duologsync (DLS) is a utility written by Duo Security that supports fetching logs from Duo endpoints and ingesting them to different SIEMs.
duologsync requires credentials for an Admin API application with the "Grant read log" API permission. Create this application before installation and configuration.
To create the Admin API application:
config.yml file later.MSP customers gathering logs from linked accounts should create an Accounts API Duo application and use that application's information in the config.yml file.
python --version.duo_log_sync folder.pip3 install setuptools.duologsync by running python/python3 setup.py install. Configuration section below. You will need to create a config.yml file and fill out credentials for the adminapi in the duoclient section as well as other parameters if necessary.duologsync <complete/path/to/config.yml>.duologsync for changes to take effect.3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, and 3.13.duologsync is installed in the \scripts\ folder under the Python installation in most cases.config.yml. By default, logs will be stored under the /tmp folder with name duologsync.log.template_config.yml for an example and for extensive, in-depth config explanation.log_format field is a dls_settings setting and it is for how Duo logs should be formatted before being sent to a server/siem. Valid options are CEF, JSON. The default will be JSON.offset field is a api setting and it is for days in the past from which record retrieval should begin. Maximum logs that can be fetched is 180 days in past. The default is 180.timeout field is a api setting and it is for seconds to wait between API calls (for fetching Duo logs). If timeout is set to less than 120 seconds, it will be defaulted to 120.enabled field is a checkpointing setting and it is for whether checkpoint files should be created to save offset information about API calls which will be used to continue fetching of data if utility crashes or is restarted. Valid options are True or False.directory field is a checkpointing setting is to mention path where checkpoint files will be created. The default is /tmp.proxy_server is a proxy setting and it is a Host/IP for the Http Proxy.proxy_port is a proxy setting and it is a Port for the Http Proxy.id is a servers setting and it is a descriptive name for your server. It is a REQUIRED field.hostname is a servers setting and it is a address of TCP/UDP server to which Duo logs will be sent. It is a REQUIRED field.port is a servers setting and it is a Port of server to which logs will be sent. The valid port range is 1024-65535. It is a REQUIRED field.protocol is a servers setting and it is a transport protocol used to communicate with the server. The allowed options are TCP, TCPSSL, UDP. It is a REQUIRED field.cert_filepath is a servers setting and it is a location of the certificate file used for encrypting communication for TCPSSL. TCPSSL expects that there are .key and .cert files that store keys. For configuration, give path of .cert/.pem file that has keys. It is a REQUIRED field if protocol is TCPSSL.ikey is a account setting and it is a integration key of the Admin API integration. For MSP accoint, this should have integration key for Accounts API. It is a REQUIRED field.skey is a account setting and it is a private key of the Admin API integration. For MSP accoint, this should have private key for Accounts API. It is a REQUIRED field.hostname is a account setting and it is a api-hostname of the Admin API integration on which the server hosting this account's logs. For MSP accoint, this should have api-hostname for Accounts API. It is a REQUIRED field.endpoints field is a endpoint_server_mappings setting. It is for defining what endpoints the mapping is for as a list. The valid options are auth, telephony, trustmonitor, activity. It is a REQUIRED field.server field is a endpoint_server_mappings setting. It is where you define to what servers the logs of certain endpoints should go.This is done by creating a mapping (start with dash -).It is a REQUIRED field.is_msp field is to define whether this account is a Duo MSP account with child accounts. If True, then all the child accounts will be accessed and logs will be pulled for each child account. It is a NOT REQUIRED field. The default is Falseupgrade_config.py which will automatically update your old config for you.upgrade_config.py script, simply run the following command: python3 upgrade_config.py <old_config> <new_config> where <old_config> is the filepath or your old configuration file, and <new_config> is where you would like the new configuration file to be saved.upgrade_config.py script will not delete your old config file, it will be preserved.is_msp field under accounts section is required only when using DLS with the Accounts API. For this reason, the upgrade script won't create that field in new config by default.$ claude mcp add duo_log_sync \
-- python -m otcore.mcp_server <graph>