auth.duo
Introduction
The tags beginning with auth.duo identify events generated by Duo Security.
Tag structure
The full tag must have at least 3 levels. The first two are fixed as auth.duo. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Duo platform | | |
For more information, see About Devo tags.
How is the data sent to Devo?
To send logs to these tables, you can use either Duo Log Sync or our Devo Duo collector to send the required events to your Devo domain. Learn more about this in this article.
Note that sending events to auth.duo.authenticationProxy.events is not supported by either of the methods mentioned above. To send events to this tag, you must enable logging by setting the parameter log_auth_events to True in the authproxy.cfg file. Check the Duo Authentication Proxy documentation for more information.
Once you have your local log file created (authevents.log), you can monitor it and forward the events using the normal methods, as described in Monitoring files using rsyslog.
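One way to wire the two steps above together, shown as an added example and not as Devo's or Duo's own configuration. It assumes a Linux install with the proxy log directory at /opt/duoauthproxy/log; the drop-in file name, the relay host and port, and the template layout are placeholders to replace with the values from your own Devo setup.

```conf
# Prerequisite (from the step above), in authproxy.cfg under [main]:
#   log_auth_events=true
# Restart the Duo Authentication Proxy so that authevents.log is created.
#
# Hypothetical drop-in: /etc/rsyslog.d/49-duo-authevents.conf

# File-monitoring input module.
module(load="imfile")

# Assumed message layout: syslog header, then the Devo tag, then the raw
# event line. Adjust it to the format your Devo relay expects.
template(name="DuoToDevo" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag% %msg%\n")

# A dedicated ruleset keeps these events out of the default local log files.
# Target and Port are placeholders. Plain TCP is only appropriate towards a
# relay on a trusted network segment.
ruleset(name="duo_authevents") {
    action(type="omfwd"
           Target="devo-relay.example.internal"
           Port="13000"
           Protocol="tcp"
           Template="DuoToDevo")
}

# Follow the proxy's event log and stamp each line with the tag named on
# this page. The account running rsyslog needs read access to the file.
input(type="imfile"
      File="/opt/duoauthproxy/log/authevents.log"
      Tag="auth.duo.authenticationProxy.events:"
      Severity="info"
      Facility="local7"
      ruleset="duo_authevents")
```

Running `rsyslogd -N1` validates the syntax before the service is restarted.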
Table structure
These are the fields displayed in these tables: