Splunk DUO connector which can support v2 auth logs

lim2
Path Finder

Per DUO support, Splunk DUO connector 1.1.6b and 1.1.6 do not support v2 auth logs; therefore, the connector won't be able to pull those 2FA device IPs in the logs. When will the updated Splunk DUO connector which can support v2 auth logs be available? Thanks.

0 Karma

tnewell419
New Member

Not officially supported, but confirmed working

While not officially supported, you can make this happen with 2 simple edits to duo_input.py in $SPLUNK_HOME/etc/apps/duo_splunkapp/bin/ (this path may be different in your environment). This works on the publicly available 1.1.6 app downloaded directly from Splunkbase. There is also a hidden Dashboard page available at https://yoursplunkenvironment/en-US/app/duo_splunkapp/duo_auth_dash_2. Would love to hear if this works for anyone.

Line 11 should be changed.
From: from logclasses.paginated_authentication_log import PaginatedAuthenticationLog
To: from logclasses.paginated_authentication_log_v2 import PaginatedAuthenticationLogv2

Line 360 should be changed.
From: PaginatedAuthenticationLog,
To: PaginatedAuthenticationLogv2,

0 Karma
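Added example, not part of the original post and not code from the Duo app: one way to apply the two edits described above by content rather than by line number, with a backup and a check that the file looks as expected. It assumes the class name appears in duo_input.py only on the import line and in the reference(s) the post names; `patch_source`, `patch_file`, the `.orig` backup suffix and `SAMPLE` are names made up for this sketch.

```python
import re
import shutil
from pathlib import Path

# The trailing \b cannot match before "_v2" or "v2", so text that already
# carries the v2 names is never rewritten a second time.
MODULE = re.compile(r"\blogclasses\.paginated_authentication_log\b")
CLASS = re.compile(r"\bPaginatedAuthenticationLog\b")

# Constructed stand-in for the relevant lines of duo_input.py (not the real file).
SAMPLE = (
    "import sys\n"
    "from logclasses.paginated_authentication_log import PaginatedAuthenticationLog\n"
    "LOG_CLASSES = [\n"
    "    PaginatedAuthenticationLog,\n"
    "]\n"
)


def patch_source(text):
    """Return (patched_text, module_hits, class_hits) for duo_input.py source."""
    text, module_hits = MODULE.subn("logclasses.paginated_authentication_log_v2", text)
    text, class_hits = CLASS.subn("PaginatedAuthenticationLogv2", text)
    return text, module_hits, class_hits


def patch_file(path):
    """Patch duo_input.py in place; returns 'patched' or 'unchanged'."""
    path = Path(path)
    original = path.read_text()
    patched, module_hits, class_hits = patch_source(original)
    if patched == original:
        return "unchanged"  # already edited, nothing to do
    # Expect exactly one import line and at least one further class reference;
    # anything else (for example a half-edited file) needs a manual look.
    if module_hits != 1 or class_hits < 2:
        raise ValueError(f"unexpected matches: import={module_hits}, class={class_hits}")
    backup = path.with_name(path.name + ".orig")
    if not backup.exists():
        shutil.copy2(path, backup)  # keep the shipped file for rollback
    path.write_text(patched)
    return "patched"


if __name__ == "__main__":
    import sys
    print(patch_file(sys.argv[1]))
```

Run it with the full path to duo_input.py as the only argument. Upgrading or reinstalling the app replaces the file, so the edit has to be reapplied afterwards.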