
DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Builder

The DUO Log Add-on for Splunk is great, but it doesn't provide any field extractions for syslog events. Is there a standard log format for these messages that we can use to build our own field extractions?


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Communicator

Looks like the app says it's supposed to be in JSON format. Is that not the case?


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Builder

Unfortunately not. The message format I'm receiving is basic one-line syslog with values separated by commas. I'm attacking this from two angles, though; I'm also working on getting the admins to configure this feed via the API like the app prefers.


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Path Finder

The DUO Log Add-on is primarily a modular input, so it likely won't work correctly if you are grabbing the DUO logs with a different method. The data is returned in JSON directly from their API (https://duo.com/docs/adminapi#logs), so the add-on takes advantage of that because most of the field extraction occurs automatically. The add-on also has some field mapping to make it CIM compliant, which probably won't work correctly if the fields are extracted differently.

It sounds like your Splunk admins may be using one of DUO's example scripts for pulling the logs.


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Builder

Nah, I'm the admin. We're getting the logs via syslog.


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Path Finder

I'm not sure how you get the logs from DUO via syslog. I'm only aware of getting the data from them via their API, in which case it's returned in JSON.


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Explorer

Hi,

"SkyFormation Extend© for Splunk ingests and enriches audit events from multiple business cloud applications (e.g. Duo Security, Salesforce, Google Apps, Box, ServiceNow, Office 365, Okta, Azure and many more) and transforms the events into visible and detection-ready (classified, unified, enriched and more) events in your Splunk or any other SIEM system. SkyFormation Extend© sends its security events to Splunk where they can be stored, analyzed and acted upon according to the organization's regulations and security needs."

SkyFormation Extend is middleware software that you can install on-premises on any Linux machine of yours, and it will take you 8 minutes to set it up and connect your cloud apps to your Splunk/SIEM.

Please have a look at:
https://splunkbase.splunk.com/app/2932/

Feel more than welcome to ask me any question at asaf@skyformation.com

Best
Asaf
SkyFormation, CEO
www.skyformation.com


Re: DUO Log Add-on for Splunk: What is the syslog format for DUO events?

Builder

boo your advertisement
