Duo Radius Proxy Logs to external server

Dear Duo Community members,
I am using the Duo RADIUS proxy, and it's really simple, great, and very reliable.
Yet I have a problem: I want to ship its logs to an external server, to save the auth-logs for a longer period of time and to process them through my SIEM. Is there a built-in way to ship the logs? I skimmed all the documentation and didn’t find a way to accomplish that. Furthermore, I tried with NXLOG with no success (if anyone can help with a piece of configuration, it will be awesome!).
If anyone has an idea, I’ll be more than thankful. Many thanks in advance.

Hi @Nimrod,

Yes, you can have Auth Proxy logs shipped to a SIEM via the following: https://help.duo.com/s/article/3959

The above creates a secondary log file that is suitable for SIEM consumption via Splunk Universal Forwarder or a similar function. It is a JSON-formatted file that logs primary and secondary authentication events that occur on the respective Auth Proxy.

I would also suggest that you consume Authentication Logs, Telephony Logs, Administrator Logs, and Trust Monitor Logs (if applicable) using our Duo Log Sync utility: https://help.duo.com/s/article/1269

Hope this helps!

Hi, thanks for answering,
I came across these articles, yet there is no way to send the logs; you need the SIEM to read from the machine’s log file.
I need the Duo proxy to send its logs forward, not to a file, but over UDP/TCP to another IP address (aka collector) (for example, syslog UDP/514). I couldn’t find a way to do so.

Thanks in advance.

At this time, the Auth Proxy does not have a way to natively ship its logs (events captured in either authproxy.log or authevents.log) directly to a SIEM. Please submit this as a Feature Request via your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.

What type of events from the Auth Proxy are you most concerned about? I noticed you had mentioned “auth-logs” but please note that Duo’s Authentication Logs can be shipped to a SIEM via API, as mentioned earlier (Auth Proxy is not required).

Hi, Thanks for the answer,
I would like to catch the “User locked” events and alert the users.

When a user becomes locked out of Duo, you may choose to configure & receive an email alert. Please see https://help.duo.com/s/article/7219 for more information.

When a user becomes locked out, the event is not recorded in the Authentication Log. However, if a user tries to authenticate after they have become locked out, the "reason": "locked_out" will be recorded in the Authentication Log. If you have these logs shipped to your SIEM, you may also choose to alert on events that show "reason": "user_marked_fraud" since that means a user denied a Push that they themselves did not initiate (potential Push Phishing).
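
For the two alert conditions named above, here is a sketch of picking records with "reason": "locked_out" or "reason": "user_marked_fraud" out of JSON log lines and pushing them to a syslog collector over UDP. This is an added example, not code from Duo or from anyone in the thread. Only the `reason` key and its two values come from the thread; the other field names, the sample records, and the `authproxy` / `duo-alert` labels are constructed assumptions.

```python
import json
import socket

# Reason values the thread says are worth alerting on.
ALERT_REASONS = {"locked_out", "user_marked_fraud"}

# Constructed sample records, one JSON object per line. Only the "reason" key
# and its two alert values come from the thread; the other keys are assumed.
SAMPLE_LINES = [
    '{"timestamp": "2024-05-01T10:00:00Z", "user": "alice", "result": "success", "reason": "user_approved"}',
    '{"timestamp": "2024-05-01T10:02:11Z", "user": "bob", "result": "denied", "reason": "locked_out"}',
    '{"timestamp": "2024-05-01T10:03:40Z", "user": "carol", "result": "fraud", "reason": "user_marked_fraud"}',
    '{"timestamp": "2024-05-01T10:04:0',  # truncated line, as seen mid-write
]


def select_alerts(lines):
    """Return the parsed records whose reason is in ALERT_REASONS."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or partially written lines
        if isinstance(record, dict) and record.get("reason") in ALERT_REASONS:
            alerts.append(record)
    return alerts


def to_syslog(record, host="authproxy", facility=10, severity=4):
    """Build a syslog datagram: <PRI>host tag: JSON (authpriv.warning by default)."""
    pri = facility * 8 + severity
    body = json.dumps(record, sort_keys=True)
    return f"<{pri}>{host} duo-alert: {body}".encode("utf-8")


def forward_alerts(lines, collector):
    """Send one UDP datagram per alert record to collector=(ip, port); return count."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for record in select_alerts(lines):
            sock.sendto(to_syslog(record), collector)
            sent += 1
    return sent


if __name__ == "__main__":
    for record in select_alerts(SAMPLE_LINES):
        print(to_syslog(record).decode("utf-8"))
```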