Trust Monitor alerts and Splunk Connector

Looking to ingest the alerts generated by Trust Monitor into Splunk using the Splunk connector. I see that the directory path to the logs is different from what the Splunk connector is looking for. Is there a way to configure the connector to ingest Trust Monitor alerts as well? Would rather not have to use two log forwarding methods, one currently in place for Duo auth and one just for Trust Monitor. If I need to direct this to Splunk I can; I was not sure who controls the connector.

Hi @Ricker_Cyber ,

The Splunk Connector integration uses v1 of our Auth Log handlers and does not support the Trust Monitor endpoint. In order to ingest Trust Monitor logs into Splunk, you can configure Duo Log Sync, as this supports not only v2 Auth Log handlers but also the Trust Monitor endpoint (JSON only). You can then replace the Splunk Connector with DLS going forward so that they are consolidated into one data input for Splunk.

Does Duo Log Sync export Duo Trust Monitor logging?

Hope this helps!
