectivity issues | Firewall or proxy blocking access | Test network connectivity and VPC endpoints |
| "Inaccessible host" | TLS or DNS issues | Ensure TLS compatibility and check DNS |
| "Authentication failed" | Misconfigured API token | Verify API token and permissions |
| "Request timeout" | Network latency or low timeout setting | Increase Timeout setting or check network |

Resources

For additional guidance and detailed information, refer to the following resources:
