Guide
TrainingSupportCommunity

Transport data to your SIEM with Unified Log Streamer

Suggest Edits

A security information and event management (SIEM) tool provides a centralized view for security teams to access and analyze threat information and logs from many sources. With Unified Log Streamer (ULS), you can feed ​Secure Internet Access Enterprise​ reporting data into SIEM solutions such as Splunk, Graylog, or Sumo Logic.

📘

In addition to using ULS to transport ​SIA​ data, you can also use it to stream data from Enterprise Application Access, ​Akamai​ Multi-Factor Authentication, and Guardicore. For more information, see ULS GitHub documentation.

As shown in this graphic, the ULS tool performs REST API calls to the ETP Reporting API and transports data to your SIEM environment.

This tool lets you:

  • Perform real-time streaming to your SIEM
  • Filter data before sending it to your SIEM
  • Specify the fields that you want directed to the SIEM
  • Configure an auto-resume feature in case there is a streaming interruption

With ULS, you can send the following ​SIA​ data to your SIEM product:

  • Threat events
  • Access control events
  • DNS activity
  • Proxy activity
  • Network traffic connections

To use ULS, no coding or experience with the ETP APIs are required.

You can run ULS with these methods:

  • command line (python)
  • docker
  • docker compose
  • kubernetes / k8s

ULS supports these output methods:

  • TCP. Delivers data to a listener on a TCP socket.
  • UDP. Delivers data to a listener on a UDP socket.
  • HTTP and HTTPS. Delivers data to an HTTP listener through a POST request.
  • RAW. Delivers data with a raw output. This data appears in standard output (stdout).
  • FILE. Delivers data to an output file that is rotated based on parameters you configure such as size or time.

📘

In ULS, the acronym ETP is used to represent the ​Secure Internet Access Enterprise​ product and product data.

Prepare to use ULS

Before you use ULS, make sure you:

  1. Determine the method that you want to use for transporting data to your SIEM product. You can use any of these methods:

    • Docker
    • Docker Compose
    • Kubernetes / k8s
    • Command Line (python)

  2. Determine the output method that you want to use for your SIEM solution. You can use TCP, UDP, HTTP and HTTPS, RAW, or FIle.

  3. Modify the .edgerc file. The .edgerc file contains credentials that are required for the APIs and are also required to feed reporting data to your SIEM solution. For more information, see Configure API credentials for ULS.

  4. Understand environment variables and command line parameters for ULS. For more information, see the ULS GitHub documentation.

  5. Make sure you have outbound access to the Internet to access the APIs, the ULS repository, and more.

To learn more about ULS and how to stream data to your SIEM, see the ​Akamai​ ULS GitHub repository

Updated over 1 year ago