Pulling Logs via API


My organization is coming up on our go-live for requiring Duo for a variety of platforms. We are trying to get auth, admin, and telephony logs to our SIEM (LogRhythm) prior to go-live. Since there is no connector/plugin for Duo that leaves the method of pulling the logs down via API and ingesting them as a flat file or csv format. I am aware of these resources for accomplishing this: https://duo.com/docs/adminapi#logs and https://github.com/duosecurity. However, the team that operates our SIEM does not have a strong scripting background and this process will live on their platform. Are there more resources I am missing that could help them get this going?

The fact that Duo does not provide a more seamless process, or does not put more effort into working with SIEM vendors to make it seamless, IMO is a major drawback of the product. Any corporation with any compliance or regulatory restrictions will need to have these logs ingested into a SIEM. This should not be a manual, custom process that is prone to human error.


I agree, but it may be useful to try the script here. You shouldn’t need significant background other than just installing python and changing a couple of variables. This will convert the logs to syslog to send to your SIEM. Our team uses something very similar.


Thank you @rhys_samson. I will forward this on to my team and hopefully it helps them.


We are working to improve Duo’s integration with SIEMs. For example, we released a Splunk connector earlier this year.

We’ll prioritize exploring integrations with specific SIEM vendors based on customer interest, so if you haven’t already done so please contact Duo Support or your Duo Customer Success Manager to submit a feature request for a LogRhythm connector or integration.


We have a similar need for Sumologic.
Can I run libresec/Duo-Log-Grabber on AWS? If so do you have any document which can assist with the config?


Can I run this on AWS? What are the requirements?


Hello avs,

If you have specific questions about libresec’s Duo-Log-Grabber utility you may wish to direct them to libresec himself on GitHub.

You can probably run it on an Amazon Linux AWS instance (or any other Linux) with Python, then follow the install instructions.


It would be nice if there were more of a push feature. Maybe write out to AWS SQS or even s3 buckets?


We are using a 3rd party solution for that. take a look at skyformation. AFAIK they support any SIEM and also remove the need to parse and classify the events.