11-13-2022 08:16 PM
Hi there,
We’re running DUO Splunk connector (https://splunkbase.splunk.com/app/3504) for few years: version 1.1.3 on Splunk 7.0.
Recently we upgraded DUO Splunk connector 1.1.9 on Splunk to 9.0.0.1 using the same application setting (skey, ikey, api host). It works when first enabled, however, it stops collecting logs after running less than 60 minutes, with message, e.g.
[snipped]
11-11-2022 14:58:45.247 +0800 INFO ExecProcessor [4173186 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” PaginatedAuthenticationLog Params: {‘mintime’: ‘1665648592’}
11-11-2022 14:58:47.885 +0800 INFO ExecProcessor [4173186 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” Fetching page of Authentication Logs from adminapi, now=1668149927
11-11-2022 14:58:47.901 +0800 INFO ExecProcessor [4173186 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” Attempting to write timestamp: 1665649918, last_timestamp: 1665649918, mintime: 1665648592
11-11-2022 14:58:47.902 +0800 INFO ExecProcessor [4173186 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” Non-Legacy PaginatedEndPointLog timestamp detected: 1668144759
11-11-2022 14:58:47.903 +0800 INFO ExecProcessor [4173186 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” PaginatedEndPointLog timestamp from file: 1668144759, old mintime: 1665557927
1-11-2022 13:32:49.645 +0800 INFO ExecProcessor [4158501 ExecProcessor] - message from “/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/duo_splunkapp/bin/duo_input.py” Skipping Endpoint collection because it last ran within 86400 seconds from now(1668144769.645649).
Fallback to 1.1.3 on Splunk 7.0 works without problem.
Would anyone please help?
Thanks a lot.
11-23-2022 12:59 PM
If you haven’t yet please reach out to Duo Support.
11-30-2022 01:06 AM
Thanks. Waiting for reply from Duo Support …
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide