Cisco DUO Authentication Logs Broken on 2.4.130 #14389

petehalatsis · 2025-03-14T22:12:20Z

petehalatsis
Mar 14, 2025

Version

2.4.130

Installation Method

Security Onion ISO image

Description

upgrading

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16

Storage for /

370gb

Storage for /nsm

40tb

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I updated to SecurityOnion 2.4.130 yesterday and my Cisco DUO integration is giving me errors. They added a "Collect Cisco Duo logs via API v2" to the integration. I set this up with the same creds as I gave the v1 integration. All logs seem to be working except the one I most care about, authentications. From the elastic agent log, I was able to pull the following error:

{\"input_id\":\"cel-cisco_duo-xxxxx\",\"raw_index\":\"logs-cisco_duo.auth-default\",\"stream_id\":\"cel-cisco_duo.auth-xxxxx\"}' (status=403): {\"type\":\"security_exception\",\"reason\":\"action [indices:data/write/bulk[s]] is unauthorized for API key id [xxxxxx] of user [elastic/fleet-server] on indices [logs-cisco_duo.auth-default], this action is granted by the index privileges [create_doc,create,delete,index,write,all]\"}, dropping

I checked the security privileges of the API key and it looks to be set correctly.

      {
        "names": [
          "logs-cisco_duo.auth-default"
        ],
        "privileges": [
          "auto_configure",
          "create_doc"
        ],
        "allow_restricted_indices": false
      },

I would appreciate any direction on fixing this error.

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Answered by reyesj2

Mar 16, 2025

Have you tried removing and then re-adding the integration to your agent policy?
You can also completely uninstall the integration and reinstall in-case something is off with the integration.

Uninstall is under 'settings' when you navigate to the integration page. It may not let you uninstall until you remove it from your active agent policy

View full answer

reyesj2 · 2025-03-16T03:53:32Z

reyesj2
Mar 16, 2025
Maintainer

Have you tried removing and then re-adding the integration to your agent policy?
You can also completely uninstall the integration and reinstall in-case something is off with the integration.

Uninstall is under 'settings' when you navigate to the integration page. It may not let you uninstall until you remove it from your active agent policy

1 reply

petehalatsis Mar 17, 2025
Author

Turn it off and back on?
That worked! I did remove and re-add the agent policy but I missed the option to uninstall completely.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cisco DUO Authentication Logs Broken on 2.4.130 #14389

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Cisco DUO Authentication Logs Broken on 2.4.130 #14389

Uh oh!

petehalatsis Mar 14, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 1 comment · 1 reply

Uh oh!

reyesj2 Mar 16, 2025 Maintainer

Uh oh!

petehalatsis Mar 17, 2025 Author

petehalatsis
Mar 14, 2025

Replies: 1 comment 1 reply

reyesj2
Mar 16, 2025
Maintainer

petehalatsis Mar 17, 2025
Author