
Duo - Endpoint Logs

RDAVISS

We just installed the app and are getting data. However, we are seeing this error message:
"message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" Failed to get endpoint logs, Admin API call failed"

I don't think we subscribe to the service level that allows us to have endpoint logs. Is there a place to turn this off so we aren't generating an error every 2 minutes?

R.J.


jmbecker2010

We had the same issue as you do. Our service level also doesn't support the endpoint logs and I was tired of the error showing up in splunkd.log. I just took a look at the python script, and I think I found the solution.

Go into the bin directory for the app on the indexer (SPLUNK_HOME/etc/apps/duo_splunkapp/bin) and find the duo_input.py script. This is where those API calls are being made, and it's where the error originates.

Go to the function definition for run_script, which in my script lives at line 279. Scroll down a bit more and look for the lines that say

logclasses = (AuthenticationLog, TelephonyLog, AdministratorLog, EndpointLog, AccountLog)

Delete the reference to EndpointLog, leaving the line to look like this: logclasses = (AuthenticationLog, TelephonyLog, AdministratorLog, AccountLog)

In the following lines, a for loop iterates over the logclasses and makes calls using the API on them. Removing the EndpointLog reference in the logclasses array makes sure that the API call is not made for EndpointLog.

Save the script, and you should be fine. I just made the change a little while ago, and I haven't gotten the error since then. Keep in mind that if you get endpoint logs activated in the future, you'll have to add the EndpointLog reference back into the array to make sure you receive the necessary data. It may be a good idea to back up duo_input.py to reference it later on.

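The collection loop the answer above describes, as an added example that is not Duo's duo_input.py: the class names match the tuple quoted in the answer, but the Admin API client, the per-class fetch method and the config parsing are stand-ins (assumptions) so the script runs offline. It goes one step beyond the hand edit in two ways: the log types to skip come from a config value instead of deleting a class from the tuple, and a type whose Admin API call fails can be dropped after the first failure so an unlicensed log type produces one error rather than one per collection interval.

```python
import logging

log = logging.getLogger("duo_input_example")


class AdminAPIError(Exception):
    """Raised by the stand-in client when the Admin API rejects a call."""


class FakeAdminAPI:
    """Stand-in for the Duo Admin API client (assumption, not Duo's client).

    `licensed` lists the log types this tenant may read; any other type fails
    on every call, which reproduces the symptom from the question.
    """

    def __init__(self, licensed):
        self.licensed = set(licensed)
        self.calls = []  # every log type requested, in order (for checks)

    def fetch(self, log_type, mintime):
        self.calls.append(log_type)
        if log_type not in self.licensed:
            raise AdminAPIError("Admin API call failed (%s)" % log_type)
        # Constructed sample event; a real client returns the API's JSON.
        return [{"timestamp": mintime + 1, "type": log_type}]


class BaseLog:
    log_type = None

    def fetch(self, api, mintime):
        return api.fetch(self.log_type, mintime)


class AuthenticationLog(BaseLog): log_type = "authentication"
class TelephonyLog(BaseLog): log_type = "telephony"
class AdministratorLog(BaseLog): log_type = "administrator"
class EndpointLog(BaseLog): log_type = "endpoint"
class AccountLog(BaseLog): log_type = "account"


# Same shape as the tuple the answer tells you to edit.
LOGCLASSES = (AuthenticationLog, TelephonyLog, AdministratorLog, EndpointLog, AccountLog)


def parse_disabled(setting):
    """Turn a config value such as "endpoint, telephony" into a set of log types."""
    return {name.strip().lower() for name in setting.split(",") if name.strip()}


def run_script(api, mintime, disabled=frozenset()):
    """One collection pass over LOGCLASSES.

    Types in `disabled` are skipped without calling the API. A failure for one
    type is logged and recorded but does not abort the remaining types.
    Returns (events, failed_types).
    """
    events, failed = [], []
    for cls in LOGCLASSES:
        if cls.log_type in disabled:
            continue
        try:
            events.extend(cls().fetch(api, mintime))
        except AdminAPIError as exc:
            log.error("Failed to get %s logs, %s", cls.log_type, exc)
            failed.append(cls.log_type)
    return events, failed


class Collector:
    """Repeated passes, as the app runs one every couple of minutes.

    With auto_disable=True a log type that fails once is not requested again
    until the collector is restarted, so an unlicensed type raises one error
    instead of one per interval.
    """

    def __init__(self, api, disabled=frozenset(), auto_disable=False):
        self.api = api
        self.disabled = set(disabled)
        self.auto_disable = auto_disable

    def run(self, mintime):
        events, failed = run_script(self.api, mintime, self.disabled)
        if self.auto_disable:
            self.disabled.update(failed)
        return events


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    tenant = ("authentication", "telephony", "administrator", "account")
    _, failed = run_script(FakeAdminAPI(tenant), 1000)
    print("failed without filter:", failed)
    _, failed = run_script(FakeAdminAPI(tenant), 1000, parse_disabled("endpoint"))
    print("failed with filter:", failed)
```

Whichever route you take, the change lives in the app's own bin directory, so an app upgrade that replaces duo_input.py will bring the EndpointLog call back; keep the backup the answer recommends and diff the file after upgrades.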
