Duo Splunk Connector
Overview
Details
Once configured, the connector automatically pulls in the following Duo logs for the last 30 days:
Authentication Logs
Administrator Logs
Telephony Logs
Endpoint Logs
The connector comes populated with default dashboards for the above logs. Administrators can create new dashboards or manipulate the existing dashboards.
View our documentation at: http://duo.com/docs/splunkapp
Release Notes
Version 1.1.7
Version 1.1.7 - July 9, 2020
---
- App now supports Splunk version 8.0.
- App now supports the optional python3 runtime which is included w/ Splunk version 8.0. Python2 and python3 are both supported now.
- Inputs.conf has been updated to set the python runtime to python3 for Splunk versions 8.0 or newer (python.version = python3). This change has no effect on Splunk 7 users. Splunk 7 users will still be using the same python2 runtime even with this update to the inputs.conf.
- Customers should not upgrade to this version if on v1.1.5 or earlier
Version 1.1.6
- Fixed error message that would appear for Duo Federal MFA + Duo Federal Access edition customers during initial connector configuration.
Note on upgrading from version 1.1.2 and below:
If you are using Index Clustering and upgrading from version 1.1.2 or below, please follow the below steps or you may experience issues.
In previous versions of the Duo Splunk Connector we included "repoFactor=auto" by default in our indexes.conf file. We are removing this in version 1.1.3 and you'll need to make a small change before upgrading.
1. Go to $SPLUNK_HOME/etc/apps/duo_splunkapp/local
2. Create a new file called "indexes.conf"
3. Put the following two lines in the file:
[duo]
repFactor=auto
4. Save the file.
5. Restart Splunk.
You can now upgrade your Duo Splunk Connector to version 1.1.6
Version 1.1.5
- Fixed bug related to error log messages sometimes breaking the Splunk JsonLineBreaker.
- Added more verbose logging messages to aid in troubleshooting.
- Improved performance when validating Duo Admin API credentials during the initial setup.
- Added support for Splunk 7.3.
Note on upgrading from version 1.1.2 and below:
If you are using Index Clustering and upgrading from version 1.1.2 or below, please follow the below steps or you may experience issues.
In previous versions of the Duo Splunk Connector we included "repoFactor=auto" by default in our indexes.conf file. We are removing this in version 1.1.3 and you'll need to make a small change before upgrading.
1. Go to $SPLUNK_HOME/etc/apps/duo_splunkapp/local
2. Create a new file called "indexes.conf"
3. Put the following two lines in the file:
[duo]
repFactor=auto
4. Save the file.
5. Restart Splunk.
You can now upgrade your Duo Splunk Connector to version 1.1.5
Version 1.1.4
- Added more helpful logging.
- App will now gracefully handle API rate limits.
- Improved Endpoint retrieval process.
- Minor changes to the dashboard queries to assist in a future preview.
Note on upgrading from version 1.1.2 and below:
If you are using Index Clustering and upgrading from version 1.1.2 or below, please follow the below steps or you may experience issues.
In previous versions of the Duo Splunk Connector we included "repoFactor=auto" by default in our indexes.conf file. We are removing this in version 1.1.3 and you'll need to make a small change before upgrading.
1. Go to $SPLUNK_HOME/etc/apps/duo_splunkapp/local
2. Create a new file called "indexes.conf"
3. Put the following two lines in the file:
[duo]
repFactor=auto
4. Save the file.
5. Restart Splunk.
You can now upgrade your Duo Splunk Connector to version 1.1.4
Version 1.1.3
**Customers using Index Clustering should follow the steps below before upgrading or they may experience issues**
In previous versions of the Duo Splunk Connector we included "repoFactor=auto" by default in our indexes.conf file. We are removing this in version 1.1.3 and you'll need to make a small change before upgrading.
1. Go to $SPLUNK_HOME/etc/apps/duo_splunkapp/local
2. Create a new file called "indexes.conf"
3. Put the following two lines in the file:
[duo]
repFactor=auto
4. Save the file.
5. Restart Splunk.
You can now upgrade your Duo Splunk Connector to version 1.1.3
Version 1.1.3 Updates:
- Small changes to prepare Duo Splunk Connector for Splunk Certification
- Removed repoFactor=auto from the default indexes.conf file.
Version 1.1.2
- Bug fixes
Version 1.1.1
- Encrypting Duo SKEY with Splunk's encryption system
- Updated README with support information
Version 1.1.0
- Added Macro support allowing admins to specify a custom index for dashboards
- Changed map on authentication page to use city instead of longitude and latitude
- Bug fixes
Version 1.0.1
1.0.1 - Initial Release: The Duo Splunk Connector will allow you to pull in Duo logs to Splunk.