I have installed the Duo Splunk Connector (3504) App, and when I go to configure it after Splunk restarts I am running into a time out situation, summarized by these logs:
ERROR ModularInputs - Argument validation for scheme=duo_input: killing process, because executing it took too long (over 30000 msecs).
INFO ModularInputs - Argument validation for scheme=duo_input: script running failed (killed by signal 9: Killed).
Because this times out, the input.conf stanza the configuration step is supposed to create is not created, and so the app cannot do what it is supposed to do.
I'd like to extend how long Splunk waits for the remote host it is validating to be long enough for this step to complete, or to know where the Name being asked for in the configuration step is to be manually added to the configs. The other three fields are easily added, but I have no documentation on where the name goes.
Were you able to find out why the validation process took longer than 30 seconds? What happens is that the validation process of the modular input tries to connect to the DUO API in order to make sure the credentials you provided are correct. If it takes that long you really should do some troubleshooting like telnetting to port 443 of your DUO API host from the forwarder/indexer and take it from there.
If you want to create the input for DUO on your own, here is a spec of what it looks like:
[duo_input://<name>]
api_host = <DUO API host>
ikey = <integration key>
index = <index>
interval = <interval to poll; I would suggest 300 secs as the minimum; the longer the better>
skey = <secret key>
sourcetype = json
source = duo
host = duo_api
Stash this in an inputs.conf file in local for this app or wherever you like. This will not fix your timeout problem, though. Hope this helps.
It's just the name of the input and it is entirely up to you. It's the same value you choose when using splunkweb where it asks you to name the input. I always use something like "DUO" or "DUO logs".
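A scripted version of the port 443 connectivity check suggested in the answer above, added here as an example and not part of the original thread or the Duo app. It times DNS lookup, TCP connect and TLS handshake separately so you can see which phase uses up the 30-second validation budget; the function names are hypothetical, and the hostname you pass on the command line is your own api_host value.

```python
import socket
import ssl
import time

VALIDATION_BUDGET_S = 30.0  # from the log line: "over 30000 msecs"


def probe(host, port=443, timeout=10.0, tls=True):
    """Return [(phase, seconds, error_or_None)], stopping at the first failure."""
    results = []

    def timed(phase, fn):
        start = time.monotonic()
        try:
            value, err = fn(), None
        except OSError as exc:  # gaierror, timeout, refused and SSLError all derive from OSError
            value, err = None, f"{type(exc).__name__}: {exc}"
        results.append((phase, time.monotonic() - start, err))
        return value

    addrs = timed("dns", lambda: socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))
    if not addrs:
        return results
    family, socktype, proto, _, sockaddr = addrs[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)  # applies to connect and to the TLS handshake
    try:
        if timed("tcp_connect", lambda: sock.connect(sockaddr) or True) and tls:
            ctx = ssl.create_default_context()  # verifies certificate chain and hostname
            sock = timed("tls_handshake", lambda: ctx.wrap_socket(sock, server_hostname=host)) or sock
    finally:
        sock.close()
    return results


def summarize(results):
    total = sum(seconds for _, seconds, _ in results)
    failed = next((phase for phase, _, err in results if err), None)
    return {"total_s": total, "failed_phase": failed, "over_budget": total > VALIDATION_BUDGET_S}


if __name__ == "__main__":
    import sys
    res = probe(sys.argv[1])
    for phase, seconds, err in res:
        print(f"{phase:14s} {seconds:7.3f}s  {err or 'ok'}")
    print(summarize(res))
```

Run it from the forwarder or indexer that hosts the input. A slow or failing tls_handshake phase with a fast tcp_connect usually points at a TLS-inspecting proxy or a certificate trust problem rather than plain network reachability.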