Duo collector

Description

Duo is a powerful access security platform. There are two ways of sending Duo logs to Devo automatically:

  • Duo collector - Collector deployed by Devo. If you want to use this option to deploy the collector, contact us.

  • Duo Log Sync - Python library developed by Duo Security. To start sending Duo logs to Devo using this library, follow the steps below.

Getting the required credentials

Access the Duo Admin Panel and follow these steps:

Devo relay rules

Set up 4 custom relay rules for these tables:

The Administrator Login rule (#1) must be placed before the Administrator Events rule (#2), because the relay applies the first matching rule and we want only events with action_ in the source data to go to auth.duo.administrator.login. Both rules use the same port (in this case, 13010).

Authentication and Telephony events rules use the same basic settings as the Administrator events rule (just different port and tag). 

  • auth.duo.administrator.login (for admin_ actions)

  • auth.duo.administrator.events

  • auth.duo.authentication.events

  • auth.duo.telephony.events
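The ordering constraint above is easy to get wrong, so here is an added example (not part of the Devo page and not Devo's or Duo's own code) that models the four relay rules as first-match routing and runs them over constructed Duo-style records. Port 13010 comes from the page; the ports 13011 and 13012 for the authentication and telephony rules are placeholders, the substring `admin_` used for rule #1 is an assumption (the page refers to both `action_` and `admin_`), and the sample records are constructed, not real Duo output. The `route_with_swapped_admin_rules` function shows what happens when rules #1 and #2 are put in the wrong order: every administrator event lands in auth.duo.administrator.events.

```python
"""Added example: first-match relay routing for the four Duo relay rules.
Not Devo's or Duo's code; ports 13011/13012, the "admin_" substring and
the sample records are assumptions or constructed values."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RelayRule:
    name: str
    port: int
    tag: str
    # Substring that must appear in the source line; None matches any line on that port.
    contains: Optional[str] = None


# Rule order matters: the relay applies the first rule whose port and condition match.
# Port 13010 for both administrator rules is from the page; 13011 and 13012 are
# placeholder ports (the page only says the other rules use a different port and tag).
# "admin_" is an assumed match string for the Administrator Login rule.
RULES: List[RelayRule] = [
    RelayRule("Administrator Login", 13010, "auth.duo.administrator.login", contains="admin_"),
    RelayRule("Administrator Events", 13010, "auth.duo.administrator.events"),
    RelayRule("Authentication Events", 13011, "auth.duo.authentication.events"),
    RelayRule("Telephony Events", 13012, "auth.duo.telephony.events"),
]


def route(port: int, line: str, rules: List[RelayRule] = RULES) -> Optional[str]:
    """Return the Devo tag the first matching rule assigns, or None if no rule matches."""
    for rule in rules:
        if rule.port != port:
            continue
        if rule.contains is None or rule.contains in line:
            return rule.tag
    return None  # no rule matched: the relay would not tag (and so would not deliver) the event


# Constructed sample records: the JSON shape is only loosely modelled on Duo logs.
SAMPLES: List[Tuple[int, str]] = [
    (13010, json.dumps({"action": "admin_login", "username": "alice"})),
    (13010, json.dumps({"action": "user_create", "username": "bob"})),
    (13011, json.dumps({"result": "success", "factor": "duo_push"})),
    (13012, json.dumps({"type": "sms", "credits": 1})),
]


def route_all(samples: List[Tuple[int, str]] = SAMPLES,
              rules: List[RelayRule] = RULES) -> List[Optional[str]]:
    """Route every sample through the rule list, preserving sample order."""
    return [route(port, line, rules) for port, line in samples]


def route_with_swapped_admin_rules() -> List[Optional[str]]:
    """Same samples, but with rules #1 and #2 in the wrong order."""
    swapped = [RULES[1], RULES[0], *RULES[2:]]
    return route_all(rules=swapped)


if __name__ == "__main__":
    for (port, line), tag in zip(SAMPLES, route_all()):
        print(f"port {port}: {line} -> {tag}")
    print("with rules #1/#2 swapped:", route_with_swapped_admin_rules())
```

Running the module prints the tag chosen for each sample; with the correct order the admin_login record goes to auth.duo.administrator.login, while with the swapped order the unconditional Administrator Events rule captures it first.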

Duo Log Sync settings

Validation

After 2 minutes, duologsync will fetch the logs and send them to Devo (that is the minimum interval Duo allows between API calls). Then go to Devo and check that Duo events appear in all auth.duo.* tables. Learn more about these tables in auth.duo.