The code in this project is heavily based on the example provided by the duo_client module.
Some of the additions are:
- Improved performance in cases where a large number of log entries is being fetched.
- Fixed some code that forced it to be run on Windows. The code now works on Windows, Mac, and Linux.
- Added support for command-line arguments and help documentation.
- Detects when Duo starts throttling requests, and exits cleanly.
- In the Administrator logs, under certain conditions a JSON object is logged in the field named description. Since JSON does not guarantee a consistent ordering of keys, this makes the field hard to match with a regex. This script sorts the keys of that JSON object so that the parsing rules behave consistently.
- The example only logged to STDOUT. This version implements a TimedRotatingFile logger that writes the messages to individual log files, which are rotated nightly and kept for 7 days. This helps ensure that no logs are lost due to truncation and the like, while also ensuring the logs don't eventually fill up the disk.
This script is intended to be run from any operating system that can run Python. Use cron on Linux, or a scheduled task on Windows.
On my local Macbook Pro, it takes just over 3 seconds to download the limit (1,000 entries x 3 logs = 3,000 logs), including the startup time for Python. Because it performs well, I think that enabling a system service mode for this script would likely be overkill.
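As an added illustration of the two points above (sorted JSON keys in the Administrator log description, and a nightly-rotated log file kept for 7 days), here is example code that is not the project's own; the sample entries are constructed, and the flat `timestamp key=value ...` line layout is an assumption, not necessarily the script's real output format.

```python
import json
import logging
import os
from logging.handlers import TimedRotatingFileHandler

# Constructed sample Administrator log entries. The first two are the same event
# with the JSON keys in "description" in a different order, as Duo may return them.
SAMPLE_ADMIN_LOGS = [
    {"timestamp": 1538000000, "action": "admin_login", "username": "alice",
     "description": '{"ip_address": "203.0.113.7", "factor": "push"}'},
    {"timestamp": 1538000000, "action": "admin_login", "username": "alice",
     "description": '{"factor": "push", "ip_address": "203.0.113.7"}'},
    {"timestamp": 1538000060, "action": "user_update", "username": "bob",
     "description": "Status changed to Active"},  # plain text, not JSON
]

def normalize_description(entry):
    """Copy of entry; a JSON-object description is re-serialized with sorted keys
    so the MPE regex always sees the fields in the same order."""
    out = dict(entry)
    desc = out.get("description")
    if not isinstance(desc, str):
        return out
    try:
        parsed = json.loads(desc)
    except ValueError:
        return out  # free-text description: leave it as is
    if isinstance(parsed, dict):
        out["description"] = json.dumps(parsed, sort_keys=True, separators=(",", ":"))
    return out

def format_line(entry):
    """Flat key=value line with the Unix timestamp first (an assumed layout, not
    necessarily the project's) so the 'Unix time' date parser can read it."""
    e = normalize_description(entry)
    ts = e.pop("timestamp")
    return f"{ts} " + " ".join(f"{k}={v}" for k, v in sorted(e.items()))

def build_logger(log_dir, name="duo"):
    """Logger writing to <log_dir>/duo.log, rotated at midnight and kept 7 days."""
    os.makedirs(log_dir, exist_ok=True)
    handler = TimedRotatingFileHandler(os.path.join(log_dir, name + ".log"),
                                       when="midnight", backupCount=7, utc=True)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    return logger
```

To try it, call `build_logger("logs")` once and pass `format_line(rec)` to its `info()` for each fetched entry; the two differently ordered sample entries produce byte-identical lines.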
Set up the Duo side of things by following the "First Steps" section at https://duo.com/docs/splunkapp. Make note of these:
- "Integration Key" (ikey)
- "Secret Key" (skey)
- "API Hostname" (host)
Download the latest Python3 at https://www.python.org/downloads/windows/
During installation, enable Python for all users, and check the box to update the environment variables.
Then, download the code from this project at https://github.com/justintime/logrhythm-duo/archive/master.zip and extract the zip file.
To install to the default path of C:\LogRhythm\logrhythm-duo, simply run the included resources\setup.ps1 script as Administrator. Also note: if you're running the LogRhythm SysMon Agent as a dedicated user instead of SYSTEM, add that user at the top of setup.ps1 as indicated in the comments.
Since we don't need elevated permissions to run this, let's create a dedicated user.
```bash
# Create our user:
sudo useradd -d /home/logrhythm -s /bin/bash -m logrhythm
# Create our directory and make logrhythm the owner of it:
sudo mkdir /opt/logrhythm-duo && sudo chown logrhythm:logrhythm /opt/logrhythm-duo && sudo chmod 700 /opt/logrhythm-duo
# Become the new user and clone this repo:
sudo su - logrhythm -c 'git clone https://github.com/justintime/logrhythm-duo.git /opt/logrhythm-duo'
# Edit duo.conf and put in your API keys and host:
sudo nano /opt/logrhythm-duo/duo.conf
```
Configure duo.conf by setting the ikey, skey, and host values, as shown to you in your Duo control panel under the Admin app.
To install the dependencies of this script, run the following command from the directory of the script:
```bash
pip3 install --requirement requirements.txt
```
```bash
# Create the cronjob:
sudo cp /opt/logrhythm-duo/resources/logrhythm-duo /etc/cron.d
```
If you ran the setup script, you should have a scheduled task already running!
Much of the credit here goes to Nicholas Ritter at LogRhythm for coming up with the MPE Rules.
- Deployment Manager -> Tools menu -> Knowledge -> Log Source Type Manager
- Click the + button
- Fill out the following fields:
| Field | Value |
|---|---|
| Name | Flat File - Duo Security 2FA |
| Abbreviation | Duo2FA |
| Log Format | Text File |
| Brief Description | Duo Security 2FA logs utilizing the Duo Python Client API |
| Additional Details | Up to you :) |
- Deployment Manager -> Tools menu -> Knowledge -> MPE Rule Builder
- Open up MPERules.txt in a viewer.
- For each rule in MPERules.txt, create a new rule:
  - Click the + button.
  - Select "Flat File - Duo Security 2FA" by expanding "Custom Log Source Types" in the "Log Message Source Type Associations" pane in the top right.
  - Fill in the Rule Name, Common Event, Rule Status, Brief Description, and Base-rule Regular Expression from MPERules.txt.
  - For rules that have sub-rules, right-click the grid under the Sub-Rules tab and click New:
    - Fill in the Rule Name, Common Event, Rule Status, Brief Description, and Mapping Tags from MPERules.txt.
    - Click the OK button, and repeat for all sub-rules.
  - Click the disk icon to save the rule.
- While still in the MPE Rule Editor, click the folder icon to open a rule library.
- Type "duo" in the filter box under "Select Log Message Source Type", and click on "Flat File - Duo Security 2FA".
- Edit menu -> Edit Base-rule Sorting
- Ensure that the rules are in the EXACT order as listed in MPERules.txt.
- Click the OK button.
- Close the Rule Builder window.
- Deployment Manager -> Log Processing Policies tab
- Click the + button to create a new policy.
- Select "Custom" from the Record Type Filter, and then select "Flat File - Duo Security 2FA" from the "Log Source Type" pane.
- Press the OK button.
- Enter "LogRhythm Default" for the Name.
- Enter "Duo Security 2FA logs utilizing the Duo Python Client API" for the Brief Description.
- Right-click inside the Rules grid and click "Check All Displayed".
- Right-click inside the grid and select "Properties".
- Click the "Enabled" box, then click the OK button.
- Click the OK button to dismiss the MPE Policy Editor window.
- Deployment Manager -> System Monitors tab, double click the machine running the logrhythm-duo script.
- Right click the grid, and select "New".
- For the "Log Source Type", select your new "Flat File - Duo Security 2FA" source.
- Select "LogRhythm Default" from the Log MPE Policy.
- Select the "Flat File Settings" tab.
- Put the full path to the log files in the File Path box. If you used the Linux examples above, you'd use `/opt/logrhythm-duo/logs/*.log*`.
- In the "Date Parsing Format" field, select 'Linux Audit Log (Unix time)'.
- Click the "OK" button.
Run the script verbosely from the command line:
```bash
python logrhythm-duo.py -v
```
You should get some messages about how many logs the script downloaded. If you did, you're good to go and can configure the script to run from Task Scheduler or cron.