
DUO Splunk Connector: Error "Validation for scheme=duo failed: The script returned with exit status 1" while trying to set up Modular Input for DUO logs

jwiedemann_splu
Splunk Employee

When attempting to fill out the inputs for DUO logs in the UI, we get the following cryptic error...

Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/emcdaniel/duo_splunkapp/data/inputs/duo_input: ('The read operation timed out',)",)

We also saw the following in splunkd logs

07-20-2016 18:45:36.396 -0400 WARN  ModularInputs - Validation for scheme=duo failed: The script returned with exit status 1.

Anyone have any idea what is happening here?

0 Karma
1 Solution

jwiedemann_splu
Splunk Employee

Just wanted to answer my own question here since we were able to figure out what was going on here.

  1. You populate your DUO information in the Modular Inputs section of Splunk Web
  2. You click next/continue to save your Modular Inputs config
  3. Behind the scenes, Splunk asks the Mod Input to validate your input settings, and it does so by calling the main DUO Python script in validation mode
  4. For the DUO input, the validation of your settings consists of attempting to connect to the DUO web servers with your provided credentials
  5. Splunk Mod Inputs framework expects the validate function to return in under 3 seconds (as of 6.5.x) and once it takes longer than that, Splunk forcibly terminates the Python script and returns a cryptic error to the UI
  6. Since validation failed, your inputs.conf file is never created

If you figure this out, or you just give up and create your inputs.conf file manually, everything works fine because the validation workflow above only occurs when building out your modular inputs from the UI. The 3 second timeout only applies to validation of your inputs when building the input config. The timeout for the script when actually fetching the data (if one exists at all) is long enough to fetch the data.
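The validation flow described in this answer, as an added example that is not part of the original post and is not the Duo app's own code: a validation handler that keeps its connectivity check inside the 3 second limit and returns a readable error that leaves out the secret key. The function names, the 2 second connect timeout, the port 443 check and the sample XML are assumptions; the field names ikey, skey and api_host come from the thread.

```python
import socket
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

VALIDATION_BUDGET_S = 3.0  # limit described in the answer above (as of 6.5.x)
CONNECT_TIMEOUT_S = 2.0    # assumption: headroom for interpreter start and XML I/O
REQUIRED = ("ikey", "skey", "api_host")  # field names mentioned in the thread

# Constructed sample of the XML splunkd writes to stdin in validation mode.
SAMPLE_XML = """<items>
  <item name="example_input">
    <param name="ikey">DIXXXXXXXXXXXXXXXXXX</param>
    <param name="skey">constructed-secret-value</param>
    <param name="api_host">api-XXXXXXXX.duosecurity.com</param>
  </item>
</items>"""

def error_xml(message):
    """Format a failure the way the modular input protocol reports it."""
    return "<error><message>%s</message></error>" % escape(message)

def parse_params(xml_text):
    """Return the <param> values of the first <item> as a dict."""
    item = ET.fromstring(xml_text).find("item")
    if item is None:
        return {}
    return {p.get("name"): (p.text or "").strip() for p in item.findall("param")}

def validate(xml_text, connect=socket.create_connection):
    """Return (exit_code, stdout_text) without exceeding the validation budget."""
    started = time.monotonic()
    params = parse_params(xml_text)
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        return 1, error_xml("missing required field(s): " + ", ".join(missing))
    host = params["api_host"]
    try:
        # Bounded reachability check. The timeout covers the TCP connect only,
        # not the DNS lookup. The secret key never enters the error message.
        connect((host, 443), timeout=CONNECT_TIMEOUT_S).close()
    except OSError as exc:  # timeouts and DNS failures are OSError subclasses
        spent = time.monotonic() - started
        return 1, error_xml(
            f"cannot reach {host}:443 after {spent:.1f}s ({type(exc).__name__}); "
            "check proxy, DNS and firewall rules")
    return 0, ""
```

A script using this would read stdin when started in validation mode, print the returned text to stdout and exit with the returned code.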

wrangler2x
Motivator

I'm having this same problem. I can see that ~/etc/apps/duo_splunkapp/default/inputs.conf has fields for ikey, skey and api_host, but where does the name (requested in the Duo Splunk Input setup screen) go?

ylucena
Explorer

Did you ever figure that out?

0 Karma

wrangler2x
Motivator

No, I never did. A co-worker wrote a custom app and we chucked this one.

0 Karma

ylucena
Explorer

Oh, man... I'm trying everything I can, but no success so far. Very frustrating.

Thanks for the quick response!

0 Karma