AlienVault® USM Appliance™

Duo Security

When you configure Duo Security to send log data to USM Appliance, you can use the Duo Two-Factor Authentication plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor Duo Security
Device Type Authentication and DHCP
Connection Type Syslog
Data Source Name duo-2fa
Data Source ID 1981

Integrating Duo Security

Duo Security does not provide a connector or integration specific to USM Appliance. However, the open-source duo-log-grabber utility on GitHub "grabs the administrator and authentication logs from the Duo Security API and sends CEF-formatted syslog." You can use it to forward those logs to USM Appliance instead.

Before you configure the integration, you must have the IP address of the USM Appliance Sensor. You also need credentials for the Duo Admin API (integration key, secret key, and API hostname); the administrator and authentication logs are served by the Admin API, not by the Auth API that performs logins. Create a dedicated Admin API application for this purpose and grant it only the permission to read logs, so that the key stored on the log-collection host cannot be used to change users, policies, or settings.

To send CEF-formatted syslog messages to USM Appliance

  1. Download the utility from https://github.com/libresec/duo-log-grabber.
  2. Install the utility's Python dependencies.

    pip install -r requirements.txt

  3. Update the conf.ini file.

    1. Update the [api] section with your Duo Admin API credentials.
    2. In the [syslog] section, replace <syslog_server> with the IP address of the USM Appliance Sensor.
    3. Because conf.ini now contains the Admin API secret key, restrict it to the account that runs the utility (for example, chmod 600 conf.ini).
  4. Run the utility, or schedule it to run at a regular interval (for example, from cron), so that Duo Security logs are imported into USM Appliance continuously. To confirm that messages arrive, run a packet capture on the Sensor for the syslog port while the utility runs (for example, tcpdump -n -i any port 514 if the default syslog port is used) before enabling the plugin.
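The following script is an added illustration, not code from this page or from the duo-log-grabber project, of the transformation the utility performs: it takes Duo authentication log records (constructed sample records here, shaped like Duo Admin API JSON entries), renders each as a CEF line, wraps it as a syslog message, and sends it by UDP to the Sensor. The CEF extension field mapping, the SENSOR_IP constant, and the use of UDP port 514 are assumptions for illustration and are not the duo-2fa plugin's exact expectations or the utility's configuration. It also shows the one detail worth checking in any CEF forwarder: header values must escape `|` and `\`, and extension values must escape `=` and `\`, so a username such as `bob|admin` cannot shift fields or corrupt the event the plugin normalizes.

```python
import socket
import time

# Assumption: the Sensor address; replace with your USM Appliance Sensor IP.
SENSOR_IP = "192.0.2.10"
SYSLOG_PORT = 514  # assumption: standard syslog port over UDP

# Constructed sample records, shaped like Duo Admin API authentication log
# entries (field names are illustrative, not an exact API dump).
SAMPLE_AUTH_LOGS = [
    {"timestamp": 1496875600, "username": "alice", "factor": "Duo Push",
     "result": "SUCCESS", "reason": "User approved", "ip": "203.0.113.10",
     "integration": "VPN"},
    {"timestamp": 1496875660, "username": "bob|admin", "factor": "Phone Call",
     "result": "FAILURE", "reason": "User denied", "ip": "198.51.100.7",
     "integration": "SSH=prod"},
]


def cef_header_escape(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    """CEF extension values: backslash, equals and line breaks must be escaped."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def duo_auth_to_cef(record):
    """Render one Duo authentication record as a single CEF line."""
    success = record.get("result") == "SUCCESS"
    severity = 3 if success else 7  # assumption: failed 2FA rated higher
    header = "|".join([
        "CEF:0",
        cef_header_escape("Duo Security"),
        cef_header_escape("Duo 2FA"),
        cef_header_escape("1.0"),
        cef_header_escape("auth_success" if success else "auth_failure"),
        cef_header_escape("Two-factor authentication "
                          + ("succeeded" if success else "failed")),
        str(severity),
    ])
    # Extension keys (rt, suser, src, outcome, cs1..) are standard CEF names;
    # which of them the duo-2fa plugin actually parses is an assumption.
    ext = {
        "rt": record["timestamp"] * 1000,  # CEF rt is epoch milliseconds
        "suser": record.get("username", ""),
        "src": record.get("ip", ""),
        "outcome": record.get("result", ""),
        "reason": record.get("reason", ""),
        "cs1Label": "factor", "cs1": record.get("factor", ""),
        "cs2Label": "integration", "cs2": record.get("integration", ""),
    }
    extension = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in ext.items())
    return header + "|" + extension


def syslog_line(cef, hostname="duo-log-grabber", facility=4, severity=6):
    """Wrap a CEF line as an RFC 3164 style syslog message (<PRI>TS HOST MSG)."""
    pri = facility * 8 + severity  # auth facility, informational
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {cef}"


def send_to_sensor(lines, sensor_ip=SENSOR_IP, port=SYSLOG_PORT):
    """Send each line as one UDP syslog datagram; returns the count sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (sensor_ip, port))
    finally:
        sock.close()
    return len(lines)


if __name__ == "__main__":
    messages = [syslog_line(duo_auth_to_cef(r)) for r in SAMPLE_AUTH_LOGS]
    for m in messages:
        print(m)
    # Uncomment once SENSOR_IP points at a real Sensor:
    # send_to_sensor(messages)
```

Run it once with the send call left commented and compare the printed lines against what the Sensor receives in a packet capture; the second sample record shows the escaped `cs2=SSH\=prod` value and the unescaped pipe inside `suser`, which is legal in the extension but would have split the header had the username landed there unescaped.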

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://community.duo.com/t/pulling-logs-via-api/1346