
auth.duo

Introduction

The tags beginning with auth.duo identify events generated by Duo Security.

Tag structure

The full tag must have at least 3 levels. The first two are fixed as auth.duo. The third level identifies the type of events sent, and the fourth level, when present, indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Duo platform | auth.duo.administrator | auth.duo.administrator |
| | auth.duo.administrator.events | auth.duo.administrator.events |
| | auth.duo.administrator.login | auth.duo.administrator.login |
| | auth.duo.authentication.events | auth.duo.authentication.events |
| | auth.duo.authenticationProxy.events | auth.duo.authenticationProxy.events |
| | auth.duo.telephony.events | auth.duo.telephony.events |

How is the data sent to Devo?

To send logs to these tables, you can use either Duo Log Sync or our Devo Duo collector to send the required events to your Devo domain. Learn more about this in this article.

Note that sending events to auth.duo.authenticationProxy.events is not supported by either of the methods mentioned above. To send events to this tag, you must enable logging by setting the parameter log_auth_events to True in the authproxy.cfg file. Check the Duo Authentication Proxy documentation for more information.

Once you have your local log file created (authevents.log), you can monitor it and forward the events using the normal methods, as described in Monitoring files using rsyslog.
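A preflight check for the steps above, as an added example that is not part of the original page or of Devo's or Duo's tooling: it validates a tag against the structure rules and tag list on this page and confirms that log_auth_events is enabled before you set up file monitoring. The function names are hypothetical, the sample configuration is constructed, and the code assumes log_auth_events sits in the [main] section of authproxy.cfg.

```python
import configparser

# Tags copied from the table on this page.
VALID_TAGS = {
    "auth.duo.administrator",
    "auth.duo.administrator.events",
    "auth.duo.administrator.login",
    "auth.duo.authentication.events",
    "auth.duo.authenticationProxy.events",
    "auth.duo.telephony.events",
}
PROXY_TAG = "auth.duo.authenticationProxy.events"

def validate_tag(tag):
    """Return a list of problems with a tag; an empty list means it is valid."""
    problems = []
    levels = tag.split(".")
    if len(levels) < 3:
        problems.append("tag must have at least 3 levels")
    if levels[:2] != ["auth", "duo"]:
        problems.append("first two levels must be auth.duo")
    if not problems and tag not in VALID_TAGS:
        problems.append("tag is not in the auth.duo tag list")
    return problems

def auth_event_logging_enabled(cfg_text, section="main"):
    """True only if log_auth_events parses as a true value in authproxy.cfg.
    Assumption: the parameter lives in the [main] section."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True)
    try:
        parser.read_string(cfg_text)
        return parser.getboolean(section, "log_auth_events", fallback=False)
    except (configparser.Error, ValueError, AttributeError):
        return False  # unparsable file, bad value, or key with no value

def preflight(cfg_text, tag):
    """Collect everything that would stop events reaching the given tag."""
    problems = validate_tag(tag)
    if tag == PROXY_TAG and not auth_event_logging_enabled(cfg_text):
        problems.append("log_auth_events is not True; authevents.log is not written")
    return problems

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CFG = "; constructed sample\n[main]\nlog_auth_events=True\n"

if __name__ == "__main__":
    print(preflight(SAMPLE_CFG, PROXY_TAG))
    print(preflight("[main]\n", PROXY_TAG))
```

An empty list from preflight means the tag is valid and, for the authentication proxy tag, that the proxy is configured to write authevents.log.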

Table structure