
Duo configuration is not replicable?

nick405060
Motivator

Hi there,

I had the Duo app configured on my Splunk 6.3 indexer, and as a test, I can also set it up successfully on my Splunk 7.2 search head. However, I cannot set it up on my Splunk 7.2 indexer, where it needs to be. I'm using the exact same ikey, skey, and API host that I do on the 6.3 indexer and on the 7.2 search head. I've even tried scp-ing the inputs.conf file over from the search head. Lots of reboots attempted, tried uninstalling the app, reinstalling, changing permissions, purging everything Duo, etc. How can I troubleshoot and figure this out? I get the error:

Encountered the following error while trying to save: Could not connect to API host api-abcdefghijk.duosecurity.com. Please check that your host is spelled correctly.

One of these days, I'm going to install a Splunk app and it's actually going to work. One of these days.

1 Solution

nick405060
Motivator

Here's what I did to fix it, after over 5 hours. Fun times.

* Running "find /opt/splunk -name '*duo*'" and deleting everything, and reinstalling the app. Nothing
* Running as root. Nothing
* Copying over every single possible Duo-related file from my working SH and rebooting. Nothing
* Permissions stuff. Nothing
* Messing with inputs.conf and authorize.conf as much as possible. Nothing
* Lots of other things. Nothing. I must have rebooted Splunk 50+ times.

Eventually I rebooted the server (which was NOT something we do very often, nor was this fun) and that fixed the issue. I also want it to be known that Splunk is connected to a TON of other APIs on the same server without a problem, so I have no idea how it could have been anything to do with the server's networking config. Also, this server was cloned in VMware two months ago from the working SH, and since then there have been no non-Splunk-related configuration changes to the server...

Sigh.
