Configure REST Collector to fetch SIEM events from Akamai
Akamai has a SIEM API that allows capturing security events generated on the Akamai platform.
We had been getting these events into Splunk via the Splunk Add-on earlier
and decided to try the Cribl REST Collector.
After providing the collect URLs and required credentials in the collector's config, I can't see the events from Akamai and am getting a 400 error. Not sure what's being missed.
"type": "https://problems./-/pep-authn/request-error",
"title": "Bad request",
"status": 400,
"detail": "Authorization header missing",
Answers
-
That means the authorization has failed. They're expecting an Authorization header and you haven't sent one. Would need more info to troubleshoot.
0 -
FYI, looking through previous use case logs, I see Akamai ingestion required using their API gateway to push logs into Kinesis or S3, where Cribl can then pull from. Their API doesn't currently work with Cribl's REST Collector.
1 -
Thanks @Jon Rust for the details.
I have provided the access_token, client_token & client_secret parameters in the Authorization header (which is working fine with the Splunk add-on).
Currently, we can't place Akamai logs on S3 or Kinesis due to internal policies. Is it not possible to fetch these events directly via REST API as Splunk does?
0
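Added example, not part of the thread and not Akamai's, Splunk's or Cribl's code: a sketch of how an Authorization value is derived from client_token, access_token and client_secret under Akamai's EdgeGrid (EG1-HMAC-SHA256) request signing, assuming the SIEM API uses that scheme like Akamai's other APIs. The host name, config ID and credential strings are constructed placeholders; the signature covers a per-request timestamp and nonce, so a header value pasted once into a static config cannot be reused.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed placeholder URL; a real host and config ID come from the Akamai account.
SAMPLE_URL = "https://akab-example.luna.akamaiapis.net/siem/v1/configs/CONFIG_ID?offset=NULL&limit=1000"


def _b64_hmac(key: str, msg: str) -> str:
    """Base64-encoded HMAC-SHA256 of msg under key."""
    digest = hmac.new(key.encode(), msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def edgegrid_auth_header(url, client_token, access_token, client_secret,
                         timestamp=None, nonce=None):
    """Build the Authorization value for a single GET request.

    timestamp and nonce are parameters only so the result can be reproduced
    in a test; a real client generates fresh ones for every request.
    """
    timestamp = timestamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H:%M:%S+0000")
    nonce = nonce or str(uuid.uuid4())
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query

    # The header minus its signature is itself part of the signed data.
    unsigned = (f"EG1-HMAC-SHA256 client_token={client_token};"
                f"access_token={access_token};timestamp={timestamp};nonce={nonce};")
    data_to_sign = "\t".join([
        "GET", parts.scheme, parts.netloc, path,
        "",        # canonicalized signed headers: none in this sketch
        "",        # content hash: empty for a GET with no body
        unsigned,
    ])
    # The client secret never travels in the header: it keys a per-timestamp
    # signing key, which in turn keys the request signature.
    signing_key = _b64_hmac(client_secret, timestamp)
    return unsigned + "signature=" + _b64_hmac(signing_key, data_to_sign)


if __name__ == "__main__":
    print(edgegrid_auth_header(SAMPLE_URL, "constructed-client-token",
                               "constructed-access-token", "constructed-secret"))
```

A collector therefore has to run this computation for each request rather than send the three values as they are.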