Per DUO support, Splunk DUO connector 1.1.6b and 1.1.6 do not support v2 auth logs; therefore, the connector won't be able to pull those 2FA device IP's in the logs. When will the updated Splunk DUO connector which can support v2 auth logs be available? Thanks.
While not officially supported, you can make this happen with 2 simple edits to duo_input.py in $SPLUNK_HOME/etc/apps/duo_splunkapp/bin/ (this path may be different in your environment). This works on the publicly available 1.1.6 app downloaded directly from Splunkbase. There is also a hidden Dashboard page available https://yoursplunkenvironment/en-US/app/duo_splunkapp/duo_auth_dash_2. Would love to hear if this works for anyone.
Line 11 should be changed. From: logclasses.paginated_authentication_log import PaginatedAuthenticationLog To: from logclasses.paginated_authentication_log_v2 import PaginatedAuthenticationLogv2
Line 360 should be changed. From: PaginatedAuthenticationLog, To: PaginatedAuthenticationLogv2,