Pulling Logs via API

Steve_M
Level 1

My organization is coming up on our go-live for requiring Duo for a variety of platforms. We are trying to get auth, admin, and telephony logs to our SIEM (LogRhythm) prior to go-live. Since there is no connector/plugin for Duo that leaves the method of pulling the logs down via API and ingesting them as a flat file or csv format. I am aware of these resources for accomplishing this: https://duo.com/docs/adminapi#logs and https://github.com/duosecurity. However, the team that operates our SIEM does not have a strong scripting background and this process will live on their platform. Are there more resources I am missing that could help them get this going?

The fact that Duo does not provide a more seamless process, or does not put more effort into working with SIEM vendors to make it seamless, IMO is a major drawback of the product. Any corporation with any compliance or regulatory restrictions will need to have these logs ingested into a SIEM. This should not be a manual, custom process that is prone to human error.
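The Admin API logs endpoint linked in the post is the usual starting point for a home-grown collector. The following is an added example, not Duo's, libresec's or the poster's code: it signs requests the way the Admin API guide documents (five-line canonical string, HMAC-SHA1, sent as HTTP Basic ikey:signature), walks the pages of /admin/v2/logs/authentication by following metadata.next_offset, and turns each event into a syslog line a SIEM can ingest. The sample response pages, the offline fake transport, the syslog field mapping and the comma-joined form of the next_offset cursor are assumptions made here, not anything the thread states.

```python
"""Added example (not Duo's, libresec's or the poster's code): sign Duo Admin API requests,
page through /admin/v2/logs/authentication and emit one syslog line per event. The sample
pages, the fake transport and the syslog field mapping are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
from email.utils import formatdate

AUTHLOG_PATH = "/admin/v2/logs/authentication"


def encode_params(params):
    # Sorted by key, URL-encoded with only '~' left unescaped, as the Admin API guide specifies.
    return "&".join(urllib.parse.quote(str(k), "~") + "=" + urllib.parse.quote(str(v), "~")
                    for k, v in sorted(params.items()))


def canonicalize(date, method, host, path, params):
    # Five newline-joined lines: RFC 2822 date, upper-cased method, lower-cased host, path, params.
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def sign(ikey, skey, date, method, host, path, params):
    # HMAC-SHA1 of the canonical string, hex-encoded, sent as HTTP Basic "ikey:signature".
    canon = canonicalize(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode("ascii")
    return {"Date": date, "Host": host, "Authorization": "Basic " + token}


def http_get(host, path, params, headers):
    # Live transport (network + real credentials); the query string uses the encoding the signature covers.
    req = urllib.request.Request(f"https://{host}{path}?{encode_params(params)}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_authlogs(ikey, skey, host, mintime_ms, maxtime_ms, transport=http_get, limit=1000):
    # Collect every event in [mintime_ms, maxtime_ms], following metadata.next_offset until it is empty.
    events, params = [], {"mintime": str(mintime_ms), "maxtime": str(maxtime_ms), "limit": str(limit)}
    while True:
        headers = sign(ikey, skey, formatdate(usegmt=True), "GET", host, AUTHLOG_PATH, params)
        body = transport(host, AUTHLOG_PATH, params, headers)
        if body.get("stat") != "ok":  # e.g. an invalid signature or a rate-limit response
            raise RuntimeError(f"Duo API error {body.get('code')}: {body.get('message')}")
        page = body["response"]
        events.extend(page.get("authlogs", []))
        nxt = page.get("metadata", {}).get("next_offset")
        if not nxt:
            return events
        # Assumption: the cursor goes back as "timestamp,txid", the comma-joined form shown in the v2 docs.
        params = dict(params, next_offset=",".join(nxt))


def to_syslog(ev, origin="duo-collector"):
    # RFC 5424 header followed by key="value" pairs, JSON-escaped so a SIEM kv parser can split them safely.
    result = ev.get("result", "unknown")
    pri = 14 * 8 + (6 if result == "success" else 4)  # facility 14 (log alert); info or warning
    fields = {"txid": ev.get("txid", ""), "result": result, "reason": ev.get("reason", ""),
              "factor": ev.get("factor", ""), "user": (ev.get("user") or {}).get("name", ""),
              "app": (ev.get("application") or {}).get("name", ""),
              "src_ip": (ev.get("access_device") or {}).get("ip", ""),
              "auth_ip": (ev.get("auth_device") or {}).get("ip", "")}
    kv = " ".join(f"{k}={json.dumps(str(v))}" for k, v in fields.items())
    return f"<{pri}>1 {ev.get('isotimestamp', '-')} {origin} duo-authlog - - - {kv}"


# Constructed sample in the shape of the v2 response (two pages); not real Duo data.
SAMPLE_EVENTS = [
    {"txid": "9c3f2e1a-0001", "isotimestamp": "2019-08-16T13:20:20+00:00", "result": "success",
     "reason": "user_approved", "factor": "duo_push", "user": {"name": "alice"}, "application": {"name": "VPN"},
     "access_device": {"ip": "203.0.113.10"}, "auth_device": {"ip": "198.51.100.7", "name": "iPhone"}},
    {"txid": "9c3f2e1a-0002", "isotimestamp": "2019-08-16T13:21:40+00:00", "result": "denied",
     "reason": "invalid_passcode", "factor": "sms_passcode", "user": {"name": "bob"}, "application": {"name": "VPN"},
     "access_device": {"ip": "203.0.113.11"}, "auth_device": {}},
    {"txid": "9c3f2e1a-0003", "isotimestamp": "2019-08-16T13:25:00+00:00", "result": "fraud",
     "reason": "user_marked_fraud", "factor": "duo_push", "user": {"name": "carol"}, "application": {"name": "Okta"},
     "access_device": {"ip": "203.0.113.12"}, "auth_device": {"ip": "198.51.100.9", "name": "Pixel"}},
]
SAMPLE_PAGES = [
    {"stat": "ok", "response": {"authlogs": SAMPLE_EVENTS[:2],
                                "metadata": {"next_offset": ["1565961700000", "9c3f2e1a-0002"], "total_objects": 3}}},
    {"stat": "ok", "response": {"authlogs": SAMPLE_EVENTS[2:], "metadata": {"next_offset": None, "total_objects": 3}}},
]


def fake_transport(pages=None):
    # Offline stand-in for http_get: serves pages in order and records the params of every call.
    queue, calls = list(SAMPLE_PAGES if pages is None else pages), []

    def transport(host, path, params, headers):
        calls.append(dict(params))
        return queue.pop(0)
    transport.calls = calls
    return transport


if __name__ == "__main__":
    # Live use: pass a real ikey/skey/API hostname and leave transport at its default (http_get).
    for event in fetch_authlogs("DIXXXXXXXXXXXXXXXXXX", "secret", "api-xxxx.duosecurity.com",
                                1565961600000, 1565962000000, transport=fake_transport()):
        print(to_syslog(event))
```

Two operational points for a team running this on a schedule: persist the maxtime of the last successful pull so the next run starts from it (overlapping windows are safer than gaps, and txid lets the SIEM deduplicate), and treat a non-"ok" stat as a hard failure that alerts rather than silently producing an empty file, since a rotated skey or a rate-limit response looks exactly like a quiet night otherwise.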

9 Replies

rhys_samson
Level 1

I agree, but it may be useful to try the script here. You shouldn’t need significant background other than just installing python and changing a couple of variables. This will convert the logs to syslog to send to your SIEM. Our team uses something very similar.

Thank you @rhys_samson. I will forward this on to my team and hopefully it helps them.

We have a similar need for Sumologic.
Can I run libresec/Duo-Log-Grabber on AWS? If so, do you have any document which can assist with the config?
Thanks,

Can I run this on AWS? What are the requirements?

Hello avs,

If you have specific questions about libresec’s Duo-Log-Grabber utility you may wish to direct them to libresec himself on GitHub.

You can probably run it on an Amazon Linux AWS instance (or any other Linux) with Python, then follow the install instructions.

Duo, not DUO.

DuoKristina
Cisco Employee

We are working to improve Duo’s integration with SIEMs. For example, we released a Splunk connector earlier this year.

We’ll prioritize exploring integrations with specific SIEM vendors based on customer interest, so if you haven’t already done so please contact Duo Support or your Duo Customer Success Manager to submit a feature request for a LogRhythm connector or integration.

Duo, not DUO.

gimmic
Level 1

It would be nice if there were more of a push feature. Maybe write out to AWS SQS or even s3 buckets?

janereed
Level 1

We are using a 3rd party solution for that. Take a look at skyformation. AFAIK they support any SIEM and also remove the need to parse and classify the events.

Pranav_Jariwala
Level 1

This is a very outdated solution. Do we have anything to integrate with Elasticsearch?
