When you configure Duo Security to send log data to USM Appliance, you can use the Duo Two-Factor Authentication plugin to translate the raw log data into normalized events for analysis.
| Device Type | Authentication and DHCP |
| Data Source Name | duo-2fa |
| Data Source ID | 1981 |
Integrating Duo Security
Duo Security does not have a connector or integration specific to USM Appliance. However, there is a duo-log-grabber on GitHub that "grabs the administrator and authentication logs from the Duo Security API and sends CEF-formatted syslog." You can use it to send logs to USM Appliance instead.
Before you configure the integration, you must have the IP address of the USM Appliance Sensor. You also need to obtain account information for the Duo Auth API.
To send CEF-formatted syslog messages to USM Appliance
- Download the utility from https://github.com/libresec/duo-log-grabber.
- Install the utility.
    pip install -r requirements.txt
- Update the conf.ini file.
  - Update the [api] section with your Duo Security API credentials.
  - In the [syslog] section, replace <syslog_server> with the IP address of the USM Appliance Sensor.
- Run the utility or schedule it to run at an interval to import Duo Security logs into USM Appliance.
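Before the first run, a pre-flight check on conf.ini can catch an unedited <syslog_server> placeholder, empty credential values, or a credentials file that other local users can read. The following is an added example, not part of duo-log-grabber or of this page's original content; the key names in the sample files are assumptions, and the check itself relies only on the [api] and [syslog] section names and the placeholder named in the steps above.

```python
import configparser
import ipaddress
import os
import tempfile

# Constructed samples. Key names are assumptions, not the utility's documented keys.
UNEDITED = "[api]\nikey =\nskey =\n[syslog]\nserver = <syslog_server>\n"
EDITED = "[api]\nikey = EXAMPLE_IKEY\nskey = EXAMPLE_SKEY\n[syslog]\nserver = 192.0.2.10\nport = 514\n"

def is_ip(value):
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True

def check_conf(path):
    """Return a list of problems found in conf.ini before the first run."""
    problems = []
    # The file holds Duo API credentials, so only its owner should read it.
    if os.name == "posix" and os.stat(path).st_mode & 0o077:
        problems.append("file is accessible to group or others")
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    for section in ("api", "syslog"):
        if not cfg.has_section(section):
            problems.append(f"missing [{section}] section")
            continue
        for key, value in cfg.items(section):
            if not value.strip():
                problems.append(f"[{section}] {key} is empty")
            elif "<" in value and ">" in value:  # e.g. unedited <syslog_server>
                problems.append(f"[{section}] {key} still holds a placeholder")
    if cfg.has_section("syslog") and not any(is_ip(v) for _, v in cfg.items("syslog")):
        problems.append("[syslog] has no IP address value for the Sensor")
    return problems

def check_text(text, mode):
    """Write sample text to a temp file with the given mode, then check it."""
    fd, path = tempfile.mkstemp(suffix=".ini")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    result = check_conf(path)
    os.remove(path)
    return result

if __name__ == "__main__":
    print(check_text(UNEDITED, 0o644), check_text(EDITED, 0o600))
```

Against a real installation, call `check_conf("conf.ini")` from the directory that holds the file and resolve every reported problem before scheduling the utility.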
For plugin enablement information, see Enable Plugins.
For troubleshooting, refer to the vendor documentation: