Getting Data In

Duo Splunk Connector indexing very few events, throwing some python errors

Explorer

Hey folks,

 

   I just installed the Duo Splunk Connector (v1.1.7) on a heavy forwarder running Splunk Enterprise v7.2.4.2.  The docs on Duo's site instructed me to install on an *indexer*, which isn't going to happen; I think they may need to update the docs a bit.  🙂

 

   The app installs fine, and I followed the setup to add my integration key, my secret key, the API host, etc.  The only advanced option I changed was the index to send events to (and I *did* change the macro to the same value), I left everything else the same.

 

   I'm getting *some* data - the overview page now shows values for Total Users, Telephony Credits, New Enrollments, and Bypass Codes, but the rest of the page remains "No results found."  All panels on the "Duo Authentication" view show "No results found."

 

   So, searching for events from today shows three events with eventtype=account, and that's it.  Hmmmm, I know that it may take some time to pull events from their API, but I've let it sit for a bit and still only had the three events.

 

   Looking in the splunkd.log on that HF, I find a number of Python errors periodically from the app:

 

12-02-2020 22:00:53.588 +0000 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" Running script
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" Traceback (most recent call last):
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py", line 382, in <module>
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" run_script()
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py", line 368, in run_script
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" log.run()
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/logclasses/paginated_base_log.py", line 56, in run
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" self.update_mintime_from_timestamp(last_timestamp_file_path)
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/logclasses/BaseLog.py", line 105, in update_mintime_from_timestamp
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" extracted_ts = int(f.read().strip())
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" ValueError: invalid literal for int() with base 10: ''

 

   Hmmm.  I'm unsure if this is what's preventing more data from coming in, or if I'm just not waiting long enough for the app to do its job.  I'd expect to see more events after 30 minutes, but I still only have the three, and the errors appear each time the input attempts to run (every 120 seconds, I believe).

 

   Has anyone else run into this with this version of the app?  I need to get this data indexed for InfoSec and compliance reasons, but I'm hoping someone with some deeper knowledge knows what the issue is and can lend a hand before I start debugging Python.

 

Thanks so much!

 

Chris

 

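The traceback above shows the app's update_mintime_from_timestamp doing int(f.read().strip()) on a last-timestamp checkpoint file that is empty, so every run of the input dies before it polls the API. As an added illustration, not the connector's own code, here is a defensive version of that checkpoint read and write: the function names are reused from the traceback, while the 24-hour fallback lookback and the atomic write are assumptions of this example, not documented app behaviour.

```python
import logging
import os
import time

log = logging.getLogger("duo_checkpoint_example")

# Assumed default: when no usable checkpoint exists, poll this far back.
DEFAULT_LOOKBACK_SECONDS = 24 * 60 * 60


def read_last_timestamp(path):
    """Return the integer epoch timestamp in the checkpoint file, or None.

    The original int(f.read().strip()) raises ValueError on an empty file;
    here a missing, empty, non-integer or negative value yields None so the
    caller can choose a safe fallback instead of crashing the input.
    """
    try:
        with open(path) as f:
            raw = f.read().strip()
    except (IOError, OSError) as exc:
        log.warning("checkpoint %s unreadable: %s", path, exc)
        return None
    if not raw:
        log.warning("checkpoint %s is empty; ignoring it", path)
        return None
    try:
        ts = int(raw)
    except ValueError:
        log.warning("checkpoint %s holds non-integer %r; ignoring it", path, raw)
        return None
    return ts if ts >= 0 else None


def update_mintime_from_timestamp(path, now=None):
    """Compute the mintime for the next API poll.

    Falls back to now - DEFAULT_LOOKBACK_SECONDS when the checkpoint is
    unusable or lies in the future (clock skew or a corrupted file).
    """
    now = int(time.time()) if now is None else now
    ts = read_last_timestamp(path)
    if ts is None or ts > now:
        return now - DEFAULT_LOOKBACK_SECONDS
    return ts


def write_last_timestamp(path, ts):
    """Write the checkpoint atomically so a crash mid-write cannot leave it empty."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(int(ts)))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # rename is atomic on the same filesystem
```

An empty checkpoint like the one in the traceback then produces a warning in splunkd.log and a 24-hour lookback instead of a traceback on every run.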

Path Finder

Did you get this resolved?  I am running into the exact same issue.  v1.1.7
