Kelly4
Level 1

Hello everyone!

We’re excited to announce the launch of a new Duo-developed utility called Duo Log Sync that allows you to fetch logs from Duo and feed them to a SIEM (security information and event management) application.

Duo Log Sync allows you to retrieve logs from Duo’s Auth API and Admin API endpoints over HTTPS. It can export to a SIEM in multiple formats over multiple transport protocols, such as TCP, TCP over SSL, and UDP. Read more on the Duo blog.

Duo Log Sync also features:

  • The ability to pick up from the last event or log and continue sending it even if there is a dropped connection, helping you stay on top of events.
  • The ability to configure which endpoints you want to query.

It is compatible with version 1 and version 2 of Duo’s API endpoints, as well as Python versions 3.6, 3.7, and 3.8. Duo Log Sync is currently officially supported only on UNIX systems.

If you have used the third-party tool Log Grabber in the past, we recommend switching to Duo Log Sync, which is supported by Duo and will receive ongoing improvements, including providing access to the latest Duo API endpoints.

Duo Log Sync is an open-source utility available via GitHub.

Let us know what you think about this new tool!
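As an added illustration of the "pick up from the last event" behaviour the announcement describes (example code written for this page, not Duo's code and not how Duo Log Sync itself is implemented): a checkpointed fetch-and-forward loop that loses its SIEM connection mid-batch and resumes without replaying records. The API call, record layout, checkpoint file format and sink are all constructed stand-ins.

```python
import json
import os
import tempfile
# Constructed records standing in for Duo Admin API auth logs; not the real schema or paging.
SAMPLE_LOGS = [{"timestamp": t, "event": f"auth-{t}"} for t in range(1000, 1010)]

def fetch_logs(mintime):
    """Stand-in for the API call: return only records newer than mintime."""
    return [r for r in SAMPLE_LOGS if r["timestamp"] > mintime]

def load_checkpoint(path):
    """Last forwarded timestamp, or 0 on a first run with no checkpoint file."""
    if not os.path.exists(path):
        return 0
    with open(path) as f:
        return json.load(f)["last_timestamp"]

def save_checkpoint(path, ts):
    tmp = path + ".tmp"  # write-then-rename so a crash never leaves a torn file
    with open(tmp, "w") as f:
        json.dump({"last_timestamp": ts}, f)
    os.replace(tmp, path)

class FlakySink:
    """Stand-in for a SIEM TCP connection that drops once, after N sends."""
    def __init__(self, fail_after):
        self.fail_after, self.received = fail_after, []
    def send(self, record):
        if len(self.received) == self.fail_after:
            self.fail_after = None  # drop once, then accept again
            raise ConnectionError("peer reset")
        self.received.append(json.dumps(record))

def sync(checkpoint_path, sink):
    """Forward records newer than the checkpoint, advancing it after each send.
    Save-after-send is at-least-once: a crash between the two re-sends one record."""
    for record in fetch_logs(load_checkpoint(checkpoint_path)):
        sink.send(record)
        save_checkpoint(checkpoint_path, record["timestamp"])

def run_with_one_drop(fail_after=4):
    """Sync, lose the connection mid-batch, sync again; return (received, checkpoint)."""
    with tempfile.TemporaryDirectory() as d:
        path, sink = os.path.join(d, "auth.checkpoint"), FlakySink(fail_after)
        try:
            sync(path, sink)
        except ConnectionError:
            pass  # the checkpoint already records everything that got through
        sync(path, sink)  # resume from the last forwarded record, no replay
        return sink.received, load_checkpoint(path)
```

Because the checkpoint advances only after a successful send, a crash between the two calls can re-send a single record; the receiving SIEM should deduplicate on a stable event key.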

Comments
grs177
Level 1

We currently use the Duo Splunk connector. Would there be any differences between the two? Thanks!

duo-danj
Level 1

Hi Grs177,
The DLS has more features and can be used on both V1/V2 endpoints, meaning more information can be sent, compared to the Splunk Connector, which only has the V1 endpoints.

There’s also more customizability for the DLS compared to the Splunk Connector as well.

Hope that helps!

Cheers,

Dan

mleather
Level 1

Would this be compatible with a 3rd party SIEM, such as Dell SecureWorks?

duo-danj
Level 1

Hi mleather,
As long as Dell SecureWorks allows for the ingestion of JSON that can be sent over TCP/TCP Encrypted, then it should work!

Cheers,

Dan

gera1
Level 1

Hello, this looks very promising.
What would be the recommended way to get these logs into a secured elk instance?

Since the connection methods are TCP, TCP SSL or UDP, would you just use a Logstash instance?

Thank you!

Kelly4
Level 1

Hi gera,

Thanks for your interest in Duo Log Sync! I checked with the engineering team that works on Log Sync and they have encountered at least one other customer using Filebeat plus Logstash with Duo Log Sync. Duo Log Sync can send data over any of the supported connection methods you mentioned, so it would just be a matter of choosing the method that your receiving utility can accept. I hope this helps!

finEmployee
Level 1

Can this be used to send logs from the DUO server to a SIEM?

Kelly4
Level 1

Hi finEmployee!

Yes, there are several ways to get Duo logs into a SIEM, including Duo Log Sync. This KB article walks through the different options: https://help.duo.com/s/article/1269

Hope this helps!

Ian_Jam
Level 1

Hi Duo, I’ve just started testing DLS with Elasticsearch Cloud. The configuration is DLS and Elastic Filebeat running on the same server, with Filebeat forwarding to Elastic Cloud. In my initial tests I left the Offset at 180 days and all seemed good. Elastic received and indexed about 27000 records, but then DLS loses the connection and stops. I ran this twice (after deleting checkpoints) with the same result. I then tried changing Timeout to 300 seconds, still with the same result.

Now however with no other config changes it times out without returning any logs and producing only a single adminaction checkpoint file.

Any insight as to what these issues might be?

Otherwise, thanks! This appears to be the perfect tool for ingesting the Duo logs for both reporting and SIEM.

Kelly4
Level 1

Hi Ian!

Thanks for trying out Duo Log Sync. I spoke to the team that works on DLS and they think they know what the issue might be, but troubleshooting would require taking a look at your logs. These should not be shared publicly, so please reach out to Duo Support for assistance!

Edited to add: Please be sure to include this post for reference when you open a case, so you don’t have to repeat the info you have shared here.
