Documentation Center
AlienVault® USM Anywhere™

Duo Security

When you configure Duo Security to send log data to USM Anywhere, you can use the Duo Two-Factor Authentication CEF plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Duo Security
Device Type Authentication and DHCP
Connection Type Syslog

Integrating Duo Security

Duo Security does not have a connector or integration specific for USM Anywhere. However, there is a duo-log-grabber on GitHub that "grabs the administrator and authentication logs from the Duo Security API and sends CEF-formatted syslog." You can use it to send logs to USM Anywhere instead.

Before you configure the integration, you must have the IP Address of the USM Anywhere Sensor. You also need to obtain account information for the Duo Auth API.

To send CEF-formatted syslog messages to USM Anywhere

  1. Download the utility from
  2. Install the utility.

    pip install -r requirements.txt

  3. Update the conf.ini file.

    1. Update the [api] section with your Duo Security API credentials.
    2. In the [syslog] section, replace <syslog_server> with the IP address of the USM Anywhere Sensor.
  4. Run the utility or schedule it to run at an interval to import Duo Security logs into USM Anywhere.

Plugin Enablement

The Duo Two-Factor Authentication CEF plugin will automatically process all messages when the raw message contains \|Duo Security\|Two-factor\|.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • authentication_mode
  • customfield_0
  • customfield_2
  • customfield_6
  • customfield_7
  • customheader_0
  • customheader_2
  • customheader_6
  • customheader_7
  • destination_hostname
  • destination_username
  • email_sender
  • event_description_url
  • event_name
  • event_outcome
  • event_receipt_time
  • event_severity
  • operating_system
  • plugin_device
  • plugin_device_type
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_address
  • source_username


For troubleshooting, refer to the vendor documentation: