08-21-2022 02:49 AM
Dear Duo Community members,
I am using the Duo RADIUS proxy, and it's really simple, great and very reliable,
yet I have a problem: I want to ship its logs to an external server to keep the auth logs for a longer period of time and to process them through my SIEM. Is there a built-in way to ship the logs? I skimmed all the documentation and didn't find a way to accomplish that. Furthermore, I tried with NXLog with no success (if anyone can help with a piece of configuration it will be awesome!).
If anyone has an idea, I'll be more than thankful, and many thanks in advance.
08-24-2022 07:37 AM
Hi @Nimrod ,
Yes, you can have Auth Proxy logs shipped to a SIEM via the following: https://help.duo.com/s/article/3959
The above creates a secondary log file that is suitable for SIEM consumption via Splunk Universal Forwarder or similar function. It is a JSON formatted file that logs primary and secondary authentication events that occur on the respective Auth Proxy.
I would also suggest that you consume Authentication Logs, Telephony Logs, Administrator Logs, and Trust Monitor Logs (if applicable) using our Duo Log Sync utility: https://help.duo.com/s/article/1269
Hope this helps!
08-28-2022 02:01 AM
Hi, thanks for answering,
I came across these articles, yet there is no way to send the logs; you need the SIEM to read from the machine's log file.
I need the Duo proxy to send its logs forward, not to a file but over UDP/TCP to another IP address (aka a collector), for example syslog UDP/514. I couldn't find a way to do so.
Thanks in advance.
08-28-2022 04:12 PM
At this time, the Auth Proxy does not have a way to natively ship its logs (events captured in either authproxy.log or authevents.log) directly to a SIEM. Please submit this as a Feature Request via your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.
What type of events from the Auth Proxy are you most concerned about? I noticed you had mentioned “auth-logs” but please note that Duo’s Authentication Logs can be shipped to a SIEM via API, as mentioned earlier (Auth Proxy is not required).
08-31-2022 10:49 PM
Hi, Thanks for the answer,
I would like to catch the “User locked” events and alert the users.
09-01-2022 08:14 AM
When a user becomes locked out of Duo, you may choose to configure & receive an email alert. Please see https://help.duo.com/s/article/7219 for more information.
When a user becomes locked out, the event is not recorded in the Authentication Log. However, if a user tries to authenticate after they have become locked out, "reason": "locked_out" will be recorded in the Authentication Log.
If you have these logs shipped to your SIEM, you may also choose to alert on events that show "reason": "user_marked_fraud", since that means a user denied a Push that they themselves did not initiate (potential Push Phishing).
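The detection the reply above describes, as an added example that is not part of the thread and not Duo's own code or log output: it scans JSON-per-line authentication events for "reason": "locked_out" and "reason": "user_marked_fraud", counts them per user, and renders each hit as an RFC 5424 syslog line that can be shipped to a collector on UDP/514. The sample log lines are constructed, and the field names (timestamp, user, result, reason), the hostname "duoproxy01" and the app name "duo-authproxy" are assumptions for the example rather than a verified copy of the Auth Proxy's authevents.log schema.

```python
"""Scan Duo-style JSON authentication events for lockout / fraud reports and
emit syslog alerts (added example, not Duo's own code or output)."""
import json
import socket
from collections import defaultdict

# Constructed sample: one JSON object per line, as a SIEM-friendly log would be.
# The field names (timestamp, user, result, reason) are an ASSUMPTION for this
# example and are not a verified copy of the Auth Proxy's authevents.log schema.
SAMPLE_LOG = """\
{"timestamp": "2022-09-01T08:00:01Z", "user": "alice", "result": "success", "reason": "user_approved"}
{"timestamp": "2022-09-01T08:02:10Z", "user": "bob", "result": "denied", "reason": "locked_out"}
{"timestamp": "2022-09-01T08:02:40Z", "user": "bob", "result": "denied", "reason": "locked_out"}
this line is not JSON and must be skipped, not crash the scanner
{"timestamp": "2022-09-01T08:05:12Z", "user": "carol", "result": "denied", "reason": "user_marked_fraud"}
{"timestamp": "2022-09-01T08:06:00Z", "user": "dave", "result": "denied", "reason": "no_response"}
"""

# The two reasons the thread recommends alerting on, with a human-readable note.
ALERT_REASONS = {
    "locked_out": "authentication attempt by a locked-out user",
    "user_marked_fraud": "user reported an unsolicited push as fraud (possible push phishing)",
}

# RFC 5424 PRI = facility * 8 + severity; facility 4 = auth (security).
FACILITY_AUTH = 4
SEVERITY = {"locked_out": 4, "user_marked_fraud": 2}  # 4 = warning, 2 = critical


def parse_events(text):
    """Parse JSON-per-line log text, silently skipping lines that are not JSON objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def find_alerts(events):
    """Return one alert dict per event whose reason is in ALERT_REASONS."""
    alerts = []
    for ev in events:
        reason = ev.get("reason")
        if reason in ALERT_REASONS:
            alerts.append({
                "timestamp": ev.get("timestamp", "-"),
                "user": ev.get("user", "unknown"),
                "reason": reason,
                "message": ALERT_REASONS[reason],
            })
    return alerts


def summarize_by_user(alerts):
    """Count alerts per user and reason, e.g. to spot repeated lockout attempts."""
    counts = defaultdict(lambda: defaultdict(int))
    for a in alerts:
        counts[a["user"]][a["reason"]] += 1
    return {user: dict(reasons) for user, reasons in counts.items()}


def format_syslog(alert, hostname="duoproxy01", app="duo-authproxy"):
    """Render an alert as an RFC 5424 syslog line (hostname/app are placeholders)."""
    pri = FACILITY_AUTH * 8 + SEVERITY[alert["reason"]]
    msg = json.dumps({"user": alert["user"], "reason": alert["reason"], "message": alert["message"]})
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {alert['timestamp']} {hostname} {app} - {alert['reason'].upper()} - {msg}"


def send_syslog_udp(lines, collector_host, collector_port=514):
    """Ship formatted lines to a syslog collector over UDP (no delivery guarantee)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (collector_host, collector_port))


if __name__ == "__main__":
    alerts = find_alerts(parse_events(SAMPLE_LOG))
    for line in (format_syslog(a) for a in alerts):
        print(line)  # swap for send_syslog_udp([...], "collector.example") to ship them
    print(summarize_by_user(alerts))
```

Point the script at the JSON log the Auth Proxy writes instead of SAMPLE_LOG and call send_syslog_udp with your collector's address to get the UDP/514 delivery asked for in the thread; the non-JSON line in the sample shows that a stray line in the file is skipped rather than stopping the scan.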
08-16-2023 09:47 AM
Please check if this helps:
https://unicornsec.com/home/ingesting-duo-logs-into-a-siem-part-1
08-18-2023 07:50 AM
@RyanBrooks You should probably make your question a new post in the relevant community (unclear if your question is related to Duo or just an ASA question) instead of adding it as a reply to an unrelated question.
11-16-2023 07:31 AM
Make sure NXLog is installed on the machine where the Duo RADIUS Proxy logs are located. Here's a basic example configuration for NXLog to collect logs from a text file and forward them to an external server using TCP.
define ROOT C:\Program Files\nxlog

# Extension modules must be declared inside an <Extension> block
<Extension fileop>
    Module xm_fileop
</Extension>

<Input duo_radius_logs>
    Module im_file
    # Path to the Auth Proxy log file you want to ship
    File "C:\\path\\to\\duo_radius_logs.log"
    # Remember the read position across restarts so lines are not re-sent
    SavePos TRUE
</Input>

<Output duo_to_external_server>
    Module om_tcp
    Host your_external_server_IP
    # Change this to your SIEM server's port
    Port 514
</Output>

<Route duo_logs_to_siem>
    Path duo_radius_logs => duo_to_external_server
</Route>
08-21-2024 08:54 PM - edited 08-24-2024 05:53 AM
I was facing a similar issue while managing logging for my store. After digging into the problem, I realized that ensuring NXLog is properly installed on the machine where the Duo Radius Proxy logs are located is crucial. Once NXLog is set up correctly, you can configure it to forward logs to an external server. This approach, especially for businesses selling products like a dip belt with chain, allows you to maintain a long-term record of authentication events, which can be invaluable for processing through your SIEM. It took some trial and error, but after configuring NXLog to work seamlessly with the Duo Proxy, I was able to achieve the desired log forwarding and maintain better oversight of my store's security logs.