@juliandunn
Last active August 29, 2015 14:16
This is the error you will get when you're using audit mode with a Chef server that's too old (< 12.0.3):
{"recoverable":false,"cause":"json_extraction_bolt - e2c4e453-b93c-4cc6-8da6-41d58be6c7c8 invalid payload","payload":"{\"message_type\":\"control_groups\",\"message_version\":\"0.1.0\",\"organization_name\":\"chef\",\"chef_server_fqdn\":\"ec2-54-173-52-30.compute-1.amazonaws.com\",\"recorded_at\":\"2015-03-05T21:26:25Z\",\"remote_hostname\":\"172.31.36.204\",\"request_id\":\"g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjECAAN2pQAAAM4AAAAA\",\"node_name\":\"i-7093bf81\",\"id\":\"4f7e464a-69ba-4f57-a1f5-e3aa0ec2ba60\",\"run_id\":\"3225a373-d85a-496e-8767-1e38e67633a1\",\"control_groups\":[{\"name\":\"check sshd configuration\",\"status\":\"failure\",\"number_succeeded\":5,\"number_failed\":1,\"controls\":[{\"name\":\"should be installed\",\"status\":\"success\",\"details\":null,\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd package\"],\"sequence_number\":1},{\"name\":\"should exist with the right permissions\",\"status\":\"success\",\"details\":null,\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd configuration\"],\"sequence_number\":2},{\"name\":\"should not permit RootLogin\",\"status\":\"success\",\"details\":null,\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd configuration\"],\"sequence_number\":3},{\"name\":\"should explicitly not permit PasswordAuthentication\",\"status\":\"success\",\"details\":null,\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd configuration\"],\"sequence_number\":4},{\"name\":\"should force privilege separation\",\"status\":\"success\",\"details\":null,\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd configuration\"],\"sequence_number\":5},{\"name\":\"should disable X11 forwarding\",\"status\":\"failure\",\"details\":\"expected \\\"#\\\\t$OpenBSD: sshd_config,v 1.90 2013\\/05\\/16 04:09:14 dtucker Exp $\\\\n\\\\n# This is the sshd server system-wide configuration file. 
See\\\\n# sshd_config(5) for more information.\\\\n\\\\n# This sshd was compiled with PATH=\\/usr\\/local\\/bin:\\/usr\\/bin\\\\n\\\\n# The strategy used for options in the default sshd_config shipped with\\\\n# OpenSSH is to specify options with their default value where\\\\n# possible, but leave them commented. Uncommented options override the\\\\n# default value.\\\\n\\\\n# If you want to change the port on a SELinux system, you have to tell\\\\n# SELinux about this change.\\\\n# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\\\\n#\\\\n#Port 22\\\\n#AddressFamily any\\\\n#ListenAddress 0.0.0.0\\\\n#ListenAddress ::\\\\n\\\\n# The default requires explicit activation of protocol 1\\\\n#Protocol 2\\\\n\\\\n# HostKey for protocol version 1\\\\n#HostKey \\/etc\\/ssh\\/ssh_host_key\\\\n# HostKeys for protocol version 2\\\\nHostKey \\/etc\\/ssh\\/ssh_host_rsa_key\\\\n#HostKey \\/etc\\/ssh\\/ssh_host_dsa_key\\\\nHostKey \\/etc\\/ssh\\/ssh_host_ecdsa_key\\\\n\\\\n# Lifetime and size of ephemeral version 1 server key\\\\n#KeyRegenerationInterval 1h\\\\n#ServerKeyBits 1024\\\\n\\\\n# Ciphers and keying\\\\n#RekeyLimit default none\\\\n\\\\n# Logging\\\\n# obsoletes QuietMode and FascistLogging\\\\n#SyslogFacility AUTH\\\\nSyslogFacility AUTHPRIV\\\\n#LogLevel INFO\\\\n\\\\n# Authentication:\\\\n\\\\n#LoginGraceTime 2m\\\\n#PermitRootLogin yes\\\\n#StrictModes yes\\\\n#MaxAuthTries 6\\\\n#MaxSessions 10\\\\n\\\\n#RSAAuthentication yes\\\\n#PubkeyAuthentication yes\\\\n\\\\n# The default is to check both .ssh\\/authorized_keys and .ssh\\/authorized_keys2\\\\n# but this is overridden so installations will only check .ssh\\/authorized_keys\\\\nAuthorizedKeysFile .ssh\\/authorized_keys\\\\n\\\\n#AuthorizedPrincipalsFile none\\\\n\\\\n#AuthorizedKeysCommand none\\\\n#AuthorizedKeysCommandUser nobody\\\\n\\\\n# For this to work you will also need host keys in \\/etc\\/ssh\\/ssh_known_hosts\\\\n#RhostsRSAAuthentication no\\\\n# similar for protocol version 
2\\\\n#HostbasedAuthentication no\\\\n# Change to yes if you don't trust ~\\/.ssh\\/known_hosts for\\\\n# RhostsRSAAuthentication and HostbasedAuthentication\\\\n#IgnoreUserKnownHosts no\\\\n# Don't read the user's ~\\/.rhosts and ~\\/.shosts files\\\\n#IgnoreRhosts yes\\\\n\\\\n# To disable tunneled clear text passwords, change to no here!\\\\n#PasswordAuthentication yes\\\\n#PermitEmptyPasswords no\\\\nPasswordAuthentication no\\\\n\\\\n# Change to no to disable s\\/key passwords\\\\n#ChallengeResponseAuthentication yes\\\\nChallengeResponseAuthentication no\\\\n\\\\n# Kerberos options\\\\n#KerberosAuthentication no\\\\n#KerberosOrLocalPasswd yes\\\\n#KerberosTicketCleanup yes\\\\n#KerberosGetAFSToken no\\\\n#KerberosUseKuserok yes\\\\n\\\\n# GSSAPI options\\\\n#GSSAPIAuthentication no\\\\nGSSAPIAuthentication yes\\\\n#GSSAPICleanupCredentials yes\\\\nGSSAPICleanupCredentials yes\\\\n#GSSAPIStrictAcceptorCheck yes\\\\n#GSSAPIKeyExchange no\\\\n\\\\n# Set this to 'yes' to enable PAM authentication, account processing,\\\\n# and session processing. If this is enabled, PAM authentication will\\\\n# be allowed through the ChallengeResponseAuthentication and\\\\n# PasswordAuthentication. 
Depending on your PAM configuration,\\\\n# PAM authentication via ChallengeResponseAuthentication may bypass\\\\n# the setting of \\\\\\\"PermitRootLogin without-password\\\\\\\".\\\\n# If you just want the PAM account and session checks to run without\\\\n# PAM authentication, then enable this but set PasswordAuthentication\\\\n# and ChallengeResponseAuthentication to 'no'.\\\\n# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several\\\\n# problems.\\\\n#UsePAM no\\\\nUsePAM yes\\\\n\\\\n#AllowAgentForwarding yes\\\\n#AllowTcpForwarding yes\\\\n#GatewayPorts no\\\\n#X11Forwarding no\\\\nX11Forwarding yes\\\\n#X11DisplayOffset 10\\\\n#X11UseLocalhost yes\\\\n#PrintMotd yes\\\\n#PrintLastLog yes\\\\n#TCPKeepAlive yes\\\\n#UseLogin no\\\\nUsePrivilegeSeparation sandbox\\\\t\\\\t# Default for new installations.\\\\n#PermitUserEnvironment no\\\\n#Compression delayed\\\\n#ClientAliveInterval 0\\\\n#ClientAliveCountMax 3\\\\n#ShowPatchLevel no\\\\n#UseDNS yes\\\\n#PidFile \\/var\\/run\\/sshd.pid\\\\n#MaxStartups 10:30:100\\\\n#PermitTunnel no\\\\n#ChrootDirectory none\\\\n#VersionAddendum none\\\\n\\\\n# no default banner path\\\\n#Banner none\\\\n\\\\n# Accept locale-related environment variables\\\\nAcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\\\\nAcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\\\\nAcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE\\\\nAcceptEnv XMODIFIERS\\\\n\\\\n# override default of no subsystems\\\\nSubsystem sftp\\\\t\\/usr\\/libexec\\/openssh\\/sftp-server\\\\n\\\\n# Uncomment this if you want to use .local domain\\\\n#Host *.local\\\\n#\\\\tCheckHostIP no\\\\n\\\\n# Example of overriding settings on a per-user basis\\\\n#Match User anoncvs\\\\n#\\\\tX11Forwarding no\\\\n#\\\\tAllowTcpForwarding no\\\\n#\\\\tForceCommand cvs server\\\\n\\\" not to match \\/^X11Forwarding yes\\/\\nDiff:\\n@@ -1,2 +1,158 @@\\n-\\/^X11Forwarding yes\\/\\n+#\\t$OpenBSD: sshd_config,v 1.90 
2013\\/05\\/16 04:09:14 dtucker Exp $\\n+\\n+# This is the sshd server system-wide configuration file. See\\n+# sshd_config(5) for more information.\\n+\\n+# This sshd was compiled with PATH=\\/usr\\/local\\/bin:\\/usr\\/bin\\n+\\n+# The strategy used for options in the default sshd_config shipped with\\n+# OpenSSH is to specify options with their default value where\\n+# possible, but leave them commented. Uncommented options override the\\n+# default value.\\n+\\n+# If you want to change the port on a SELinux system, you have to tell\\n+# SELinux about this change.\\n+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER\\n+#\\n+#Port 22\\n+#AddressFamily any\\n+#ListenAddress 0.0.0.0\\n+#ListenAddress ::\\n+\\n+# The default requires explicit activation of protocol 1\\n+#Protocol 2\\n+\\n+# HostKey for protocol version 1\\n+#HostKey \\/etc\\/ssh\\/ssh_host_key\\n+# HostKeys for protocol version 2\\n+HostKey \\/etc\\/ssh\\/ssh_host_rsa_key\\n+#HostKey \\/etc\\/ssh\\/ssh_host_dsa_key\\n+HostKey \\/etc\\/ssh\\/ssh_host_ecdsa_key\\n+\\n+# Lifetime and size of ephemeral version 1 server key\\n+#KeyRegenerationInterval 1h\\n+#ServerKeyBits 1024\\n+\\n+# Ciphers and keying\\n+#RekeyLimit default none\\n+\\n+# Logging\\n+# obsoletes QuietMode and FascistLogging\\n+#SyslogFacility AUTH\\n+SyslogFacility AUTHPRIV\\n+#LogLevel INFO\\n+\\n+# Authentication:\\n+\\n+#LoginGraceTime 2m\\n+#PermitRootLogin yes\\n+#StrictModes yes\\n+#MaxAuthTries 6\\n+#MaxSessions 10\\n+\\n+#RSAAuthentication yes\\n+#PubkeyAuthentication yes\\n+\\n+# The default is to check both .ssh\\/authorized_keys and .ssh\\/authorized_keys2\\n+# but this is overridden so installations will only check .ssh\\/authorized_keys\\n+AuthorizedKeysFile .ssh\\/authorized_keys\\n+\\n+#AuthorizedPrincipalsFile none\\n+\\n+#AuthorizedKeysCommand none\\n+#AuthorizedKeysCommandUser nobody\\n+\\n+# For this to work you will also need host keys in \\/etc\\/ssh\\/ssh_known_hosts\\n+#RhostsRSAAuthentication no\\n+# similar 
for protocol version 2\\n+#HostbasedAuthentication no\\n+# Change to yes if you don't trust ~\\/.ssh\\/known_hosts for\\n+# RhostsRSAAuthentication and HostbasedAuthentication\\n+#IgnoreUserKnownHosts no\\n+# Don't read the user's ~\\/.rhosts and ~\\/.shosts files\\n+#IgnoreRhosts yes\\n+\\n+# To disable tunneled clear text passwords, change to no here!\\n+#PasswordAuthentication yes\\n+#PermitEmptyPasswords no\\n+PasswordAuthentication no\\n+\\n+# Change to no to disable s\\/key passwords\\n+#ChallengeResponseAuthentication yes\\n+ChallengeResponseAuthentication no\\n+\\n+# Kerberos options\\n+#KerberosAuthentication no\\n+#KerberosOrLocalPasswd yes\\n+#KerberosTicketCleanup yes\\n+#KerberosGetAFSToken no\\n+#KerberosUseKuserok yes\\n+\\n+# GSSAPI options\\n+#GSSAPIAuthentication no\\n+GSSAPIAuthentication yes\\n+#GSSAPICleanupCredentials yes\\n+GSSAPICleanupCredentials yes\\n+#GSSAPIStrictAcceptorCheck yes\\n+#GSSAPIKeyExchange no\\n+\\n+# Set this to 'yes' to enable PAM authentication, account processing,\\n+# and session processing. If this is enabled, PAM authentication will\\n+# be allowed through the ChallengeResponseAuthentication and\\n+# PasswordAuthentication. 
Depending on your PAM configuration,\\n+# PAM authentication via ChallengeResponseAuthentication may bypass\\n+# the setting of \\\"PermitRootLogin without-password\\\".\\n+# If you just want the PAM account and session checks to run without\\n+# PAM authentication, then enable this but set PasswordAuthentication\\n+# and ChallengeResponseAuthentication to 'no'.\\n+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several\\n+# problems.\\n+#UsePAM no\\n+UsePAM yes\\n+\\n+#AllowAgentForwarding yes\\n+#AllowTcpForwarding yes\\n+#GatewayPorts no\\n+#X11Forwarding no\\n+X11Forwarding yes\\n+#X11DisplayOffset 10\\n+#X11UseLocalhost yes\\n+#PrintMotd yes\\n+#PrintLastLog yes\\n+#TCPKeepAlive yes\\n+#UseLogin no\\n+UsePrivilegeSeparation sandbox\\t\\t# Default for new installations.\\n+#PermitUserEnvironment no\\n+#Compression delayed\\n+#ClientAliveInterval 0\\n+#ClientAliveCountMax 3\\n+#ShowPatchLevel no\\n+#UseDNS yes\\n+#PidFile \\/var\\/run\\/sshd.pid\\n+#MaxStartups 10:30:100\\n+#PermitTunnel no\\n+#ChrootDirectory none\\n+#VersionAddendum none\\n+\\n+# no default banner path\\n+#Banner none\\n+\\n+# Accept locale-related environment variables\\n+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES\\n+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT\\n+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE\\n+AcceptEnv XMODIFIERS\\n+\\n+# override default of no subsystems\\n+Subsystem sftp\\t\\/usr\\/libexec\\/openssh\\/sftp-server\\n+\\n+# Uncomment this if you want to use .local domain\\n+#Host *.local\\n+#\\tCheckHostIP no\\n+\\n+# Example of overriding settings on a per-user basis\\n+#Match User anoncvs\\n+#\\tX11Forwarding no\\n+#\\tAllowTcpForwarding no\\n+#\\tForceCommand cvs server\\n\",\"resource_type\":null,\"resource_name\":null,\"context\":[\"sshd 
configuration\"],\"sequence_number\":6}],\"id\":\"5c5d84e0-7627-491f-8d5e-da171178b476\",\"cookbook_name\":\"openssh\",\"cookbook_version\":\"1.3.5\",\"recipe_name\":\"audit_sshd\",\"line_number\":23}],\"remote_request_id\":\"3225a373-d85a-496e-8767-1e38e67633a1\"}"}