- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- DUO Log Add-on for Splunk: When creating a new DUO...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try and create a new DUO API input, I get the following error:
Encountered the following error while trying to update: In handler 'duo': Received 403 Access forbidden
I'm also seeing this in the forwarder logs:
11-28-2016 22:31:25.201 +0000 WARN ModularInputs - Validation for scheme=duo failed: Received 403 Access forbidden
And this... a 400 HTTP return code?
127.0.0.1 - admin [28/Nov/2016:22:31:24.883 +0000] "POST /servicesNS/admin/TA-DUOSecurity2FA/data/inputs/duo HTTP/1.0" 400 167 - - - 319ms
Running Splunk 6.4.4 on CentOS 2.6.32-642.3.1.el6.x86_64
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most likely this is because the ikey (integration key) is for the Auth API endpoint and not the Admin API. DUO doesn't allow an Auth ikey to access the Admin API. https://duo.com/docs/adminapi#first-steps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most likely this is because the ikey (integration key) is for the Auth API endpoint and not the Admin API. DUO doesn't allow an Auth ikey to access the Admin API. https://duo.com/docs/adminapi#first-steps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like it was the correct API key, but they hadn't given me permissions yet. I'm seeing events. Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem as the original post. I have been working with Duo support, and even tried a new set of keys. Still getting the 403. But of course, they say they cannot support Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DUO has some basic instructions for setting up access to the APIs here;
https://duo.com/docs/adminapi#first-steps
The add-on uses these APIs from DUO, https://duo.com/docs/adminapi#logs and https://duo.com/docs/adminapi#account-info
so your Ikey needs to be an Admin API key and have access to logs and account-info (if you are trying to pull the account summary) APIs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was able to get it working. Duo support helped me out- there needed to be specific permissions set in the Admin App on Duo's side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @responsys_cm - If bawood was able help you out, please don't forget to click "Accept" below the answer to close out this question so that other users can easily find it. Thanks!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
