bawood / TA-DUOSecurity2FA

Splunk TA for indexing DUO 2 factor activity logs

Error Message in Splunk #3

Closed tonynotears closed 7 years ago

tonynotears commented 7 years ago

Hello,

After following your instructions, I got the following error:

Encountered the following error while trying to save: In handler 'duo': Argument validation for scheme=duo: script running failed (killed by signal 9: Killed)

Is there anything I could do to troubleshoot this?

Thanks

tonynotears commented 7 years ago

any help is appreciated....still can't get this working....

bawood commented 7 years ago

Can you check for any other output from duo.py in the splunkd.log? I'm not sure what would cause it to be killed. Usually if there is a problem with the credentials or connecting with the DUO API server, it will return an access denied type of error.

tonynotears commented 7 years ago

@bawood thanks a lot for replying back to me.

Unfortunately this is the error message I see:

ModularInputs - Argument validation for scheme=duo: script running failed (killed by signal 9: Killed).

Does it work in your environment? What version of Python is installed? Which version of Splunk?

tonynotears commented 7 years ago

@bawood sorry for the spam. Another question: where did you put in the ikey, skey and API host? I know you can do that in the GUI, but which file do I need to modify in the console if I want to see if the CLI will change anything?

bawood commented 7 years ago

@tonynotears yes, it works in our environment and it's been tested with several different versions of Splunk. It should work fine with all versions since 6.2. We use the Python version that is installed with Splunk.

I wouldn't recommend trying to edit the inputs.conf directly because the validation occurs when you configure it through the UI. However, once you have an input configured and working, the inputs.conf can basically be put in any of the "local" app directories. It usually gets created in the app local directory that was the starting context from where the input was added (i.e. if you are in the main search app and you start the add inputs from there, the inputs.conf is written to "etc/apps/search/local").

The input spec is in TA-DUOSecurity2FA/README/inputs.conf.spec; that file is used to generate the scheme, and validate the inputs that you configure. So if that file is corrupt or has been modified, it definitely won't work.