I'm trying to configure the Duo Splunk Connector on a Splunk heavy forwarder to leverage the web proxy configuration I have in Splunk's server.conf. This configuration works for all Splunk web communication, but doesn't seem to apply for the Duo inputs.
Did you ever figure out a work around for this? I am facing the same issue right now.
Never did. Not sure the add-on supports it.
This is a very "hacky" way but it works. I.e. fixing the app is beyond my scope of capabilities. Any updates to the app will almost certainly wipeout these modifications.
The Add-On uses the python module "duo_client" to make its api calls to DUO. I am modifying the duo_input.py file with an addition line of code in two if its functions. The file is located here:
$SPLUNK_HOME/etc/apps/duo_splunkapp/bin
Look for #Added the below line for the additional code in each code snippet.
Replace "proxyaddr" and "proxyport" with your proxy details.
First function: validate_arguments
def validate_arguments(ikey, skey, host, interval, offset_seconds=-140):
'''
Ensures that the provided credentials have access to different log types
Also check that the interval is >= 120 seconds to avoid rate limiting.
'''
logger = logging.getLogger()
if interval < 120:
logger.error("User entered an interval under 120 seconds")
print_error('The interval needs to be greater than or equal to 120 '
'seconds')
raise ValueError("User entered an interval under 120 seconds")
admin = duo_client.admin.Admin(
ikey=ikey,
skey=skey,
host=host,
ca_certs=duo_client.client.DEFAULT_CA_CERTS,
)
#Added the below line
admin.set_proxy("proxyaddr", "proxyport")
current_unix_ts = int(utils.get_time())
Second Function: run_script
def run_script():
"""Method will instantiate a duo_client.Admin object with the configured
ikey/skey/api_host. In addition, it will call each log collector class to
poll the Duo adminapi for JSON encoded data that gets written to stdout.
"""
config = get_config()
admin_api = duo_client.Admin(
ikey=config['ikey'],
skey=config['skey'],
host=config['api_host'],
ca_certs=None,
)
#Added the below line
admin_api.set_proxy("proxyaddr", "proxyport")
logclasses = (
PaginatedAccountLog,
PaginatedTelephonyLog,
PaginatedAdministratorLog,
PaginatedAuthenticationLog,
PaginatedEndPointLog
)
Hopefully the app is updated to include configuring a proxy via the UI.
For anyone reading this, these functions are
admin.set_proxy
and
admin_api.set_proxy
You can't fill in your variables in the first section and paste it in the second.
We added proxy support as well has adding the proxy server/port in the web configurator.
I tried to get this merged into the base splunk connector app but after dealing with support and account managers at cisco and getting nowhere I decided to make a diff/patch and instructions, these are as follows..
# Obtain duo_splunkapp_1.1.9.spl
wget https://dl.duosecurity.com/duo_splunkapp_1.1.9.spl
# Rename
mv duo_splunkapp_1.1.9.spl duo_splunkapp_1.1.9.tgz
# Obtain patch
wget https://www.focb.co.nz/duo_splunk/README
wget https://www.focb.co.nz/duo_splunk/duo_splunkapp_1.1.9_proxy.patch
# Unzip splunkapp
tar -zxvf duo_splunkapp_1.1.9.tgz
# Patch
patch -p0 < duo_splunkapp_proxy.patch
# Rezip
tar -zcvf duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp
# Rename
mv duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp_1.1.9_proxy.spl
# Additional reading
Install Instructions: https://duo.com/docs/splunkapp#install-duo-splunk-connector
Splunkbase App: https://splunkbase.splunk.com/app/3504
Credit:
The thread at https://community.splunk.com/t5/All-Apps-and-Add-ons/Can-you-configure-the-Duo-Splunk-Connector-to-use-a-web-proxy/m-p/486022
The guys at Shelde: https://au.linkedin.com/company/wiproshelde
Cisco and Duo support for rejecting my attempts at getting this to be merged into teh splunk connector base code.
The patch actually had a different name on my webserver, I've fixed that now, sorry 😞
Also, for the latest (as of sept) splunk app, the update functions and changes are the same if you want to add "fixed/static" proxy entries. I'm currently testing to make sure is actually correct but I'm hopeful 🙂
In the function validate_arguments
def validate_arguments(ikey: str, skey: str, host: str, interval: int, offset_seconds: int=-140):
"""
Ensures that the provided credentials have access to different log types
Also check that the interval is >= 120 seconds to avoid rate limiting.
:param ikey: Integration key of Admin Panel API
:param skey: Secret key of Admin Panel API
:param host: Host of Admin Panel API
:param interval: How often Splunk runs this input script, in seconds.
:param offset_seconds: Number of seconds to subtract from current time, for the validation
request
"""
if interval < 120:
LOGGER.error("The interval must be greater than or equal to 120 seconds")
print_error('The interval must be greater than or equal to 120 seconds')
raise ValueError("The interval must be greater than or equal to 120 seconds")
admin = duo_client.admin.Admin(ikey=ikey, skey=skey, host=host)
if host == LOCAL_API_HOST:
admin.ca_certs = "DISABLE"
# Update the bellow to set a fixed proxy server
admin.set_proxy("proxyserver","proxyport")
current_unix_ts = int(time.time())
and then in the function run_script a little further down
def run_script():
"""
Method will instantiate a duo_client.Admin object with the configured
ikey/skey/api_host. In addition, it will call each log collector class to
poll the Duo adminapi for JSON encoded data that gets written to stdout.
"""
LOGGER.info("Getting input configuration.")
config, splunk_session_key = get_config()
LOGGER.info("Configuration processing completed. Setting LOGGER level for %s to %s",
config['name'], config['logging_level'])
LOGGER.setLevel(config['logging_level'])
splunk_session_args = {
'token': splunk_session_key,
'user': 'nobody',
'app': 'duo_splunkapp'
}
local_mode: bool = config['api_host'] == LOCAL_API_HOST
admin_api = duo_client.Admin(
ikey=config['ikey'],
skey=config['skey'],
host=config['api_host'],
ca_certs="DISABLE" if local_mode else None,
digestmod=hashlib.sha512
)
# Update the bellow to set a fixed proxy server
admin_api.set_proxy("proxyserver","proxyport")
Once this is done I will attempt to make a patch file that allows you to specify a proxy server and port via the UI. Hopefully this is enough to get anyone rolling with the new version.