- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- DUO Log Add-on for Splunk: What is the syslog form...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DUO Log Add-on for Splunk: What is the syslog format for DUO events?
The DUO Log Add-on for Splunk link text is great but it doesn't provide any field extractions for syslog events. Is there a standard log format for these messages that we can use to build our own field extractions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
"SkyFormation Extend © for Splunk ingest and enriches audit events from multiple business cloud applications (e.g. Duo security, Salesforce, Google App, Box, ServiceNow, Office 365, Okta, Azure and many more) and transform the events into visible and detection-ready (classified, unified enriched and more) in your Splunk or any other SIEM system. SkyFormation Extend© sends its security events to Splunk where they can be stored, analyzed and acted upon according to the organization’s regulations and security needs.".
SkyFormation Extend is a middleware software you could install on-premise on any Linux machine of yours and it will take you 8 minutes to set it up and connect your cloud apps to your Splunk/SIEM.
Please have a look at:
https://splunkbase.splunk.com/app/2932/
Feel more then welcome to ask me any question at asaf@skyformation.com
Best
Asaf
SkyFormation, CEO
www.skyformation.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
boo your advertisement
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The DUO Log Add-on is primarily a modular input, so it likely won't work correctly if you are grabbing the DUO logs with a different method. The data is returned in JSON directly from their API; https://duo.com/docs/adminapi#logs
so the add-on takes advantage of that because most of the field extraction occurs automatically. The add-on also has some field mapping to make it CIM compliant, which probably won't work correctly if the fields are extracted differently.
It sounds like your Splunk admins may be using one of DUO's example scripts for pulling the logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nah, I'm the admin. We're getting the logs via syslog.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure how you get the logs from DUO via syslog. I'm only aware of getting the data from them via their API, in which case it's returned in JSON.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like the app says it's supposed to be in JSON format. Is that not the case?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately not. The message format I'm receiving is basic one-line syslog with values separated by commas. I'm attacking this from two angles though; also working on getting the admins to configure this feed via the API like the app prefers.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
