topic Re: Pulling Logs via API in APIs

Pulling Logs via API

Steve_M — Wed, 12 Jul 2017 13:14:59 GMT

My organization is coming up on our go-live for requiring Duo for a variety of platforms. We are trying to get auth, admin, and telephony logs to our SIEM (LogRhythm) prior to go-live. Since there is no connector/plugin for Duo that leaves the method of pulling the logs down via API and ingesting them as a flat file or csv format. I am aware of these resources for accomplishing this: https://duo.com/docs/adminapi#logs and https://github.com/duosecurity. However, the team that operates our SIEM does not have a strong scripting background and this process will live on their platform. Are there more resources I am missing that could help them get this going?

The fact that Duo does not provide a more seamless process, or does not put more effort into working with SIEM vendors to make it seamless, IMO is a major drawback of the product. Any corporation with any compliance or regulatory restrictions will need to have these logs ingested into a SIEM. This should not be a manual, custom process that is prone to human error.

Re: Pulling Logs via API

rhys_samson — Wed, 12 Jul 2017 14:07:21 GMT

I agree, but it may be useful to try the script here. You shouldn’t need significant background other than just installing python and changing a couple of variables. This will convert the logs to syslog to send to your SIEM. Our team uses something very similar.

Re: Pulling Logs via API

Steve_M — Wed, 12 Jul 2017 14:32:34 GMT

Thank you @rhys_samson. I will forward this on to my team and hopefully it helps them.

Re: Pulling Logs via API

DuoKristina — Thu, 13 Jul 2017 18:49:13 GMT

We are working to improve Duo’s integration with SIEMs. For example, we released a Splunk connector earlier this year.

We’ll prioritize exploring integrations with specific SIEM vendors based on customer interest, so if you haven’t already done so please contact Duo Support or your Duo Customer Success Manager to submit a feature request for a LogRhythm connector or integration.

Re: Pulling Logs via API

avs1 — Mon, 04 Dec 2017 04:51:58 GMT

We have a similar need for Sumologic.
Can I run libresec/Duo-Log-Grabber on AWS? If so do you have any document which can assist with the config?
Thanks,

Re: Pulling Logs via API

avs1 — Sun, 10 Dec 2017 00:14:15 GMT

Can I run this on AWS? What are the requirements?

Re: Pulling Logs via API

DuoKristina — Mon, 11 Dec 2017 14:52:38 GMT

Hello avs,

If you have specific questions about libresec’s Duo-Log-Grabber utility you may wish to direct them to libresec himself on GitHub.

You can probably run it on an Amazon Linux AWS instance (or any other Linux) with Python, then follow the install instructions.

Re: Pulling Logs via API

gimmic — Wed, 14 Mar 2018 16:23:44 GMT

It would be nice if there were more of a push feature. Maybe write out to AWS SQS or even s3 buckets?

Re: Pulling Logs via API

janereed — Wed, 25 Apr 2018 15:50:21 GMT

We are using a 3rd party solution for that. take a look at skyformation. AFAIK they support any SIEM and also remove the need to parse and classify the events.

Re: Pulling Logs via API

Pranav_Jariwala — Thu, 20 Feb 2020 07:43:09 GMT

This is very outdated solution . Do we have anyhting to integrate with elastic search