
URL: https://community.duo.com/t/duo-radius-proxy-logs-to-external-server/12896?elqTrackId=41de4bba7a5345c5a619eb9be808c37e
Submission: On October 31 via api from CA — Scanned from CA

Duo Security Community


DUO RADIUS PROXY LOGS TO EXTERNAL SERVER


Nimrod August 21, 2022, 9:49am #1

Dear Duo Community members,
I am using Duo RADIUS proxy, and it's really simple and great and very reliable,
yet I have a problem: I want to ship its logs to an external server to save the
auth-logs for a longer period of time and to process them through my SIEM. Is
there a built-in way to ship the logs? I skimmed all the documentation and
didn’t find a way to accomplish that. Furthermore, I tried with NXLOG with no
success (if anyone can help with a piece of configuration it will be awesome!).
If anyone has an idea, I’ll be more than thankful, and many thanks in advance.




DuoPablo August 24, 2022, 2:37pm #2

Hi @Nimrod,

Yes, you can have Auth Proxy logs shipped to a SIEM via the following:
https://help.duo.com/s/article/3959

The above creates a secondary log file that is suitable for SIEM consumption via
Splunk Universal Forwarder or similar function. It is a JSON formatted file that
logs primary and secondary authentication events that occur on the respective
Auth Proxy.

I would also suggest that you consume Authentication Logs, Telephony Logs,
Administrator Logs, and Trust Monitor Logs (if applicable) using our Duo Log
Sync utility: https://help.duo.com/s/article/1269

Hope this helps!




Nimrod August 28, 2022, 9:01am #3

DuoPablo:

> would also suggest that you consume Authentication Logs, Telephony Logs,
> Administrator Logs,

Hi, thanks for answering.
I came across these articles, yet there is no way to send the logs; you need
the SIEM to read from the machine’s log file.
I need the Duo proxy to send its logs forward, not to a file, but to
UDP/TCP and to another IP address (aka collector) (for example, syslog
udp/514). I couldn’t find a way to do so.

Thanks in advance.




DuoPablo August 28, 2022, 11:12pm #4

At this time, the Auth Proxy does not have a way to natively ship its logs
(events captured in either authproxy.log or authevents.log) directly to a SIEM.
Please submit this as a Feature Request via your Duo Account Executive, Customer
Success Manager (if applicable), or our Support Team.

What type of events from the Auth Proxy are you most concerned about? I noticed
you had mentioned “auth-logs” but please note that Duo’s Authentication Logs can
be shipped to a SIEM via API, as mentioned earlier (Auth Proxy is not required).




Nimrod September 1, 2022, 5:49am #5

Hi, thanks for the answer.
I would like to catch the “User locked” events and alert the users.




DuoPablo September 1, 2022, 3:14pm #6

When a user becomes locked out of Duo, you may choose to configure & receive an
email alert. Please see https://help.duo.com/s/article/7219 for more
information.

When a user becomes locked out, the event is not recorded in the Authentication
Log. However, if a user tries to authenticate after they have become locked out,
the "reason": "locked_out" will be recorded in the Authentication Log. If you
have these logs shipped to your SIEM, you may also choose to alert on events
that show "reason": "user_marked_fraud" since that means a user denied a Push
that they themselves did not initiate (potential Push Phishing).

Duo Security


DUO ADMIN API

The Duo Admin API provides programmatic access to administrative functionality
of Duo Security’s two-factor authentication platform. Learn more.
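
The alerting idea from the last reply, as an added example that is not part of the thread or of Duo's tooling: it filters Authentication Log records for the two `reason` values named above and formats each hit as a syslog line for a UDP collector. It assumes the records arrive one JSON object per line; the field names `isotimestamp` and `user.name`, the hostname `duo-logsync`, the app name `duo-auth` and the collector address are assumptions or placeholders.

```python
import json
import socket

# Reasons the thread names as worth alerting on.
ALERT_REASONS = {"locked_out", "user_marked_fraud"}

# Constructed sample records, one JSON object per line; the last is a partial write.
SAMPLE = [
    '{"isotimestamp": "2022-09-01T15:14:00+00:00", "reason": "user_approved", "user": {"name": "alice"}}',
    '{"isotimestamp": "2022-09-01T15:15:10+00:00", "reason": "locked_out", "user": {"name": "bob"}}',
    '{"isotimestamp": "2022-09-01T15:16:42+00:00", "reason": "user_marked_fraud", "user": {"name": "carol"}}',
    '{"isotimestamp": "2022-09-01T15:17:',
]

def _clean(value):
    """Drop control characters and spaces so a field cannot forge or split a syslog line."""
    return "".join(c for c in str(value or "") if c.isprintable() and c != " ") or "-"

def find_alerts(lines):
    """Return (timestamp, reason, user) for each record whose reason is alert-worthy."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or half-written line: skip it
        if not isinstance(event, dict):
            continue
        reason = event.get("reason")
        if isinstance(reason, str) and reason in ALERT_REASONS:
            user = event.get("user")
            name = user.get("name") if isinstance(user, dict) else None
            alerts.append((_clean(event.get("isotimestamp")), reason, _clean(name)))
    return alerts

def to_syslog(alert, host="duo-logsync"):
    """Format an alert as an RFC 5424 line; PRI 84 = authpriv (10) * 8 + warning (4)."""
    ts, reason, user = alert
    return f"<84>1 {ts} {host} duo-auth - - - reason={reason} user={user}"

def ship(alerts, collector):
    """Send each alert as one UDP datagram to collector, a (host, port) tuple."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for alert in alerts:
            sock.sendto(to_syslog(alert).encode("utf-8"), collector)

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(to_syslog(alert))
    # ship(find_alerts(SAMPLE), ("192.0.2.10", 514))  # placeholder collector address
```
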




