https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287176#M34178 <P>The DUO Log Add-on for Splunk <A href="https://splunkbase.splunk.com/app/3194/">link text</A> is great but it doesn't provide any field extractions for syslog events. Is there a standard log format for these messages that we can use to build our own field extractions?</P> Thu, 22 Dec 2016 16:25:12 GMT dflodstrom 2016-12-22T16:25:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287176#M34178 <P>The DUO Log Add-on for Splunk <A href="https://splunkbase.splunk.com/app/3194/">link text</A> is great but it doesn't provide any field extractions for syslog events. Is there a standard log format for these messages that we can use to build our own field extractions?</P> Thu, 22 Dec 2016 16:25:12 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287176#M34178 dflodstrom 2016-12-22T16:25:12Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287177#M34179 <P>Looks like the app says it's supposed to be in JSON format. Is that not the case?</P> Thu, 22 Dec 2016 16:26:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287177#M34179 jonathan_cooper 2016-12-22T16:26:51Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287178#M34180 <P>Unfortunately not. The message format I'm receiving is basic one-line syslog with values separated by commas. I'm attacking this from two angles though; also working on getting the admins to configure this feed via the API like the app prefers. </P> Thu, 22 Dec 2016 16:38:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287178#M34180 dflodstrom 2016-12-22T16:38:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287179#M34181 <P>The DUO Log Add-on is primarily a modular input, so it likely won't work correctly if you are grabbing the DUO logs with a different method. The data is returned in JSON directly from their API; <A href="https://duo.com/docs/adminapi#logs">https://duo.com/docs/adminapi#logs</A><BR /> so the add-on takes advantage of that because most of the field extraction occurs automatically. The add-on also has some field mapping to make it CIM compliant, which probably won't work correctly if the fields are extracted differently.<BR /><BR /> It sounds like your Splunk admins may be using one of DUO's example scripts for pulling the logs.</P> Tue, 07 Feb 2017 18:01:42 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287179#M34181 bawood 2017-02-07T18:01:42Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287180#M34182 <P>Hi,</P> <P>"SkyFormation Extend © for Splunk ingest and enriches audit events from multiple business cloud applications (e.g. Duo security, Salesforce, Google App, Box, ServiceNow, Office 365, Okta, Azure and many more) and transform the events into visible and detection-ready (classified, unified enriched and more) in your Splunk or any other SIEM system. SkyFormation Extend© sends its security events to Splunk where they can be stored, analyzed and acted upon according to the organization’s regulations and security needs.".</P> <P>SkyFormation Extend is a middleware software you could install on-premise on any Linux machine of yours and it will take you 8 minutes to set it up and connect your cloud apps to your Splunk/SIEM.</P> <P>Please have a look at:<BR /> <A href="https://splunkbase.splunk.com/app/2932/">https://splunkbase.splunk.com/app/2932/</A></P> <P>Feel more then welcome to ask me any question at <A href="mailto:asaf@skyformation.com">asaf@skyformation.com</A></P> <P>Best<BR /> Asaf<BR /> SkyFormation, CEO<BR /> <A href="http://www.skyformation.com">www.skyformation.com</A></P> Mon, 24 Jul 2017 12:22:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287180#M34182 barkanasi 2017-07-24T12:22:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287181#M34183 <P>boo your advertisement</P> Wed, 23 Aug 2017 14:04:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287181#M34183 dflodstrom 2017-08-23T14:04:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287182#M34184 <P>Nah, I'm the admin. We're getting the logs via syslog. </P> Wed, 23 Aug 2017 14:05:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287182#M34184 dflodstrom 2017-08-23T14:05:07Z https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287183#M34185 <P>I'm not sure how you get the logs from DUO via syslog. I'm only aware of getting the data from them via their API, in which case it's returned in JSON. </P> Wed, 23 Aug 2017 14:31:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/DUO-Log-Add-on-for-Splunk-What-is-the-syslog-format-for-DUO/m-p/287183#M34185 bawood 2017-08-23T14:31:41Z