Dear Duo Community members,
I am using duo radius proxy, and its really simple and great and very reliable,
yet I have a problem, I want to ship its logs to an external server to save the auth-logs for longer period of time and to process them through my siem. is there a built-in way to ship the logs? I skimmed all the documentation and didn’t found a way to accomplish that. furthermore, I tried with NXLOG with no success (if anyone can help with a piece of configuration it will be awesome!)
if anyone has an idea, I’ll be more than thankful, and many thanks in advance.
Hi @Nimrod ,
Yes, you can have Auth Proxy logs shipped to a SIEM via the following: https://help.duo.com/s/article/3959
The above creates a secondary log file that is suitable for SIEM consumption via Splunk Universal Forwarder or similar function. It is a JSON formatted file that logs primary and secondary authentication events that occur on the respective Auth Proxy.
I would also suggest that you consume Authentication Logs, Telephony Logs, Administrator Logs, and Trust Monitor Logs (if applicable) using our Duo Log Sync utility: https://help.duo.com/s/article/1269
Hope this helps!
Hi, Thanks for answering,
I came across these articles, yet, there is no way to send the logs, you need the SIEM to read from the machine’s log file.
I need that the duo proxy will send its logs forward, not to a file, but to UDP/TCP and to another IP address (aka collector) (for example - syslog udp/514). I couldn’t find a way to do so.
thanks in advance.
At this time, the Auth Proxy does not have a way to natively ship its logs (events captured in either authproxy.log or authevents.log) directly to a SIEM. Please submit this as a Feature Request via your Duo Account Executive, Customer Success Manager (if applicable), or our Support Team.
What type of events from the Auth Proxy are you most concerned about? I noticed you had mentioned “auth-logs” but please note that Duo’s Authentication Logs can be shipped to a SIEM via API, as mentioned earlier (Auth Proxy is not required).
When a user becomes locked out of Duo, you may choose to configure & receive an email alert. Please see https://help.duo.com/s/article/7219 for more information.
When a user becomes locked out, the event is not recorded in the Authentication Log. However, if a user tries to authenticate after they have become locked out, the
"reason": "locked_out" will be recorded in the Authentication Log. If you have these logs shipped to your SIEM, you may also choose to alert on events that show
"reason": "user_marked_fraud" since that means a user denied a Push that they themselves did not initiate (potential Push Phishing).
I'm facing a challenge with my Cisco ASA firewall setup and could use some guidance. I attempted to establish a VPN connection using the Cisco AnyConnect client, but I encountered an issue. Despite entering the correct credentials and server details you can see here https://smamepestimate.com/, the connection seems to be stuck at "Connecting..." and doesn't progress any further. I've checked the configuration on both the firewall and the client side, and everything appears to be in order. I even restarted the firewall. I'm not seeing any relevant error messages in the logs either.
Make sure NXLog is installed on the machine where the Duo Radius Proxy logs are located. Here's a basic example configuration for NXLog to collect logs from a text file and forward them to an external server using TCP
define ROOT C:\Program Files\nxlog Module xm_fileop <Input duo_radius_logs> Module im_file File "C:\\path\\to\\duo_radius_logs.log" SavePos TRUE </Input> <Output duo_to_external_server> Module om_tcp Host your_external_server_IP Port 514 # Change this to your SIEM server's port </Output> <Route duo_logs_to_siem> Path duo_radius_logs => duo_to_external_server </Route>