...
This guide will walk you through the process of updating your configuration from versions <2.0.0 to version versions 2.0x.0x. This version introduces significant improvements and changes to the configuration style to enhance performance, usability, and security.
Version Versions 2.0x.0 is x are incompatible with previous versions . The new version needs (1.x.x). New versions need some adjustments to the configuration file to ensure a smooth migration process. The following sections will guide you through the necessary steps to update your configuration.
...
Backup your current configuration: Make sure you have a backup of your existing configuration files to prevent any data loss.
Review the new configuration documentation: Familiarize yourself with the new configuration options available in version 2.0x.0x.
Migration steps
Step 1: Update credentials
...
Code Block |
---|
# Old version (<21.0x.0x) account: ikey: 'NQ0XXXABC69XXXXYZI0F' skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT' hostname: 'api-1a2b3c4d.duosecurity.com' |
Code Block |
---|
# New version (2.0x.0x) credentials: integration_key: NQ0XXXABC69XXXXYZI0F secret_key: Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT hostname: api-1a2b3c4d.duosecurity.com |
...
The <start_datetime_utc_value>
has the format "YYYY-MM-DDTHH:MM:SS.000Z"
. For example, a valid start_datetime_utc_value
would be "2024-07-01T00:00:00.000Z"
.
...
Rw ui steps macro | |||||
---|---|---|---|---|---|
Sign up for a Duo account. If you use a 30-day free Duo Advantage trial, this includes Admin API access.
Log in to the Duo Admin Panel and navigate to Applications.
Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect on the far right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more information on protecting applications in Duo and additional application options.
Determine the permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations. For these logs, you will need Grant read log API permissions.
Optionally, specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network. The Admin API performs the IP check after verifying the authentication signature in a request. If you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized unrecognised IP addresses, this may indicate a compromise of your Admin API application's secret key. |
...
The security of your Duo application is tied to the security of your secret key (skey
). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!.
Connectivity requirements
...
Rw ui tabs macro | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below: | ||||||||||||
Parameter | Data type | Type | Value range / Format | Details | ||||||||
|
|
| true / false | If the value is | ||||||||
|
|
| Use this parameter to identify the Devo Cloud where the events will be sent. | |||||||||
|
|
| minimum length: 4 maximum length: 20 | Use this parameter to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||||||||
|
|
| minimum length: 4 maximum length: 20 | Use this parameter to identify the file.cert downloaded from your Devo domain. | ||||||||
|
|
| minimum length: 4 maximum length: 20 | Use this parameter to identify the file.key downloaded from your Devo domain. | ||||||||
|
|
| UTC datetime string having datetime string format | This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data (one month back for example) before downloading new events.
| ||||||||
|
|
| The objects in the array look like this:
| Each object represents the necessary configuration to obfuscate messages before these are sent to Devo.
| ||||||||
|
|
| minimum length: 3 | An optional lookup name to use for the IOCs lookup service. By default the collector uses
| ||||||||
Collector Docker image | SHA-256 hash | |||||||||||
|
Code Block |
---|
gunzip -c <image_file>-<version>.tgz | docker load |
Note |
---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Code Block |
---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
Note |
---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/
directory.
Code Block |
---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/
directory:
Code Block |
---|
IMAGE_VERSION=<version> docker-compose up -d |
Note |
---|
Replace |
Rw tab | ||
---|---|---|
|
|
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create
Table
events, but mandatory for those that createLookups
.In the Parameters section, establish the Collector Parameters as follows below:
Editing the JSON configuration
Code Block |
---|
{
"global_overrides": {
"debug": false
},
"inputs": {
"duo": {
"id": "<short_unique_id>",
"enabled": true,
"credentials": {
"integration_key": "<integration_key_value>",
"secret_key": "<secret_key_value>",
"hostname": "<hostname_value>"
},
"services": {
"administrator": {
"start_datetime_utc": "<start_datetime_utc_value>",
"override_base_tag": "<override_base_tag_value>"
},
"authentication": {
"start_datetime_utc": "<start_datetime_utc_value>",
"override_tag": "<override_tag_value>"
},
"telephony": {
"start_datetime_utc": "<start_datetime_utc_value>",
"override_tag": "<override_tag_value>"
}
}
}
}
} |
Info |
---|
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Please replace the placeholders with real world values following the description table below:
Parameter | Data type | Requirement | Value range / Format | Description |
|
| Mandatory | Min length: 1 | Short, unique ID for input service, used in persistence addressing. Avoid duplicates to prevent collisions. |
|
| Mandatory | Min length: 1 | Client ID for Duo authentication. |
|
| Mandatory | Min length: 1 | Client secret for Duo authentication. |
|
| Mandatory | Min length: 1 | Host for Duo requests. This is different for each customer. |
|
| Optional |
| If present, the family of administrator logs will have a |
|
| Optional |
| If present, the authentication and telephony logs will have a |
|
| Optional |
| If present, it will be the start date and time for pulling events. If not, the current date and time will be used. Example: |
Rw tab | ||
---|---|---|
|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
Code Block |
---|
<any_directory>
└── devo-collectors/
└── <product_name>/
├── certs/
│ ├── chain.crt
│ ├── <your_domain>.key
│ └── <your_domain>.crt
├── state/
└── config/
└── config.yaml |
Note |
---|
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/
. Learn more about security credentials in Devo here.
Note |
---|
Replace |
Editing the config.yaml file
Code Block |
---|
globals:
debug: false
id: not used
name: duo
persistence:
type: filesystem
config:
directory_name: state
outputs:
devo_1:
type: devo_platform
config:
address: <devo_address>
port: 443
type: SSL
chain: <chain_filename>
cert: <cert_filename>
key: <key_filename>
inputs:
duo:
id: <short_unique_id>
enabled: true
credentials:
integration_key: <integration_key_value>
secret_key: <secret_key_value>
hostname: <hostname_value>
services:
administrator:
start_datetime_utc: <start_datetime_utc_value>
override_base_tag: <override_base_tag_value>
authentication:
start_datetime_utc: <start_datetime_utc_value>
override_tag: <override_base_tag_value>
telephony:
start_datetime_utc: <start_datetime_utc_value>
override_tag: <override_base_tag_value> |
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Requirement | Value range / Format | Description |
|
| Mandatory | Min length: 1 | Short, unique ID for input service, used in persistence addressing. Avoid duplicates to prevent collisions. |
|
| Mandatory | Min length: 1 | Client ID for Duo authentication. |
|
| Mandatory | Min length: 1 | Client secret for Duo authentication. |
|
| Mandatory | Min length: 1 | Host for Duo requests. This is different for each customer. |
|
| Optional |
| If present, the family of administrator logs will have a |
|
| Optional |
| If present, the authentication and telephony logs will have a |
|
| Optional |
| If present, it will be the start date and time for pulling events. If not, the current date and time will be used. Example: |
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
---|---|
|
Use the following command to add the Docker image to the system:
Code Block |
---|
gunzip -c <image_file>-<version>.tgz | docker load |
Note |
---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
Code Block |
---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
Note |
---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/
directory.
Code Block |
---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/
directory:
Code Block |
---|
IMAGE_VERSION=<version> docker-compose up -d |
Note |
---|
Replace |
Collector services detail
This section is intended to explain how to proceed with specific actions for services.
For all the services
Devo categorization and destination
Please check the section Data Source Description to learn about the target tables for each service.
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
Edit the configuration file.
Change the value of the
start_datetime_utc_value
to a different one.Save the changes.
Restart the collector.
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Configuration errors
Error type | Error ID | Error message | Cause | Solution |
---|---|---|---|---|
InitVariablesError | 0 | Invalid content detected in the metadata config | The internal config did not pass the format validation. Contact Devo Support. | Check the documentation and update the configuration accordingly |
InitVariablesError | 1 | Invalid content detected in the user config | The user config did not pass the format validation | Check the documentation and update the configuration accordingly |
InitVariablesError | 3 | Invalid content detected in the requests_limits config | The user config did not pass the format validation. | Check error traces for details and visit our documentation. |
DuoSetupException | 103 | Missing required credentials | Missing or empty credentials in the configuration | Include the proper credentials in the configuration |
DuoException | 100 | Service not supported | An unexpected service definition was found | Configure the available services: |
DuoException | 101 | Tag not found for | An override tag value is found and it is empty or not valid | Configure the proper base_tag override for the |
DuoException | 102 | Base tag not found for | An override base_tag value is found and it is empty or not valid | Configure the proper base_tag override for the |
Collector operations
Verify collector operations
This is for the standalone mode only. You can check the information in the following sections to verify the correct collector operation.
Initialization
The initialization module validates the given configuration and runs the setup, the input (pulling logic), and output (delivering logic) services. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-<name>\config\config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False |
Event delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all the events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:23:00.788 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842 INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)", |
Sender services
The Integrations Factory Collector SDK has 3 different sender services depending on the event type to deliver (internal, standard, and lookup). This collector uses the following Sender Services:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders. |
Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds) | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
By default, these traces will be shown every 10 minutes. |
Sender statistics
Each service displays its performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. |
Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
|
Check memory usage
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
Code Block |
---|
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB) |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||
---|---|---|---|---|---|---|---|---|---|---|
|
| Bug fixing
|
| |||||||
|
|
| Improvements
|
|