We have updated our Terms of Service, Code of Conduct, and Addendum.

Configure REST Collector to fetch SIEM events from Akamai

Dinesh Raja
Dinesh Raja Posts: 5

Akamai has the SIEM API which allows to capture security events generated on the Akamai platform.
We have been getting these events to Splunk via Splunk Add-on earlier https://splunkbase.splunk.com/app/4310/ and decided to try Cribl REST collector.

After giving collect URL's & required credentials in collector's config, I can't see the events from Akamai and getting 400 error. not sure what's getting missed.

"type": "https://problems./-/pep-authn/request-error",
"title": "Bad request",
"status": 400,
"detail": "Authorization header missing",

Answers

  • Jon Rust
    Jon Rust Posts: 443 mod

    That means the authorization has failed. They're expecting an Authorization header and you haven't sent one. Would need more info to troubleshoot.

  • Jon Rust
    Jon Rust Posts: 443 mod

    FYI, looking through previous use case logs, I see Akamai ingestion required using their API gateway to push logs into Kinesis or S3, where Cribl can then pull from. Their API doesn't currently work with Cribl's REST Collector.

  • Dinesh Raja
    Dinesh Raja Posts: 5

    Thanks @Jon Rust for the details.
    I have provided access_token, client_token & client_secret parameters in Authorization header (which is working fine with Splunk add-on).
    Currently, we can't place Akamai logs on S3 or Knisis due to internal policies. is it not possible to fetch these events directly via REST API as Splunk does?