I installed the DUO Log Add-on for Splunk on one of my search heads, configured the local input with the API Host and both keys, selected all three logs to be extracted, and set the collection interval to 600 seconds. The configuration saved without any errors. However, I am not receiving any data. There are no errors showing up in the splunkd log. I am currently using Splunk Enterprise 6.4.3.
Any help on what to check would be appreciated.
I've updated the version of the add-on available on Splunkbase to 1.1.0; it has some improved error checking. The default version is still set to 1.0, but you should be able to select 1.1.0 to download. Can you update your install to this version and see if you get any more info in the logs?
I upgraded to 1.1.0 and restarted Splunk. Looking at Wireshark, I see the client and server hellos, and the handshakes appear to be completing without error.
I saw the new checkbox on the app for "Enable DUO account info summary input" and checked that. When I tried to save, I get this message - "Encountered the following error while trying to update: In handler 'duo': 'builtin_function_or_method' object has no attribute '__getitem__'" - and have to cancel out of the app.
Thanks for the help on this.
After re-generating the key, and only enabling the "Enable DUO authentication log input" option, no data shows up.
The only tidbits of information I can find in the logs are the following messages:
09-19-2016 13:29:07.728 -0500 INFO ExecProcessor - message from "python E:\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py" Using checkpoint time 1471717747
09-19-2016 13:29:07.728 -0500 INFO ExecProcessor - message from "python E:\Splunk\etc\apps\TA-DUOSecurity2FA\bin\duo.py" no checkpoint time returned, using history value
It sounds like DUO is probably returning an error that isn't being caught by this version of the add-on. You should verify that the ikey you are using was created for the DUO Admin API and not for the Auth API. DUO doesn't allow Auth key access to the Admin API or vice versa. If it was created for the Admin API, make sure it has access to the appropriate calls.
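A way to check the key outside the add-on, written here as an added example (it is not the add-on's duo.py and not code from this thread): build the signed Admin API request the add-on would send for the authentication log, using the HMAC-SHA1 request signing that Duo documents for its Admin API (date, method, host, path and sorted parameters joined by newlines, signed with the skey, sent as HTTP Basic ikey:signature), then classify the JSON Duo returns. A key created for the wrong API comes back as a "stat": "FAIL" body with a code and message rather than an "OK" with no events, which is the case the add-on appears to be swallowing. The ikey, skey, host, the checkpoint value (taken from the log line above) and the checkpoint-advance rule are placeholders and assumptions for the example; no network call is made.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import urllib.parse

# Duo Admin API v1 authentication log endpoint; takes a Unix "mintime" parameter.
ADMIN_API_PATH = "/admin/v1/logs/authentication"


def canonicalize(date, method, host, path, params):
    """Build the string Duo signs: RFC 2822 date, HTTP method, lower-cased host,
    path, and the URL-encoded parameters sorted by key, joined by newlines."""
    query = "&".join(
        f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, query])


def sign_request(ikey, skey, host, method, path, params, date=None):
    """Return the headers and query string for a signed Duo API request.
    The hex HMAC-SHA1 of the canonical string (keyed with the skey) is sent as
    HTTP Basic auth with the ikey as the user name."""
    if date is None:
        date = email.utils.formatdate()  # must match the Date header exactly
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode("utf-8"), canon.encode("utf-8"), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{sig}".encode("utf-8")).decode("ascii")
    headers = {"Date": date, "Host": host.lower(), "Authorization": f"Basic {basic}"}
    return {"headers": headers, "query": canon.split("\n")[-1], "canon": canon, "signature": sig}


def auth_log_request(ikey, skey, host, checkpoint, date=None):
    """Signed GET for the authentication log since the saved checkpoint."""
    return sign_request(ikey, skey, host, "GET", ADMIN_API_PATH, {"mintime": checkpoint}, date)


def interpret_response(body_text, checkpoint):
    """Classify a Duo API JSON body and compute the next checkpoint.

    Duo answers {"stat": "OK", "response": [...]} on success and
    {"stat": "FAIL", "code": <int>, "message": "..."} on failure.
    Returns (status, events, new_checkpoint, detail)."""
    body = json.loads(body_text)
    if body.get("stat") != "OK":
        # Surface the failure instead of treating it as "no data"; keep the old
        # checkpoint so the next poll retries the same window.
        return "FAIL", [], checkpoint, f"{body.get('code')}: {body.get('message')}"
    events = body.get("response", [])
    if not events:
        return "EMPTY", [], checkpoint, "no events since checkpoint"
    # Assumption for this example: advance just past the newest event timestamp
    # so the last event is not re-ingested on the next poll.
    newest = max(e["timestamp"] for e in events)
    return "OK", events, newest + 1, f"{len(events)} events"


if __name__ == "__main__":
    # Placeholder credentials and host (assumptions, not real values).
    req = auth_log_request("DIXXXXXXXXXXXXXXXXXX", "skey-placeholder",
                           "api-xxxxxxxx.duosecurity.com", 1471717747)
    print("GET", ADMIN_API_PATH + "?" + req["query"])
    for k, v in req["headers"].items():
        print(f"{k}: {v}")
    # Constructed sample bodies, not captured from Duo.
    fail_body = '{"stat": "FAIL", "code": 40101, "message": "Missing request credentials"}'
    ok_body = ('{"stat": "OK", "response": [{"timestamp": 1471717800, "result": "SUCCESS"},'
               ' {"timestamp": 1471717900, "result": "FAILURE"}]}')
    print(interpret_response(fail_body, 1471717747)[::3])
    print(interpret_response(ok_body, 1471717747)[2:])
```

Point the request at the host from the add-on's configuration (for example with curl, passing the printed Date and Authorization headers); if the body comes back with "stat": "FAIL", the ikey/skey pair is wrong for the Admin API or lacks permission for the log endpoint, and that is the error the add-on is not reporting.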
The key was re-generated and installed. I am still not seeing any data coming in and no errors in splunkd.log.
Looking at the E:\Splunk\etc\apps\TA-DUOSecurity2FA folder, it doesn't seem to follow the format of other TAs. There is no inputs.conf. The only config file is default\app.conf. Could I have not installed the TA correctly?
Splunk adds the config to the local directory of whatever app context the input was added from (e.g. if you are in the main search app when you click Add Input, it will be in search/local/inputs.conf).