Cisco Duo Integration not working

Hello,

I'm looking to ingest Cisco Duo logs. I signed up for a trial of Duo to test this out, but when adding the information to the Fleet integration, no logs are coming through to Elastic. I've followed the instructions in the policy and attached my Duo Admin API with the correct permissions enabled, as well as a screenshot of the Fleet policy.

My test is using Core Authentication Service: D231.3 and Admin Panel: D231.2, which is a bit newer than the versions used in the sample Fleet policy. Has anything changed with the Duo API integration that would prevent logs coming through?

Having the same problem as well!

Can you share any filebeat logs from the agent? I would put the agent in debug mode, retry the integration and see what shows up.

Yeah, here's a snip from the debug log:

Error creating runner from config: fail to unpack the set configuration

{"log.level":"debug","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":120},"message":"Generated new processors: add_fields={\"data_stream\":{\"dataset\":\"cisco_duo.auth\",\"namespace\":\"default\",\"type\":\"logs\"}}, add_fields={\"event\":{\"dataset\":\"cisco_duo.auth\"}}, add_fields={\"elastic_agent\":{\"id\":\"xxxx\",\"snapshot\":false,\"version\":\"7.15.2\"}}, add_fields={\"agent\":{\"id\":\"xxxx\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":99},"message":"Error creating runner from config: fail to unpack the set configuration: template: :1: function \"sprintf\" not defined accessing 'request.transforms.5.set.value' accessing 'request'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":120},"message":"Generated new processors: add_fields={\"data_stream\":{\"dataset\":\"cisco_duo.offline_enrollment\",\"namespace\":\"default\",\"type\":\"logs\"}}, add_fields={\"event\":{\"dataset\":\"cisco_duo.offline_enrollment\"}}, add_fields={\"elastic_agent\":{\"id\":\"xxxx\",\"snapshot\":false,\"version\":\"7.15.2\"}}, add_fields={\"agent\":{\"id\":\"xxxx\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":99},"message":"Error creating runner from config: fail to unpack the set configuration: template: :1: function \"sprintf\" not defined accessing 'request.transforms.2.set.value' accessing 'request'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2021-12-23T08:38:40.145-0700","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":120},"message":"Generated new processors: add_fields={\"data_stream\":{\"dataset\":\"cisco_duo.summary\",\"namespace\":\"default\",\"type\":\"logs\"}}, add_fields={\"event\":{\"dataset\":\"cisco_duo.summary\"}}, add_fields={\"elastic_agent\":{\"id\":\"xxxx\",\"snapshot\":false,\"version\":\"7.15.2\"}}, add_fields={\"agent\":{\"id\":\"xxxx\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-12-23T08:38:40.145-0700","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":99},"message":"Error creating runner from config: fail to unpack the set configuration: template: :1: function \"sprintf\" not defined accessing 'request.transforms.1.set.value' accessing 'request'","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2021-12-23T08:38:40.145-0700","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":120},"message":"Generated new processors: add_fields={\"data_stream\":{\"dataset\":\"cisco_duo.admin\",\"namespace\":\"default\",\"type\":\"logs\"}}, add_fields={\"event\":{\"dataset\":\"cisco_duo.admin\"}}, add_fields={\"elastic_agent\":{\"id\":\"xxxx\",\"snapshot\":false,\"version\":\"7.15.2\"}}, add_fields={\"agent\":{\"id\":\"xxxx\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-12-23T08:38:40.145-0700","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":99},"message":"Error creating runner from config: fail to unpack the set configuration: template: :1: function \"sprintf\" not defined accessing 'request.transforms.2.set.value' accessing 'request'","service.name":"filebeat","ecs.version":"1.6.0"}

What version of Elasticsearch, Kibana and agent are you using?

Using v7.16.2 of ES and Kibana.

The agent is on 7.15.2.

That is your problem. The Cisco Duo integration requires 7.16.0+. You're in a loophole situation because Kibana and Elasticsearch are at that version, which is what it checks.
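A small triage script, added here and not part of the thread or of the Elastic integration, that reads the ECS JSON debug lines posted above, pulls out the agent version from the add_fields processor text and any "function ... not defined" template errors, and compares the agent against the 7.16.0 minimum stated in this reply. The two sample lines are copied from the log in this thread; the 7.16.0 constant comes from this reply, and the field names are those of the posted log.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Minimum agent version for the Cisco Duo integration, as stated in the thread.
CISCO_DUO_MIN_AGENT = (7, 16, 0)

# Shape of the httpjson template error seen in the posted debug log.
UNDEFINED_FUNC = re.compile(r'function "(\w+)" not defined accessing \'([^\']+)\'')

# Two lines copied from the debug log posted in this thread (agent id already redacted).
SAMPLE_LOG = r'''
{"log.level":"debug","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"processors","log.origin":{"file.name":"processors/processor.go","file.line":120},"message":"Generated new processors: add_fields={\"data_stream\":{\"dataset\":\"cisco_duo.auth\",\"namespace\":\"default\",\"type\":\"logs\"}}, add_fields={\"event\":{\"dataset\":\"cisco_duo.auth\"}}, add_fields={\"elastic_agent\":{\"id\":\"xxxx\",\"snapshot\":false,\"version\":\"7.15.2\"}}, add_fields={\"agent\":{\"id\":\"xxxx\"}}","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2021-12-23T08:38:40.139-0700","log.logger":"centralmgmt","log.origin":{"file.name":"cfgfile/list.go","file.line":99},"message":"Error creating runner from config: fail to unpack the set configuration: template: :1: function \"sprintf\" not defined accessing 'request.transforms.5.set.value' accessing 'request'","service.name":"filebeat","ecs.version":"1.6.0"}
'''


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.15.2' -> (7, 15, 2); a '-SNAPSHOT' style suffix is dropped before comparing."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def triage(log_text: str, min_agent: Tuple[int, ...] = CISCO_DUO_MIN_AGENT) -> Dict[str, object]:
    """Extract the agent version and undefined-template-function errors from ECS JSON
    log lines and report whether the agent meets the integration's minimum version."""
    agent_version: Optional[str] = None
    undefined: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        msg = rec.get("message", "")
        # The debug line embeds the agent version inside the add_fields processor text.
        m = re.search(r'"elastic_agent":\{[^}]*"version":"([0-9.]+)"', msg)
        if m and agent_version is None:
            agent_version = m.group(1)
        if rec.get("log.level") == "error":
            undefined.extend(UNDEFINED_FUNC.findall(msg))
    compatible = agent_version is not None and parse_version(agent_version) >= min_agent
    return {
        "agent_version": agent_version,
        "undefined_functions": undefined,
        "agent_compatible": compatible,
        # A template function the agent does not know, plus an old agent, points at the
        # version gap rather than at the Duo credentials or permissions.
        "likely_cause": "agent older than integration" if undefined and not compatible else None,
    }
```

Running it on a debug log from an agent that is already at 7.16.x will report no undefined functions and an empty likely cause, so the check separates the version mismatch from a genuine credential or API problem.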

Thanks! That worked.

It would be nice to specify the minimum agent version in the description or a pre-reqs section, and/or not allow the integration to be enabled with a version of agent it is not compatible with.

It's kinda expected that the version of the agent matches Elasticsearch/Kibana, which is why Fleet Server checks the version of Kibana. Perhaps they could add additional checks when applying the policy to the agent as well.

+1. Updating to 7.16.2 Agent & Elastic stack seems to be working now.
