Guide

Splunk adapter

Suggest Edits

Follow this instruction to learn how to set up ​Akamai MFA​ log retrieval in Splunk.

Before you begin

  1. Generate your integration credentials in ​Akamai MFA​:
    1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
    2. Click Add integration (+).
    3. In Integration Type, select Logging.
    4. In Name, enter a unique name for your Splunk integration.
    5. Click Save and Deploy.
      You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be easily copied and used in the following steps to configure the integration.

📘

Your Signing Key should be kept completely secret like any other password or secret key credential.

  1. Visit https://splunkbase.splunk.com/app/5490/ to download the most recent version (1.0.4) of the akamai_mfa.spl file, and save it to a secure location.
    Follow this procedure to integrate the security information and event management (SIEM) product Splunk with ​Akamai MFA​. With the below installation, you can import ​Akamai MFA​ logs into Splunk.
    After this integration is complete, logs appear in Splunk.

How to

  1. Create an app in Splunk.

    1. Log in to Splunk.
    2. Select Apps > Manage Apps (gear) > Install App from file.
    3. In the Upload an app dialog, browse and locate the akamai_mfa.spl file.
    4. If you are upgrading or reinstalling the app, select Update app.
    5. Click Upload. If prompted, restart Splunk.

  2. Set the SPLUNK_HOME directory variable on your local machine.

    • On macOS or Linux, open a terminal window and execute the following command: export $SPLUNK_HOME=<Splunk_directory> where <Splunk_directory> is the directory where Splunk is installed. For example, /Applications/Splunk.

    • On Windows, open the Environment Variables dialog from the Advanced systems settings in the Control Panel. In the dialog, configure a variable for the SPLUNK_HOME directory. Define the variable with the directory where Splunk is installed.
      Ensure that you have write permissions to this directory.

  3. In a terminal or command prompt, go to the Splunk application directory:

    • On macOS or Linux, enter this command and press Enter. cd $SPLUNK_HOME/etc/apps/akamai_mfa/bin

    • On Windows, enter this command and press Enter. cd %SPLUNK_HOME%\etc\apps\akamai_mfa\bin

  4. Execute the python application script to set up ​Akamai MFA​ log collection. To run the below scripts, use Python version 3.6 or later.

    • On macOS or Linux, enter this command and press Enter. $SPLUNK_HOME/bin/splunk cmd python akamai_mfa_app_setup.py

    • On Windows, enter this command and press Enter. %SPLUNK_HOME%\bin\splunk cmd python akamai_mfa_app_setup.py

  5. When prompted, paste the Integration ID and Signing Key that you generated in ​Akamai MFA​.

  6. When prompted for the Start Date Time, enter the date and time to configure when you want Splunk to start collecting ​Akamai MFA​ logs. Ensure that you enter the date and time in this format: yyyy-mm-dd hh:mm, where:

    • yyyy-mm-dd is the date represented in year (yyyy), month (mm), and day (dd).
    • hh:mm is time represented with a 24-hour clock in hours (hh) and minutes (mm).

    For example, a valid Start Date Time entry is 2018-01-01 13:00

  7. Enable the ​Akamai MFA​ python script that allows Splunk to collect logs from ​Akamai MFA​:

    1. In the Splunk navigation menu, select Settings > Data inputs.
    2. Under Local inputs, click Scripts.
    3. Depending on the operating system for the Splunk platform, enable the appropriate python file.
      • For macOS or Linux, click Enable for the $SPLUNK_HOME/etc/apps/akamai_mfa/bin/etl.py script.
      • For Windows, click Enable for the %SPLUNK_HOME%\etc\apps\akamai_mfa\bin\etl-windows.py script.

  8. Run the following commands to set the ​Akamai MFA​ URL to https://​mfa.akamai.com​:

🚧

Ensure that the URL doesn't have a trailing slash (/) at the end.

  • On macOS or Linux:
    1. cd $SPLUNK_HOME/etc/apps/akamai_mfa/bin
    2. $SPLUNK_HOME/bin/splunk cmd python./akamai_mfa_config.py
      Akamai MFA Url: https://<<MFA_DOMAIN>>
  • On Windows:
    1. cd %SPLUNK_HOME%\etc\apps\akamai_mfa\bin
    2. %SPLUNK_HOME%\bin\splunk cmd python.\akamai_mfa_config.py
      Akamai MFA Url: https://<<MFA_DOMAIN>>
  1. Events appear in the Data Summary for the ​Akamai MFA​ app. See Authentication logs from the Splunk application to interpret the data.

Updated over 2 years ago