
auth.duo

Introduction

The tags beginning with auth.duo identify events generated by Duo Security.

Tag structure

The full tag must have 4 levels. The first two are fixed as auth.duo. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology: auth

Brand: duo

Type:

  • administrator

  • authentication

  • telephony

  • authentication-proxy

Subtype:

  • login

  • events

Therefore, the valid tags and tables include:

  • auth.duo.administrator.login

  • auth.duo.administrator.events

  • auth.duo.authentication.events

  • auth.duo.telephony.events

  • auth.duo.authentication-proxy.events

How is the data sent to Devo?

To send logs to these tables, you can use either Duo Log Sync or our Devo Duo collector to send the required events to your Devo domain. Learn more about this in Duo collector.

Note that sending events to auth.duo.authentication-proxy.events is not supported by either of the methods mentioned above. To send events to this tag, you must enable logging by setting the parameter log_auth_events to True in the authproxy.cfg file. Check the Duo Authentication Proxy documentation for more information.

Once you have your local log file created (authevents.log), you can monitor it and forward the events using the normal methods, as described in Monitoring files using rsyslog.
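A pre-flight check for the steps above, as an added example that is not taken from the Devo or Duo documentation: it confirms that log_auth_events is enabled in the [main] section of authproxy.cfg and prints an rsyslog imfile input carrying the auth.duo.authentication-proxy.events tag. The log path, the facility and severity values, the function names, and the use of the imfile Tag parameter to carry the Devo tag are assumptions; the forwarding rule itself is the one described in Monitoring files using rsyslog.

```shell
#!/bin/sh
# Added example: check authproxy.cfg, then render the rsyslog file monitor.
DUO_TAG="auth.duo.authentication-proxy.events"   # tag named on this page

# Print the last log_auth_events value found in [main] of an authproxy.cfg.
main_log_auth_events() {
    awk '
        /^[ \t]*[#;]/ { next }                   # skip comment lines
        /^[ \t]*\[/   { s = $0; gsub(/[ \t\r]/, "", s); section = tolower(s); next }
        section == "[main]" {
            n = index($0, "="); if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (tolower(key) == "log_auth_events") found = tolower(val)
        }
        END { print found }
    ' "$1"
}

# Succeed only when [main] sets log_auth_events to true
# (compared case-insensitively here, an assumption of this example).
auth_events_enabled() {
    [ "$(main_log_auth_events "$1")" = "true" ]
}

# Emit an rsyslog imfile input that stamps each line with the Devo tag.
# $1 = path to authevents.log (install-specific).
render_imfile_conf() {
    cat <<EOF
module(load="imfile")
input(type="imfile"
      File="$1"
      Tag="$DUO_TAG"
      Severity="info"
      Facility="local7")
EOF
}

# Constructed sample config, used only to demonstrate the check.
sample=$(mktemp)
printf '[main]\nlog_auth_events = True\n' > "$sample"
if auth_events_enabled "$sample"; then
    # Assumed log location; adjust to where your proxy writes authevents.log.
    render_imfile_conf /opt/duoauthproxy/log/authevents.log
else
    echo "log_auth_events is not true in [main]; authevents.log will not be written" >&2
fi
rm -f "$sample"
```

A setting that is commented out, or placed under a section other than [main], fails the check, so the missing events are caught before the empty table in Devo is the first symptom.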