Authentication log forwarding to sumologic via API

avs1 · ‎09-27-2016

We would like to see an option to forward user authentication log to sumologic via API.
Currently log forwarding requires an intermediate host to pul the logs from the service via duo API and storing the logs locally, then forwarding.
We would like to eliminate the dependency on an intermediate host.

gleezy1 · ‎09-27-2016

Hey avs,

This seems like a Sumologic feature request. Splunk has this ability. http://blogs.splunk.com/2013/06/18/getting-data-from-your-rest-apis-into-splunk/

I would start here: https://help.sumologic.com/Start_Here/Getting_Started/Get_Help#Feature_Request

Cheers

avs1 · ‎09-27-2016

duosec does not have any ability to forward syslog messages.

gleezy1 · ‎09-28-2016

Hey avs,

Perhaps I misunderstood, I thought you meant using the Duo Admin API to pull logs from the service as described here: https://duo.com/docs/adminapi

Are you talking about logs from Authentication Proxy? Those logs have some configurability - https://duo.com/docs/authproxy_reference#main-section -but are going to be logged locally. For those logs, they will need to go from the AP host and be shipped out to Sumologic as you describe.

Cheers

avs1 · ‎09-28-2016

can I forward the logs from Duo to Sumlogic via https?
https://help.sumologic.com/Send_Data/Sources/HTTP_Source/Upload_Data_to_an_HTTP_Source
other alternative is syslog forwarding:
https://help.sumologic.com/Beta/Beta_-Sources/Beta-_Cloud_Syslog_Source

gleezy1 · ‎10-03-2016

Hey avs,

Looking at the docs here: http://blogs.splunk.com/2013/06/18/getting-data-from-your-rest-apis-into-splunk/

REST Modular Input is the one you are after. Here are the details you can use to get it all working: https://duo.com/docs/adminapi#api-details

Cheers

avs1 · ‎10-05-2016

I got the response from SumoLogic:
They have an ability to run a script on their side as
described at https://help.sumologic.com/Send_Data/Sources/Script_Source

this script for log collection can be tailored to for Duo