duosecurity / duo_log_sync

MIT License

Option to exclude fields #42

Open novwhiskey07 opened 4 months ago

novwhiskey07 commented 4 months ago

Is there a way to exclude specific fields from being sent? I wasn't able to find anything in the config file that would allow for that. Currently we're seeing an issue where the logs are not parsing correctly because we're hitting the limit of 2048 characters per field.

This seems to be because the groups portion is causing the data to go over the max characters. Our users may be a part of up to 10 different groups, so it's being cut off mid-string.

If there was a way to exclude the users groups from sending, that would resolve the issue.

The current workaround is to send the data as CEF instead of JSON, but then the data that is sent is limited. Or remove some groups from the users; then the data fits within 2048 characters and is parsed by our SIEM.

MarkTripod-Duo commented 4 months ago

@novwhiskey07 There is currently no way to transform data directly using DLS. The primary function of DLS is to extract raw log information from the Duo Admin API and then send it to a destination for processing. One alternative solution that may be worth exploring is to configure DLS to send log data to an intermediary processing script to transform the data as needed before feeding it into your SIEM.
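The intermediary-script approach suggested above, sketched as an added example that is not part of duo_log_sync or this thread: a small filter that reads newline-delimited JSON from DLS on stdin, removes configured fields (here the assumed dotted path `user.groups`; the actual location of the groups list in your log layout may differ), reports any remaining field that still exceeds the 2048-character limit so truncation is caught before the SIEM silently cuts it mid-string, and writes the cleaned records to stdout. The record layout and sample lines are constructed for illustration.

```python
"""Hypothetical DLS -> SIEM filter (added example, not duo_log_sync code).

Usage:  dls_output | python dls_filter.py | siem_forwarder
Reads one JSON record per line, drops excluded fields in place, warns on
stderr about fields still over the per-field limit, and re-emits the record.
"""
import json
import sys
from typing import Any, Dict, List, Tuple

# Assumed dotted path of the groups list; adjust to your own log layout.
DEFAULT_EXCLUDE = ["user.groups"]
# Per-field character limit reported in the issue.
DEFAULT_LIMIT = 2048

# Constructed sample records standing in for DLS output (not real Duo data).
SAMPLE_LINES = [
    json.dumps({
        "timestamp": 1700000000,
        "event_type": "authentication",
        "result": "success",
        "user": {"name": "alice", "groups": [f"group-{i}" for i in range(10)]},
    }),
    json.dumps({"timestamp": 1700000001, "event_type": "telephony", "note": "x" * 3000}),
]


def drop_field(record: Dict[str, Any], dotted_path: str) -> bool:
    """Remove one dotted path from `record` in place.

    Returns True if a value was removed, False if the path did not exist.
    Intermediate segments must be dicts; anything else is treated as absent.
    """
    parts = dotted_path.split(".")
    node: Any = record
    for part in parts[:-1]:
        node = node.get(part) if isinstance(node, dict) else None
        if not isinstance(node, dict):
            return False
    return node.pop(parts[-1], None) is not None


def drop_fields(record: Dict[str, Any], paths: List[str]) -> List[str]:
    """Drop every path in `paths`; return the ones that were actually present."""
    return [p for p in paths if drop_field(record, p)]


def oversized_fields(record: Dict[str, Any], limit: int, prefix: str = "") -> List[str]:
    """Return dotted paths whose JSON-serialised value is longer than `limit`.

    Nested dicts are walked; lists and scalars are measured as the SIEM would
    see them, i.e. by their serialised length including quotes and brackets.
    """
    found: List[str] = []
    for key, value in record.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            found.extend(oversized_fields(value, limit, path + "."))
        elif len(json.dumps(value)) > limit:
            found.append(path)
    return found


def transform_line(line: str, exclude: List[str] = None,
                   limit: int = DEFAULT_LIMIT) -> Tuple[str, List[str]]:
    """Filter one JSON line. Returns (compact JSON to forward, oversized paths)."""
    exclude = DEFAULT_EXCLUDE if exclude is None else exclude
    record = json.loads(line)
    drop_fields(record, exclude)
    oversized = oversized_fields(record, limit)
    return json.dumps(record, separators=(",", ":")), oversized


def main(stream=sys.stdin, out=sys.stdout, err=sys.stderr) -> int:
    """Stream records through the filter; count how many still had oversized fields."""
    flagged = 0
    for raw in stream:
        raw = raw.strip()
        if not raw:
            continue
        forwarded, oversized = transform_line(raw)
        for path in oversized:
            err.write(f"warning: field {path} exceeds {DEFAULT_LIMIT} chars\n")
        flagged += bool(oversized)
        out.write(forwarded + "\n")
    return flagged


if __name__ == "__main__":
    sys.exit(0 if main() == 0 else 1)
```

The exit status lets a wrapper alert when a record still carries a field over the limit after exclusion, which is the condition that caused the SIEM parse failures described in the issue; the excluded paths are left as a list so other large fields can be added without touching the logic.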