Download SIEM event data (legacy customers only)
The content on this page deals with a legacy feature of the Akamai Identity Cloud. If you are currently an Identity Cloud customer and are using SIEM event delivery, that feature is still supported. However, if you're new to the Identity Cloud, SIEM event delivery is no longer available.
You must use SFTP (SSH File Transfer Protocol) and a valid public key in order to retrieve data from your Amazon S3 bucket. Currently Amazon Web Services supports the following SFTP clients:
- OpenSSH (Macintosh and Linux)
- WinSCP (Microsoft Windows-only)
- Cyberduck (Windows, Macintosh, and Linux)
- FileZilla (Windows, Macintosh, and Linux)
Note that SFTP is the only way to access the S3 bucket.
We should also mention that Amazon's SFTP Transfer service is not yet available in the China AWS region (although the service is expected soon).
If your organization needs to set up an allow list for data retrieval -- that is, if you need to limit data retrieval to a specific set of IP addresses -- Akamai has configured a pair of static IP addresses for each Identity Cloud region:
Region | DNS Entry | IP Address 1 | IP Address 2 |
---|---|---|---|
North America (Virginia) | http://eventdelivery.multi.prod.va.janrain.com | 184.73.183.138 | 3.209.201.47 |
Europe (Ireland) | http://eventdelivery.multi.prod.ie.janrain.com | 52.209.21.6 | 52.208.55.204 |
North America (Canada) | http://eventdelivery.multi.prod.cc.janrain.com | 3.96.12.139 | 15.223.99.188 |
Asia (Singapore) | http://eventdelivery.multi.prod.sg.janrain.com | 54.151.248.224 | 54.151.248.240 |
South America (Sao Paulo) | http://eventdelivery.multi.prod.sp.janrain.com | 54.232.113.57 | 54.94.105.120 |
Australia (Sydney) | http://eventdelivery.multi.prod.sy.janrain.com | 13.238.72.55 | 52.64.26.211 |
Asia (Tokyo) | http://eventdelivery.multi.prod.tk.janrain.com | 54.248.31.82 | 54.199.66.89 |
For example, in the US your allow list for SIEM data retrieval would include these two IP addresses:
- 3.209.201.47
- 52.208.55.204
When SIEM Event Delivery is activated, you'll get back an API response similar to the following:
{
  "message": "Your request has been accepted and is being processed.",
  "sftp": {
    "uri": "sftp://user_79y4mqf2rt3bxs378kw5479xdu@eventdelivery.multi.prod.va.janrain.com",
    "user": "user_79y4mqf2rt3bxs378kw5479xd",
    "host": "eventdelivery.multi.prod.va.janrain.com"
  }
}
As noted elsewhere, each organization is given a single user account (the user field). All users who access the S3 bucket must log on using this same username (as well as an SSH key associated with the S3 bucket).
Meanwhile, the uri property specifies the URL for your S3 bucket. In the preceding example, that URL is sftp://user_79y4mqf2rt3bxs378kw5479xdu@eventdelivery.multi.prod.va.janrain.com.
The exact steps required to access your S3 bucket depend on which SFTP client you use. For example, if you use Cyberduck you'll need to follow a procedure similar to this:
- Start Cyberduck and then click Open Connection.
- In the dropdown dialog, set the protocol to SFTP (SSH File Transfer Protocol).
- Type the value of the host property (e.g., eventdelivery.multi.prod.va.janrain.com) in the Server field and the port number for the S3 bucket in the Port field.
- Enter the value of the user property (in this example, user_79y4mqf2rt3bxs378kw5479xd) in the Username field. Leave the Password field blank.
- Click SSH Private Key and then select the private key you're using for S3 access. Keep in mind that the corresponding public key must already be associated with the S3 bucket.
- When you are finished, click Connect.
After the connection is made, your SIEM event files will appear in the Cyberduck window.
To download a file, right-click the file name and then click:
- Download (to download the file directly to your Downloads folder).
- Download As (which enables you to specify a different file name and/or download location).
- Download To (which lets you change the download location but not the file name).
To remove a file from the S3 bucket, right-click the file name and then click Delete.
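For the OpenSSH client listed above, the same connection can be scripted. The following is an added example, not Akamai's code: it reads the `user` and `host` fields from the sample activation response, confirms that the addresses the host resolves to are the published pair for Virginia (an allow list built from the table only works while that holds), and builds a key-only `sftp` command. The key path and port 22 (the SSH default) are assumptions, since the page does not state the port.

```python
import ipaddress
import json
import shlex
import socket
from urllib.parse import urlsplit

# Static pair published for the Virginia endpoint, copied from the table above.
PUBLISHED = {"eventdelivery.multi.prod.va.janrain.com":
             {"184.73.183.138", "3.209.201.47"}}

# Activation response from this page, with the message joined onto one line.
SAMPLE = """{"message": "Your request has been accepted and is being processed.",
 "sftp": {"uri": "sftp://user_79y4mqf2rt3bxs378kw5479xdu@eventdelivery.multi.prod.va.janrain.com",
          "user": "user_79y4mqf2rt3bxs378kw5479xd",
          "host": "eventdelivery.multi.prod.va.janrain.com"}}"""

def parse_activation(text):
    """Return (user, host), rejecting a response whose uri disagrees with host."""
    sftp = json.loads(text)["sftp"]
    uri = urlsplit(sftp["uri"])
    if uri.scheme != "sftp" or uri.hostname != sftp["host"]:
        raise ValueError("uri and host fields disagree")
    return sftp["user"], sftp["host"]

def unexpected(host, resolved):
    """Resolved addresses that fall outside the published pair for host."""
    norm = lambda addrs: {str(ipaddress.ip_address(a)) for a in addrs}
    return sorted(norm(resolved) - norm(PUBLISHED[host]))

def sftp_command(user, host, key_path, port):
    """Key-only OpenSSH sftp invocation; no password prompt, no agent keys."""
    return ["sftp", "-P", str(port), "-i", key_path,
            "-o", "IdentitiesOnly=yes",         # offer only the key given with -i
            "-o", "PasswordAuthentication=no",  # the Password field stays blank
            # Host key must already be in known_hosts; verify it out of band first.
            "-o", "StrictHostKeyChecking=yes",
            f"{user}@{host}"]

if __name__ == "__main__":
    user, host = parse_activation(SAMPLE)
    resolved = {i[4][0] for i in socket.getaddrinfo(host, None, socket.AF_INET)}
    bad = unexpected(host, resolved)
    if bad:
        raise SystemExit(f"{host} resolved outside the published pair: {bad}")
    # Hypothetical key path; port 22 is the SSH default, assumed here.
    print(shlex.join(sftp_command(user, host, "/home/analyst/.ssh/siem_ed25519", 22)))
```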