Duo Log Sync: Sending Your Duo Logs to Your SIEM
The Problem
Data is key for an organization to make any decision. But for data to be effective, it needs to be in a central location, which has presented a challenge.
Duo Log Sync helps customers overcome the challenge of data centralization by allowing them to easily send their logs from Duo to the SIEM of their choosing.
Before we began development on this tool, we wanted to make sure we understood the customers’ pain points rather than just their problem. As such, we reached out to as many customers as we could from our community and from our Customer Success teams. We conducted 44 interviews with companies ranging from SMBs to large enterprises.
In our conversations with customers we found that there was no simple way for customers to send logs from Duo to a SIEM. In fact, we discovered that some level of technical experience was required to achieve even a rudimentary ability to do this.
When digging in further and listening to what the customers’ ideal solution would look like, four key themes emerged:
Simplicity: A solution had to be easy to install, setup, and then forget about
Granularity: Customers need the ability to configure Duo Log Sync to accomplish their aims
Compatibility: A solution had to be easy to use with the ever-expanding field of SIEMs
Flexibility: A solution must allow customers to make customizations if they need to tinker
To solve our customers’ pain points and also address these four key themes we designed the Duo Log Sync tool from the ground up.
The Technical Implementation
The lead engineer for this project, Rohan Bendre, made sure the application was as simple as possible so end users could make changes locally if needed and use it for their specific use cases.
In order to achieve simplicity, the architecture of our tool was a pub-sub model. This means:
Producers are responsible for fetching logs from different endpoints and each endpoint has its own producer
Producers write data to different queues
Every log will have its own queue from which to consume data. This will allow Duo Log Sync to manipulate different logs in a different manner. e.g. sending different logs to different SIEMs over different transport protocols
Sending in different formats like JSON and syslog (CEF)
There were many technical considerations taken into account from our customer calls, and every call about Duo Log Sync touched on four key feature requirements:
It should be easy to install, setup and configure
Customers should have the ability to enable specific endpoints
The solution must be able to recover from application or network failures
And it must support multiple protocols (TCP, TCP over SSL, UDP)
To achieve the required features, we made sure to write our code as simply as possible so modifications would be easy to make. We also wanted to allow Duo Log Sync to be installed through PIP so customers could easily download and run it. Our configuration file has easy to follow parameters and we used asyncio to make asynchronous calls to endpoints.
Lastly, we wanted to make sure that our Duo Community could customize, improve, and tinker with Duo Log Sync, which is why we have made it open source. We cannot wait to see what the Duo Community does with the Duo Log Sync.
We know Duo Log Sync will continue to evolve with Duo’s offerings and we will make sure we continue to develop Duo Log Sync to address any pain points our customers experience.
Try Duo For Free
With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.