If you are not using the Sumo Logic FedRAMP deployment, collect logs for the Duo Security App with the new Cloud-to-Cloud Integration for Duo Security instead: create the source there and use the same source category when installing the app.
This page demonstrates how to configure log collection for the Duo Security App.
The Duo Security App uses the following logs. See the Duo documentation for details of the log schema.
- Authentication Logs
- Administrator Logs
- Telephony Logs
Configuring log collection involves the following steps:
- Create an HTTP Logs and Metrics Source.
- Create an integration key, secret key, and API hostname in Duo.
- Download the Lambda Function code, and upload it to AWS Lambda Console and create a Lambda function.
- Define Environment Variables for the Lambda Function.
- Add a time-based trigger for the Lambda function.
Step 1. Create Hosted Collector and HTTP Source
- Create a Hosted Collector.
- Create an HTTP Logs and Metrics Source on the Collector you created in the previous step.
When you have configured the HTTP Source, Sumo will display the URL of the HTTP endpoint. Make a note of the URL. You will use it when you configure the Lambda Function to send data to Sumo.
Step 2. Create an integration key, secret key, and API hostname in Duo
The Duo Admin API allows you to integrate your application with Duo Security’s platform at a low level. The API has methods for creating, retrieving, updating, and deleting the core objects in Duo’s system for seamless integrations.
To create an integration key, secret key, and API hostname in Duo, see the Duo Admin API documentation.
Step 3. Download Lambda Function code and Import it to AWS Lambda
Do one of the following:
- Download the zip file from Sumo's archive.
- Clone the GitHub repository, and zip the duo_client folder and the lambda_function.py file together.
Then create the function:
- Log in to the AWS console, navigate to the Lambda service, and click Create Function.
- Provide a Name, and select the Runtime as Python 3.6.
- Choose an existing Role or create a new one to execute the Lambda function. Then click Create Function.
- For the Function code section, select Upload a Zip File from Code entry type. Upload the zip file you downloaded.
The Function code directory structure should look like this: there must not be an extra folder between the root folder duo_test2 and the duo_client folder, and the lambda_function.py file must be directly under the root folder.
Step 4. Define Environment Variables for Lambda Function
Define the following environment variables on the AWS Lambda Function page:
- COLL_ENDPOINT: the URL of the Sumo Logic HTTP Source you created in Step 1.
- SCAN_INTERVAL_IN_SEC: polling interval for the Duo APIs. The recommended value is 600 seconds (10 minutes).
- I_KEY, S_KEY, HOST: Duo's integration key, secret key, and API hostname. See Duo's documentation for details.
Step 5. Add Timer trigger for the Lambda Function
Create a rule to run your Lambda function on a schedule. To create a rule using the console:
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- In the navigation pane, choose Events, Create rule.
- For Event Source, do the following:
  - Choose Schedule.
  - Choose Fixed rate of and specify a schedule interval of 10 minutes.
- For Targets, choose Add target and then choose Lambda function.
- For Function, select the Lambda function that you created.
- Choose Configure details.
- For Rule definition, type a name and description for the rule.
- Choose Create rule.
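The following is an added example, not the page's or Sumo Logic's code: the Lambda described in Steps 3 to 5 bundles Duo's duo_client library, whereas this standard-library version shows the same pieces end to end, reading the Step 4 environment variables, signing Duo Admin API requests with HMAC-SHA1 the way Duo documents it, polling one SCAN_INTERVAL_IN_SEC window, and posting newline-delimited JSON to COLL_ENDPOINT. The function names and the v1 log endpoint paths are assumptions.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import os
import time
import urllib.parse
import urllib.request

# Duo Admin API v1 log endpoints (assumed; their mintime parameter is in seconds).
LOG_PATHS = ("/admin/v1/logs/authentication", "/admin/v1/logs/administrator", "/admin/v1/logs/telephony")

def canonical_request(date, method, host, path, params):
    """Duo canonical string: RFC 2822 date, method, lower-case host, path, then the params
    sorted by key and RFC 3986-encoded (a space becomes %20, never '+')."""
    encoded = "&".join(f"{urllib.parse.quote(k, '~')}={urllib.parse.quote(str(v), '~')}"
                       for k, v in sorted(params.items()))
    return "\n".join([date, method.upper(), host.lower(), path, encoded])

def sign_request(ikey, skey, method, host, path, params, date=None):
    """HMAC-SHA1 the canonical string with S_KEY; send it as HTTP Basic auth with user I_KEY."""
    date = date or email.utils.formatdate()
    canon = canonical_request(date, method, host, path, params).encode()
    sig = hmac.new(skey.encode(), canon, hashlib.sha1).hexdigest()
    token = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {token}"}

def poll_window(now_s, scan_interval_s):
    """Query parameters covering the last SCAN_INTERVAL_IN_SEC seconds."""
    return {"mintime": int(now_s) - int(scan_interval_s)}

def fetch_duo_logs(ikey, skey, host, path, params):
    query = urllib.parse.urlencode(sorted(params.items()), quote_via=urllib.parse.quote)
    headers = sign_request(ikey, skey, "GET", host, path, params)
    req = urllib.request.Request(f"https://{host}{path}?{query}", headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("response", [])

def lambda_handler(event, context):
    """Entry point using the page's environment variables; posts newline-delimited JSON to Sumo."""
    ikey, skey, host = os.environ["I_KEY"], os.environ["S_KEY"], os.environ["HOST"]
    params = poll_window(time.time(), os.environ.get("SCAN_INTERVAL_IN_SEC", "600"))
    for path in LOG_PATHS:
        records = fetch_duo_logs(ikey, skey, host, path, params)
        if records:  # one JSON record per line; the HTTP Logs source splits on newlines
            body = "\n".join(json.dumps(r) for r in records).encode()
            req = urllib.request.Request(os.environ["COLL_ENDPOINT"], data=body, method="POST")
            urllib.request.urlopen(req, timeout=30).close()
    return {"polled": len(LOG_PATHS)}
```

Because the signature covers the Date header, a clock skew of more than a few minutes on the Lambda side makes Duo reject every request, which is the first thing to check when the source stops receiving data.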