
auth.duo

Introduction

The tags beginning with auth.duo identify events generated by Duo Security.

Tag structure

The full tag must have 4 levels. The first two are fixed as auth.duo. The third level identifies the type of events sent, and the fourth level indicates the event subtype.

Technology | Brand | Type | Subtype
-----------|-------|------|--------
auth | duo | administrator, authentication, telephony, authentication-proxy | login, events

Therefore, the valid tags and tables include:

  • auth.duo.administrator.login
  • auth.duo.administrator.events
  • auth.duo.authentication.events
  • auth.duo.telephony.events
  • auth.duo.authentication-proxy.events

How is the data sent to Devo?

To send logs to these tables, you can use either Duo Log Sync or the Devo Duo collector to send the required events to your Devo domain. Learn more about this in Duo collector.

Note that sending events to auth.duo.authentication-proxy.events is not supported by either of the methods mentioned above. To send events to this tag, you must enable logging by setting the parameter log_auth_events to True in the authproxy.cfg file. Check the Duo Authentication Proxy documentation for more information.

Once you have your local log file created (authevents.log), you can monitor it and forward the events using the normal methods, as described in Monitoring files using rsyslog.

Log samples

The following are sample logs sent to each of the auth.duo tables. Under each sample log you will also find how the information is parsed into your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

auth.duo.administrator.login

2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.login: {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
------|-------|------|-------------
eventdate | 2021-04-05 21:01:49.732 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-23T16:11:49+00:00 | str |
timestamp | 1616515909 | timestamp |
eventtype | administrator | str |
username | Roberto | str |
action | admin_login | str |
ip_address | 11.22.33.44 | ip |
primary_auth_method | Password | str |
factor | sms | str |
device | 888-683-9010 | str |
email | null | str |
error | null | str |
description | {"ip_address": "11.22.33.44", "device": "888-683-9010", "factor": "sms", "primary_auth_method": "Password"} | str |
rawMessage | {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.administrator.login | str | ✓
raw | 2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.login: {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓

auth.duo.administrator.events

2021-04-05 21:01:49.685 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.events: {"action": "integration_create", "description": "{\"greeting\": \"\", \"notes\": \"\", \"offline_auth_enabled\": 0, \"offline_max_days\": 0, \"offline_max_attempts\": 0, \"type\": \"Admin API\", \"name\": \"Admin API\", \"self_service_allowed\": false, \"username_normalization_policy\": \"None\", \"missing_web_referer_policy\": \"deny\", \"networks_for_api_access\": \"\", \"group_access\": \"\"}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
------|-------|------|-------------
eventdate | 2021-04-05 21:01:49.685 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-22T23:00:38+00:00 | str |
timestamp | 1616454038 | timestamp |
eventtype | administrator | str |
username | Roberto | str |
action | integration_create | str |
object | Admin API | str |
description | {"greeting": "", "notes": "", "offline_auth_enabled": 0, "offline_max_days": 0, "offline_max_attempts": 0, "type": "Admin API", "name": "Admin API", "self_service_allowed": false, "username_normalization_policy": "None", "missing_web_referer_policy": "deny", "networks_for_api_access": "", "group_access": ""} | str |
rawMessage | {"action": "integration_create", "description": "{"greeting": "", "notes": "", "offline_auth_enabled": 0, "offline_max_days": 0, "offline_max_attempts": 0, "type": "Admin API", "name": "Admin API", "self_service_allowed": false, "username_normalization_policy": "None", "missing_web_referer_policy": "deny", "networks_for_api_access": "", "group_access": ""}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.administrator.events | str | ✓
raw | 2021-04-05 21:01:49.685 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.events: {"action": "integration_create", "description": "{\"greeting\": \"\", \"notes\": \"\", \"offline_auth_enabled\": 0, \"offline_max_days\": 0, \"offline_max_attempts\": 0, \"type\": \"Admin API\", \"name\": \"Admin API\", \"self_service_allowed\": false, \"username_normalization_policy\": \"None\", \"missing_web_referer_policy\": \"deny\", \"networks_for_api_access\": \"\", \"group_access\": \"\"}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓

auth.duo.authentication.events

2021-04-05 21:01:51.352 192.168.0.113=192.168.0.113/devorelay=11.22.33.544 auth.duo.authentication.events: {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
------|-------|------|-------------
eventdate | 2021-04-05 21:01:51.352 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-23T00:01:48.721183+00:00 | str |
timestamp | 1616457708 | timestamp |
eventtype | authentication | str |
event_type | authentication | str |
txid | 5a845249-1cb8-476f-a620-cfe31464d417 | str |
factor | duo_push | str |
reason | user_mistake | str |
result | denied | str |
user_key | DU30ASO0S57OOCCI7XHB | str |
user_name | roberto | str |
email | roberto@example.com | str |
alias | | str |
user_groups_str | | str |
trusted_endpoint_status | null | str |
ood_software | null | str |
application_key | DI11Y5VSGF2HB0LM17CV | str |
application_name | UNIX application | str |
auth_device_ip | 11.22.33.44 | ip |
auth_device_name | Work (888-683-9010) | str |
auth_device_location_country | United States | str |
auth_device_location_state | Massachusetts | str |
auth_device_location_city | Cambridge | str |
auth_device | {"location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"} | json |
access_device_hostname2 | mylinuxhost | str |
access_device_ip | 192.168.0.112 | ip |
access_device_location_country | null | str |
access_device_location_state | null | str |
access_device_location_city | null | str |
access_device_os | null | str |
access_device_os_version | null | str |
access_device_browser | null | str |
access_device_browser_version | null | str |
access_device_java_version | null | str |
access_device_flash_version | null | str |
access_device | {"is_encryption_enabled":"unknown","is_password_set":"unknown","flash_version":null,"is_firewall_enabled":"unknown","os":null,"java_version":null,"location":{"state":null,"city":null,"country":null},"os_version":null,"ip":"192.168.0.112","browser":null,"browser_version":null,"hostname":"mylinuxhost"} | json |
rawMessage | {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.authentication.events | str | ✓
raw | 2021-04-05 21:01:51.352 192.168.0.113=192.168.0.113/devorelay=11.22.33.544 auth.duo.authentication.events: {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓

auth.duo.telephony.events

2021-04-05 21:01:49.559 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.telephony.events: {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
------|-------|------|-------------
eventdate | 2021-04-05 21:01:49.559 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-04-05T20:11:39+00:00 | str |
timestamp | 1617653499 | timestamp |
eventtype | telephony | str |
context | administrator login | str |
type | sms | str |
phone | +18886839010 | str |
credits | 1 | int |
rawMessage | {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.telephony.events | str | ✓
raw | 2021-04-05 21:01:49.559 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.telephony.events: {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓

auth.duo.authentication-proxy.events

2021-04-21 13:32:41 2019-emea-0427 auth.duo.authentication-proxy.events: {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507}

And this is how the log would be parsed:

Field | Value | Type | Extra fields
------|-------|------|-------------
eventdate | 2021-04-21 13:32:41 | timestamp |
hostname | 2019-emea-0427 | str |
timestamp | 2021-03-17 10:13:14 | timestamp |
msg | Primary credentials rejected - No reply message in packet | str |
username | pwilkin | str |
auth_stage | Primary authentication | str |
status | Reject | str |
client_ip | None | str |
server_section | radius_server_auto2 | str |
server_section_ikey | DIIOD1ZLTNJNUDN3CY58 | str |
factor | None | str |
hostname2 | ny1-yoda | str |
log_logger__unpersistable | TRUE | bool |
log_level__name | info | str |
log_level____class_uuid__ | 02e59486-f24d-46ad-8224-3acdf2a5732a | str |
log_namespace | duoauthproxy.lib.log | str |
log_source | None | str |
log_format | None | str |
log_time | 1.62E+09 | float8 |
rawMessage | {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507} | str |
hostchain | 2019-emea-0427=10.15.100.101 | str | ✓
tag | auth.duo.authentication-proxy.events | str | ✓
raw | 2021-04-21 13:32:41 2019-emea-0427 auth.duo.authentication-proxy.events: {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507} | str | ✓
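The line layout all the samples above share ("<eventdate> <hostchain> <tag>: <json>") and the four-level tag rule from the Tag structure section, worked through as an added example that is not Devo's or Duo's own code: it rejects lines whose tag is not one of the five listed tables, splits the raw line, expands the JSON-encoded description that administrator events carry, and flattens nested objects into prefixed columns the way the parsed tables show (auth_device_ip, log_level name). The sample lines are constructed and shortened from the page's administrator.login and authentication-proxy logs, and the single-underscore flattening is an assumption that does not reproduce Devo's exact column names (the proxy table uses log_level__name).

```python
import json
import re

# Devo raw line layout shown in the samples above: "<eventdate> <hostchain> <tag>: <json>"
LINE_RE = re.compile(r"^(?P<eventdate>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d(?:\.\d+)?) "
                     r"(?P<hostchain>\S+) (?P<tag>\S+): (?P<body>\{.*\})$")

VALID_TAGS = {"auth.duo.administrator.login", "auth.duo.administrator.events",
              "auth.duo.authentication.events", "auth.duo.telephony.events",
              "auth.duo.authentication-proxy.events"}

def valid_tag(tag):
    # exactly four levels, fixed auth.duo prefix, and a known type/subtype pair
    return len(tag.split(".")) == 4 and tag in VALID_TAGS

def flatten(obj, prefix=""):
    # nested objects become prefixed keys (auth_device.ip -> auth_device_ip);
    # assumption: one underscore joins levels, Devo's own column names differ in places
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}_"))
        else:
            out[f"{prefix}{key}"] = value
    return out

def parse_duo_line(line):
    # returns the parsed fields of one raw line, or None if it is not a valid auth.duo event
    match = LINE_RE.match(line)
    if not match or not valid_tag(match["tag"]):
        return None
    body = json.loads(match["body"])
    # administrator events carry a JSON-encoded string in "description"; expand it too
    desc = body.get("description")
    if isinstance(desc, str) and desc.startswith("{"):
        body.update(json.loads(desc))
    fields = flatten(body)
    fields.update(eventdate=match["eventdate"], hostchain=match["hostchain"], tag=match["tag"])
    fields["hostname"] = match["hostchain"].split("=", 1)[0]  # first hop of the host chain
    return fields

# Constructed samples, shortened from the page's administrator.login and authentication-proxy logs
SAMPLE_ADMIN_LOGIN = (
    '2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 '
    'auth.duo.administrator.login: {"action": "admin_login", "username": "Roberto", '
    '"description": "{\\"ip_address\\": \\"11.22.33.44\\", \\"factor\\": \\"sms\\"}"}'
)
SAMPLE_PROXY = ('2021-04-21 13:32:41 2019-emea-0427 auth.duo.authentication-proxy.events: '
                '{"msg": "Primary credentials rejected", "status": "Reject", "log_level": {"name": "info"}}')
```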