Security logs (SIEM)

Create a stream to log Security Information and Event Management (SIEM) events generated on the Akamai platform for your security configurations and deliver logs to one of the supported third-party destinations for storage, analytics, and trend reporting.

You can log security events using the DataStream application or API alongside the existing SIEM API. DataStream's push model offers additional features, such as delivery retry in case of data upload failure, uploading logs to third-party destinations with custom headers and dynamic variables in filenames, mTLS authentication, and log data localization for data stored and processed within the European Union (EU). See the list of Supported features in DataStream.

Supported solutions

Security Information and Event Management (SIEM) logs support tracking security events for App & API Protector, Kona Site Defender, Client Reputation, Web Application Protector, Bot Manager, and Account Protector.

Get started

If DataStream is not enabled on your contract, contact your Akamai account team to get started with logging SIEM events using streams.

To log SIEM events in DataStream, enable data collection for SIEM integration in each security configuration you want to include in a stream.

API workflow

  1. Run List groups to determine the group that you want to create a stream for.

  2. Run List security configurations to get each security configuration's id and name, which you can use as the appSecId and appSecName when creating a stream.

  3. Run List data set fields to get the list of parameters and metrics you can collect in your security stream.

    Security logs contain a fixed set of data set fields mirroring the SIEM API’s original schema. For details, see Security data format.

  4. Run Create a security log stream to configure and activate a stream configuration or save it for later:

    • Set activate to true to activate the stream on request and start streaming logs within 60 minutes, or to false to save the configuration as inactive. Only active streams send logs to your destination.

  5. If required, run Activate a stream at a later time to start streaming logs within 60 minutes from activation.

  6. If you want to make changes to the stream involving the list of security configurations, run Edit a security log stream.