Versions Compared

Old Version 6

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 7

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Administrator Login rule (#1) needs to be placed before Administrator Events rule (#2), since we want events with action_ in the source data to go to auth.duo.administrator.login only. Also, both rules require the same port (in this case is 13010).

Authentication and Telephony events rules use the same basic settings as the Administrator events rule (just different port and tag). 

  • auth.duo.administrator.login (for admin_ actions)

...

  • auth.duo.administrator.events

...

  • auth.duo.authentication.events

...

  • auth.duo.telephony.events

...

Duo Log Sync settings

Rw ui steps macro
Rw step

Edit the config.yml file:

  1. Provide your Admin API obtained in the previous steps (lines 24-26).

    • Provide your Devo relay connection settings obtained in the previous steps (lines 7-21).

    • Map Duo endpoints with Devo server IDs (lines 28-36). 

Code Block
version: '1.0.0'

dls_settings:
  checkpointing:
    enabled: True

servers:
    - id: 'devo-duo-administrator'
      hostname: '192.168.0.99'
      port: 13010
      protocol: 'TCP'

    - id: 'devo-duo-authentication'
      hostname: '192.168.0.99'
      port: 13011
      protocol: 'TCP'

    - id: 'devo-duo-telephony'
      hostname: '192.168.0.99'
      port: 13012
      protocol: 'TCP'

account: 
  ikey: 'NQ0XXXABC69XXXXYZI0F'
  skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT'
  hostname: 'api-1a2b3c4d.duosecurity.com'

  endpoint_server_mappings:
    - endpoints: ['adminaction']
      server: 'devo-duo-administrator'

    - endpoints: ['auth']
      server: 'devo-duo-authentication' 
   
    - endpoints: ['telephony']
      server: 'devo-duo-telephony' 

  is_msp: False
Rw step

Execute this command:

Code Block
duologsync config.yml
Rw step

Check that duologsync.log was generated without errors.

Code Block
2021-04-05 16:59:48 INFO Starting DuoLogSync
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13010
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13011
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13012
2021-04-05 16:59:48 INFO duo_client Admin initialized for ikey: DQ0XXXABC69XXXXYZIF0, host: api-3af829fb.duosecurity.com
2021-04-05 16:59:48 ERROR Could not read checkpoint file for adminaction logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 ERROR Could not read checkpoint file for auth logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 ERROR Could not read checkpoint file for telephony logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 INFO adminaction producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO adminaction consumer: waiting for logs
2021-04-05 16:59:48 INFO auth producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO auth consumer: waiting for logs
2021-04-05 16:59:48 INFO telephony producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO telephony consumer: waiting for log
Note

The Could not read checkpoint file errors are expected the first time you run duologsync because checkpointing was enabled in the config.yml file (line 5). It is recommended to enable this value to avoid sending the same events to Devo every time duologsync is restarted. 

In subsequent reboots, you’ll have these checkpoint files: adminaction_checkpoint_data.txt, auth_checkpoint_data.txt, and telephony_checkpoint_data.txt with the latest epoch values in seconds. Therefore, those errors should not occur again.

...

After 2 mins, duologsync will fetch and send logs to Devo (that’s the minimum timeout that Duo allows between API calls). Then, go to Devo and see if you have Duo events in all auth.duo.* tables. Learn more about these tables in auth.duo.