Splunk adapter
Follow these instructions to set up Akamai MFA log retrieval in Splunk.
Before you begin
- Generate your integration credentials in Akamai MFA:
  - In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
  - Click Add integration (+).
  - In Integration Type, select Logging.
  - In Name, enter a unique name for your Splunk integration.
  - Click Save and Deploy.
You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be easily copied and used in the following steps to configure the integration.
Your Signing Key should be kept completely secret like any other password or secret key credential.
- Visit https://splunkbase.splunk.com/app/5490/ to download the most recent version (2.0.0) of the Akamai MFA Splunk plugin, and save it to a secure location.
Follow this procedure to integrate the security information and event management (SIEM) product Splunk with Akamai MFA. The installation below lets you import Akamai MFA logs into Splunk.
After this integration is complete, logs appear in Splunk.
How to
- Create an app in Splunk.
  - Log in to Splunk.
  - Select Apps > Manage Apps > Install App From File.
  - In the Upload an app dialog, browse and locate the akamai-mfa-app-for-splunk_200.tgz file.
  - If you are upgrading or reinstalling the app, select Upgrade app.
  - Click Upload. If prompted, restart Splunk.
- Set the SPLUNK_HOME directory variable on your local machine.
  - On macOS or Linux, open a terminal window and execute the following command:
    export SPLUNK_HOME=<Splunk_directory>
    where <Splunk_directory> is the directory where Splunk is installed. For example, /Applications/Splunk.
  - On Windows, open the Environment Variables dialog from the Advanced system settings in the Control Panel. In the dialog, configure a variable for the SPLUNK_HOME directory. Define the variable with the directory where Splunk is installed.
  Ensure that you have write permissions to this directory.
- In a terminal or command prompt, go to the Splunk application directory:
  - On macOS or Linux, enter this command and press Enter.
    cd "$SPLUNK_HOME/etc/apps/akamai_mfa/bin"
  - On Windows, enter this command and press Enter.
    cd %SPLUNK_HOME%\etc\apps\akamai_mfa\bin
- Execute the Python application script to set up Akamai MFA log collection. To run the scripts below, use Python version 3.6 or later.
  - On macOS or Linux, enter this command and press Enter.
    "$SPLUNK_HOME/bin/splunk" cmd python config.py
  - On Windows, enter this command and press Enter.
    "%SPLUNK_HOME%\bin\splunk" cmd python config.py
- Type set and press Enter to configure your integration.
- When prompted, paste the Integration ID, Signing Key, and API Host (Akamai MFA Url) that you generated in Akamai MFA. Make sure you add the https:// protocol prefix to the API Host.
- Type get and press Enter to verify your integration data. If the data you entered is correct, type exit and press Enter.
- Enable the Akamai MFA Python scripts that allow Splunk to collect logs from Akamai MFA:
  - In the Splunk navigation menu, select Settings > Data inputs.
  - Under Local inputs, click Scripts.
  - Enable the following Python scripts:
    - $SPLUNK_HOME/etc/apps/akamai_mfa/bin/auths.py. This script lets you view Akamai MFA authentication events.
    - $SPLUNK_HOME/etc/apps/akamai_mfa/bin/resource.py. This script lets you audit admin actions.
    - $SPLUNK_HOME/etc/apps/akamai_mfa/bin/session_history.py. This script lets you view session history data.
Authentication events, session history data, and resource action logs appear in the Data Summary for the Akamai MFA app. See Logs from the Splunk application to interpret the data.
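The prerequisites this procedure states (SPLUNK_HOME set and writable, the app installed with its scripts, the API Host carrying the https:// prefix) can be checked before running config.py. The script below is an added example for macOS or Linux, not part of the Akamai MFA Splunk app; its function names are hypothetical, and the paths and script names are the ones listed on this page.

```shell
#!/bin/sh
# Added example (not part of the Akamai MFA Splunk app): pre-flight checks for
# the macOS/Linux steps above. Function names are hypothetical; the paths and
# script names are the ones this page lists.

# SPLUNK_HOME must be set, writable, and contain the splunk launcher.
check_splunk_home() {
    home="$1"
    [ -n "$home" ] || { echo "SPLUNK_HOME is not set" >&2; return 1; }
    [ -d "$home" ] || { echo "$home is not a directory" >&2; return 1; }
    [ -w "$home" ] || { echo "no write permission on $home" >&2; return 1; }
    [ -x "$home/bin/splunk" ] || { echo "$home/bin/splunk not found" >&2; return 1; }
}

# The installed app must provide config.py and the three scripted inputs.
check_app_scripts() {
    bin="$1/etc/apps/akamai_mfa/bin"
    missing=0
    for f in config.py auths.py resource.py session_history.py; do
        [ -f "$bin/$f" ] || { echo "missing $bin/$f" >&2; missing=1; }
    done
    return "$missing"
}

# The API Host pasted into config.py must start with https:// and must not
# carry stray whitespace from the copy and paste.
check_api_host() {
    case "$1" in
        *[[:space:]]*) echo "API Host contains whitespace" >&2; return 1 ;;
        https://?*)    return 0 ;;
        *)             echo "API Host must start with https://" >&2; return 1 ;;
    esac
}

# Run all checks; stops at the first failing group.
preflight() {
    check_splunk_home "$1" && check_app_scripts "$1" && check_api_host "$2"
}

# Usage: sh preflight.sh "$SPLUNK_HOME" "https://<your API Host>"
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "pre-flight OK"
fi
```

The Signing Key is deliberately not an argument of this script, so it does not end up in shell history or the process list.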