Elastic Cisco Duo Integration


I am trying to fetch Cisco Duo logs with the elastic agent integration. The Duo setup in my organization is a managed service by a vendor, so I have received the Integration Key, api hostname and secret key and configured the same on elastic agent as shown below:

However I am not seeing any logs coming in from Duo. Is there any way I can confirm from the elastic agent's logs that it is initiating the API calls to Duo? So that I can then check with vendor if permission have been given as required.

I enabled debug logging on this agent, but I cannot see any logs related to integrations. I also have Cloudflare integrating enabled on this same agent and those logs are coming in fine.

Hi @suraj.srinivasa - can you confirm the format of the hostname you've entered within the integration? I've often seen folks forgetting to include https:// at the start of the hostname and this causes issues.

Hi @jamie.hynds,

Yes, I had read this was required so I have already added https before my api hostname. I can also see now in the debug logs of the agent that API requests are being made every 5 minutes as configured. But I still cant see the logs coming in, is there any way to inspect the response of the API call being made to Duo by the agent?

Hi @suraj.srinivasa, thanks for checking the format of the hostname - always best to run out the simple things first :slight_smile:

The agent logs won't provide much insight into the integration itself. We'll need to see the Filebeat logs running on the local machine (where you have the agent installed). These should be available under /state/data/logs/default/filebeat-*

Thanks @jamie.hynds, these logs helped me pinpoint what exactly was the issue (Misconfigured integration key). Logs are being pulled as expected now.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.