Real-time Connector Metrics using Splunk SIEM provider

EAA supports the Splunk SIEM provider so that you can monitor and analyze your EAA Connectors, investigate health issues and security incidents, and visualize the data. You can send CPU, memory, and network metrics of the EAA Connectors to Splunk and build dashboards from them.

Note: This feature is in limited availability (LA) and can be enabled in your contract by contacting Akamai support.

This guide explains how to configure Splunk and Akamai to send metrics to Splunk’s HTTP Event Collector (HEC).

Configure the HTTP Event Collector (HEC) in Splunk

To set up the HTTP Event Collector (HEC) in Splunk, you must globally enable the listener and then create an authentication token for the EAA data source.

Enable HEC globally

  1. Log in to the Splunk Web UI.
  2. Navigate to Settings > Data Inputs.
  3. Click on HTTP Event Collector.
  4. Click the Global Settings button at the top right.
  5. Set All Tokens to Enabled.
  6. You can leave the HTTP Port Number at the default value of 8088.
  7. Keep Enable SSL enabled.
  8. Click Save.

Create a new HEC Token

Create a unique token for authenticating your EAA data source using this procedure:

  1. On the HTTP Event Collector page, click New Token. Provide the following details:
  2. Select Source: Provide a Name for the token and click Next.
  3. Input Settings: Define the Source type and the Index where you want the data to be stored.
  4. Review: Confirm your settings and click Submit.
  5. Copy the Token: Copy the generated Token Value. You will need it in EAA when you enable the Splunk SIEM.
  6. Make sure the token is Enabled.

Create a Metrics Index in Splunk

The Index is like a repository inside Splunk where EAA data is sent. The Index Data Type should be of Metrics type.

  1. Navigate to Settings > Indexes.
  2. Click New Index at the top right.
  3. For Index Name, enter eaa_metrics. Do not use any other value for the index name.
  4. For Index Data Type, select Metrics.
  5. (Optional) Set Timestamp Resolution to Milliseconds if you require sub-second precision, though this may decrease search performance.
  6. (Optional) Configure retention settings (e.g., Max raw data size or Searchable time).
  7. Click Save.

Make sure that the index is enabled and accessible by the HEC token you created earlier.
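One way to confirm the token and index before configuring EAA is to post a single test data point to HEC and read the reply code. This is an added example, not part of the Akamai or Splunk documentation; the environment variable names, the metric name hec_selftest.value, and the hostname are assumptions.

```python
import json, os, ssl, time
import urllib.error, urllib.request

INDEX = "eaa_metrics"  # index name this guide requires
# Splunk HEC reply codes, mapped to the matching check in this guide.
HINTS = {
    0: "accepted: token and index are usable",
    1: "token disabled: enable the token and All Tokens",
    4: "invalid token: re-copy the Token Value",
    7: "incorrect index: eaa_metrics missing or not allowed for this token",
}

def build_request(host, token, port=8088, now=None):
    """One test data point in HEC metric format (metric name is constructed)."""
    body = {
        "time": time.time() if now is None else now,
        "event": "metric",
        "index": INDEX,
        "fields": {"metric_name": "hec_selftest.value", "_value": 1},
    }
    return urllib.request.Request(
        f"https://{host}:{port}/services/collector",
        data=json.dumps(body).encode(),
        # Token goes in the header only, never in the URL or a log line.
        headers={"Authorization": f"Splunk {token}"},
        method="POST",
    )

def explain(reply):
    """Map a raw HEC reply body to (code, hint)."""
    try:
        code = json.loads(reply).get("code")
    except (ValueError, AttributeError):
        return None, "non-JSON reply: check host and HTTP Port Number"
    return code, HINTS.get(code, "other HEC status, see Splunk documentation")

def check(host, token, cafile=None):
    # Certificate verification stays on; pass a CA bundle for a private CA.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(build_request(host, token), context=ctx, timeout=10) as r:
            return explain(r.read())
    except urllib.error.HTTPError as e:  # HEC reports errors as 4xx + JSON
        return explain(e.read())
    except urllib.error.URLError as e:
        return None, f"connection or TLS failure: {e.reason}"

if __name__ == "__main__":  # env var names are assumptions
    print(check(os.environ["SPLUNK_HEC_HOST"], os.environ["SPLUNK_HEC_TOKEN"], os.environ.get("SPLUNK_CA_FILE")))
```

An accepted request writes one data point named hec_selftest.value into eaa_metrics.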

Configure Akamai to send connector metrics to Splunk

In EAA, select Splunk SIEM and provide the encryption token and SIEM server information.

  1. Log in to the Enterprise Center.
  2. In the Enterprise Center navigation menu, select Application Access > General Settings > Settings > Company Settings.
  3. Go to the System monitoring SIEMs section.
  4. Enable Send metrics to send connector metrics such as CPU, memory, and network to your SIEM provider, so that you can monitor, investigate issues, and perform data visualization. If you disable Send metrics for more than 24 hours, the data is lost for the disabled period.
  5. For Active SIEM, select Splunk SIEM.
  6. Paste the HEC Token that you copied from Splunk into the Encryption Token field, and provide the Splunk Server information for your organization:

(Screenshot: Splunk SIEM settings)

  7. Click Test and Save to test the connectivity. If EAA can communicate with the Splunk SIEM correctly, the changes are saved.

View metrics in Splunk

To verify that the EAA connector metrics are received in Splunk, go to the Search and Reporting app on Splunk and search for “index = eaa_metrics” as shown below:

(Screenshot: EAA metrics in Splunk)

The EAA connector metrics are visible in Splunk as events.
