Versions Compared

Old Version 10

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

compared with

New Version 11

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
maxLevel2
minLevel2
typeflat

...

Overview

Duo Security is a powerful access security platform. There are two ways of sending Duo logs to Devo automatically:

  • Duo collector - Collector deployed by Devo. If you want to use this option to deploy the collector, contact us.

  • Duo Log Sync - Python library developed by Duo Security. To start sending Duo logs to Devo using this library, follow the steps below.

...

Getting the required credentials

Access the Duo Admin Panel and follow these steps:

Rw ui steps macro
Rw step

 Create an Admin API application in the Duo Admin Panel.

Image Removed
Rw step

Add the required permissions for the collector.

Image Removed
Rw step

Get your integration key, secret key, and API hostname.

Image Removed
Rw step

Once you have these three values, go to the following section if you're using Duo Log Sync utility, or contact us if you want us to set up the Duo collector to send your logs.

...

Devo relay rules

Set up 4 custom relay rules for these tables:

Note

Administrator Login rule (#1) needs to be placed before Administrator Events rule (#2), since we want events with action_ in the source data to go to auth.duo.administrator.login only. Also, both rules require the same port (in this case is 13010).

Authentication and Telephony events rules use the same basic settings as the Administrator events rule (just different port and tag). 

  • auth.duo.administrator.login (for admin_ actions)

...

  • auth.duo.administrator.events

...

  • auth.duo.authentication.events

...

  • auth.duo.telephony.events

...

Duo Log Sync settings

Rw ui steps macro
Rw step

Edit the config.yml file:

  1. Provide your Admin API obtained in the previous steps (lines 24-26).

    • Provide your Devo relay connection settings obtained in the previous steps (lines 7-21).

    • Map Duo endpoints with Devo server IDs (lines 28-36). 

Code Block
version: '1.0.0'

dls_settings:
  checkpointing:
    enabled: True

servers:
    - id: 'devo-duo-administrator'
      hostname: '192.168.0.99'
      port: 13010
      protocol: 'TCP'

    - id: 'devo-duo-authentication'
      hostname: '192.168.0.99'
      port: 13011
      protocol: 'TCP'

    - id: 'devo-duo-telephony'
      hostname: '192.168.0.99'
      port: 13012
      protocol: 'TCP'

account: 
  ikey: 'NQ0XXXABC69XXXXYZI0F'
  skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT'
  hostname: 'api-1a2b3c4d.duosecurity.com'

  endpoint_server_mappings:
    - endpoints: ['adminaction']
      server: 'devo-duo-administrator'

    - endpoints: ['auth']
      server: 'devo-duo-authentication' 
   
    - endpoints: ['telephony']
      server: 'devo-duo-telephony' 

  is_msp: False
Rw step

Execute this command:

Code Block
duologsync config.yml
Rw step

Check that duologsync.log was generated without errors.

Code Block
2021-04-05 16:59:48 INFO Starting DuoLogSync
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13010
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13011
2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13012
2021-04-05 16:59:48 INFO duo_client Admin initialized for ikey: DQ0XXXABC69XXXXYZIF0, host: api-3af829fb.duosecurity.com
2021-04-05 16:59:48 ERROR Could not read checkpoint file for adminaction logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 ERROR Could not read checkpoint file for auth logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 ERROR Could not read checkpoint file for telephony logs, consuming logs from {log_offset} timestamp
2021-04-05 16:59:48 INFO adminaction producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO adminaction consumer: waiting for logs
2021-04-05 16:59:48 INFO auth producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO auth consumer: waiting for logs
2021-04-05 16:59:48 INFO telephony producer: fetching next logs after 120 seconds
2021-04-05 16:59:48 INFO telephony consumer: waiting for log
Note

The Could not read checkpoint file errors are expected the first time you run duologsync because checkpointing was enabled in the config.yml file (line 5). It is recommended to enable this value to avoid sending the same events to Devo every time duologsync is restarted. 

In subsequent reboots, you’ll have these checkpoint files: adminaction_checkpoint_data.txt, auth_checkpoint_data.txt, and telephony_checkpoint_data.txt with the latest epoch values in seconds. Therefore, those errors should not occur again.

Validation

After 2 mins, duologsync will fetch and send logs to Devo (that’s the minimum timeout that Duo allows between API calls). Then, go to Devo and see if you have Duo events in all auth.duo.* tables. Learn more about these tables in auth.duocloud-based access security provider that offers multi-factor authentication (MFA), endpoint security, and remote access solutions to protect users and their devices against unauthorized access and cyber threats. It is designed to ensure that only authorized users and secure devices can access applications and data, regardless of where the applications or users are located.

Duo collector migration guide

This guide will walk you through the process of updating your configuration from versions <2.0.0 to version 2.0.0. This version introduces significant improvements and changes to the configuration style to enhance performance, usability, and security.

Version 2.0.0 is incompatible with previous versions. The new version needs some adjustments to the configuration file to ensure a smooth migration process. The following sections will guide you through the necessary steps to update your configuration.

Preparing for migration

Before starting the migration process, we recommend the following steps:

  1. Backup your current configuration: Make sure you have a backup of your existing configuration files to prevent any data loss.

  2. Review the new configuration documentation: Familiarize yourself with the new configuration options available in version 2.0.0.

Migration steps

Step 1: Update credentials

An example of the old and new configuration is shown below:

Code Block
# Old version (<2.0.0)
account:
  ikey: 'NQ0XXXABC69XXXXYZI0F'
  skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT'
  hostname: 'api-1a2b3c4d.duosecurity.com'
Code Block
# New version (2.0.0)
credentials:
  integration_key: NQ0XXXABC69XXXXYZI0F
  secret_key: Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT
  hostname: api-1a2b3c4d.duosecurity.com

Step 2: Update start date

An example of the new configuration is shown below:

Code Block
services:
  administrator:
    start_datetime_utc: "<start_datetime_utc_value>"
  authentication:
    start_datetime_utc: "<start_datetime_utc_value>"
  telephony:
    start_datetime_utc: "<start_datetime_utc_value>"

The <start_datetime_utc_value> has the format "YYYY-MM-DDTHH:MM:SS.000Z". For example, a valid start_datetime_utc_value would be "2024-07-01T00:00:00.000Z".

Devo collector features

Feature

Details

Allow parallel downloading (multipod)

no

Running environments

  • collector server

  • on premise

Populated Devo events

table

Flattening pre-processing

no

Allowed source events obfuscation

no

Data source description

This collector extracts data from 3 log services available from Duo:

  • Administrator: Returns a list of administrator log events.

  • Authentication: Returns a paged list of authentication log events.

  • Telephony: Returns a list of telephony log events.

Data source

Description

API endpoint

Collector service name

Devo table

Available from release

Administrator

Returns a list of administrator log events.

/admin/v1/logs/administrator

administrator

auth.duo.administrator.login
auth.duo.administrator.events

v0.9

Authentication

Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two-minute delay in the availability of new authentications in the API response. Duo operates a large-scale distributed system, and this two-minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

/admin/v2/logs/authentication

authentication

auth.duo.authentication.events

v0.9

Telephony

Returns a list of telephony log events.

/admin/v1/logs/telephony

telephony

auth.duo.telephony.events

v0.9

API limits

  • Administrator:

    • Only the 1000 earliest events (maximum) will be returned with each page; the collector will be called multiple times to page through the entire log.

    • The recommended limit suggests requesting logs no more than once per minute.

  • Authentication:

    • Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

    • The recommended limit suggests requesting logs no more than once per minute.

  • Telephony:

    • Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new telephony events in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.

    • The recommended limit suggests requesting logs no more than once per minute.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required for basic data pulling are below.

Note

This minimum configuration refers exclusively to those specific parameters of this integration. Additional parameters related to the generic behavior of the collector are required. Check the setting sections for details.

Setting

Details

integration_key_value

The integration key is required to authenticate the requests. The integration key acts as the HTTP username

secret_key_value

The secret key is required to authenticate the requests. The secret key acts as the HTTP password

hostname_value

The hostname is required to authenticate the requests. This is the URL for the different requests

Accepted authentication methods

Authentication method

Details

user/pass

You will need your integration_key_value and secret_key_value to connect to the hostname_value.

Vendor setup

You need the owner role to perform these steps. Learn more here.

Rw ui steps macro
Rw step

Sign up for a Duo account. If you use a 30-day free Duo Advantage trial, this includes Admin API access.

Rw step

Log in to the Duo Admin Panel and navigate to Applications.

image-20240723-102041.pngImage Added
Rw step

Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect on the far right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information on protecting applications in Duo and additional application options.

image-20240723-102053.pngImage Added
Rw step

Determine the permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations. For these logs, you will need Grant read log API permissions.

image-20240723-102114.pngImage Added
Rw step

Optionally, specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.

The Admin API performs the IP check after verifying the authentication signature in a request. If you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized IP addresses, this may indicate a compromise of your Admin API application's secret key.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Connectivity requirements

This application communicates with Duo's service on SSL TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337. Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.