Announcing Duo Log Sync: Fetch Duo logs for ingestion into a SIEM

Hello everyone!

We’re excited to announce the launch of a new Duo-developed utility called Duo Log Sync that allows you to fetch logs from Duo and feed them to a SIEM (security information and event management) application.

Duo Log Sync allows you to retrieve logs from Duo’s Auth API and Admin API endpoints over TCP/TCP Encrypted. It outputs to JSON format for ingestion into a SIEM.

Duo Log Sync also features:

  • The ability to pick up from the last event or log and continue sending it even if there is a dropped connection, helping you stay on top of events.
  • The ability to configure which endpoints you want to query.

It is compatible with version 1 and version 2 of Duo’s API endpoints, as well as Python versions 3.6, 3.7, and 3.8. Duo Log Sync is currently officially supported only on UNIX systems.

If you have used the third-party tool Log Grabber in the past, we recommend switching to Duo Log Sync, which is supported by Duo and will receive ongoing improvements, including providing access to the latest Duo API endpoints.

Duo Log Sync is an open-source utility available via Github.

Let us know what you think about this new tool!

We currently use the Duo Splunk connector. Would there be any differences between the two? Thanks!

Hi Grs177,
The DLS has more features and can be used on both V1/V2 endpoints meaning more information can be sent, compared to the Splunk Connector that only has the V1 endpoints.

There’s also more customizability for the DLS compared to the Splunk Connector as well.

Hope that helps!



Would this be compatible with a 3rd party SEIM, such as Dell SecureWorks?

Hi mleather,
As long as Dell SecureWorks allows for the ingestion of JSON that can be sent over TCP/TCP Encyrpted then it should work!