
DUO Log Add-on for Splunk: Why am I getting error "ModularInputs - Validation for scheme=duo failed: The script returned with exit status 1."?

michaelstanton
Explorer

I get the following error for the DUO log Add-on for Splunk:

07-20-2016 18:45:36.396 -0400 WARN  ModularInputs - Validation for scheme=duo failed: The script returned with exit status 1.

Wondering if this requires Splunk on Linux?

jwiedemann_splu
Splunk Employee

I ran across what I think is the same problem and posted a separate question and answer for it here: https://answers.splunk.com/answers/513409/duo-splunk-connector-error-validation-for-schemedu.html

If you're running into the same issue we were, this error occurs because the Mod Inputs validation only allows the validation to run for 3 seconds before forcibly terminating it. The workaround is to build the inputs.conf file manually.

0 Karma

michaelstanton
Explorer

The folder "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\" exists however it is empty.

What file should be created after the data input configuration? There is no inputs.conf under apps//local/ so not sure where to validate the history setting.

0 Karma

bawood
Path Finder

I think it depends on the context where you access the inputs config from; it might be in etc\apps\search\local\.
I'm not sure of the equivalent way to do this on Windows, but on Linux you can find it with this command:
splunk cmd btool inputs list --debug | grep '\['

0 Karma

michaelstanton
Explorer

That is where it was located.

I redid the config forcing the app context to the Duo 2FA app and it puts the inputs.conf in \local under the app folder. Shows history = 60 but still nothing populates "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\" and there are no references to authentication on the duo site. Same kind of outputs in the splunk log showing checkpoint time.

0 Karma

bawood
Path Finder

OK, it sounds like Duo is probably returning an error that isn't getting handled. Maybe you are using an ikey that was created for Auth and not the Admin API? I'll add better handling of errors returned from the API. If you can/want to try a patch:

diff --git a/bin/duo.py b/bin/duo.py
index ae8f105..1550ed5 100644
--- a/bin/duo.py
+++ b/bin/duo.py
@@ -68,6 +68,8 @@ class MyScript(smi.Script):
         except RuntimeError as e:
             if "429" in e.message:
                 ew.log( 'ERROR', "Received 429, too many requests. You may need to increase interval")
+            else:
+                raise e
             return
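Review bot: the new `else` branch should use a bare `raise` rather than `raise e`; under the Python 2 interpreter the add-on runs on, `raise e` re-raises from the current frame and discards the original traceback, which is the one piece of information you want when the cause is an unhandled Duo API error. Two smaller points in the same hunk: `"429" in e.message` depends on the Python 2-only `.message` attribute (`str(e)` works on both 2 and 3), and it would help the reporter here if the non-429 branch also logged the error text through `ew.log('ERROR', ...)` before re-raising, so the failure reason appears in splunkd.log alongside the existing 429 message instead of only as stderr from the script.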
0 Karma

michaelstanton
Explorer

You are exactly right; I actually don't see the Admin API as an option. I've contacted Duo about this.

0 Karma

bawood
Path Finder

It shouldn't require Linux, but I don't have a windows system to test from. Did you get this message while or after configuring an input?

0 Karma

michaelstanton
Explorer

I don't remember exactly. I was searching the _internal logs after installing. Today I walked through the install process again and I don't see that error, basically seeing info messages each time the script runs.

07-21-2016 15:58:16.857 -0400 INFO  ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py"" no checkpoint time returned, using history value

07-21-2016 15:58:16.857 -0400 INFO  ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py"" Using checkpoint time 1466539096

However not seeing anything within the splunk indexes or in the 'Auth API' log on Duo Admin panel.

0 Karma

bawood
Path Finder

It looks like the time 1466539096 is about the same as the log messages, including the "no checkpoint time returned" one, so I'm guessing you might not have set a value for the history field (the number of days of data to pull initially); if it's not set or 0, the timestamp it uses would be the current time. You can try resetting the state if you want to index historical data by setting the history value, then removing the checkpoint files. They should be in "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\", assuming the path is similar to Linux.

0 Karma
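The checkpoint and history behaviour described in the last two posts, as an added example written for this page (it is not code from the TA-DUOSecurity2FA add-on): it reads `history` from an inputs.conf stanza, starts `history` days back when no checkpoint file exists (0 or unset means "from now"), persists a checkpoint after a run, and shows the reset step of deleting that file. The stanza name `duo://duo_admin_logs`, the checkpoint file name and format, and every inputs.conf key other than `history` and `interval` are assumptions of this example. It also converts a splunkd.log timestamp prefix to epoch seconds so you can check how far back a reported checkpoint sits: for the values quoted above (log time 07-21-2016 15:58:16 -0400, checkpoint 1466539096) that gap is exactly 30 days.

```python
"""Added example for this thread: how a modular input's start time falls out of
its checkpoint file and the `history` setting, and how to reset it.

Not the TA-DUOSecurity2FA code. Assumed here: the stanza name
duo://duo_admin_logs, the checkpoint file name/format (one plain-text epoch
per stanza) and every inputs.conf key except `history` and `interval`.
"""
import configparser
import os
import tempfile
from datetime import datetime

SECONDS_PER_DAY = 86400

# Constructed inputs.conf, modelled on the thread (history = 60 days).
SAMPLE_INPUTS_CONF = """
[duo://duo_admin_logs]
history = 60
interval = 300
disabled = 0
"""


def parse_history_days(inputs_conf_text, stanza):
    """Days of data to pull on the first run. Missing, blank or non-numeric
    values count as 0, i.e. 'start from now', as described in the thread."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(inputs_conf_text)
    if not cp.has_section(stanza):
        raise KeyError("stanza %s not in inputs.conf (check <app>/local/)" % stanza)
    try:
        return max(int(cp.get(stanza, "history", fallback="0").strip()), 0)
    except ValueError:
        return 0


def checkpoint_path(checkpoint_dir, stanza):
    # Assumed naming: one file per stanza under the modinputs/duo directory.
    return os.path.join(checkpoint_dir, stanza.replace("://", "_") + ".checkpoint")


def read_checkpoint(path):
    """Epoch seconds from the checkpoint file, or None if absent or unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def write_checkpoint(path, epoch_seconds):
    """Write via a temp file and rename so a crash cannot leave a truncated checkpoint."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(int(epoch_seconds)))
    os.replace(tmp, path)


def resolve_start_time(checkpoint_dir, stanza, history_days, now):
    """A stored checkpoint wins; otherwise start history_days before `now`
    (history 0 means `now`, so nothing older is ever fetched).
    Returns (epoch_seconds, 'checkpoint' or 'history')."""
    stored = read_checkpoint(checkpoint_path(checkpoint_dir, stanza))
    if stored is not None:
        return stored, "checkpoint"
    return int(now) - history_days * SECONDS_PER_DAY, "history"


def reset_checkpoint(checkpoint_dir, stanza):
    """The reset step: remove the file so the next run uses `history` again."""
    try:
        os.remove(checkpoint_path(checkpoint_dir, stanza))
        return True
    except FileNotFoundError:
        return False


def splunkd_stamp_to_epoch(stamp):
    """'07-21-2016 15:58:16.857 -0400' (splunkd.log prefix) -> epoch seconds."""
    return int(datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f %z").timestamp())


def checkpoint_age_days(log_stamp, checkpoint_epoch):
    """How far behind the log line's own time the reported checkpoint sits."""
    return (splunkd_stamp_to_epoch(log_stamp) - checkpoint_epoch) / SECONDS_PER_DAY


def walkthrough(now=1469131096):
    """First run (no checkpoint), a later run (checkpoint present), then a
    run after reset. Returns the three (start, source) pairs."""
    stanza = "duo://duo_admin_logs"
    history = parse_history_days(SAMPLE_INPUTS_CONF, stanza)
    with tempfile.TemporaryDirectory() as d:
        first = resolve_start_time(d, stanza, history, now)
        write_checkpoint(checkpoint_path(d, stanza), now)  # end of first run
        second = resolve_start_time(d, stanza, history, now + 300)
        reset_checkpoint(d, stanza)
        third = resolve_start_time(d, stanza, history, now + 600)
    return first, second, third


if __name__ == "__main__":
    for start, source in walkthrough():
        print(source, start)
    print("checkpoint from the log is %.0f days old" %
          checkpoint_age_days("07-21-2016 15:58:16.857 -0400", 1466539096))
```

To apply the same check to your own install, point `checkpoint_dir` at `$SPLUNK_HOME\var\lib\splunk\modinputs\duo` and feed `checkpoint_age_days` the timestamp prefix and checkpoint value from the "Using checkpoint time" line in splunkd.log; a result of 0 means the input started from the current time and will never backfill, whichever `history` value the stanza shows.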