Sumo Logic App for Duo Security uses following logs. See Duo's documentation for details of the log schema.
- Authentication Logs
- Administrator Logs
- Telephony Logs
- Create an HTTP Logs and Metrics Source.
- Download the Lambda Function code, and upload it to AWS Lambda Console and create a Lambda function.
- Define Environment Variables for the Lambda Function.
- Add a time-based trigger for the Lambda function.
Step 1. Create Hosted Collector and HTTP Source
- Create a Hosted Collector.
- Create an HTTP Logs and Metrics Source on the Collector you created in the previous step.
When you have configured the HTTP Source, Sumo will display the URL of the HTTP endpoint. Make a note of the URL. You will use it when you configure the Lambda Function to send data to Sumo.
Step 2. Download Lambda Function code and Import it to AWS Lambda
Login to AWS console, navigate to Lambda service and click Create Function.
Provide a Name, and select the Run Time as Python 3.6.
Choose an existing Role or create a new one to execute the Lambda function. Then click Create Function.
For the Function code section select Upload a Zip File from Code entry type. Upload the zip file you downloaded.
The Function code directory structure should look like this, make sure there isn't an extra folder between the root folder duo_test2 and the duo_client folder. The lambda_function.py file needs to be directly under the root folder.
Step 3. Define Environment Variables for Lambda Function
Define the following environment variables on the AWS Lambda Function page:
- COLL_ENDPOINT : Sumo Logic Hosted Collector End Point
- SCAN_INTERVAL_IN_SEC : Polling interval for Duo APIs. The recommended value is 600 seconds (10 minutes)
- I_KEY, S_KEY, HOST : Duo’s integration key, secret key, and API hostname. See Duo's documentation for details.
Step 4. Add Timer trigger for Lambda Function you just created
Create a rule to run your Lambda function on a schedule. To create a rule using the console:
- Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
- In the navigation pane, choose Events, Create rule.
- For Event Source, do the following:
- Choose Schedule.
- Choose Fixed rate of and specify the schedule interval for 10 minutes
- For Targets, choose Add target and then choose Lambda function.
- For Function, select the Lambda function that you created.
- Choose Configure details.
- For Rule definition, type a name and description for the rule.
- Choose Create rule.