Can you configure the Duo Splunk Connector to use a web proxy?

ejwade
Contributor

I'm trying to configure the Duo Splunk Connector on a Splunk heavy forwarder to leverage the web proxy configuration I have in Splunk's server.conf. This configuration works for all Splunk web communication, but doesn't seem to apply for the Duo inputs.

0 Karma

imarks005
Explorer

Did you ever figure out a workaround for this? I am facing the same issue right now.

0 Karma

ejwade
Contributor

Never did. Not sure the add-on supports it.

0 Karma

david2510
Engager

@ejwade @imarks005 

This is a very "hacky" way, but it works, i.e. fixing the app is beyond my scope of capabilities. Any updates to the app will almost certainly wipe out these modifications.

The Add-On uses the Python module "duo_client" to make its API calls to DUO. I am modifying the duo_input.py file with an additional line of code in two of its functions. The file is located here:

$SPLUNK_HOME/etc/apps/duo_splunkapp/bin

Look for #Added the below line for the additional code in each code snippet.

Replace "proxyaddr" and "proxyport" with your proxy details.

First function: validate_arguments

def validate_arguments(ikey, skey, host, interval, offset_seconds=-140):
    '''
    Ensures that the provided credentials have access to different log types

    Also check that the interval is >= 120 seconds to avoid rate limiting.
    '''

    logger = logging.getLogger()

    if interval < 120:
        logger.error("User entered an interval under 120 seconds")
        print_error('The interval needs to be greater than or equal to 120 '
                    'seconds')
        raise ValueError("User entered an interval under 120 seconds")

    admin = duo_client.admin.Admin(
        ikey=ikey,
        skey=skey,
        host=host,
        ca_certs=duo_client.client.DEFAULT_CA_CERTS,
    )
    #Added the below line
    admin.set_proxy("proxyaddr", "proxyport")

    current_unix_ts = int(utils.get_time())

 

Second Function: run_script

 

def run_script():
    """Method will instantiate a duo_client.Admin object with the configured
    ikey/skey/api_host. In addition, it will call each log collector class to
    poll the Duo adminapi for JSON encoded data that gets written to stdout.
    """

    config = get_config()

    admin_api = duo_client.Admin(
        ikey=config['ikey'],
        skey=config['skey'],
        host=config['api_host'],
        ca_certs=None,
    )
    #Added the below line
    admin_api.set_proxy("proxyaddr", "proxyport")
    
    logclasses = (
        PaginatedAccountLog,
        PaginatedTelephonyLog,
        PaginatedAdministratorLog,
        PaginatedAuthenticationLog,
        PaginatedEndPointLog
    )


Hopefully the app is updated to include configuring a proxy via the UI.

AndySplunks
Communicator

For anyone reading this, these functions are 

admin.set_proxy

and 

admin_api.set_proxy

You can't fill in your variables in the first section and paste it in the second.

0 Karma

Mr2
New Member

We added proxy support as well as adding the proxy server/port in the web configurator.

I tried to get this merged into the base Splunk connector app, but after dealing with support and account managers at Cisco and getting nowhere I decided to make a diff/patch and instructions. These are as follows:

# Obtain duo_splunkapp_1.1.9.spl
wget https://dl.duosecurity.com/duo_splunkapp_1.1.9.spl

# Rename
mv duo_splunkapp_1.1.9.spl duo_splunkapp_1.1.9.tgz

# Obtain patch
wget https://www.focb.co.nz/duo_splunk/README
wget https://www.focb.co.nz/duo_splunk/duo_splunkapp_1.1.9_proxy.patch

# Unzip splunkapp
tar -zxvf duo_splunkapp_1.1.9.tgz

# Patch
patch -p0 < duo_splunkapp_1.1.9_proxy.patch

# Rezip
tar -zcvf duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp

# Rename
mv duo_splunkapp_1.1.9_proxy.tgz duo_splunkapp_1.1.9_proxy.spl

# Additional reading
Install Instructions: https://duo.com/docs/splunkapp#install-duo-splunk-connector
Splunkbase App: https://splunkbase.splunk.com/app/3504

Credit:
The thread at https://community.splunk.com/t5/All-Apps-and-Add-ons/Can-you-configure-the-Duo-Splunk-Connector-to-use-a-web-proxy/m-p/486022
The guys at Shelde: https://au.linkedin.com/company/wiproshelde
Cisco and Duo support for rejecting my attempts at getting this to be merged into the Splunk connector base code.

0 Karma

Mr2
New Member

The patch actually had a different name on my webserver, I've fixed that now, sorry 😞


Also, for the latest (as of Sept) Splunk app, the update functions and changes are the same if you want to add "fixed/static" proxy entries. I'm currently testing to make sure it is actually correct but I'm hopeful 🙂

In the function validate_arguments

def validate_arguments(ikey: str, skey: str, host: str, interval: int, offset_seconds: int=-140):
    """
    Ensures that the provided credentials have access to different log types

    Also check that the interval is >= 120 seconds to avoid rate limiting.
    :param ikey: Integration key of Admin Panel API
    :param skey: Secret key of Admin Panel API
    :param host: Host of Admin Panel API
    :param interval: How often Splunk runs this input script, in seconds.
    :param offset_seconds: Number of seconds to subtract from current time, for the validation
            request
    """
    if interval < 120:
        LOGGER.error("The interval must be greater than or equal to 120 seconds")
        print_error('The interval must be greater than or equal to 120 seconds')
        raise ValueError("The interval must be greater than or equal to 120 seconds")

    admin = duo_client.admin.Admin(ikey=ikey, skey=skey, host=host)
    if host == LOCAL_API_HOST:
        admin.ca_certs = "DISABLE"

    # Update the below to set a fixed proxy server
    admin.set_proxy("proxyserver", "proxyport")

    current_unix_ts = int(time.time())

and then in the function run_script a little further down

def run_script():
    """
    Method will instantiate a duo_client.Admin object with the configured
    ikey/skey/api_host. In addition, it will call each log collector class to
    poll the Duo adminapi for JSON encoded data that gets written to stdout.
    """
    LOGGER.info("Getting input configuration.")
    config, splunk_session_key = get_config()
    LOGGER.info("Configuration processing completed. Setting LOGGER level for %s to %s",
                config['name'], config['logging_level'])
    LOGGER.setLevel(config['logging_level'])

    splunk_session_args = {
        'token': splunk_session_key,
        'user': 'nobody',
        'app': 'duo_splunkapp'
    }

    local_mode: bool = config['api_host'] == LOCAL_API_HOST

    admin_api = duo_client.Admin(
        ikey=config['ikey'],
        skey=config['skey'],
        host=config['api_host'],
        ca_certs="DISABLE" if local_mode else None,
        digestmod=hashlib.sha512
    )

    # Update the below to set a fixed proxy server
    admin_api.set_proxy("proxyserver", "proxyport")

Once this is done I will attempt to make a patch file that allows you to specify a proxy server and port via the UI. Hopefully this is enough to get anyone rolling with the new version.

 

0 Karma
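
Added example, not code from the thread or from the Duo add-on: instead of the hard-coded `set_proxy` values in david2510's and Mr2's edits above, the proxy can be read from the `[proxyConfig]` stanza of server.conf that the original question refers to. It assumes the stanza's `https_proxy` key holds the proxy URL, that the conf text is passed in as a string, and that the client exposes `set_proxy(host, port)` as `duo_client.Admin` does in the snippets above; `proxy_from_server_conf`, `apply_proxy` and `RecordingClient` are hypothetical names.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of a server.conf proxy stanza (not taken from the thread).
SAMPLE_SERVER_CONF = """\
[general]
serverName = hf01

[proxyConfig]
https_proxy = http://proxy.example.internal:3128
no_proxy = localhost, 127.0.0.1, ::1
"""


def proxy_from_server_conf(conf_text):
    """Return (host, port) from [proxyConfig] https_proxy, or None if unset."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(conf_text)
    url = parser.get("proxyConfig", "https_proxy", fallback="").strip()
    if not url:
        return None
    parts = urlsplit(url if "://" in url else "//" + url)
    if parts.username or parts.password:
        # Design choice of this example: refuse credentials embedded in the URL.
        raise ValueError("proxy URL must not embed credentials")
    if not parts.hostname or parts.port is None:
        raise ValueError("proxy URL needs an explicit host and port")
    return parts.hostname, parts.port  # .port raises ValueError if invalid


def apply_proxy(client, conf_text):
    """Call client.set_proxy(host, port) only when a proxy is configured."""
    proxy = proxy_from_server_conf(conf_text)
    if proxy is not None:
        client.set_proxy(*proxy)
    return proxy


class RecordingClient:
    """Hypothetical stand-in for duo_client.Admin so the example runs offline."""
    def __init__(self):
        self.proxy = None

    def set_proxy(self, host, port):
        self.proxy = (host, port)


if __name__ == "__main__":
    client = RecordingClient()
    print(apply_proxy(client, SAMPLE_SERVER_CONF), client.proxy)
```

In duo_input.py this would take the place of the hard-coded line, for example `apply_proxy(admin_api, conf_text)`, with `conf_text` being the merged stanza such as the one printed by `splunk btool server list proxyConfig`.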