I get the following error for the DUO log Add-on for Splunk:
07-20-2016 18:45:36.396 -0400 WARN ModularInputs - Validation for scheme=duo failed: The script returned with exit status 1.
Wondering if this requires Splunk on Linux?
I ran across what I think is the same problem and posted a separate question and answer for it here: https://answers.splunk.com/answers/513409/duo-splunk-connector-error-validation-for-schemedu.html
If you're running into the same issue we were, this error occurs because the Mod Inputs validation only allows the validation to run for 3 seconds before forcibly terminating it. The workaround is to build the inputs.conf file manually.
The folder "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\" exists however it is empty.
What file should be created after the data input configuration? There is no inputs.conf under apps//local/ so not sure where to validate the history setting.
I think it depends on the context where you access the inputs config from, it might be in etc\apps\search\local\
I'm not sure of the equivalent way to do this on Windows, but on Linux you can find it with this command:
splunk cmd btool inputs list --debug | grep '\['
That is where it was located.
I redid the config forcing the app context to the Duo 2FA app and it puts the inputs.conf in \local under the app folder. Shows history = 60 but still nothing populates "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\" and there are no references to authentication on the duo site. Same kind of outputs in the splunk log showing checkpoint time.
Ok, it sounds like Duo is probably returning an error that isn't getting handled. Maybe you are using an ikey that was created for the Auth API and not the Admin API? I'll add better handling of errors returned from the API. If you can/want to try a patch:
diff --git a/bin/duo.py b/bin/duo.py index ae8f105..1550ed5 100644 --- a/bin/duo.py +++ b/bin/duo.py @@ -68,6 +68,8 @@ class MyScript(smi.Script): except RuntimeError as e: if "429" in e.message: ew.log( 'ERROR', "Received 429, too many requests. You may need to increase interval") + else: + raise e return
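Review bot: the new `else: raise e` branch drops the Duo API error on the floor as far as Splunk's logs are concerned; when the script dies on an unhandled exception, the only trace in _internal is an exit status, which is exactly the symptom the reporter started with. Log it first, e.g. `ew.log('ERROR', "Duo API error: %s" % e)` before re-raising, so a wrong-type ikey or similar API rejection is visible in splunkd.log. Two smaller points on the same lines: prefer a bare `raise` over `raise e`, which on Python 2 discards the original traceback; and the guard `if "429" in e.message:` relies on `e.message`, which Python 2 exceptions expose but Python 3 does not, so `str(e)` would keep the 429 check working under either interpreter.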
You are exactly right, actually don't see the Admin API as an option. I've contacted Duo about this.
It shouldn't require Linux, but I don't have a windows system to test from. Did you get this message while or after configuring an input?
I don't remember exactly. I was searching the _internal logs after installing. Today I walked through the install process again and I don't see that error, basically seeing info messages each time the script runs.
07-21-2016 15:58:16.857 -0400 INFO ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py"" no checkpoint time returned, using history value
07-21-2016 15:58:16.857 -0400 INFO ExecProcessor - message from "python "C:\Program Files\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py"" Using checkpoint time 1466539096
However, I'm not seeing anything within the Splunk indexes or in the 'Auth API' log on the Duo Admin panel.
It looks like the time 1466539096 is about the same as the log messages, including the "no checkpoint time returned" one, so I'm guessing you might not have set a value for the history field (the number of days of data to pull initially). If it's not set or 0, the timestamp it uses would be the current time. You can try resetting the state if you want to index historical data by setting the history value, then removing the checkpoint files. They should be in "C:\Program Files\Splunk\var\lib\splunk\modinputs\duo\" assuming the path is similar to Linux.
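The checkpoint reasoning in the reply above (compare the "Using checkpoint time" value in splunkd.log against the log line's own timestamp; if they are about equal, history was probably unset or 0) can be turned into a small check. The script below is an added example, not code from the TA-DUOSecurity2FA add-on or from anyone in this thread. It assumes the behaviour the reply describes (no checkpoint file plus an unset or zero history means "start from now"); the inputs.conf stanza name `duo://...` and the splunkd.log lines are constructed for the example, and the only config key it relies on is `history`, which the thread shows in use.

```python
"""Check whether a Duo modular input's checkpoint looks like an unset history value.

Hypothetical helper; it mirrors the behaviour described in the thread, not the
add-on's actual code.
"""
import configparser
import re
from datetime import datetime

# Constructed inputs.conf excerpt. The stanza names are made up; "history" is the
# key the thread shows (history = 60), "interval" is the standard modinput key.
SAMPLE_INPUTS_CONF = """\
[duo://duo_admin_log]
history = 60
interval = 300

[duo://duo_no_history]
interval = 300
"""

# Constructed splunkd.log lines modelled on the ExecProcessor messages quoted in the
# thread. Timestamps and checkpoint values are invented: the first checkpoint equals
# the log time (history unset), the second is 60 days earlier (history = 60).
SAMPLE_LOG = """\
07-21-2016 15:58:16.857 -0400 INFO ExecProcessor - message from "python duo.py" no checkpoint time returned, using history value
07-21-2016 15:58:16.857 -0400 INFO ExecProcessor - message from "python duo.py" Using checkpoint time 1469131096
07-21-2016 16:03:16.120 -0400 INFO ExecProcessor - message from "python duo.py" Using checkpoint time 1463947096
"""

LOG_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?'
    r'Using checkpoint time (?P<cp>\d+)\s*$'
)


def parse_log_time(ts):
    """Convert a splunkd.log timestamp like '07-21-2016 15:58:16.857 -0400' to epoch seconds."""
    return int(datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z").timestamp())


def history_from_conf(conf_text, stanza):
    """Read the history value (days) for one input stanza; 0 when the key is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint(stanza, "history", fallback=0)


def initial_checkpoint(history_days, now_epoch):
    """Start time used when no checkpoint file exists, per the thread's description:
    history days back when set, otherwise the current time (so nothing old is fetched)."""
    if not history_days or int(history_days) <= 0:
        return int(now_epoch)
    return int(now_epoch) - int(history_days) * 86400


def diagnose_checkpoints(log_text, tolerance_s=300):
    """For every 'Using checkpoint time' line, compare the checkpoint with the log
    line's timestamp. A gap within tolerance_s suggests history was unset or 0."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        logged = parse_log_time(m.group("ts"))
        checkpoint = int(m.group("cp"))
        lag_days = (logged - checkpoint) / 86400
        findings.append({
            "checkpoint": checkpoint,
            "implied_history_days": round(lag_days),
            "history_unset_suspected": abs(logged - checkpoint) <= tolerance_s,
        })
    return findings


if __name__ == "__main__":
    for stanza in ("duo://duo_admin_log", "duo://duo_no_history"):
        print(stanza, "history =", history_from_conf(SAMPLE_INPUTS_CONF, stanza))
    for finding in diagnose_checkpoints(SAMPLE_LOG):
        print(finding)
```

Run against a real splunkd.log, the `implied_history_days` value tells you how far back the first poll actually reached, and `history_unset_suspected` flags the "checkpoint equals now" case the reply describes; fixing it means setting history in the stanza and then deleting the checkpoint file under the modinputs\duo directory so the script recomputes its start time.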