Splunk adapter

Follow these instructions to set up Akamai MFA log retrieval in Splunk.

Before you begin

  1. Generate your integration credentials in Akamai MFA:
    1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
    2. Click Add integration (+).
    3. In Integration Type, select Logging.
    4. In Name, enter a unique name for your Splunk integration.
    5. Click Save and Deploy.
      You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be easily copied and used in the following steps to configure the integration.

Your Signing Key should be kept completely secret like any other password or secret key credential.

  2. Visit https://splunkbase.splunk.com/app/5490/ to download the most recent version of the akamai_mfa.spl file, and save it to a secure location.
    Follow this procedure to integrate the security information and event management (SIEM) product Splunk with Akamai MFA. With the installation below, you can import Akamai MFA logs into Splunk.
    After this integration is complete, logs appear in Splunk.

How to

  1. Create an app in Splunk.

    1. Log in to Splunk.
    2. Select Apps > Manage Apps (gear) > Install App from file.
    3. In the Upload an app dialog, browse and locate the akamai_mfa.spl file.
    4. If you are upgrading or reinstalling the app, select Update app.
    5. Click Upload. If prompted, restart Splunk.
  2. Set the SPLUNK_HOME directory variable on your local machine.

    • On macOS or Linux, open a terminal window and execute the following command: export SPLUNK_HOME=<Splunk_directory> where <Splunk_directory> is the directory where Splunk is installed. For example, /Applications/Splunk.

    • On Windows, open the Environment Variables dialog from the Advanced systems settings in the Control Panel. In the dialog, configure a variable for the SPLUNK_HOME directory. Define the variable with the directory where Splunk is installed.
      Ensure that you have write permissions to this directory.

  3. In a terminal or command prompt, go to the Splunk application directory:

    • On macOS or Linux, enter this command and press Enter. cd $SPLUNK_HOME/etc/apps/akamai_mfa/bin

    • On Windows, enter this command and press Enter. cd %SPLUNK_HOME%/etc/apps/akamai_mfa/bin

  4. Execute the Python application script to set up Akamai MFA log collection. To run the scripts below, use Python version 3.6 or later.

    • On macOS or Linux, enter this command and press Enter. $SPLUNK_HOME/bin/splunk cmd python akamai_mfa_app_setup.py

    • On Windows, enter this command and press Enter. %SPLUNK_HOME%/bin/splunk cmd python akamai_mfa_app_setup.py

  5. When prompted, paste the Integration ID and Signing Key that you generated in Akamai MFA.

  6. When prompted for the Start Date Time, enter the date and time to configure when you want Splunk to start collecting Akamai MFA logs. Ensure that you enter the date and time in this format: yyyy-mm-dd hh:mm, where:

    • yyyy-mm-dd is the date represented in year (yyyy), month (mm), and day (dd).
    • hh:mm is time represented with a 24-hour clock in hours (hh) and minutes (mm).

    For example, a valid Start Date Time entry is 2018-01-01 13:00

  7. Enable the Akamai MFA Python script that allows Splunk to collect logs from Akamai MFA:

    1. In the Splunk navigation menu, select Settings > Data inputs.
    2. Under Local inputs, click Scripts.
    3. Depending on the operating system for the Splunk platform, enable the appropriate Python file.
      • For macOS or Linux, click Enable for the $SPLUNK_HOME/etc/apps/akamai_mfa/bin/etl.py script.
      • For Windows, click Enable for the $SPLUNK_HOME\etc\apps\akamai_mfa\bin\etl-windows.py script.
  8. Skip this step, unless you need to change the Akamai MFA URL, which defaults to https://mfa.akamai.com/.

    1. cd $SPLUNK_HOME/etc/apps/akamai_mfa/bin
    2. $SPLUNK_HOME/bin/splunk cmd python ./akamai_mfa_config.py
      Akamai MFA Url: <enter new URL>
  9. Events appear in the Data Summary for the Akamai MFA app. See Authentication logs from the Splunk application to interpret the data.
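
A pre-flight check for the macOS or Linux steps above, as an added example that is not part of the Akamai MFA app or this page's original content. The function names mfa_preflight and valid_start_datetime are hypothetical; the paths and script names are the ones given in steps 2 through 7.

```shell
#!/bin/sh
# Added example: pre-flight checks before running akamai_mfa_app_setup.py.
# Function names are hypothetical; paths and file names come from the steps above.

# Return 0 if $1 matches the Start Date Time format yyyy-mm-dd hh:mm
# (24-hour clock). This checks format and field ranges only, so a date
# such as 2018-02-31 still passes.
valid_start_datetime() {
    printf '%s\n' "$1" | grep -Eq \
        '^[0-9]{4}-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01]) ([01][0-9]|2[0-3]):[0-5][0-9]$'
}

# Check the Splunk directory passed as $1 (default: $SPLUNK_HOME).
# Prints one line per problem and returns the number of problems found.
mfa_preflight() {
    home="${1:-$SPLUNK_HOME}"
    bin="$home/etc/apps/akamai_mfa/bin"
    problems=0

    # Step 2: SPLUNK_HOME must point at the Splunk installation.
    if [ -z "$home" ] || [ ! -d "$home" ]; then
        echo "SPLUNK_HOME is not set to an existing directory"
        return 1
    fi
    # Step 2: the page requires write permission on this directory.
    [ -w "$home" ] || { echo "no write permission on $home"; problems=$((problems + 1)); }
    # Step 4: the setup script is launched through the splunk binary.
    [ -x "$home/bin/splunk" ] || { echo "missing $home/bin/splunk"; problems=$((problems + 1)); }
    # Steps 4 and 7: the setup script and the collector shipped in akamai_mfa.spl.
    for f in akamai_mfa_app_setup.py etl.py; do
        [ -f "$bin/$f" ] || { echo "missing $bin/$f (is the app installed?)"; problems=$((problems + 1)); }
    done
    return "$problems"
}
```

Source the file and run mfa_preflight after step 2; check the value you plan to enter in step 6 with valid_start_datetime "2018-01-01 13:00".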

