There are a variety of options for moving logs from Duo into a SIEM (security information and event management) application.
Duo Log Sync is a utility written by Duo Security to enable fetching logs from Duo’s Auth API and Admin API endpoints over TCP/TCP Encrypted. It outputs to JSON format for ingestion into a SIEM.
Duo Log Sync also features:
The ability to pick up from the last event or log and continue sending even after a dropped connection, which helps you stay on top of events.
The ability to configure which endpoints you want to query.
The ability to send in different formats such as JSON and Syslog (CEF).
It is compatible with version 1 and version 2 of Duo’s API endpoints, as well as Python versions 3.6, 3.7, and 3.8.
If you have used the third-party tool Log Grabber in the past, we recommend switching to Duo Log Sync, which is supported by Duo and will receive ongoing improvements, including providing access to the latest Duo API endpoints.
This is a cloud-based device that is added to the UI using an API call. Seceon fetches logs from Duo, and linking Seceon to the Duo application requires the Duo Integration key and Secret Key.
Note that only administrators with the Owner role can create or modify an Admin API application in the Duo Admin Panel.
Configuration steps in DUO and Seceon UI
Steps to fetch the integration key and secret key from the DUO Application
1. Sign up for a Duo account.
2. Log in to the Duo Admin Panel and navigate to Applications.
3. Click Protect an Application and locate the entry for Admin API in the applications list. Click Protect to the far right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to complete your setup. See Protecting Applications for more details on protecting applications in Duo and additional application options.
Treat your secret key like a password
The security of your Duo application is tied to the security of your secret key (skey). Secure it as you would any sensitive credential. Don't share it with unauthorized individuals or email it to anyone under any circumstances!
4. Determine what permissions you want to grant to this Admin API application. Refer to the API endpoint descriptions throughout this document for information about required permissions for operations.
5. Optionally specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.
The Admin API performs the IP check after verifying the authentication signature in a request. Suppose you restrict the allowed networks for API access and see logged events for blocked Admin API requests from unrecognized IP addresses. In that case, this may indicate a compromise of your Admin API application's secret key.
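As an added example (not part of this guide or Duo's own code), the following Python shows how a Duo Admin API request is signed with the integration key and secret key, and models the order of checks described above: signature first, allowed-network check second. The credentials, API host, endpoint path and parameters are constructed values, and HMAC-SHA512 over Duo's canonical request string is assumed as the signing hash.

```python
import hashlib
import hmac
import ipaddress
import base64
from email.utils import formatdate
from urllib.parse import quote

def canonicalize(date, method, host, path, params):
    """Duo API canonical string: date, method, host, path, sorted params."""
    encoded = "&".join(
        f"{quote(k, safe='~')}={quote(v, safe='~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, encoded])

def sign_request(ikey, skey, host, method, path, params, date=None):
    """Return (Date header, Authorization header) for a Duo API request.
    The HMAC is keyed with the skey: whoever holds it can sign valid
    requests, which is why it must be guarded like a password."""
    date = date or formatdate()  # RFC 2822 date, sent as the Date header
    canon = canonicalize(date, method, host, path, params)
    # HMAC-SHA512 assumed here as the signing hash
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha512).hexdigest()
    auth = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return date, f"Basic {auth}"

def check_request(ikey, skey, allowed_networks, client_ip, date, auth_header,
                  method, host, path, params):
    """Illustrative model (not Duo's code) of the server-side order of checks:
    signature first, allowed-network list second. A result of
    'valid_signature_blocked_network' means the request was signed with the
    real skey, the situation the text flags as a possible compromise."""
    _, expected = sign_request(ikey, skey, host, method, path, params, date)
    if not hmac.compare_digest(expected, auth_header):
        return "bad_signature"
    ip = ipaddress.ip_address(client_ip)
    # An empty allow-list means the application may be used from any network
    if allowed_networks and not any(
        ip in ipaddress.ip_network(net) for net in allowed_networks
    ):
        return "valid_signature_blocked_network"
    return "ok"

# Constructed example values, not real Duo credentials or a real API host.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "constructed-secret-key-do-not-use"
HOST = "api-example.duosecurity.com"
PATH = "/admin/v1/logs/authentication"  # endpoint path assumed for illustration
PARAMS = {"mintime": "1700000000"}
```

Seen from the collector side, a "valid_signature_blocked_network" event in Duo's logs is the signal to rotate the skey, because only a holder of the real key can produce a signature that passes the first check.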
Configuration On the Seceon GUI
1. Go to Provisioning > Add-on Devices > Add-on Configuration
2. Click on Add
VERIFICATION OF CONFIGURATION
Verification can be done either from the UI or from the CCE server.
STEP 1: Login to UI >> SYSTEM.
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.
STEP 3: Inside SOURCE DEVICE IP, the source IP will be reflected.
Using CCE SERVER
Log in to the CCE Server as the seceon user and execute the following command.
Online CCE Services :
SERVICE | VERSION | IP | STATUS | FORWARDED PORTS
cce-addon-devices | 8.1.2 | | Up 52 seconds |
Then go inside the addon container by running the command: