Akamai's basic function is to deliver your site or application using the Akamai Edge Network, a CDN. Our edge servers stand in place of the cloud or physical server you use to run your site and house your site's content.
Prerequisites
- Install the CEF connector.
Set up SIEM integration
Turn on SIEM integration
- Visit Akamai Control Center and log in.
- In Control Center, under WEB & DATA CENTER SECURITY, click Security Configuration.
- Open the security configuration (and the appropriate version of that configuration) for which you want to collect SIEM data.
- Click Advanced Settings and expand Data collection for SIEM Integrations.
- Click On to enable SIEM.
- Choose the security policies for which you want to export data. Select:
- All Security policies if you want to send SIEM data for events that violate any or all security policies within the security configuration.
- Specific security policies if you want data regarding one or more specific security policies. Select the appropriate policies from the dropdown list.
- To include events generated by Bot Manager, set Include Bot Manager Events to Yes. To exclude Bot Manager events, choose No.
- To include events generated by Account Protector, set Include user-risk-only events to Yes. To exclude those events, choose No.
- Skip the SIEM Event Version field for now.
- Copy the value in the Web Security Configuration ID field. You’ll need this later in the configuration process.
- Push your security configuration changes to the production network. On the Security Configuration page, click Activate. Under Network, click Production, and then click Activate.
If you want to enable SIEM integration for additional security configurations, repeat the preceding process for each configuration before continuing to the next step, Set up a user to manage SIEM.
Set up a user to manage SIEM
Add or assign a user to manage your SIEM APIs.
- In Control Center, under ACCOUNT ADMIN, click Identity & access.
- On the Users and API Clients tab, find the user you want to assign the role to or click the Create user button.
- To assign the SIEM role to an existing user, open the user's account and click the Edit roles tab. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Submit.
- To assign the SIEM role to a new user, click Create user. Enter basic information for the user and scroll down to the Assign Roles section. Find the appropriate group, click the Roles dropdown, and select the Manage SIEM role. Click Save.
Note that only the Manage SIEM role has the proper permissions: don't assign this user any other role.
- If you want to assign the Manage SIEM role for another group, select the group and repeat the preceding process. Note that, if you have multiple groups and users in your account, you must assign a user the Manage SIEM role for each group that contains a security configuration included in your SIEM results. This must be the same user you associate with the API credentials in the next step, Provision SIEM API and get access tokens.
Provision SIEM API and get access tokens
To move data from the Akamai Security Events Collector to your system, the SIEM connector uses the Akamai SIEM API, a REST API service that requires authentication and authorization.
After you’ve enabled SIEM integration and assigned a user to the Manage SIEM role, you’re ready to provision credentials for the SIEM API. To do so, visit Create authentication credentials.
Follow the steps to provision the SIEM API for the user you assigned to manage SIEM. Copy and save the tokens you generate. You’ll need them to complete the final step.
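As an added example (not the connector's code and not part of the original page), the following Python builds the request the connector sends once these credentials are in hand: a GET to /siem/v1/configs/{configId}?offset=NULL signed with the EdgeGrid scheme the Akamai APIs use, an HMAC-SHA256 over the method, host, path, query and the header's own fields, keyed by the client secret and a timestamp. The credential values, the verify_authorization helper (which mimics the API side) and the assumption that several configuration IDs can be joined with ';' in the path are this example's own; substitute the tokens and base URL you saved above for the placeholders.

```python
import base64
import hashlib
import hmac
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed placeholders shaped like the values Control Center hands out;
# they are not working credentials.
CLIENT_TOKEN = "akab-clienttoken-placeholder"
ACCESS_TOKEN = "akab-accesstoken-placeholder"
CLIENT_SECRET = "placeholder/client+secret/from/control/center="
BASE_HOST = "akab-dsfdsdypmwkj7a-eqkdfgfdsswsfaoclec.cloudsecurity.akamaiapis.net"


def edgegrid_timestamp(now=None):
    """EdgeGrid timestamps are UTC in the form yyyyMMddTHH:mm:ss+0000."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H:%M:%S+0000")


def _b64_hmac_sha256(key, data):
    digest = hmac.new(key.encode(), data.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, client_token, access_token, client_secret,
                 timestamp, nonce, body=b""):
    """Return the EdgeGrid Authorization header value for one request.

    The data to sign is tab-separated: method, scheme, host, path plus query,
    canonicalized signed headers (none here), base64(SHA-256(body)) for POST
    bodies (empty for GET) and the header itself up to 'signature='. The key
    is derived from the client secret and the timestamp, so a header only
    validates within the API's clock tolerance of that timestamp.
    """
    parts = urlsplit(url)
    relative_url = parts.path + ("?" + parts.query if parts.query else "")
    auth_data = (f"EG1-HMAC-SHA256 client_token={client_token};"
                 f"access_token={access_token};timestamp={timestamp};nonce={nonce};")
    content_hash = ""
    if method.upper() == "POST" and body:
        content_hash = base64.b64encode(hashlib.sha256(body).digest()).decode()
    data_to_sign = "\t".join([method.upper(), parts.scheme, parts.netloc.lower(),
                              relative_url, "", content_hash, auth_data])
    signing_key = _b64_hmac_sha256(client_secret, timestamp)
    return auth_data + "signature=" + _b64_hmac_sha256(signing_key, data_to_sign)


def siem_request(config_ids, offset="NULL", limit=None, timestamp=None, nonce=None):
    """URL and headers for one SIEM API pull of the given configuration IDs
    (several IDs joined with ';', as in akamai.data.configs; an assumption here)."""
    url = f"https://{BASE_HOST}/siem/v1/configs/{config_ids}?offset={offset}"
    if limit:
        url += f"&limit={limit}"
    timestamp = timestamp or edgegrid_timestamp()
    nonce = nonce or str(uuid.uuid4())   # fresh per request; lets the API spot replays
    auth = sign_request("GET", url, CLIENT_TOKEN, ACCESS_TOKEN, CLIENT_SECRET, timestamp, nonce)
    return url, {"Host": BASE_HOST, "Authorization": auth}


def verify_authorization(method, url, auth_header, client_secret, body=b""):
    """Recompute the signature as the API side would. Any change to the method,
    host, path, query, body, tokens, timestamp or nonce makes it fail, which is
    why a proxy must pass Host and Authorization through untouched."""
    head, _, _sig = auth_header.rpartition("signature=")
    fields = dict(f.split("=", 1) for f in head.split(" ", 1)[1].rstrip(";").split(";"))
    expected = sign_request(method, url, fields["client_token"], fields["access_token"],
                            client_secret, fields["timestamp"], fields["nonce"], body)
    return hmac.compare_digest(expected, auth_header)


def as_curl(url, headers):
    """curl command for a manual credential check before the connector is installed."""
    flags = " ".join(f"-H '{k}: {v}'" for k, v in headers.items())
    return f"curl -sS {flags} '{url}'"


if __name__ == "__main__":
    print(as_curl(*siem_request("12345;67890", limit=100)))
```

Running the file prints a curl command for a one-off pull; a 401 or 403 response at this point means the tokens, the Manage SIEM role assignment or the configuration ID need attention, not the connector. Because the signature covers the host and the Authorization line, the proxy requirements later on this page (pass Host and Authorization through unchanged) are a hard requirement, not a recommendation.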
Install and configure your SIEM connector
System requirements
The Akamai CEF Connector requires Oracle JRE 1.8+. The latest JRE can be downloaded from the Oracle Java site (Java Platform, Standard Edition) or installed from a software distribution package on Linux. To verify that JRE is installed and available, use the command java -version.
Hardware requirements
This application is designed to run on a Linux server with at least:
- 2 CPU cores
- 6GB RAM
- 2GB Free Disk Space
- A Linux Kernel greater than 2.6
Proxy server
To access the SIEM API from behind a proxy server, ensure that your proxy:
- Allowlists the domains *.cloudsecurity.akamaiapis.net and *.luna.akamaiapis.net.
- Doesn't interfere with HTTP request headers for those domains. If, due to a strict enterprise security policy, your proxy changes these headers, make sure that at a minimum it passes the Host and Authorization headers through unchanged: the EdgeGrid request signature covers both, so any modification causes the API to reject the request.
Install
To install The CEF connector, complete the following steps:
- Go to Connectors and tools to get the latest CEF Connector distribution package.
- Transfer the package to the Linux host, either with wget http://[server]/CEFConnector-1.0.zip (replace [server] with the name of the server holding the package) or over SFTP (SSH File Transfer Protocol).
- Unzip the distribution package anywhere on the file system. If unzip is missing, install it from your distribution's package repository (for example, with yum install unzip).
- To install the service, create a symbolic link to the bin/AkamaiCEFConnector.sh shell script in /etc/init.d. The script accepts the arguments start, stop, status and resetdb.
The resetdb command deletes cefconnector.db, the file that stores the offset token from the last successful pull. Once that file is gone, the connector's next request uses offset=NULL as long as the timebased setting is false. If timebased is true, the first pull uses the configured time window and a new offset is saved after it succeeds.
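Added example, not the connector's own code: a small Python model of the pull logic described above. It keeps the offset token in a file that plays the role of cefconnector.db, sends offset=NULL when that file is missing, uses the configured window for the first pull in time-based mode, and parses the newline-delimited JSON the SIEM API returns, in which the last record carries the offset. The FakeTransport, the query parameter names (offset, limit, from, to) and the 12-hour look-back check are assumptions made for this example.

```python
import json
import os
import tempfile
import time

DEFAULT_LIMIT = 200000
MAX_LOOKBACK = 12 * 3600      # time-based pulls may start at most 12 hours back


class FakeTransport:
    """Constructed stand-in for the SIEM API: records the query it was given and
    answers with one JSON event per line plus a trailer carrying the offset."""

    def __init__(self):
        self.calls = []

    def get(self, config_ids, params):
        self.calls.append(dict(params))
        n = len(self.calls)
        events = [{"attackData": {"configId": cid},
                   "httpMessage": {"requestId": f"req-{n}-{cid}"}}
                  for cid in config_ids.split(";")]
        trailer = {"total": len(events), "offset": f"tok-{n}"}
        return "\n".join(json.dumps(r) for r in events + [trailer]) + "\n"


def parse_ndjson(body):
    """Split a response into (events, offset); the offset rides in the trailer."""
    events, offset = [], None
    for line in body.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if "offset" in record and "attackData" not in record:
            offset = record["offset"]
        else:
            events.append(record)
    return events, offset


class Collector:
    """Chooses the query for each pull and persists the offset in a file, as the
    connector does with cefconnector.db."""

    def __init__(self, transport, config_ids, db_path, timebased=False,
                 time_from=None, time_to=None, limit=DEFAULT_LIMIT):
        if timebased:
            if time_from is None:
                raise ValueError("akamai.data.timebased.from is required when timebased=true")
            if time_from < int(time.time()) - MAX_LOOKBACK:
                raise ValueError("akamai.data.timebased.from is more than 12 hours in the past")
            if time_to is not None and time_to < time_from:
                raise ValueError("akamai.data.timebased.to must not precede timebased.from")
        self.transport, self.config_ids, self.db_path = transport, config_ids, db_path
        self.timebased, self.time_from, self.time_to = timebased, time_from, time_to
        self.limit = limit

    def saved_offset(self):
        if not os.path.exists(self.db_path):
            return None
        with open(self.db_path) as fh:
            return fh.read().strip() or None

    def resetdb(self):
        """Equivalent of bin/AkamaiCEFConnector.sh resetdb."""
        if os.path.exists(self.db_path):
            os.remove(self.db_path)

    def next_params(self):
        offset = self.saved_offset()
        if self.timebased and offset is None:
            params = {"from": self.time_from}       # first pull: the configured window
            if self.time_to is not None:
                params["to"] = self.time_to
        else:
            params = {"offset": offset or "NULL"}   # continuous mode, or time-based after its first pull
        params["limit"] = self.limit
        return params

    def pull(self):
        body = self.transport.get(self.config_ids, self.next_params())
        events, offset = parse_ndjson(body)
        if offset:                                   # persist only after a successful pull
            with open(self.db_path, "w") as fh:
                fh.write(offset)
        return events


def scenario_offset_mode():
    """Fresh install, two pulls, resetdb, one more pull."""
    transport = FakeTransport()
    with tempfile.TemporaryDirectory() as tmp:
        collector = Collector(transport, "12345;67890", os.path.join(tmp, "cefconnector.db"))
        first = collector.pull()
        collector.pull()
        collector.resetdb()
        collector.pull()
    return [p["offset"] for p in transport.calls], len(first)


def scenario_timebased_mode():
    """Time-based replay of the last hour, then continuation by offset."""
    now = int(time.time())
    transport = FakeTransport()
    with tempfile.TemporaryDirectory() as tmp:
        collector = Collector(transport, "12345", os.path.join(tmp, "cefconnector.db"),
                              timebased=True, time_from=now - 3600, time_to=now)
        collector.pull()
        collector.pull()
    return transport.calls


if __name__ == "__main__":
    print(scenario_offset_mode())
    print(scenario_timebased_mode())
```

The time-based scenario is the one that produces duplicates when the window overlaps events already collected by offset; if your SIEM cannot deduplicate on ingest, key on httpMessage.requestId downstream.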
Configuring event pull
Set up and manage your connector through the source pull configuration settings located in the config/CEFConnector.properties file.
- connector.refresh.period
- Default Value: 60
- Description: Defines the pull rate from the Akamai source in seconds.
- Allowed Values: Positive integer value greater than 0.
- Example: 60 (1 minute)
- Required: Yes
- akamai.data.requesturlhost
- Description: Akamai web service URL. This value, together with the security configuration IDs, forms the request URL (for example, https://cloudsecurity.akamaiapis.net/siem/v1/configs/14227?offset=NULL).
- Allowed Values: This value cannot be blank or commented out.
- Example: https://cloudsecurity.akamaiapis.net
- Required: Yes
- akamai.data.configs
- Description: Security configurations the API pulls events from. Add multiple security configuration IDs by separating the IDs with a semicolon (;).
- Example: 12345;67890
- Required: Yes
- akamai.data.timebased
- Description: Set to false to pull security events continuously by offset token (the usual, everyday setting), or to true to pull security events that fall within a specific time frame. If timebased is set to true, the timebased.from parameter (see the next configuration entry) is required.
- Allowed Values: true or false
- Example: false
- Required: Yes
- akamai.data.timebased.from
- Description: Required if the timebased parameter is true. Enter the time (in epoch seconds) from which to start pulling past security events. It can be any time within the 12 hours preceding the present moment. If regular offset-based collection already covered part of that window, you might see duplicate events in your SIEM software.
- Allowed Values: Positive integer in epoch format. Value must be less than the timebased.to value.
- Example: 1491588763
- Required: Yes, if the timebased parameter is true. No, if the timebased parameter is false.
- akamai.data.timebased.to
- Default Value: No value
- Description: If the timebased parameter is true, you can optionally enter the end timestamp (in epoch format) of the period for pulling past security events. If no value or an invalid value is provided, the default (no end time) is used.
- Allowed Values: Positive integer in epoch format. Value must be greater than or equal to the value in timebased.from.
- Example: 1491588763
- Required: No
- akamai.data.limit
- Default Value: 200000
- Description: Maximum number of security events that can be pulled with a single API call. Use this field to prevent overload and to protect your SIEM system from being flooded with event data. If no value or an invalid value is provided, the default limit defined by the SIEM API is used.
- Allowed Values: Positive integer values. Invalid values default to 200000.
- Example: 100
- Required: No
Note: This sample connector supports transfer of up to 200,000 events per minute.
- akamai.data.accesstoken
- Description: Access token copied when provisioning the SIEM API in Control Center.
- Allowed Values: This value cannot be blank or commented out.
- Example: akab-fc7lrkvv57lgxjpx-mizhsadsasdasym
- Required: Yes
- akamai.data.clienttoken
- Description: Client token copied when provisioning the SIEM API in Control Center.
- Allowed Values: This value cannot be blank or commented out.
- Example: akab-fc7lrkvv57lgxjpx-mizhsadsasdasym
- Required: Yes
- akamai.data.clientsecret
- Description: Client secret copied when provisioning the SIEM API in Control Center.
- Allowed Values: This value cannot be blank or commented out.
- Example: LWcGK6h2121GdfdDSD8m+4wllsdfdsG8wgFS+dfDfZQ=
- Required: Yes
- akamai.data.baseurl
- Description: URL copied when you provisioned the SIEM OPEN API in Control Center.
- Allowed Values: This value cannot be blank or commented out.
- Example: akab-dsfdsdypmwkj7a-eqkdfgfdsswsfaoclec.cloudsecurity.akamaiapis.net
- Required: Yes
- akamai.cefformatheader
- Description: CEF header values, with individual values separated by the | character. (If the | character is part of a static string, it must be escaped as \|.) Values can be static or generated from the following functions: requestURL(), eventClassId(), name(), severity(), appliedAction(), ipv6src().
- Allowed Values: This value can't be blank or commented out.
- Example: CEF:0|Akamai|akamai_siem|1.0|eventClassId()|name()|severity()
- Required: Yes
- akamai.cefformatextension
- Description: CEF extension values, with individual values separated by a blank space. Values can be static; generated from the available functions (eventClassId(), name(), severity(), appliedAction(), ipv6src()); or pulled from the JSON API. A JSON API reference is written as ${...}, with nested JSON objects separated by a period. Static values are enclosed in quotation marks. Function-generated values are written with () and must be one of the available functions defined in the documentation.
- Allowed Values: This value can't be blank or commented out.
- Example (a single line in the properties file, wrapped here for readability):
act=appliedAction() app=${httpMessage.protocol}
c6a2=ipv6src() c6a2Label="Source IPv6 Address"
cs1=${attackData.rules} cs1Label="Rules"
cs2=${attackData.ruleMessages} cs2Label="Rule Messages"
cs3=${attackData.ruleData} cs3Label="Rule Data"
cs4=${attackData.ruleSelectors} cs4Label="Rule Selectors"
- Required: No
- akamai.base64fields
- Description: Defines any base64 encoded JSON API objects.
- Example: ${attackData.ruleVersions};${attackData.rules};${attackData.ruleActions}
- Required: No
- akamai.urlencoded
- Description: Defines any URL-encoded JSON API objects.
- Example: ${attackData.ruleVersions};${attackData.rules};${attackData.ruleActions}
- Required: No
- akamai.multivaluedelim
- Default Value: , (comma)
- Description: Delimiter that separates multi-valued CEF fields.
- Allowed Values: Any string. A blank space can be specified by writing " " or the escape \u0020.
- Example: , (comma), \u0020 (white space), \n (newline), \t (tab)
- Required: No
- connector.consumer.count
- Default Value: 3
- Description: Maximum number of consumer threads.
- Example: 10
- Required: No
- connector.proxy.host
- connector.proxy.port
- Description: Host name and port of the local proxy through which the connector reaches the SIEM API.
- Allowed Values: Leave both values blank if you don't have a local proxy.
- Required: No
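Added example, not the connector's code: a Python rendering of the templates described above against a constructed SIEM event, showing how ${} references, base64fields, urlencoded and multivaluedelim combine into one CEF line, and the escaping CEF requires (| and \ in header fields; =, \ and line breaks in extension values). The event, the decoded values shown in its comments, and the meaning given to the template functions (eventClassId(), name(), severity(), appliedAction(), ipv6src()) are assumptions made for this example; the connector's own function definitions are not on this page.

```python
import base64
import re
from urllib.parse import unquote

# Settings as they would appear in config/CEFConnector.properties, constructed
# to match the examples above ("," is the documented multivaluedelim default).
CONFIG = {
    "akamai.cefformatheader": "CEF:0|Akamai|akamai_siem|1.0|eventClassId()|name()|severity()",
    "akamai.cefformatextension": (
        "act=appliedAction() app=${httpMessage.protocol} c6a2=ipv6src() "
        'c6a2Label="Source IPv6 Address" cs1=${attackData.rules} cs1Label="Rules" '
        'cs2=${attackData.ruleMessages} cs2Label="Rule Messages"'
    ),
    "akamai.base64fields": "${attackData.ruleVersions};${attackData.rules};"
                           "${attackData.ruleActions};${attackData.ruleMessages}",
    "akamai.urlencoded": "${attackData.ruleVersions};${attackData.rules};"
                         "${attackData.ruleActions};${attackData.ruleMessages}",
    "akamai.multivaluedelim": ",",
}

# Constructed SIEM API event, abbreviated to the fields the templates use. The
# list-valued attackData fields arrive as ';'-separated, URL-encoded base64 items.
EVENT = {
    "attackData": {
        "configId": "12345",
        "clientIP": "2001:db8::10",
        "rules": "OTUwMDAy;OTUwMDAz",             # 950002;950003
        "ruleVersions": "MQ%3D%3D;MQ%3D%3D",       # 1;1
        "ruleMessages": "U1FMaQ%3D%3D;WFNT",       # SQLi;XSS
        "ruleActions": "YWxlcnQ%3D;ZGVueQ%3D%3D",  # alert;deny
    },
    "httpMessage": {"protocol": "HTTP/1.1", "host": "www.example.com", "path": "/login"},
}

FUNC_RE = re.compile(r"^(\w+)\(\)$")
REF_RE = re.compile(r"^\$\{([\w.]+)\}$")
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, quoted or bare


def lookup(event, path):
    """Resolve a dotted ${...} path against the event; missing keys give ''."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return "" if node is None else str(node)


def field_values(event, path, config):
    """Decoded list for a base64 (and optionally URL-encoded) field, else [raw]."""
    ref = "${" + path + "}"
    raw = lookup(event, path)
    if ref not in config.get("akamai.base64fields", "").split(";"):
        return [raw]
    url_encoded = ref in config.get("akamai.urlencoded", "").split(";")
    items = raw.split(";") if raw else []
    return [base64.b64decode(unquote(i) if url_encoded else i).decode("utf-8", "replace")
            for i in items]


def functions(event, config):
    """Template functions; their semantics are assumed for this example."""
    actions = field_values(event, "attackData.ruleActions", config)
    applied = "deny" if "deny" in actions else (actions[0] if actions else "")
    ip = lookup(event, "attackData.clientIP")
    return {
        "eventClassId": lambda: (field_values(event, "attackData.rules", config) or [""])[0],
        "name": lambda: (field_values(event, "attackData.ruleMessages", config) or [""])[0],
        "severity": lambda: "10" if applied == "deny" else "5",
        "appliedAction": lambda: applied,
        "ipv6src": lambda: ip if ":" in ip else "",
    }


def resolve(token, event, config, funcs):
    """A token is a function call, a ${json.path}, a "static string" or bare text."""
    m = FUNC_RE.match(token)
    if m:
        return funcs[m.group(1)]()
    m = REF_RE.match(token)
    if m:
        return config.get("akamai.multivaluedelim", ",").join(field_values(event, m.group(1), config))
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token.replace("\\|", "|")          # static header text may carry an escaped pipe


def esc_header(value):
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """CEF extension values: backslash, equals sign and line breaks must be escaped."""
    return value.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")


def render_cef(event, config):
    """Render one event with the configured header and extension templates."""
    funcs = functions(event, config)
    header = [esc_header(resolve(f, event, config, funcs))
              for f in re.split(r"(?<!\\)\|", config["akamai.cefformatheader"])]
    ext = [f"{key}={esc_ext(resolve(val, event, config, funcs))}"
           for key, val in EXT_RE.findall(config["akamai.cefformatextension"])]
    return "|".join(header) + "|" + " ".join(ext)


if __name__ == "__main__":
    print(render_cef(EVENT, CONFIG))
```

The output for the constructed event is CEF:0|Akamai|akamai_siem|1.0|950002|SQLi|10|act=deny app=HTTP/1.1 c6a2=2001:db8::10 c6a2Label=Source IPv6 Address cs1=950002,950003 cs1Label=Rules cs2=SQLi,XSS cs2Label=Rule Messages. Two things worth checking when you adjust the templates: a multi-valued field must be listed in akamai.base64fields (and akamai.urlencoded, where the API percent-encodes it) or the raw encoded string ends up in the SIEM, and a static header value containing | needs the \| escape, otherwise the header gains a field and every CEF parser downstream misreads the line.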
Logging
Set log configurations in the config/log4j2.xml file:
- log-path: Location of the log files, as a relative or absolute path (for example: logs).
- log-name: File name for your logs (for example: filename).
- SizeBasedTriggeringPolicy: Log size rollover limit (for example: 1MB).
- DefaultRolloverStrategy: Maximum number of log files stored for each log (info, warn, and error). For example: 20.
- CEFHost: IP address of the forwarder that receives the CEF output (for example: 127.0.0.1).
- CEFPort: Port of the remote CEF syslog server (the file ships with 11532; for example: 514).
- CEFProtocol: Protocol used to reach the remote CEF syslog server (UDP or TCP). Prefer TCP where the forwarder supports it: UDP delivery is unacknowledged, so dropped events cannot be detected on the sending side.
Checking logs in Chronicle
Once the configuration is complete, validate that the logs arrive in Chronicle. Search with the regular expression .* (or with the specific hostname of the connector) to list the log source types being ingested into Chronicle.