## Overview

`duologsync` (DLS) is a utility written by Duo Security that fetches logs from Duo endpoints and ingests them into different SIEMs.
## Prerequisites

`duologsync` requires credentials for an Admin API application with the "Grant read log" API permission. Create this application before installation and configuration.

To create the Admin API application: … then note its integration key, secret key and API hostname; you will enter them in the `config.yml` file later.

MSP customers gathering logs from linked accounts should instead create an Accounts API Duo application and use that application's information in the `config.yml` file.
## Installation

1. Make sure you are running Python 3.6, 3.7 or 3.8: `python --version`.
2. Change into the `duo_log_sync` source folder.
3. Run `pip3 install setuptools`.
4. Install `duologsync` by running `python setup.py install` (or `python3 setup.py install`, depending on how your Python is named).
5. Refer to the Configuration section below. You will need to create a `config.yml` file and fill in the Admin API credentials (the `account` section) as well as any other parameters you need.
6. Run `duologsync <complete/path/to/config.yml>`.
7. After editing `config.yml`, restart `duologsync` for the changes to take effect.

## Compatibility

- `duologsync` is compatible with Python versions `3.6`, `3.7` and `3.8`.
- On Windows, `duologsync` is installed in the `\scripts\` folder under the Python installation in most cases.

## Logging

The path of DLS's own log file (not the Duo logs it forwards) can be specified in `config.yml`. By default it is written to the `/tmp` folder with the name `duologsync.log`.
## Configuration

Refer to `template_config.yml` for an example and for an extensive, in-depth explanation of the config.

`dls_settings`:

- `log_format`: how Duo logs should be formatted before being sent to a server/SIEM. Valid options are `CEF` and `JSON`. The default is `JSON`.

`api`:

- `offset`: number of days in the past from which record retrieval should begin. At most 180 days of logs can be fetched. The default is 180.
- `timeout`: seconds to wait between API calls (for fetching Duo logs). If `timeout` is set to less than 120 seconds, it is raised to 120.

`checkpointing`:

- `enabled`: whether checkpoint files should be created to save offset information about API calls; DLS uses them to continue fetching from where it left off if the utility crashes or is restarted. Valid options are `True` or `False`.
- `directory`: path where checkpoint files will be created. The default is `/tmp`.

`proxy`:

- `proxy_server`: host/IP of the HTTP proxy.
- `proxy_port`: port of the HTTP proxy.

`servers` (one entry per destination):

- `id`: a descriptive name for your server. REQUIRED.
- `hostname`: address of the TCP/UDP server to which Duo logs will be sent. REQUIRED.
- `port`: port of the server to which logs will be sent. The valid range is 1024-65535. REQUIRED.
- `protocol`: transport protocol used to communicate with the server. The allowed options are `TCP`, `TCPSSL` and `UDP`. REQUIRED. Only `TCPSSL` encrypts the logs in transit; `TCP` and `UDP` send them in cleartext.
- `cert_filepath`: location of the certificate file used to encrypt communication for `TCPSSL`. `TCPSSL` expects `.key` and `.cert` files that store the keys; in the configuration, give the path of the `.cert`/`.pem` file. REQUIRED if `protocol` is `TCPSSL`.

`account`:

- `ikey`: integration key of the Admin API integration. For an MSP account, this is the integration key of the Accounts API integration. REQUIRED.
- `skey`: secret key of the Admin API integration. For an MSP account, this is the secret key of the Accounts API integration. REQUIRED. Because it holds this key, treat `config.yml` as a secret and restrict its file permissions.
- `hostname`: API hostname of the Admin API integration (the Duo host that serves this account's logs). For an MSP account, this is the API hostname of the Accounts API integration. REQUIRED.
- `endpoint_server_mappings`: a list of mappings (each entry starts with a dash, `-`) with two fields:
  - `endpoints`: the endpoints this mapping applies to, as a list. Valid options are `adminaction`, `auth`, `telephony`, `trustmonitor` and `activity`. REQUIRED.
  - `server`: the server (by its `id`) to which the logs of those endpoints should go. REQUIRED.
- `is_msp`: whether this account is a Duo MSP account with child accounts. If `True`, all child accounts are accessed and logs are pulled for each of them. NOT REQUIRED; the default is `False`.
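As an added example (it is not part of the duologsync project), the following Python module turns the field rules above into pre-flight checks on a loaded config: valid `log_format`, `protocol` and endpoint names, the 180-day `offset` cap, the 120-second `timeout` floor, the 1024-65535 port range, `cert_filepath` when the protocol is `TCPSSL`, the required `account` fields, and that every mapping's `server` names a defined server `id`. It also warns about settings that work but weaken the pipeline (cleartext transports, checkpointing disabled). The nesting of `api`, `checkpointing` and `proxy` under `dls_settings`, and of `endpoint_server_mappings` under `account`, is assumed from the field descriptions rather than stated by this README; the sample config, its placeholder credentials, and the names `check_config`, `broken_example` and `check_file` are the example's own.

```python
import copy
from typing import Any, Dict, List, Tuple

VALID_LOG_FORMATS = {"JSON", "CEF"}
VALID_PROTOCOLS = {"TCP", "TCPSSL", "UDP"}
VALID_ENDPOINTS = {"adminaction", "auth", "telephony", "trustmonitor", "activity"}
MAX_OFFSET_DAYS = 180      # DLS cannot fetch records older than this
MIN_TIMEOUT_SECONDS = 120  # DLS raises smaller values to this

# Constructed sample config, shaped like yaml.safe_load() of a config.yml. The section
# nesting is assumed from the field descriptions above; credential values are placeholders.
EXAMPLE_CONFIG: Dict[str, Any] = {
    "dls_settings": {"log_format": "JSON", "api": {"offset": 180, "timeout": 120},
                     "checkpointing": {"enabled": True, "directory": "/var/lib/duologsync"}},
    "servers": [{"id": "siem", "hostname": "siem.example.com", "port": 6514,
                 "protocol": "TCPSSL", "cert_filepath": "/etc/duologsync/siem.pem"}],
    "account": {"ikey": "DIXXXXXXXXXXXXXXXXXX", "skey": "REPLACE_WITH_SECRET_KEY",
                "hostname": "api-xxxxxxxx.duosecurity.com", "is_msp": False,
                "endpoint_server_mappings": [{"endpoints": ["auth", "adminaction", "trustmonitor"],
                                              "server": "siem"}]},
}


def check_config(cfg: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors break the pipeline, warnings only weaken it."""
    errors: List[str] = []
    warnings: List[str] = []
    dls = cfg.get("dls_settings", {})
    fmt = dls.get("log_format", "JSON")
    if fmt not in VALID_LOG_FORMATS:
        errors.append(f"log_format {fmt!r} is not one of {sorted(VALID_LOG_FORMATS)}")
    api = dls.get("api", {})
    offset = api.get("offset", MAX_OFFSET_DAYS)
    if not 0 <= offset <= MAX_OFFSET_DAYS:
        errors.append(f"offset {offset} days is outside 0-{MAX_OFFSET_DAYS}")
    timeout = api.get("timeout", MIN_TIMEOUT_SECONDS)
    if timeout < MIN_TIMEOUT_SECONDS:  # DLS raises it silently; say so before anyone expects faster polling
        warnings.append(f"timeout {timeout}s is below {MIN_TIMEOUT_SECONDS}s and will be raised")
    if not dls.get("checkpointing", {}).get("enabled", False):
        warnings.append("checkpointing disabled: a restart starts over from 'offset' instead of resuming")

    server_ids = set()
    for i, srv in enumerate(cfg.get("servers", [])):
        where = f"servers[{i}]"
        for key in ("id", "hostname", "port", "protocol"):
            if key not in srv:
                errors.append(f"{where}: required field {key!r} is missing")
        sid = srv.get("id")
        if sid in server_ids:  # mappings refer to servers by id, so ids must be unique
            errors.append(f"{where}: duplicate server id {sid!r}")
        server_ids.add(sid)
        port = srv.get("port")
        if isinstance(port, int) and not 1024 <= port <= 65535:
            errors.append(f"{where}: port {port} is outside 1024-65535")
        proto = srv.get("protocol")
        if proto is not None and proto not in VALID_PROTOCOLS:
            errors.append(f"{where}: protocol {proto!r} is not one of {sorted(VALID_PROTOCOLS)}")
        if proto == "TCPSSL" and not srv.get("cert_filepath"):
            errors.append(f"{where}: cert_filepath is required when protocol is TCPSSL")
        if proto in ("TCP", "UDP"):
            warnings.append(f"{where}: {proto} sends Duo logs in cleartext; prefer TCPSSL")

    acct = cfg.get("account", {})
    for key in ("ikey", "skey", "hostname"):
        if not acct.get(key):
            errors.append(f"account: required field {key!r} is missing or empty")
    mappings = acct.get("endpoint_server_mappings", [])
    if not mappings:
        errors.append("account.endpoint_server_mappings: at least one mapping is required")
    for i, m in enumerate(mappings):
        where = f"endpoint_server_mappings[{i}]"
        if not m.get("endpoints"):
            errors.append(f"{where}: required field 'endpoints' is missing or empty")
        for ep in m.get("endpoints") or []:
            if ep not in VALID_ENDPOINTS:
                errors.append(f"{where}: unknown endpoint {ep!r}")
        if "server" not in m:
            errors.append(f"{where}: required field 'server' is missing")
        elif m["server"] not in server_ids:
            errors.append(f"{where}: server {m['server']!r} is not defined under 'servers'")
    return errors, warnings


def broken_example() -> Dict[str, Any]:
    """EXAMPLE_CONFIG with several mistakes, to show what check_config catches."""
    bad = copy.deepcopy(EXAMPLE_CONFIG)
    bad["dls_settings"]["api"]["timeout"] = 30  # below the 120 s floor
    bad["servers"][0]["port"] = 514  # below 1024
    del bad["servers"][0]["cert_filepath"]  # TCPSSL without a certificate file
    bad["account"]["endpoint_server_mappings"][0]["endpoints"].append("authentication")  # not a valid endpoint
    bad["account"]["endpoint_server_mappings"].append({"endpoints": ["telephony"], "server": "archive"})  # no such id
    return bad


def check_file(path: str) -> Tuple[List[str], List[str]]:
    """Check a real config.yml (needs PyYAML; imported here so the checks above run without it)."""
    import yaml
    with open(path) as fh:
        return check_config(yaml.safe_load(fh))
```

`check_config(EXAMPLE_CONFIG)` returns no errors and no warnings, while `check_config(broken_example())` reports the bad port, the missing `cert_filepath`, the unknown endpoint and the undefined server id as errors and the too-small timeout as a warning. Saved as a module, `check_file("/path/to/config.yml")` runs the same checks on a real file before you start the service.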
## Upgrading an old config

Old configuration files can be converted with `upgrade_config.py`, which automatically updates your old config for you. To use the `upgrade_config.py` script, run `python3 upgrade_config.py <old_config> <new_config>`, where `<old_config>` is the file path of your old configuration file and `<new_config>` is where you would like the new configuration file to be saved. The `upgrade_config.py` script will not delete your old config file; it is preserved.

The `is_msp` field under the `account` section is required only when using DLS with the Accounts API. For this reason, the upgrade script will not create that field in the new config by default.