Duo collector
Description
Duo is a powerful access security platform. There are two ways of sending Duo logs to Devo automatically:
Duo collector - Collector deployed by Devo. If you want to use this option to deploy the collector, contact us.
Duo Log Sync - Python library developed by Duo Security. To start sending Duo logs to Devo using this library, follow the steps below.
Getting the required credentials
Access the Duo Admin Panel and follow these steps:
Devo relay rules
Set up 4 custom relay rules for these tables:
The Administrator Login rule (#1) must be placed before the Administrator Events rule (#2), since relay rules are evaluated in order and we want only the events with action_ in the source data to go to auth.duo.administrator.login. Both rules listen on the same port (in this case, 13010).
Authentication and Telephony events rules use the same basic settings as the Administrator events rule (just different port and tag).
auth.duo.administrator.login (for admin_ actions)
auth.duo.administrator.events
auth.duo.authentication.events
auth.duo.telephony.events
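The ordering requirement above (first matching rule wins on the shared port) can be checked with a small first-match router. This is an added illustration, not Devo or Duo code: the ports 13011/13012, the "admin_" match string and the sample events are constructed assumptions.

```python
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RelayRule:
    """One relay rule: match on the listening port, optionally on a substring
    of the source data, and apply the target tag on the first match."""
    port: int
    target_tag: str
    source_contains: Optional[str] = None  # None = any data on this port

    def matches(self, port: int, data: str) -> bool:
        if port != self.port:
            return False
        return self.source_contains is None or self.source_contains in data

# Rule order as the page requires: the login rule (#1) sits before the generic
# administrator-events rule (#2) on the shared port 13010. Ports 13011/13012
# and the "admin_" match string are assumed values for this example.
DUO_RELAY_RULES = [
    RelayRule(13010, "auth.duo.administrator.login", source_contains="admin_"),
    RelayRule(13010, "auth.duo.administrator.events"),
    RelayRule(13011, "auth.duo.authentication.events"),
    RelayRule(13012, "auth.duo.telephony.events"),
]

def route(rules, port, data):
    """Return the tag of the first rule that matches, or None if none does."""
    for rule in rules:
        if rule.matches(port, data):
            return rule.target_tag
    return None

# Constructed sample records shaped like Duo admin, auth and telephony logs.
SAMPLE_EVENTS = [
    (13010, json.dumps({"action": "admin_login", "username": "alice"})),
    (13010, json.dumps({"action": "user_create", "username": "alice"})),
    (13011, json.dumps({"result": "success", "factor": "duo_push"})),
    (13012, json.dumps({"type": "sms", "credits": 1})),
]

def route_all(rules=DUO_RELAY_RULES, events=SAMPLE_EVENTS):
    return [route(rules, port, data) for port, data in events]

if __name__ == "__main__":
    for tag, (port, data) in zip(route_all(), SAMPLE_EVENTS):
        print(f"port {port}: {data} -> {tag}")
    # With rules #1 and #2 swapped, admin logins land in the generic table.
    swapped = [DUO_RELAY_RULES[1], DUO_RELAY_RULES[0]] + DUO_RELAY_RULES[2:]
    print("swapped order routes the admin login to:", route_all(swapped)[0])
```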
Duo Log Sync settings
Validation
After 2 minutes, duologsync fetches the logs and sends them to Devo (2 minutes is the minimum timeout Duo allows between API calls). Then go to Devo and check that Duo events appear in all auth.duo.* tables. Learn more about these tables in auth.duo.