Integrate Splunk

How to set up EAA log retrieval in Splunk.

Before you begin

  1. Generate an API key
  2. Visit https://splunkbase.splunk.com/app/3986/ to download the most recent version of the akamai_eaa.spl file and save it to a secure location.

Complete the following procedure to integrate the security information and event management (SIEM) product Splunk with EAA. This procedure allows you to import EAA logs into Splunk.

After this integration is complete, logs appear in Splunk.

How to

  1. Create an app in Splunk.
    1. Log in to Splunk.
    2. Select Apps > Manage Apps (gear) > Install App from file.
    3. In the Upload an app dialog, browse and locate the akamai_eaa.spl file.
    4. If you are upgrading or reinstalling the app, select Update app.
    5. Click Upload. If prompted, restart Splunk.
  2. Set the SPLUNK_HOME directory variable on your local machine.
    • On Mac OS X or Linux, open a terminal window and execute the following command:
      export SPLUNK_HOME=<Splunk_directory>

      where <Splunk_directory> is the directory where Splunk is installed. For example, /Applications/Splunk. The variable lasts only for that shell session; add the same line to your shell profile if you want it set permanently.

    • On Windows, open the Environment Variables dialog from Advanced system settings in the Control Panel. In the dialog, create a variable named SPLUNK_HOME and set it to the directory where Splunk is installed.

    Ensure that you have write permissions to this directory, because the setup script in step 5 writes its configuration under it.

  3. Create a Splunk username and password for the integration. Use a dedicated account rather than a personal administrator login, so that the credentials you give the setup script in step 7 can be rotated or revoked independently.
    1. In the main navigation menu in Splunk, select Settings > Access Controls.
    2. In the Actions column for Users, click Add new.
    3. Enter a user name in the Username field.
    4. In the Assign to role area of the page, double-click the admin role in the list of available roles.
      The admin role appears in the Selected roles column.
    5. Enter a password in the Password field.
    6. Enter the password again to confirm.
    7. Click Save.
  4. In a terminal or command prompt, go to the Splunk application directory:
    • On Mac OS X or Linux, enter this command and press Enter.
      cd $SPLUNK_HOME/etc/apps/akamai_eaa/bin
    • On Windows, enter this command and press Enter.
      cd %SPLUNK_HOME%\etc\apps\akamai_eaa\bin
  5. Execute the python application script to set up EAA log collection:
    • On Mac OS X or Linux, enter this command and press Enter.
      $SPLUNK_HOME/bin/splunk cmd python akamai_eaa_app_setup.py
    • On Windows, enter this command and press Enter.
      %SPLUNK_HOME%\bin\splunk cmd python akamai_eaa_app_setup.py
  6. When prompted, paste the API key and secret that you generated in EAA.
  7. When prompted, enter the Splunk username and password that you created.
  8. When prompted for the Start Date Time, enter the date and time from which you want Splunk to start collecting EAA logs. Enter the date and time in this format: yyyy-mm-dd hh:mm
    where:
    • yyyy-mm-dd is the date represented in year (yyyy), month (mm), and day (dd).
    • hh:mm is the time represented on a 24-hour clock in hours (hh) and minutes (mm).
    For example, a valid Start Date Time entry is 2018-01-01 13:00
  9. Enable the EAA python script that Splunk runs to collect logs from EAA:
    1. In the Splunk navigation menu, select Settings > Data inputs.
    2. Under Local inputs, click Scripts.
    3. Enable the script that matches the operating system of the Splunk platform.
      • For Mac OS X or Linux, click Enable for the $SPLUNK_HOME/etc/apps/akamai_eaa/bin/etl.py script.
      • For Windows, click Enable for the $SPLUNK_HOME\etc\apps\akamai_eaa\bin\etl-windows.py script.
    Once the script has run, events appear in the Data Summary for the Akamai EAA app.
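The following is an added example, written for this page; it is not part of the akamai_eaa app or of Splunk's own tooling. It is a POSIX shell pre-flight script for the Mac OS X / Linux path of the procedure above: it checks that SPLUNK_HOME points at an install with the app unpacked and a writable bin directory (steps 2 and 4), validates a Start Date Time string before you type it into the setup script (step 8), and reads the app's local inputs.conf to confirm the etl.py scripted input was actually enabled (step 9). The app directory layout comes from the procedure; the assumption that clicking Enable records `disabled = 0` in `etc/apps/akamai_eaa/local/inputs.conf` is mine about how Splunk persists that toggle. The Splunk tree it runs against is a constructed fixture so the script works offline; point `check_app_dir` and `script_input_enabled` at your real $SPLUNK_HOME instead.

```shell
#!/bin/sh
# Added example (not Akamai or Splunk code): pre-flight checks for the EAA Splunk
# integration steps. Assumes the app layout named in the procedure,
# $SPLUNK_HOME/etc/apps/akamai_eaa/bin/akamai_eaa_app_setup.py.

# Steps 2 and 4: SPLUNK_HOME must be an installed Splunk with the akamai_eaa app
# unpacked, and the app's bin directory must be writable for the setup script.
check_app_dir() {
    home="$1"
    bin="$home/etc/apps/akamai_eaa/bin"
    [ -x "$home/bin/splunk" ] || { echo "no splunk binary under $home" >&2; return 1; }
    [ -f "$bin/akamai_eaa_app_setup.py" ] || { echo "akamai_eaa app not installed under $home" >&2; return 1; }
    [ -w "$bin" ] || { echo "$bin is not writable" >&2; return 1; }
    return 0
}

# Step 8: Start Date Time must be yyyy-mm-dd hh:mm on a 24-hour clock.
# The glob checks the shape; the range checks catch month 13, hour 24, and so on.
valid_start_time() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]" "[0-2][0-9]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    mm=$(printf '%s' "$1" | cut -c6-7);  mm=${mm#0}
    dd=$(printf '%s' "$1" | cut -c9-10); dd=${dd#0}
    hh=$(printf '%s' "$1" | cut -c12-13); hh=${hh#0}
    if [ "$mm" -ge 1 ] && [ "$mm" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] && [ "$hh" -le 23 ]; then
        return 0
    fi
    return 1
}

# Step 9: report whether the scripted input whose stanza names $2 is enabled in
# the inputs.conf at $1. Assumption: clicking Enable writes "disabled = 0" (or
# "false") into that script's [script://...] stanza; anything else counts as off.
script_input_enabled() {
    conf="$1"; script="$2"
    [ -f "$conf" ] || return 1
    awk -v s="$script" '
        /^\[/ { in_stanza = (index($0, s) > 0) }
        in_stanza && /^[ \t]*disabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (tolower(v) == "0" || tolower(v) == "false") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$conf"
}

# Constructed fixture: a fake Splunk tree with the app installed and a local
# inputs.conf in which only the Linux script has been enabled. Prints its path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc/apps/akamai_eaa/bin" "$root/etc/apps/akamai_eaa/local"
    printf '#!/bin/sh\n' > "$root/bin/splunk"; chmod +x "$root/bin/splunk"
    : > "$root/etc/apps/akamai_eaa/bin/akamai_eaa_app_setup.py"
    cat > "$root/etc/apps/akamai_eaa/local/inputs.conf" <<'EOF'
# constructed sample of what Settings > Data inputs > Scripts > Enable records
[script://$SPLUNK_HOME/etc/apps/akamai_eaa/bin/etl.py]
disabled = 0
interval = 60

[script://$SPLUNK_HOME\etc\apps\akamai_eaa\bin\etl-windows.py]
disabled = 1
EOF
    printf '%s\n' "$root"
}

# Demo run against the fixture; replace $root with "$SPLUNK_HOME" on a real host.
root=$(make_fixture)
check_app_dir "$root" && echo "akamai_eaa app found and bin is writable under $root"
for t in "2018-01-01 13:00" "2018-01-01 1:00 PM" "2018-13-01 13:00"; do
    if valid_start_time "$t"; then echo "valid Start Date Time:   $t"; else echo "invalid Start Date Time: $t"; fi
done
if script_input_enabled "$root/etc/apps/akamai_eaa/local/inputs.conf" etl.py; then
    echo "etl.py scripted input is enabled"
fi
rm -rf "$root"
```

Run it before step 5 to catch a mistyped SPLUNK_HOME or a read-only app directory, and again after step 9 with your real inputs.conf path; a Start Date Time the setup script would reject is cheaper to catch here than by re-running the interactive setup.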