Introduction
The tags beginning with auth.duo identify events generated by Duo Security.
The full tag must have 4 levels. The first two are fixed as auth.duo. The third level identifies the type of events sent, and the fourth level indicates the event subtype.
Technology | Brand | Type | Subtype
---|---|---|---
auth | duo | administrator, authentication, telephony, authentication-proxy | login, events
Therefore, the valid tags and tables include:
- auth.duo.administrator.login
- auth.duo.administrator.events
- auth.duo.authentication.events
- auth.duo.telephony.events
- auth.duo.authentication-proxy.events
How is the data sent to Devo?
To send logs to these tables, you can use either Duo Log Sync or our Devo Duo collector to send the required events to your Devo domain. Learn more about this in Duo collector.
Log samples
The following are sample logs sent to each of the auth.duo tables. Also, find how the information will be parsed in your data table under each sample log.
auth.duo.administrator.login
2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.login: {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields
---|---|---|---
eventdate | 2021-04-05 21:01:49.732 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-23T16:11:49+00:00 | str |
timestamp | 1616515909 | timestamp |
eventtype | administrator | str |
username | Roberto | str |
action | admin_login | str |
ip_address | 11.22.33.44 | ip |
primary_auth_method | Password | str |
factor | sms | str |
device | 888-683-9010 | str |
email | null | str |
error | null | str |
description | {"ip_address": "11.22.33.44", "device": "888-683-9010", "factor": "sms", "primary_auth_method": "Password"} | str |
rawMessage | {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.administrator.login | str | ✓
raw | 2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.login: {"action": "admin_login", "description": "{\"ip_address\": \"11.22.33.44\", \"device\": \"888-683-9010\", \"factor\": \"sms\", \"primary_auth_method\": \"Password\"}", "isotimestamp": "2021-03-23T16:11:49+00:00", "object": null, "timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓
auth.duo.administrator.events
2021-04-05 21:01:49.685 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.events: {"action": "integration_create", "description": "{\"greeting\": \"\", \"notes\": \"\", \"offline_auth_enabled\": 0, \"offline_max_days\": 0, \"offline_max_attempts\": 0, \"type\": \"Admin API\", \"name\": \"Admin API\", \"self_service_allowed\": false, \"username_normalization_policy\": \"None\", \"missing_web_referer_policy\": \"deny\", \"networks_for_api_access\": \"\", \"group_access\": \"\"}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields
---|---|---|---
eventdate | 2021-04-05 21:01:49.685 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-22T23:00:38+00:00 | str |
timestamp | 1616454038 | timestamp |
eventtype | administrator | str |
username | Roberto | str |
action | integration_create | str |
object | Admin API | str |
description | {"greeting": "", "notes": "", "offline_auth_enabled": 0, "offline_max_days": 0, "offline_max_attempts": 0, "type": "Admin API", "name": "Admin API", "self_service_allowed": false, "username_normalization_policy": "None", "missing_web_referer_policy": "deny", "networks_for_api_access": "", "group_access": ""} | str |
rawMessage | {"action": "integration_create", "description": "{\"greeting\": \"\", \"notes\": \"\", \"offline_auth_enabled\": 0, \"offline_max_days\": 0, \"offline_max_attempts\": 0, \"type\": \"Admin API\", \"name\": \"Admin API\", \"self_service_allowed\": false, \"username_normalization_policy\": \"None\", \"missing_web_referer_policy\": \"deny\", \"networks_for_api_access\": \"\", \"group_access\": \"\"}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.administrator.events | str | ✓
raw | 2021-04-05 21:01:49.685 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.administrator.events: {"action": "integration_create", "description": "{\"greeting\": \"\", \"notes\": \"\", \"offline_auth_enabled\": 0, \"offline_max_days\": 0, \"offline_max_attempts\": 0, \"type\": \"Admin API\", \"name\": \"Admin API\", \"self_service_allowed\": false, \"username_normalization_policy\": \"None\", \"missing_web_referer_policy\": \"deny\", \"networks_for_api_access\": \"\", \"group_access\": \"\"}", "isotimestamp": "2021-03-22T23:00:38+00:00", "object": "Admin API", "timestamp": 1616454038, "username": "Roberto", "eventtype": "administrator", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓
auth.duo.authentication.events
2021-04-05 21:01:51.352 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.authentication.events: {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields
---|---|---|---
eventdate | 2021-04-05 21:01:51.352 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-03-23T00:01:48.721183+00:00 | str |
timestamp | 1616457708 | timestamp |
eventtype | authentication | str |
event_type | authentication | str |
txid | 5a845249-1cb8-476f-a620-cfe31464d417 | str |
factor | duo_push | str |
reason | user_mistake | str |
result | denied | str |
user_key | DU30ASO0S57OOCCI7XHB | str |
user_name | roberto | str |
email | roberto@example.com | str |
alias | | str |
user_groups_str | | str |
trusted_endpoint_status | null | str |
ood_software | null | str |
application_key | DI11Y5VSGF2HB0LM17CV | str |
application_name | UNIX Application | str |
auth_device_ip | 11.22.33.44 | ip |
auth_device_name | Work (888-683-9010) | str |
auth_device_location_country | United States | str |
auth_device_location_state | Massachusetts | str |
auth_device_location_city | Cambridge | str |
auth_device | {"location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"} | json |
access_device_hostname2 | mylinuxhost | str |
access_device_ip | 192.168.0.112 | ip |
access_device_location_country | null | str |
access_device_location_state | null | str |
access_device_location_city | null | str |
access_device_os | null | str |
access_device_os_version | null | str |
access_device_browser | null | str |
access_device_browser_version | null | str |
access_device_java_version | null | str |
access_device_flash_version | null | str |
access_device | {"is_encryption_enabled":"unknown","is_password_set":"unknown","flash_version":null,"is_firewall_enabled":"unknown","os":null,"java_version":null,"location":{"state":null,"city":null,"country":null},"os_version":null,"ip":"192.168.0.112","browser":null,"browser_version":null,"hostname":"mylinuxhost"} | json |
rawMessage | {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.authentication.events | str | ✓
raw | 2021-04-05 21:01:51.352 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.authentication.events: {"access_device": {"browser": null, "browser_version": null, "flash_version": null, "hostname": "mylinuxhost", "ip": "192.168.0.112", "is_encryption_enabled": "unknown", "is_firewall_enabled": "unknown", "is_password_set": "unknown", "java_version": null, "location": {"city": null, "country": null, "state": null}, "os": null, "os_version": null}, "alias": "", "application": {"key": "DI11Y5VSGF2HB0LM17CV", "name": "UNIX Application"}, "auth_device": {"ip": "11.22.33.44", "location": {"city": "Cambridge", "country": "United States", "state": "Massachusetts"}, "name": "Work (888-683-9010)"}, "email": "roberto@example.com", "event_type": "authentication", "factor": "duo_push", "isotimestamp": "2021-03-23T00:01:48.721183+00:00", "ood_software": null, "reason": "user_mistake", "result": "denied", "timestamp": 1616457708, "txid": "5a845249-1cb8-476f-a620-cfe31464d417", "user": {"groups": [], "key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}, "eventtype": "authentication", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓
auth.duo.telephony.events
2021-04-05 21:01:49.559 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.telephony.events: {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields
---|---|---|---
eventdate | 2021-04-05 21:01:49.559 | timestamp |
hostname | 192.168.0.113 | str |
host | api-1a2b3c4d.duosecurity.com | str |
isotimestamp | 2021-04-05T20:11:39+00:00 | str |
timestamp | 1617653499 | timestamp |
eventtype | telephony | str |
context | administrator login | str |
type | sms | str |
phone | +18886839010 | str |
credits | 1 | int |
rawMessage | {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"} | str |
hostchain | 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 | str | ✓
tag | auth.duo.telephony.events | str | ✓
raw | 2021-04-05 21:01:49.559 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 auth.duo.telephony.events: {"context": "administrator login", "credits": 1, "isotimestamp": "2021-04-05T20:11:39+00:00", "phone": "+18886839010", "timestamp": 1617653499, "type": "sms", "eventtype": "telephony", "host": "api-1a2b3c4d.duosecurity.com"} | str | ✓
auth.duo.authentication-proxy.events
2021-04-21 13:32:41 2019-emea-0427 auth.duo.authentication-proxy.events: {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507}
And this is how the log would be parsed:
Field | Value | Type | Extra fields
---|---|---|---
eventdate | 2021-04-21 13:32:41 | timestamp |
hostname | 2019-emea-0427 | str |
timestamp | 2021-03-17 10:13:14 | timestamp |
msg | Primary credentials rejected - No reply message in packet | str |
username | johnsmith | str |
auth_stage | Primary authentication | str |
status | Reject | str |
client_ip | None | str |
server_section | radius_server_auto2 | str |
server_section_ikey | DIIOD1ZLTNJNUDN3CY58 | str |
factor | None | str |
hostname2 | ny1-yoda | str |
log_logger__unpersistable | TRUE | bool |
log_level__name | info | str |
log_level____class_uuid__ | 02e59486-f24d-46ad-8224-3acdf2a5732a | str |
log_namespace | duoauthproxy.lib.log | str |
log_source | None | str |
log_format | None | str |
log_time | 1615975993.9803507 | float8 |
rawMessage | {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507} | str |
hostchain | 2019-emea-0427=10.15.100.101 | str | ✓
tag | auth.duo.authentication-proxy.events | str | ✓
raw | 2021-04-21 13:32:41 2019-emea-0427 auth.duo.authentication-proxy.events: {"timestamp": "2021-03-17T10:13:13.980350Z", "msg": "Primary credentials rejected - No reply message in packet", "username": "johnsmith", "auth_stage": "Primary authentication", "status": "Reject", "client_ip": null, "server_section": "radius_server_auto2", "server_section_ikey": "DIIOD1ZLTNJNUDN3CY58", "factor": null, "hostname": "ny1-yoda", "log_logger": {"unpersistable": true}, "log_level": {"name": "info", "__class_uuid__": "02e59486-f24d-46ad-8224-3acdf2a5732a"}, "log_namespace": "duoauthproxy.lib.log", "log_source": null, "log_format": null, "log_time": 1615975993.9803507} | str | ✓
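As an added example (not Devo's parser and not Duo code), the following Python reproduces the parsing shown in the tables above for the line shape every sample shares: it checks the four-level tag against the list of valid tags, splits eventdate, hostchain and tag from the JSON payload, decodes the JSON-encoded description string that administrator events carry, and flattens nested objects into single-underscore names such as user_key (an assumption; the authentication-proxy table joins with a double underscore). The two sample lines are constructed abridgements of the administrator.login and authentication.events samples, and is_denied_auth is a small detection helper added for illustration.

```python
import json

# The five tags this page lists as valid (four levels: auth.duo.<type>.<subtype>).
VALID_TAGS = {
    "auth.duo.administrator.login", "auth.duo.administrator.events",
    "auth.duo.authentication.events", "auth.duo.telephony.events",
    "auth.duo.authentication-proxy.events"}

# Constructed inputs, abridged from the page's administrator.login and
# authentication.events samples (same line shape and field names, fewer keys).
SAMPLE_ADMIN = ('2021-04-05 21:01:49.732 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 '
    'auth.duo.administrator.login: {"action": "admin_login", "description": '
    '"{\\"ip_address\\": \\"11.22.33.44\\", \\"factor\\": \\"sms\\"}", '
    '"timestamp": 1616515909, "username": "Roberto", "eventtype": "administrator"}')
SAMPLE_AUTH = ('2021-04-05 21:01:51.352 192.168.0.113=192.168.0.113/devorelay=11.22.33.44 '
    'auth.duo.authentication.events: {"access_device": {"ip": "192.168.0.112", '
    '"location": {"city": null}}, "factor": "duo_push", "reason": "user_mistake", '
    '"result": "denied", "user": {"key": "DU30ASO0S57OOCCI7XHB", "name": "roberto"}}')


def flatten(obj, prefix=""):
    # Assumed naming: nested keys join with "_", giving user_key and
    # access_device_location_city as in the authentication table above.
    out = {}
    for key, val in obj.items():
        if isinstance(val, dict):
            out.update(flatten(val, f"{prefix}{key}_"))
        else:
            out[f"{prefix}{key}"] = val
    return out


def parse_line(line):
    # Line shape used by every sample above: "<date> <time> <hostchain> <tag>: <json>".
    head, _, payload = line.partition(": ")
    parts = head.split()
    if len(parts) != 4 or not payload.startswith("{"):
        raise ValueError("line is not '<eventdate> <hostchain> <tag>: <json>'")
    date, time, hostchain, tag = parts
    if tag not in VALID_TAGS:
        raise ValueError(f"unexpected tag {tag!r}")
    body = json.loads(payload)
    # Administrator events carry 'description' as a JSON-encoded string; decode it.
    if isinstance(body.get("description"), str) and body["description"].startswith("{"):
        body.update(json.loads(body["description"]))
    fields = flatten(body)
    fields.update(eventdate=f"{date} {time}", hostchain=hostchain, tag=tag)
    return fields


def is_denied_auth(fields):
    # Detection helper: a Duo authentication that ended with result=denied.
    return fields.get("tag") == "auth.duo.authentication.events" and fields.get("result") == "denied"
```

The decoded description fields (ip_address, factor) land beside the top-level ones, which is why the administrator.login table above lists them as ordinary columns.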