Prerequisites:
A DUO Security (https://duo.com/) admin account that has read access
to the DUO Admin API.
You'll need the DUO API host, an Integration Key and a Secret Key.
Deployment options:
For a single-instance Splunk system, install by the usual installation method.
For distributed Splunk systems, the recommended place to install is
a heavy forwarder, but it can also be set up on a search head as long as
the search head is configured to forward data to your indexing tier.
Configuration steps:
Once installed, a local input type titled "DUO Security 2fa logs" should be
listed under Data inputs.
-Select the "DUO Security 2fa logs" input.
-Click the "New" button at the top.
-Enter a unique, descriptive name for the input
-Enter the relevant API host and credential information
-Set the number of days of historical data you'd like to pull the first time.
 After the first run of the input, this setting has no effect,
 because the checkpointing process records the time of the last indexed event
 and resumes from there.
-Set the interval in seconds at which data is pulled. If it is set too low,
 Duo will return a 429 "too many requests" error, so monitor
 your splunkd.log for this error message.
 NOTE: From experience, you are likely to get the 429 response on a regular basis
 if you use an interval of 300 seconds or less. YMMV.
-Select which DUO logs you want to enable
-Click "Next"
-If the API hostname and credentials verify correctly, the input setup
should complete successfully.
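The steps above describe a polling input that signs Duo Admin API requests with the Integration Key and Secret Key, keeps a checkpoint so a run resumes where the last one stopped, and has to cope with HTTP 429 when the interval is too short. The Python below is an added example of that pattern, written here for illustration; it is not the TA's own code from the repository. It assumes the v2 authentication log endpoint (/admin/v2/logs/authentication), the [timestamp, txid] form of next_offset pagination, a two-minute lag on maxtime for late-arriving events, and it uses the upper bound of the fully consumed window as the next checkpoint rather than the last event's own timestamp. The transport is injectable (`send`) so the logic can be exercised against a fake without a live Duo tenant.

```python
import base64
import email.utils
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed endpoint: Duo Admin API v2 authentication log (not a constant from the TA).
LOG_PATH = "/admin/v2/logs/authentication"


def encode_params(params):
    """Sort parameters by name and percent-encode them, leaving only '~' unescaped,
    as the Duo canonical request requires; the same string is used as the query."""
    return "&".join(
        urllib.parse.quote(str(k), safe="~") + "=" + urllib.parse.quote(str(v), safe="~")
        for k, v in sorted(params.items())
    )


def canonicalize(date, method, host, path, params):
    """Duo Admin API canonical request: date, method, host, path and params, one per line."""
    return "\n".join([date, method.upper(), host.lower(), path, encode_params(params)])


def sign(ikey, skey, date, method, host, path, params):
    """HMAC-SHA1 the canonical string with the Secret Key. The hex digest becomes the
    password of an HTTP Basic Authorization header whose username is the Integration Key."""
    canon = canonicalize(date, method, host, path, params)
    digest = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    return "Basic " + base64.b64encode(f"{ikey}:{digest}".encode()).decode()


def build_request(api_host, ikey, skey, path, params, now=None):
    """Return (url, headers) for a signed GET. The Date header is covered by the
    signature, so it must be regenerated for every attempt, including retries."""
    date = email.utils.formatdate(now)
    headers = {"Date": date, "Host": api_host,
               "Authorization": sign(ikey, skey, date, "GET", api_host, path, params)}
    return "https://" + api_host + path + "?" + encode_params(params), headers


def urllib_send(url, headers):
    """Real transport: returns (status, lower-cased headers, body); 4xx/5xx are returned."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def get_with_backoff(make_request, send, sleep=time.sleep, max_attempts=5):
    """Send a freshly signed request; on HTTP 429 wait for Retry-After (falling back
    to exponential backoff) instead of hammering the API, then try again."""
    for attempt in range(max_attempts):
        url, headers = make_request()
        status, rheaders, body = send(url, headers)
        if status != 429:
            return status, body
        sleep(int(rheaders.get("retry-after", 2 ** attempt)))
    raise RuntimeError("Duo kept returning 429 'too many requests'; raise the polling interval")


def pull_authentication_logs(api_host, ikey, skey, checkpoint_ms, send=urllib_send,
                             sleep=time.sleep, now_ms=None, limit=1000):
    """Pull authentication logs from checkpoint_ms up to two minutes ago, following
    next_offset pagination. Returns (events, new_checkpoint_ms). The upper bound is
    lagged so late-arriving events are not skipped, and that bound becomes the next
    checkpoint once every page of the window has been consumed (assumed design)."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    maxtime_ms = now_ms - 120_000
    params = {"mintime": checkpoint_ms, "maxtime": maxtime_ms, "limit": limit}
    events = []
    while True:
        status, body = get_with_backoff(
            lambda: build_request(api_host, ikey, skey, LOG_PATH, params), send, sleep)
        if status != 200:
            raise RuntimeError(f"Duo API returned HTTP {status}: {body[:200]!r}")
        payload = json.loads(body)
        if payload.get("stat") != "ok":
            raise RuntimeError(f"Duo API error: {payload}")
        response = payload["response"]
        events.extend(response.get("authlogs", []))
        next_offset = response.get("metadata", {}).get("next_offset")
        if not next_offset:
            return events, maxtime_ms
        # v2 next_offset is a [timestamp_ms, txid] pair and is sent back comma-joined.
        params["next_offset"] = ",".join(str(x) for x in next_offset)
```

A modular input built this way would persist the returned checkpoint between runs and feed it back as `checkpoint_ms`; the first run seeds it from the "days of historical data" setting. Because the Date header is part of the signature, the request is rebuilt on every retry rather than re-sent, otherwise a long Retry-After would leave you replaying a stale signature that Duo rejects.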
Optional configurations:
-Clicking the "More settings" radio button allows you to select an index
 other than the default
Source repo is here: https://github.com/bawood/TA-DUOSecurity2FA
Pull requests/suggestions are welcome.
Future roadmap:
-Splunk certification
-Proxy support
-Improve configuration validation and exception handling when calling the DUO API
Recent changes:
-Removed the old splunktalib, which contained cruft that was blocking Splunk Cloud deployments
-Updated the Splunk Python SDK library and added icons for app certification to enable install in Splunk Cloud
-CIM compliance has been added
-Added the ability to pull DUO account summary info