Create a security log stream

Set up a security log stream to get Security Information and Event Management (SIEM) events.

The new Security logs (SIEM) log type available in DataStream supports creating streams for up to 30 security configurations, with each security configuration monitored in up to 3 separate streams. These streams deliver logs to third-party destinations for storage, analytics, and trend reporting.

To launch your stream, you need to choose the log type, enter basic stream details such as the name and security configurations you want to monitor, and configure the destination to stream log files.

Before you begin

To log SIEM events in DataStream, enable data collection for SIEM integration in each security configuration you want to include in your stream. All security configurations must be activated on the production network.

If DataStream is not enabled on your contract, contact your Akamai account team to get started with logging SIEM events using streams.

How to

  1. Log in to Control Center using a User ID and Password with DataStream access.

  2. Click ☰ and go to COMMON SERVICES > DataStream to open the DataStream dashboard.

  3. Click Create stream, and choose the Security logs (SIEM) log type from the drop-down list.

    The stream creation wizard opens on the Configuration tab.

  4. Enter the basic details for your stream:

    • In Display Name, enter a human-readable name for the stream.
    • In Group, select the relevant account control group.
    • In Contract ID, check that the contract number associated with the group is correct.

  5. In Include properties, select up to 30 security configurations you want to monitor in this stream. You can add one configuration to up to 3 streams. Unavailable configurations (already in 3 streams or with SIEM integration data disabled) are grayed out on the list.

    If you need to enable SIEM integration data for any configuration, click View in Web Security.

  6. Click Next to continue to the Data Sets tab. For SIEM, DataStream logs all security event data sets by default.

    You can hover over each data set field to see the description in the tooltip or go to SIEM API data format in the SIEM user guide for the full list of data set fields with descriptions and examples.

  7. Optional: Click Sample log line to see an example of the log file with all the data set fields. For details, see Security data format.

  8. Click Next to continue to the Delivery tab and configure the destination where DataStream uploads your log files.

  9. Choose a Destination to stream security event logs to, configure its details, and set the Delivery options and Sampling rate.

    See Stream logs to a destination for steps for every destination and details for other settings.

  10. Click Next to continue to the Summary tab. Review the details of your stream, and optionally click on each Security configuration if you want to view it.

  11. For the Activate stream upon saving box, either:

    • Check the box to deploy the stream and activate it on the production network after saving. It starts streaming data in about 60 minutes from activating.

      or

    • Leave the box unchecked to save the stream configuration and activate it later. Streams start uploading data in about 60 minutes from activating.

  12. Optional: Select Receive an email once activation is complete and provide a list of e-mail addresses to get notifications about all actions involving the stream, such as stream activation or deactivation, editing an active or inactive stream, or saving a stream version.

  13. Click Save stream to save the stream for later, or save and activate it on the production network. The stream activates if you checked Activate stream upon saving in Step 11.

Activating a stream to stream data takes about 60 minutes. For actions to activate the stream later and details on checking the activation status, see Activate or deactivate a stream.
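
When you plan several streams at once, the limits from Before you begin and step 5 can be checked before you open the wizard. The following is an added example, not part of Akamai's documentation or tooling. The inventory layout, the `preflight` function, and all stream and configuration names are assumptions constructed for illustration.

```python
from collections import Counter

MAX_CONFIGS_PER_STREAM = 30  # limit stated on this page
MAX_STREAMS_PER_CONFIG = 3   # limit stated on this page

def preflight(inventory, existing, planned):
    """Return the problems that would block the planned streams.

    inventory: {config: {"siem_enabled": bool, "on_production": bool}}
    existing / planned: {stream_name: [config, ...]}
    """
    problems = []
    # Count how many existing streams already monitor each configuration.
    usage = Counter(c for cfgs in existing.values() for c in set(cfgs))
    for stream, cfgs in planned.items():
        unique = sorted(set(cfgs))
        if len(unique) > MAX_CONFIGS_PER_STREAM:
            problems.append(f"{stream}: {len(unique)} configurations, "
                            f"limit is {MAX_CONFIGS_PER_STREAM}")
        for cfg in unique:
            state = inventory.get(cfg)
            if state is None:
                problems.append(f"{stream}: {cfg} is not in the inventory")
                continue
            if not state["siem_enabled"]:
                problems.append(f"{stream}: {cfg} has SIEM integration data disabled")
            if not state["on_production"]:
                problems.append(f"{stream}: {cfg} is not activated on production")
            usage[cfg] += 1
            if usage[cfg] > MAX_STREAMS_PER_CONFIG:
                problems.append(f"{stream}: {cfg} would be in {usage[cfg]} streams, "
                                f"limit is {MAX_STREAMS_PER_CONFIG}")
    return problems

# Constructed sample data (hypothetical names, not real configurations).
SAMPLE_INVENTORY = {
    "waf-prod": {"siem_enabled": True, "on_production": True},
    "api-prod": {"siem_enabled": False, "on_production": True},
    "bot-staging": {"siem_enabled": True, "on_production": False},
}
SAMPLE_EXISTING = {"soc-primary": ["waf-prod"], "soc-archive": ["waf-prod"],
                   "soc-lab": ["waf-prod"]}
SAMPLE_PLANNED = {"soc-new": ["waf-prod", "api-prod", "bot-staging"]}

if __name__ == "__main__":
    for line in preflight(SAMPLE_INVENTORY, SAMPLE_EXISTING, SAMPLE_PLANNED):
        print(line)
```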