Unfortunately not. The message format I'm receiving is basic one-line syslog with values separated by commas. I'm attacking this from two angles though; also working on getting the admins to configure this feed via the API like the app prefers.
The DUO Log Add-on is primarily a modular input, so it likely won't work correctly if you are grabbing the DUO logs with a different method. The data is returned in JSON directly from their API; https://duo.com/docs/adminapi#logs
so the add-on takes advantage of that because most of the field extraction occurs automatically. The add-on also has some field mapping to make it CIM compliant, which probably won't work correctly if the fields are extracted differently.
It sounds like your Splunk admins may be using one of DUO's example scripts for pulling the logs.
I'm not sure how you get the logs from DUO via syslog. I'm only aware of getting the data from them via their API, in which case it's returned in JSON.
"SkyFormation Extend © for Splunk ingest and enriches audit events from multiple business cloud applications (e.g. Duo security, Salesforce, Google App, Box, ServiceNow, Office 365, Okta, Azure and many more) and transform the events into visible and detection-ready (classified, unified enriched and more) in your Splunk or any other SIEM system. SkyFormation Extend© sends its security events to Splunk where they can be stored, analyzed and acted upon according to the organization’s regulations and security needs.".
SkyFormation Extend is a middleware software you could install on-premise on any Linux machine of yours and it will take you 8 minutes to set it up and connect your cloud apps to your Splunk/SIEM.
Please have a look at:
Feel more then welcome to ask me any question at firstname.lastname@example.org