1Password Configuration

A Log Shipper Designed for 1Password Events

Install Integration

Please click on the Install Integration button to configure your stack for this source.

Set up an Events Reporting integration

To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose Elastic.

Then follow these steps to add an the integration to your 1Password account and create a bearer JSON web token:

  • Enter a name for the integration, then click Add Integration.
  • Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
  • Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
  • You can now use your bearer token to authenticate the 1Password Events API Beat with Elasticsearch.

You can issue or revoke bearer tokens at any time.

Install 1Password Events API Beat

Download and install the 1Password Events API Elastic Beat from the 1Password GitHub repository (opens in a new tab).

The 1Password Events API Beat returns information from 1Password through requests to the Events API and sends that data securely to your Logit.io Stack via Logstash.

Configure 1Password Events API Beat

In the directory you installed the Beat rename the eventsapibeat-sample.yml configuration file to eventsapibeat.yaml.

Below is an example of the configuration file. If you are logged into your Logit.io account this configuration file is pre-configured to send data to your Logit.io Stack via Logstash and is set up to monitor three different types of events from 1Password: signin attempts, item usages, and audit events.

Add your 1Password bearer token to the auth_token fields for each event type you want to monitor and update the starting_cursor limit and date / time as appropriate.

###################### Logit.io eventsapibeat Configuration ########################
# ============================== eventsapibeat inputs ==============================
eventsapibeat:
  insecure_skip_verify: false
  signin_attempts:
    enabled: true
    auth_token: "<YOUR_BEARER_TOKEN>"
    sample_frequency: "10s"
    cursor_state_file: "signinattempts.eventsapibeatstate"
    starting_cursor: >
      { "limit": 1000, "start_time": "2024-10-30T00:00:00Z" }
  item_usages:
    enabled: true
    auth_token: "<YOUR_BEARER_TOKEN>"
    sample_frequency: "10s"
    cursor_state_file: "itemusages.eventsapibeatstate"
    starting_cursor: >
      { "limit": 1000, "start_time": "2024-10-30T00:00:00Z" }
  audit_events:
    enabled: true
    auth_token: "<YOUR_BEARER_TOKEN>"
    sample_frequency: "10s"
    cursor_state_file: "auditevents.eventsapibeatstate"
    starting_cursor: >
      { "limit": 1000, "start_time": "2024-10-30T00:00:00Z" }
 
# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  hosts: ["@logstash.host:@logstash.sslPort"]
  loadbalance: true
  ssl.enabled: true

Run 1Password Events API Beat

Run the following command in the directory where you installed the 1Password Events API Beat to start the Beat and begin monitoring events from your 1Password account:

./eventsapibeat -c eventsapibeat.yml -e

You can now monitor events from your 1Password account in your Logit.io Stack. The returned data will follow the Elastic Common Schema specifications.

Launch Logs to View Data

Launch Logs

How to diagnose no data in your stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.