Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8018
Views
3
Helpful
9
Replies

Pulling Logs via API

Steve_M
Level 1
Level 1

‎07-12-2017 06:14 AM

My organization is coming up on our go-live for requiring Duo for a variety of platforms. We are trying to get auth, admin, and telephony logs to our SIEM (LogRhythm) prior to go-live. Since there is no connector/plugin for Duo that leaves the method of pulling the logs down via API and ingesting them as a flat file or csv format. I am aware of these resources for accomplishing this: https://duo.com/docs/adminapi#logs and https://github.com/duosecurity. However, the team that operates our SIEM does not have a strong scripting background and this process will live on their platform. Are there more resources I am missing that could help them get this going?

The fact that Duo does not provide a more seamless process, or does not put more effort into working with SIEM vendors to make it seamless, IMO is a major drawback of the product. Any corporation with any compliance or regulatory restrictions will need to have these logs ingested into a SIEM. This should not be a manual, custom process that is prone to human error.

Labels:
9 Replies 9

rhys_samson
Level 1
Level 1

‎07-12-2017 07:07 AM

I agree, but it may be useful to try the script here. You shouldn’t need significant background other than just installing python and changing a couple of variables. This will convert the logs to syslog to send to your SIEM. Our team uses something very similar.

Steve_M
Level 1
Level 1
In response to rhys_samson

‎07-12-2017 07:32 AM

Thank you @rhys_samson. I will forward this on to my team and hopefully it helps them.

0 Helpful

avs1
Level 1
Level 1
In response to rhys_samson

‎12-03-2017 08:51 PM

We have a similar need for Sumologic.
Can I run libresec/Duo-Log-Grabber on AWS? If so do you have any document which can assist with the config?
Thanks,

0 Helpful

avs1
Level 1
Level 1
In response to rhys_samson

‎12-09-2017 04:14 PM

Can I run this on AWS? What are the requirements?

0 Helpful

DuoKristina
Cisco Employee
Cisco Employee
In response to avs1

‎12-11-2017 06:52 AM

Hello avs,

If you have specific questions about libresec’s Duo-Log-Grabber utility you may wish to direct them to libresec himself on GitHub.

You can probably run it on an Amazon Linux AWS instance (or any other Linux) with Python, then follow the install instructions.

Duo, not DUO.
0 Helpful

DuoKristina
Cisco Employee
Cisco Employee

‎07-13-2017 11:49 AM

We are working to improve Duo’s integration with SIEMs. For example, we released a Splunk connector earlier this year.

We’ll prioritize exploring integrations with specific SIEM vendors based on customer interest, so if you haven’t already done so please contact Duo Support or your Duo Customer Success Manager to submit a feature request for a LogRhythm connector or integration.

Duo, not DUO.
0 Helpful

gimmic
Level 1
Level 1

‎03-14-2018 09:23 AM

It would be nice if there were more of a push feature. Maybe write out to AWS SQS or even s3 buckets?

0 Helpful

janereed
Level 1
Level 1

‎04-25-2018 08:50 AM

We are using a 3rd party solution for that. take a look at skyformation. AFAIK they support any SIEM and also remove the need to parse and classify the events.

0 Helpful

Pranav_Jariwala
Level 1
Level 1

‎02-19-2020 11:43 PM

This is very outdated solution . Do we have anyhting to integrate with elastic search

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents