
Why am I not receiving any data using DUO Log Add-on for Splunk and Splunk 6.4.3?

scottrunyon
Contributor

I installed the DUO Log Add-on for Splunk on one of my search heads, configured the local input with the API Host, both keys and selected all three logs to be extracted and set the collection interval to 600 seconds. The configuration saved without any errors. However, I am not receiving any data. There are no errors showing up in the Splunkd log. I am currently using Splunk Enterprise 6.4.3.

Any help on what to check would be appreciated.

0 Karma

bawood
Path Finder

I've updated the version of the add-on available on Splunkbase to 1.1.0; it has some improved error checking. The default version is still set to 1.0, but you should be able to select 1.1.0 to download. Can you update your install to this version and see if you get any more info in the logs?

0 Karma

scottrunyon
Contributor

I upgraded to 1.1.0 and restarted Splunk. Looking at Wireshark, I see the client and server hellos, and the handshakes appear to be completing without error.

I saw the new checkbox on the app for "Enable DUO account info summary input" and checked that. When I tried to save, I get this message - "Encountered the following error while trying to update: In handler 'duo': 'builtin_function_or_method' object has no attribute '__getitem__'" - and have to cancel out of the app.

Thanks for the help on this.

0 Karma

bawood
Path Finder

Apologies, I found a typo in the validation code. I've uploaded a new build of 1.1.0, can you try it again?

0 Karma

scottrunyon
Contributor

After re-generating the key, and only enabling the "Enable DUO authentication log input", no data shows up.

The only tidbit of information I can find in the logs is the following pair of messages:

09-19-2016 13:29:07.728 -0500 INFO ExecProcessor - message from "python E:\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py" Using checkpoint time 1471717747
09-19-2016 13:29:07.728 -0500 INFO ExecProcessor - message from "python E:\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py" no checkpoint time returned, using history value

0 Karma

bawood
Path Finder

It sounds like DUO is probably returning an error that isn't being caught by this version of the add-on. You should verify that the ikey you are using was created for the DUO Admin API and not for the Auth API. DUO doesn't allow Auth key access to the Admin API or vice versa. If it was created for the Admin API, make sure it has access to the appropriate calls.

0 Karma
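One way to check the key pair directly, outside Splunk, is to sign a request to the Duo Admin API yourself and look at the `stat` field Duo returns; a `FAIL` envelope is exactly what the add-on would swallow. The script below is an added example for this thread, not the add-on's own code. It assumes the add-on pulls `/admin/v1/logs/authentication` with a `mintime` Unix timestamp (the "checkpoint time" in the splunkd.log lines above), uses Duo's documented HMAC-SHA1 request signing, and the ikey, skey, host and the two sample response bodies are placeholders constructed for the example.

```python
"""Verify a Duo Admin API ikey/skey pair and pull the authentication log.

Added example for this thread; not the add-on's own code.
Assumptions (not from the thread): endpoint /admin/v1/logs/authentication
with a `mintime` Unix timestamp, Duo's HMAC-SHA1 request signing, and
placeholder keys/host/response bodies.
"""
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample bodies shaped like Duo's JSON envelope (not captured from Duo).
SAMPLE_FAIL = b'{"stat": "FAIL", "code": 40101, "message": "Missing request credentials"}'
SAMPLE_OK = (b'{"stat": "OK", "response": [{"timestamp": 1471717800, '
             b'"username": "alice", "result": "SUCCESS"}]}')


class DuoApiError(Exception):
    """Raised when Duo answers with stat != OK (e.g. wrong key type, bad signature)."""

    def __init__(self, code, message, detail=""):
        super().__init__(f"Duo API error {code}: {message} {detail}".strip())
        self.code = code
        self.message = message


def canonical_params(params: Dict[str, str]) -> str:
    # Duo canonicalises query params sorted by key, percent-encoded with only '~' left unescaped.
    return "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )


def sign_request(ikey: str, skey: str, method: str, host: str, path: str,
                 params: Dict[str, str], date: str) -> Dict[str, str]:
    # Canonical string: Date, METHOD, host (lowercase), path, canonical params, newline-joined.
    canon = "\n".join([date, method.upper(), host.lower(), path, canonical_params(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    # HTTP Basic auth with ikey as the user and the hex signature as the password.
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {auth}"}


def check_response(body: bytes) -> List[dict]:
    # Surface the error the add-on was silently dropping: anything but stat=OK is a failure.
    data = json.loads(body)
    if data.get("stat") != "OK":
        raise DuoApiError(data.get("code"), data.get("message", "unknown"),
                          data.get("message_detail", ""))
    return data["response"]


def build_auth_log_request(ikey: str, skey: str, host: str, mintime: int,
                           date: str = None) -> Tuple[str, Dict[str, str]]:
    # mintime is the checkpoint: only events after this Unix timestamp are returned.
    path = "/admin/v1/logs/authentication"
    params = {"mintime": str(mintime)}
    date = date or email.utils.formatdate()  # RFC 2822 date, must match the signed one
    headers = sign_request(ikey, skey, "GET", host, path, params, date)
    url = f"https://{host}{path}?{canonical_params(params)}"
    return url, headers


def fetch_auth_log(ikey: str, skey: str, host: str, mintime: int) -> List[dict]:
    """Live call (needs network and real Admin API keys); not exercised offline."""
    url, headers = build_auth_log_request(ikey, skey, host, mintime)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return check_response(resp.read())
    except urllib.error.HTTPError as e:
        # Duo still sends a JSON envelope on 401/403; turn it into a readable DuoApiError.
        return check_response(e.read())


if __name__ == "__main__":
    # Placeholder credentials; replace with an Admin API ikey/skey and your api-*.duosecurity.com host.
    print(fetch_auth_log("DIXXXXXXXXXXXXXXXXXX", "replace-with-skey",
                         "api-xxxxxxxx.duosecurity.com", 1471717747))
```

If the call raises `DuoApiError` the thread's diagnosis applies: the key pair is rejected (Auth API key, wrong skey, or an Admin API key without log permissions) and the add-on's checkpoint logic never sees any events, which matches the "no checkpoint time returned" message.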

scottrunyon
Contributor

The key was re-generated and installed. I am still not seeing any data coming in and no errors in splunkd.log.

Looking at the E:\Splunk\etc\apps\TA-DUOSecurity2FA folder, it doesn't seem to follow the format of other TAs. There is no inputs.conf. The only config file is default\app.conf. Could I have not installed the TA correctly?

0 Karma

bawood
Path Finder

Splunk adds the config to the local directory of whatever app context the input was added from (e.g. if you are in the main search app when you clicked add input, it will be in search/local/inputs.conf).

0 Karma