Can you configure the Duo Splunk Connector to use a web proxy?

ejwade
Contributor

I'm trying to configure the Duo Splunk Connector on a Splunk heavy forwarder to leverage the web proxy configuration I have in Splunk's server.conf. This configuration works for all Splunk web communication, but doesn't seem to apply for the Duo inputs.

0 Karma

imarks005
Explorer

Did you ever figure out a work around for this? I am facing the same issue right now.

0 Karma

ejwade
Contributor

Never did. Not sure the add-on supports it.

0 Karma

david2510
Engager

@ejwade @imarks005 

This is a very "hacky" way but it works. I.e. fixing the app is beyond my scope of capabilities. Any updates to the app will almost certainly wipe out these modifications.

The Add-On uses the Python module "duo_client" to make its API calls to DUO. I am modifying the duo_input.py file with an additional line of code in two of its functions. The file is located here:

$SPLUNK_HOME/etc/apps/duo_splunkapp/bin

Look for #Added the below line for the additional code in each code snippet.

Replace "proxyaddr" and "proxyport" with your proxy details.

First function: validate_arguments

def validate_arguments(ikey, skey, host, interval, offset_seconds=-140):
    '''
    Ensures that the provided credentials have access to different log types

    Also check that the interval is >= 120 seconds to avoid rate limiting.
    '''

    logger = logging.getLogger()

    if interval < 120:
        logger.error("User entered an interval under 120 seconds")
        print_error('The interval needs to be greater than or equal to 120 '
                    'seconds')
        raise ValueError("User entered an interval under 120 seconds")

    admin = duo_client.admin.Admin(
        ikey=ikey,
        skey=skey,
        host=host,
        ca_certs=duo_client.client.DEFAULT_CA_CERTS,
    )
    #Added the below line
    admin.set_proxy("proxyaddr", "proxyport")

    current_unix_ts = int(utils.get_time())

 

Second function: run_script

def run_script():
    """Method will instantiate a duo_client.Admin object with the configured
    ikey/skey/api_host. In addition, it will call each log collector class to
    poll the Duo adminapi for JSON encoded data that gets written to stdout.
    """

    config = get_config()

    admin_api = duo_client.Admin(
        ikey=config['ikey'],
        skey=config['skey'],
        host=config['api_host'],
        ca_certs=None,
    )
    #Added the below line
    admin_api.set_proxy("proxyaddr", "proxyport")
    
    logclasses = (
        PaginatedAccountLog,
        PaginatedTelephonyLog,
        PaginatedAdministratorLog,
        PaginatedAuthenticationLog,
        PaginatedEndPointLog
    )


Hopefully the app is updated to include configuring a proxy via the UI.

AndySplunks
Communicator

For anyone reading this, these functions are 

admin.set_proxy

and 

admin_api.set_proxy

You can't fill in your variables in the first section and paste it in the second.

0 Karma

Mr2
New Member

We added proxy support as well as adding the proxy server/port in the web configurator.

I tried to get this merged into the base Splunk connector app, but after dealing with support and account managers at Cisco and getting nowhere I decided to make a diff/patch and instructions. These are as follows:

# Obtain duo_splunkapp_1.1.9.spl
wget https://dl.duosecurity.com/duo_splunkapp_1.1.9.spl

# Rename
mv duo_splunkapp_1.1.9.spl duo_splunkapp_1.1.9.tgz

# Obtain patch
wget https://www.focb.co.nz/duo_splunk/README
wget https://www.focb.co.nz/duo_splunk/duo_splunkapp_1.1.9_proxy.patch

# Unzip splunkapp
tar -zxvf duo_splunkapp_1.1.9.tgz

# Patch
patch -p0 < duo_splunkapp_1.1.9_proxy.patch

# Rezip
tar -zcvf duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp

# Rename
mv duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp_1.1.9_proxy.spl

# Additional reading
Install Instructions: https://duo.com/docs/splunkapp#install-duo-splunk-connector
Splunkbase App: https://splunkbase.splunk.com/app/3504

Credit:
The thread at https://community.splunk.com/t5/All-Apps-and-Add-ons/Can-you-configure-the-Duo-Splunk-Connector-to-use-a-web-proxy/m-p/486022
The guys at Shelde: https://au.linkedin.com/company/wiproshelde
Cisco and Duo support for rejecting my attempts at getting this to be merged into the Splunk connector base code.

0 Karma

Mr2
New Member

The patch actually had a different name on my webserver, I've fixed that now, sorry 😞


Also, for the latest (as of Sept) Splunk app, the update functions and changes are the same if you want to add "fixed/static" proxy entries. I'm currently testing to make sure it is actually correct but I'm hopeful 🙂

In the function validate_arguments

def validate_arguments(ikey: str, skey: str, host: str, interval: int, offset_seconds: int=-140):
    """
    Ensures that the provided credentials have access to different log types

    Also check that the interval is >= 120 seconds to avoid rate limiting.
    :param ikey: Integration key of Admin Panel API
    :param skey: Secret key of Admin Panel API
    :param host: Host of Admin Panel API
    :param interval: How often Splunk runs this input script, in seconds.
    :param offset_seconds: Number of seconds to subtract from current time, for the validation
            request
    """
    if interval < 120:
        LOGGER.error("The interval must be greater than or equal to 120 seconds")
        print_error('The interval must be greater than or equal to 120 seconds')
        raise ValueError("The interval must be greater than or equal to 120 seconds")

    admin = duo_client.admin.Admin(ikey=ikey, skey=skey, host=host)
    if host == LOCAL_API_HOST:
        admin.ca_certs = "DISABLE"

    # Update the below to set a fixed proxy server
    admin.set_proxy("proxyserver","proxyport")

    current_unix_ts = int(time.time())

and then in the function run_script a little further down

def run_script():
    """
    Method will instantiate a duo_client.Admin object with the configured
    ikey/skey/api_host. In addition, it will call each log collector class to
    poll the Duo adminapi for JSON encoded data that gets written to stdout.
    """
    LOGGER.info("Getting input configuration.")
    config, splunk_session_key = get_config()
    LOGGER.info("Configuration processing completed. Setting LOGGER level for %s to %s",
                config['name'], config['logging_level'])
    LOGGER.setLevel(config['logging_level'])

    splunk_session_args = {
        'token': splunk_session_key,
        'user': 'nobody',
        'app': 'duo_splunkapp'
    }

    local_mode: bool = config['api_host'] == LOCAL_API_HOST

    admin_api = duo_client.Admin(
        ikey=config['ikey'],
        skey=config['skey'],
        host=config['api_host'],
        ca_certs="DISABLE" if local_mode else None,
        digestmod=hashlib.sha512
    )

    # Update the below to set a fixed proxy server
    admin_api.set_proxy("proxyserver","proxyport")

Once this is done I will attempt to make a patch file that allows you to specify a proxy server and port via the UI. Hopefully this is enough to get anyone rolling with the new version.

 

0 Karma
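
Added example (not part of any post above, and not the add-on's own code): rather than hardcoding "proxyaddr"/"proxyport" in duo_input.py, the values can be read from the same server.conf proxy settings the original question mentions and validated before they reach set_proxy. The function name, the sample stanza values, and the assumption that https_proxy holds a URL or host:port value are illustrative; no_proxy is matched by exact hostname only.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of a server.conf [proxyconfig] stanza (values are made up).
SAMPLE_SERVER_CONF = """
[general]
serverName = hf01

[proxyconfig]
http_proxy = http://proxy.example.internal:3128
https_proxy = http://proxy.example.internal:3128
no_proxy = localhost, 127.0.0.1
"""


def proxy_from_server_conf(conf_text, api_host):
    """Return (host, port) for the HTTPS proxy, or None if api_host is exempt
    or no proxy is configured. Raises ValueError on an unusable proxy value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    if not parser.has_section("proxyconfig"):
        return None
    stanza = parser["proxyconfig"]

    # Honour no_proxy (exact match only) so an exempt host bypasses the proxy.
    exempt = [h.strip().lower() for h in stanza.get("no_proxy", "").split(",")]
    if api_host.lower() in exempt:
        return None

    value = stanza.get("https_proxy", "").strip()
    if not value:
        return None
    # urlsplit needs "//" in front of a bare host:port to see a network location.
    parts = urlsplit(value if "://" in value else "//" + value)
    if parts.username or parts.password:
        raise ValueError("proxy credentials in the URL are not passed to set_proxy")
    if not parts.hostname or parts.port is None:  # .port raises on a bad number
        raise ValueError("https_proxy must be host:port, got %r" % value)
    return parts.hostname, parts.port


# In duo_input.py the result would replace the hardcoded strings, e.g.
# (server_conf_path is a hypothetical variable holding the file's location):
#   proxy = proxy_from_server_conf(open(server_conf_path).read(), config['api_host'])
#   if proxy:
#       admin_api.set_proxy(*proxy)
```

Failing with ValueError on a malformed entry keeps the input from silently running without the proxy or with a wrong port.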