Authentication log forwarding to sumologic via API


#1

We would like to see an option to forward user authentication logs to sumologic via API.
Currently, log forwarding requires an intermediate host to pull the logs from the service via the Duo API, store them locally, and then forward them.
We would like to eliminate the dependency on an intermediate host.


#2

Hey avs,

This seems like a Sumologic feature request. Splunk has this ability. http://blogs.splunk.com/2013/06/18/getting-data-from-your-rest-apis-into-splunk/

I would start here: https://help.sumologic.com/Start_Here/Getting_Started/Get_Help#Feature_Request

Cheers


#3

duosec does not have any ability to forward syslog messages.


#4

Hey avs,

Perhaps I misunderstood, I thought you meant using the Duo Admin API to pull logs from the service as described here: https://duo.com/docs/adminapi

Are you talking about logs from Authentication Proxy? Those logs have some configurability - https://duo.com/docs/authproxy_reference#main-section - but are going to be logged locally. Those logs will need to go from the AP host and be shipped out to Sumologic as you describe.

Cheers


#5

Can I forward the logs from Duo to Sumologic via HTTPS?
https://help.sumologic.com/Send_Data/Sources/HTTP_Source/Upload_Data_to_an_HTTP_Source
Another alternative is syslog forwarding:
https://help.sumologic.com/Beta/Beta_-Sources/Beta-_Cloud_Syslog_Source


#6

Hey avs,

Looking at the docs here: http://blogs.splunk.com/2013/06/18/getting-data-from-your-rest-apis-into-splunk/

REST Modular Input is the one you are after. Here are the details you can use to get it all working: https://duo.com/docs/adminapi#api-details

Cheers


#7

I got the response from SumoLogic:
They have an ability to run a script on their side, as described at https://help.sumologic.com/Send_Data/Sources/Script_Source

This script for log collection can be tailored for Duo.
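
The pull-and-forward approach discussed in this thread (Duo Admin API in #4, a collection script in #7), sketched as an added example; it is not code from any poster, Duo or Sumo Logic. The endpoint path, the `mintime` parameter, the `timestamp` field, the `DUO_*` environment variable names and the checkpoint file are assumptions to confirm against the linked Admin API docs.

```python
import base64, email.utils, hashlib, hmac, json, os, urllib.parse, urllib.request

LOG_PATH = "/admin/v1/logs/authentication"  # assumed endpoint; confirm in the Admin API docs

def sign(method, host, path, params, ikey, skey, date=None):
    """Build Duo Admin API auth headers: HMAC-SHA1 over the canonical request."""
    date = date or email.utils.formatdate()
    query = "&".join(f"{urllib.parse.quote(k, safe='~')}={urllib.parse.quote(str(v), safe='~')}"
                     for k, v in sorted(params.items()))
    canon = "\n".join([date, method.upper(), host.lower(), path, query])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": "Basic " + token}, query

def fetch(host, ikey, skey, mintime):
    """GET authentication events from mintime onward (network call)."""
    headers, query = sign("GET", host, LOG_PATH, {"mintime": mintime}, ikey, skey)
    req = urllib.request.Request(f"https://{host}{LOG_PATH}?{query}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["response"]

def emit_new(events, checkpoint):
    """Return (JSON lines newer than checkpoint, advanced checkpoint) so reruns do not duplicate."""
    fresh = sorted((e for e in events if e["timestamp"] > checkpoint),
                   key=lambda e: e["timestamp"])
    lines = [json.dumps(e, sort_keys=True) for e in fresh]
    return lines, (fresh[-1]["timestamp"] if fresh else checkpoint)

if __name__ == "__main__":
    state = os.environ.get("DUO_STATE_FILE", "duo_checkpoint.txt")
    last = int(open(state).read()) if os.path.exists(state) else 0
    if "DUO_HOST" in os.environ:   # credentials come from the environment, never the script
        events = fetch(os.environ["DUO_HOST"], os.environ["DUO_IKEY"],
                       os.environ["DUO_SKEY"], last + 1)
    else:                          # constructed sample events so the script runs offline
        events = [{"timestamp": 1500000000, "username": "alice", "result": "SUCCESS"},
                  {"timestamp": 1500000060, "username": "bob", "result": "FAILURE"}]
    lines, last = emit_new(events, last)
    if lines:
        print("\n".join(lines))    # one JSON event per line on stdout for the collector
    with open(state, "w") as fh:
        fh.write(str(last))
```

Give the Admin API integration only the log-read permission, and keep the checkpoint file on storage that survives between runs so a restart does not re-send or skip events.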