
Why is the Duo Splunk Connector indexing very few events and throwing some python errors?

bensec01
Explorer

Hey folks,

   I just installed the Duo Splunk Connector (v1.1.7) on a heavy forwarder running Splunk Enterprise v7.2.4.2.  The docs on Duo's site instructed me to install on an *indexer*, which isn't going to happen, I think they may need to update the docs a bit.  🙂

   The app installs fine, and I followed the setup to add my integration key, my secret key, the API host, etc.  The only advanced option I changed was the index to send events to (and I *did* change the macro to the same value), I left everything else the same.

   I'm getting *some* data - the overview page now shows values for Total Users, Telephony Credits, New Enrollments, and Bypass Codes, but the rest of the page remains "No results found."  All panels on the "Duo Authentication" view show "No results found."

   So, searching for events from today shows three events with eventtype=account, and that's it.  Hmmmm, I know that it may take some time to pull events from their API, but I've let it sit for a bit and still only had the three events.

   Looking in the splunkd.log on that HF, I find a number of Python errors periodically from the app:

12-02-2020 22:00:53.588 +0000 INFO ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" Running script
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" Traceback (most recent call last):
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py", line 382, in <module>
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" run_script()
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py", line 368, in run_script
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" log.run()
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/logclasses/paginated_base_log.py", line 56, in run
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" self.update_mintime_from_timestamp(last_timestamp_file_path)
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" File "/opt/splunk/etc/apps/duo_splunkapp/bin/logclasses/BaseLog.py", line 105, in update_mintime_from_timestamp
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" extracted_ts = int(f.read().strip())
12-02-2020 22:00:53.739 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py" ValueError: invalid literal for int() with base 10: ''

   Hmmm.  I'm unsure if this is what's preventing more data from coming in, or if I'm just not waiting long enough for the app to do its job.  I'd expect to see more events after 30 minutes, but I still only have the three and the errors appear each time the input attempts to run (every 120 seconds I believe). 

   Has anyone else run into this with this version of the app?  I need to get this data indexed for InfoSec and compliance reasons, but I'm hoping someone with some deeper knowledge knows what the issue is and can lend a hand before I start debugging Python.

Thanks so much!

Chris


anm_mporter
Explorer

I know this is old, but for the benefits of future generations:

This is caused by the "*_last_timestamp_*.duosecurity" files being blank.

This can happen if you run out of disk space, for example. Duo is trying to read a timestamp from these files, getting a null instead, and attempting to treat it like a number.

The fix is to simply delete all of the "*.duosecurity" files from "$SPLUNK_HOME/etc/apps/duo_splunkapp/bin" and restart Splunk. The app will recreate these files with proper timestamps.

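An added example, not code from the Duo Splunk Connector or from this thread: it reproduces the blank-checkpoint failure shown in the traceback (int('') on the stripped file contents), lists zero-length *.duosecurity files, and shows a tolerant reader plus an atomic writer so a full disk cannot leave an empty checkpoint behind. The file name, epoch values and scratch directory are constructed for the demo.

```python
import glob
import os
import tempfile

def naive_read(path):
    """What the app does at BaseLog.py line 105 (per the traceback):
    a blank checkpoint file makes int('') raise ValueError."""
    with open(path) as f:
        return int(f.read().strip())

def read_checkpoint(path, default_mintime):
    """Defensive replacement: fall back to default_mintime when the file
    is missing, blank or not an integer (e.g. truncated by a full disk)."""
    try:
        with open(path) as f:
            raw = f.read().strip()
        return int(raw) if raw else default_mintime
    except (FileNotFoundError, ValueError):
        return default_mintime

def write_checkpoint(path, ts):
    """Write via temp file + rename so a crash or out-of-space error
    mid-write cannot leave a zero-length checkpoint behind."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(str(int(ts)))
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)

def find_blank_checkpoints(bin_dir):
    """Return *.duosecurity files of size 0, i.e. the broken state above."""
    pattern = os.path.join(bin_dir, "*.duosecurity")
    return sorted(p for p in glob.glob(pattern) if os.path.getsize(p) == 0)

def demo():
    """Reproduce the failure in a scratch dir and show the recovery."""
    bin_dir = tempfile.mkdtemp()  # stands in for the app's bin directory
    path = os.path.join(bin_dir, "auth_last_timestamp_demo.duosecurity")
    open(path, "w").close()  # constructed blank checkpoint
    try:
        naive_read(path)
        naive_failed = False
    except ValueError:
        naive_failed = True
    blanks = len(find_blank_checkpoints(bin_dir))
    recovered = read_checkpoint(path, 1606860000)  # constructed fallback epoch
    write_checkpoint(path, 1606953653)  # constructed new checkpoint epoch
    return naive_failed, blanks, recovered, read_checkpoint(path, 0)
```

Running find_blank_checkpoints against the real bin directory tells you whether the blank-file condition is present before you delete anything.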

spodda01da
Path Finder

Not sure if it's going to help, but I re-installed the DUO app, which fixed my issue.


bwindham
Path Finder

Did you get this resolved?  I am running into the exact same issue.  v1.1.7


bsanjeeva
Explorer

Is this issue resolved? I have the same problem


bensec01
Explorer

Nope.  Thunderous silence from everyone.  Apparently it works for some.  🙂



bsanjeeva
Explorer

Was a support ticket raised with Duo (app owner) to address this? I have done one, awaiting their response.


bensec01
Explorer

No, sorry, you're the first person to respond here.  No progress elsewhere.
