Duo collector
Description
Duo is a powerful access security platform. There are two ways of sending Duo logs to Devo automatically:
Duo collector - Collector deployed by Devo. If you want to use this option to deploy the collector, contact us.
Duo Log Sync - Python library developed by Duo Security. To start sending Duo logs to Devo using this library, follow the steps below.
Getting the required credentials
Access the Duo Admin Panel and follow these steps:
- Â Create an Admin API application in the Duo Admin Panel.
- Get your integration key, secret key, and API hostname.
- Once you have these three values, go to the following section if you're using Duo Log Sync utility, or contact us if you want us to set up the Duo collector to send your logs.
Devo relay rules
Set up 4 custom relay rules for these tables:
Administrator Login rule (#1) needs to be placed before Administrator Events rule (#2), since we want events with action_
in the source data to go to auth.duo.administrator.login only. Also, both rules require the same port (in this case is 13010).
Authentication and Telephony events rules use the same basic settings as the Administrator events rule (just different port and tag).Â
- auth.duo.administrator.login (for
admin_
actions)
- auth.duo.administrator.events
- auth.duo.authentication.events
- auth.duo.telephony.events
Duo Log Sync settings
- Edit the
config.yml
file:- Provide your Admin API obtained in the previous steps (lines 24-26).
- Provide your Devo relay connection settings obtained in the previous steps (lines 7-21).
- Map Duo endpoints with Devo server IDs (lines 28-36).Â
config.ymlversion: '1.0.0' dls_settings: checkpointing: enabled: True servers: - id: 'devo-duo-administrator' hostname: '192.168.0.99' port: 13010 protocol: 'TCP' - id: 'devo-duo-authentication' hostname: '192.168.0.99' port: 13011 protocol: 'TCP' - id: 'devo-duo-telephony' hostname: '192.168.0.99' port: 13012 protocol: 'TCP' account: ikey: 'NQ0XXXABC69XXXXYZI0F' skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT' hostname: 'api-1a2b3c4d.duosecurity.com' endpoint_server_mappings: - endpoints: ['adminaction'] server: 'devo-duo-administrator' - endpoints: ['auth'] server: 'devo-duo-authentication' - endpoints: ['telephony'] server: 'devo-duo-telephony' is_msp: False
Execute this command:
duologsync config.yml
Check that
duologsync.log
was generated without errors.2021-04-05 16:59:48 INFO Starting DuoLogSync 2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13010 2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13011 2021-04-05 16:59:48 INFO DuoLogSync: Opening connection to 192.168.0.99:13012 2021-04-05 16:59:48 INFO duo_client Admin initialized for ikey: DQ0XXXABC69XXXXYZIF0, host: api-3af829fb.duosecurity.com 2021-04-05 16:59:48 ERROR Could not read checkpoint file for adminaction logs, consuming logs from {log_offset} timestamp 2021-04-05 16:59:48 ERROR Could not read checkpoint file for auth logs, consuming logs from {log_offset} timestamp 2021-04-05 16:59:48 ERROR Could not read checkpoint file for telephony logs, consuming logs from {log_offset} timestamp 2021-04-05 16:59:48 INFO adminaction producer: fetching next logs after 120 seconds 2021-04-05 16:59:48 INFO adminaction consumer: waiting for logs 2021-04-05 16:59:48 INFO auth producer: fetching next logs after 120 seconds 2021-04-05 16:59:48 INFO auth consumer: waiting for logs 2021-04-05 16:59:48 INFO telephony producer: fetching next logs after 120 seconds 2021-04-05 16:59:48 INFO telephony consumer: waiting for log
The Could not read checkpoint file errors are expected the first time you run
duologsync
because checkpointing was enabled in theconfig.yml
file (line 5). It is recommended to enable this value to avoid sending the same events to Devo every timeduologsync
is restarted.ÂIn subsequent reboots, you’ll have these checkpoint files:
adminaction_checkpoint_data.txt
,auth_checkpoint_data.txt
, andtelephony_checkpoint_data.txt
with the latest epoch values in seconds. Therefore, those errors should not occur again.
Validation
After 2 mins, duologsync
will fetch and send logs to Devo (that’s the minimum timeout that Duo allows between API calls). Then, go to Devo and see if you have Duo events in all auth.duo.* tables. Learn more about these tables in auth.duo.