Duo collector

Overview

Duo Security is a cloud-based access security provider that offers multi-factor authentication (MFA), endpoint security, and remote access solutions to protect users and their devices against unauthorized access and cyber threats. It is designed to ensure that only authorized users and secure devices can access applications and data, regardless of where the applications or users are located.

Duo collector migration guide

This guide will walk you through the process of updating your configuration from versions <2.0.0 to version 2.0.0. This version introduces significant improvements and changes to the configuration style to enhance performance, usability, and security.

Version 2.0.0 is incompatible with previous versions. The new version needs some adjustments to the configuration file to ensure a smooth migration process. The following sections will guide you through the necessary steps to update your configuration.

Preparing for migration

Before starting the migration process, we recommend the following steps:

Backup your current configuration: Make sure you have a backup of your existing configuration files to prevent any data loss.
Review the new configuration documentation: Familiarize yourself with the new configuration options available in version 2.0.0.

Migration steps

Step 1: Update credentials

An example of the old and new configuration is shown below:

# Old version (<2.0.0)
account:
  ikey: 'NQ0XXXABC69XXXXYZI0F'
  skey: 'Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT'
  hostname: 'api-1a2b3c4d.duosecurity.com'

# New version (2.0.0)
credentials:
  integration_key: NQ0XXXABC69XXXXYZI0F
  secret_key: Kqfd1XXXX1bCX42OXXXLxNukWXXXXgUpXXX6KUaT
  hostname: api-1a2b3c4d.duosecurity.com

Step 2: Update start date

An example of the new configuration is shown below:

services:
  administrator:
    start_datetime_utc: "<start_datetime_utc_value>"
  authentication:
    start_datetime_utc: "<start_datetime_utc_value>"
  telephony:
    start_datetime_utc: "<start_datetime_utc_value>"

The <start_datetime_utc_value> has the format "YYYY-MM-DDTHH:MM:SS.000Z". For example, a valid start_datetime_utc_value would be "2024-07-01T00:00:00.000Z".

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	`no`
Running environments	`collector server` `on premise`
Populated Devo events	`table`
Flattening pre-processing	`no`
Allowed source events obfuscation	`no`

Data source description

This collector extracts data from 3 log services available from Duo:

Administrator: Returns a list of administrator log events.
Authentication: Returns a paged list of authentication log events.
Telephony: Returns a list of telephony log events.

Data source	Description	API endpoint	Collector service name	Devo table	Available from release
Administrator	Returns a list of administrator log events.	`/admin/v1/logs/administrator`	administrator	`auth.duo.administrator.login` `auth.duo.administrator.events`	v0.9
Authentication	Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two-minute delay in the availability of new authentications in the API response. Duo operates a large-scale distributed system, and this two-minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.	`/admin/v2/logs/authentication`	authentication	`auth.duo.authentication.events`	v0.9
Telephony	Returns a list of telephony log events.	`/admin/v1/logs/telephony`	telephony	`auth.duo.telephony.events`	v0.9

API limits

Administrator:
- Only the 1000 earliest events (maximum) will be returned with each page; the collector will be called multiple times to page through the entire log.
- The recommended limit suggests requesting logs no more than once per minute.
Authentication:
- Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new authentications in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.
- The recommended limit suggests requesting logs no more than once per minute.
Telephony:
- Returns a paged list of authentication log events ranging from the last 180 days up to as recently as two minutes before the API request. There is an intentional two minute delay in availability of new telephony events in the API response. Duo operates a large scale distributed system, and this two minute buffer period ensures that calls will return consistent results. Querying for results more recent than two minutes will return as empty.
- The recommended limit suggests requesting logs no more than once per minute.

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required for basic data pulling are below.

This minimum configuration refers exclusively to those specific parameters of this integration. Additional parameters related to the generic behavior of the collector are required. Check the setting sections for details.

Setting	Details
`integration_key_value`	The integration key is required to authenticate the requests. The integration key acts as the HTTP username
`secret_key_value`	The secret key is required to authenticate the requests. The secret key acts as the HTTP password
`hostname_value`	The hostname is required to authenticate the requests. This is the URL for the different requests

Accepted authentication methods

Authentication method	Details
`user/pass`	You will need your `integration_key_value` and `secret_key_value` to connect to the `hostname_value`.

Vendor setup

You need the owner role to perform these steps. Learn more here.

Treat your secret key like a password

The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!

Connectivity requirements

This application communicates with Duo's service on SSL TCP port 443. Firewall configurations that restrict outbound access to Duo's service with rules using destination IP addresses or IP address ranges aren't recommended, since these may change over time to maintain our service's high availability. If your organization requires IP-based rules, please review Duo Knowledge Base article 1337. Effective June 30, 2023, Duo no longer supports TLS 1.0 or 1.1 connections or insecure TLS/SSL cipher suites. See Duo Knowledge Base article 7546 for additional guidance.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Collector services detail

This section is intended to explain how to proceed with specific actions for services.

For all the services

Devo categorization and destination

Please check the section Data Source Description to learn about the target tables for each service.

Restart the persistence

This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:

Edit the configuration file.
Change the value of the start_datetime_utc_value to a different one.
Save the changes.
Restart the collector.

The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.

Troubleshooting

This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.

Configuration errors

Error type	Error ID	Error message	Cause	Solution
InitVariablesError	0	Invalid content detected in the metadata config	The internal config did not pass the format validation. Contact Devo Support.	Check the documentation and update the configuration accordingly
InitVariablesError	1	Invalid content detected in the user config	The user config did not pass the format validation	Check the documentation and update the configuration accordingly
InitVariablesError	3	Invalid content detected in the requests_limits config	The user config did not pass the format validation.	Check error traces for details and visit our documentation.
DuoSetupException	103	Missing required credentials	Missing or empty credentials in the configuration	Include the proper credentials in the configuration
DuoException	100	Service not supported	An unexpected service definition was found	Configure the available services: `administrator`, `authentication` or `telephony`.
DuoException	101	Tag not found for `authentication` or `telephony`	An override tag value is found and it is empty or not valid	Configure the proper base_tag override for the `authentication` or `telephony` services.
DuoException	102	Base tag not found for `administrator`	An override base_tag value is found and it is empty or not valid	Configure the proper base_tag override for the `administrator` service.

Collector operations

Verify collector operations

This is for the standalone mode only. You can check the information in the following sections to verify the correct collector operation.

Initialization

The initialization module validates the given configuration and runs the setup, the input (pulling logic), and output (delivering logic) services. A successful run has the following output messages for the initializer module:

2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-<name>\config\config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False

Event delivery and Devo ingestion

The event delivery module is in charge of receiving the events from the internal queues where all the events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:

2023-01-10T15:23:00.788    INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789    INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790    INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842    INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)",

Sender services

The Integrations Factory Collector SDK has 3 different sender services depending on the event type to deliver (internal, standard, and lookup). This collector uses the following Sender Services:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

Sender manager internal queue size: 0

Displays the items available in the internal sender queue.

This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders.

Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds)

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

44 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2022-06-28 10:39:22.511671+00:00.
21 events were sent to Devo between the last UTC checkpoint and now.
Those 21 events required 0.007 seconds to be delivered.

By default, these traces will be shown every 10 minutes.

Sender statistics

Each service displays its performance statistics that allow checking how many events have been delivered to Devo by type:

Logging trace

Description

Number of available senders: 1

Displays the number of concurrent senders available for the given Sender Service.

Sender manager internal queue size: 0

Displays the items available in the internal sender queue.

Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds

Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:

57 events were sent to Devo since the collector started.
The last checkpoint timestamp was 2023-01-10 16:09:16.116750+00:00.
0 events were sent to Devo between the last UTC checkpoint and now.
Those 0 events required 0.00 seconds to be delivered.

Check memory usage

To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.

The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory

  INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
  INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB)

Change log

Release	Released on	Release type	Details	Recommendations
`v2.0.0`	15 Jul 2024	IMPROVEMENTS	Updated DC SDK to `v1.12.2` Updated Docker image base to version `v1.3.0` in Dockerfile	`Recommended version`