Leo,
Here is a step-by-step set of instructions I’ve crafted with the assistance of our Duo Customer Solutions Engineer. It is for the Microsoft Windows environment, and is targeted towards sending logs to a Qradar SIEM, but with the necessary changes you may be able to engineer it for your environment.
- Kevin
Duo Log Sync Install – Windows
Pre-Requisites:
-
Download the current version of the Duo Log Sync app from GitHub at “GitHub - duosecurity/duo_log_sync”.
-
Download the latest version of Python for Windows (currently v3.9.5 x64) from “Download Python | Python.org”.
-
An operational Duo Authentication Proxy Server running Windows Server 2012 R2/2016/2019
Duo Admin Portal Configuration:
4. Log into the Duo Admin portal. Click on the “Applications” link in the left-side Dashboard. Click on the “Protect an Application” button:
-
In the search field, locate the “Duo Admin API” application, click the “Protect” button to create the new Admin API application:
-
Once created, make note of the Integration key, Secret Key, and API hostname. Under “Settings/Permissions”, enable the check box for the following:
Grant read information
Grant read log
Grant read resource
-
Under “Settings/Networks for API access”, restrict access to the Admin API instance to the proper external network address(es) for the corporate network and click “Save Changes” to commit:
Duo Proxy Server Configuration:
8. On the Duo Proxy server to host the Duo Log Sync instance, extract the “duo_log_sync-master.zip” contents downloaded from “GitHub - duosecurity/duo_log_sync” into a folder named “C:\Program Files\DuoLogSync”:
-
Located and execute the downloaded installer for Python x64 with the following options configured:
Install launcher for all users (recommended)
Add Python 3.9 to the system PATH
-
Click “Customize Installation” and take the defaults. Click “Next”:
-
Under “Advanced Options”, select “Install for all users”. Click “Install”
-
(Optional) Once the install is complete, click the “Disable path length limit” option or the “Close” button to finish:
-
Create the following folders in the root of “C:\”:
“C:\tmp”
“C:\admin\logs”
Configure Duo Log Sync “config.yml”:
14. Extract the contents of the downloaded “duo_log_sync-master zip” to “C:\Program Files” as a folder called “DuoLogSync”:
-
Open an Administrator command prompt. Change directory to the newly created “C:\Program Files\DuoLogSync” folder. run the command “python setup.py install”
-
Once the installation completes, locate and copy the “template_config.yml” file to “config.yml”:
-
Modify the contents of the newly created config.yml as necessary for your environment:
Define Log Filepath name
Configure Log File format
- Perform the following actions:
Enable “Checkpointing”
Change API calls offset information to “enabled: True”
Define SIEM ID name, FQDN, Port #, and Protocol sections
- Input the “Integration key”, “Secret key”, and “API hostname” as configured for the “Admin API” application under “Duo Admin Panel\Applications”:
Starting Duo Log Sync:
20. After saving the modified “config.yml” file, start the Duo Log Sync script by executing the command “duologsync "C:\Program Files\DuoLogSync\config.yml””:
- If successful, there should now be a “duologsync.log” file in the previously created “C:\admin\logs” folder:
- Opening the “duologsync.log” file should now show any events that have occurred every 120 seconds (Notepad ++ works best for this):
- Lastly, to automate the start of the script after a system reboot, save the following PowerShell code to a file named “DuoLogSyncStartup.ps1”.
Open an administrator PowerShell prompt, and execute as “.\DuoLogSyncStartup.ps1“:
##Script for Registering DuoLogSync as a Scheduled Task on Bootup
##Run this as Administrator via Powershell
##Jesse Yother – Customer Solutions Engineer - 4/7/2021
#Installation Variables. This is the only place that should need edited!
#Default Log Sync installation for Windows is:
##"
C:\Users\USERNAME\AppData\Local\Programs\Python\Python39\Scripts\duologsync.exe
$DuoLogSyncLocation = “C:\Program Files\Python39\Scripts\duologsync.exe”
$configLocation = “C:\Program Files\DuoLogSync\config.yml” #config.yml path
$description = “Task to re-enable Duo Log Sync after each reboot”
##"
#Defines the Action to initiate the Duo Log Sync executable
##"
$action = New-ScheduledTaskAction -Execute $DuoLogSyncLocation -Argument $configLocation
##"
#Adds the trigger to run the task at startup
##"
$trigger = New-ScheduledTaskTrigger -AtStartup
##"
#Defines the running user as “System” and sets to run regardless of logon at the highest privilege.
##"
$principal = New-ScheduledTaskPrincipal -UserID “NT AUTHORITY\SYSTEM” - LogonType ServiceAccount -RunLevel Highest
##"
#Registers the task variables as a new Scheduled Task in the Windows Task Scheduler and adds a description.
##"
Register-ScheduledTask -TaskName “DuoLogSync” -Action $action -Trigger $trigger -Principal $principal -Description $description
- After a successful execution, the task is now scheduled to start after a system reboot:
- This concludes the installation, configuration, and execution of the Duo Log Sync application. Special thanks to Duo Customer Solutions Engineer Jesse Yother for assistance in getting this operational.
@Amy - Happy to help out, and wouldn’t be able to present it here without our CSE’s assistance.
@wujieleo - One thing to note on the scheduled task, you may wish to modify it to the following settings utilizing a domain account with administrative permissions on your Windows Duo Auth Proxy server. After a while, we have noticed the script will crash with a Winsock error.
Also make certain under the “Actions” tab created by the PowerShell script, you encapsulate the “Program/Script” and “Add arguments (optional)” settings with double-quotes ("C:\Program Files\Python39\Scripts\duologsync.exe" and “C:\Program Files\DuoLogSync\config.yml”).
Thus far with this scheduled task configuration, if it does crash, it is restarted:
General Tab
Triggers Tab
Actions Tab
