Duo integration - no data for the v2 API #14618
Replies: 1 comment
Disregard, it is just taking a ....really..... long time, and none of my searches were for far enough into history to show me it's working.
Version
2.4.150
Installation Method
Network installation on Ubuntu (unsupported)
Description
other (please provide detail below)
Installation Type
Standalone
Location
on-prem with Internet access
Hardware Specs
other (please provide detail below)
CPU
12
RAM
32g
Storage for /
500gb
Storage for /nsm
1tb
Network Traffic Collection
other (please provide detail below)
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
No, there are no additional clues
Detail
I'm running SecurityOnion in standalone on a spare machine, just to test if this is going to fit our environment, and one of the main requirements we have is to ingest and store Duo data long-term, like we did before we dropped Splunk, so I started there.
I've not done anything other than set up Ubuntu from scratch, run the network installer (regular install and Oracle Linux installs failed), sudo soup a couple times and try the Elasticsearch Duo integration. I'm not monitoring any traffic.
I get data for the APIv1 calls, but APIv2 fields, while created, are blank. I've done some poking around with the help of documentation and LLMs and haven't been able to point my finger at the culprit. Grepping /opt/so/logs and /opt/Elastic/Agent*/logs for "duo" didn't really lead me anywhere useful, and I'm not finding anything helpful in the Elastic -> Discover... but obviously I'm a newbie, so I may have missed something completely elementary.
Could I get some troubleshooting pointers? Or is there a known issue?
btw, I'd last used SecurityOnion back in 2016 at an old job and am amazed at how far it has come, what a project!