All Apps and Add-ons

DUO Splunk Connector: Error "Validation for scheme=duo failed: The script returned with exit status 1" while trying to set up Modular Input for DUO logs

jwiedemann_splu
Splunk Employee
Splunk Employee

When attempting to fill out the inputs for DUO logs in the UI, we get the following cryptic error...

Encountered the following error while trying to save: Splunkd daemon is not responding: ("Error connecting to /servicesNS/emcdaniel/duo_splunkapp/data/inputs/duo_input: ('The read operation timed out',)",)

We also saw the following in splunkd logs

07-20-2016 18:45:36.396 -0400 WARN  ModularInputs - Validation for scheme=duo failed: The script returned with exit status 1.

Anyone have any idea what is happening here?

0 Karma
1 Solution

jwiedemann_splu
Splunk Employee
Splunk Employee

Just wanted to answer my own question here since we were able to figure out what was going on here.

  1. You populate your DUO information in the Modular Inputs section of Splunk Web
  2. You click next/continue to save your Modular Inputs config
  3. Behind the scenes Splunk asks the Mod Input to validate that your input settings, and it does so by calling the main DUO python script in validation mode
  4. For the DUO input, the validation of your settings consists of attempting to connect to the DUO web servers with your provided credentials
  5. Splunk Mod Inputs framework expects the validate function to return in under 3 seconds (as of 6.5.x) and once it takes longer than that, splunk forcibly terminates the python script and returns a cryptic error to the UI
  6. Since validation failed, your inputs.conf file is never created

If you figure this out, or you just give up and create your inputs.conf file manually, everything works fine because the validation workflow above only occurs when building out your modular inputs from the UI. The 3 second timeout only applies to validation of your inputs when building the input config. The timeout for the script when actually fetching the data (if one exists at all) is sufficiently long enough to fetch the data.

View solution in original post

jwiedemann_splu
Splunk Employee
Splunk Employee

Just wanted to answer my own question here since we were able to figure out what was going on here.

  1. You populate your DUO information in the Modular Inputs section of Splunk Web
  2. You click next/continue to save your Modular Inputs config
  3. Behind the scenes Splunk asks the Mod Input to validate that your input settings, and it does so by calling the main DUO python script in validation mode
  4. For the DUO input, the validation of your settings consists of attempting to connect to the DUO web servers with your provided credentials
  5. Splunk Mod Inputs framework expects the validate function to return in under 3 seconds (as of 6.5.x) and once it takes longer than that, splunk forcibly terminates the python script and returns a cryptic error to the UI
  6. Since validation failed, your inputs.conf file is never created

If you figure this out, or you just give up and create your inputs.conf file manually, everything works fine because the validation workflow above only occurs when building out your modular inputs from the UI. The 3 second timeout only applies to validation of your inputs when building the input config. The timeout for the script when actually fetching the data (if one exists at all) is sufficiently long enough to fetch the data.

wrangler2x
Motivator

I'm having this same problem. I can see that ~/etc/apps/duo_splunkapp/default/inputs.conf has fields for ikey, skey and api_host, but where does the name (requested in the Duo Splunk Input setup screen) go?

ylucena
Explorer

Did you ever figured that out?

0 Karma

wrangler2x
Motivator

No, I never did. A co-worker wrote a custom app and we chucked this one

0 Karma

ylucena
Explorer

Oh, man... I'm trying everything I can, but no success so far. Very frustrating.

Thanks for the quick response!

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...