Hi all,
Installed the Akamai SIEM Integration app on the Deployer for the SHC successfully. Installed JRE 1.8 successfully. Configured the Data Inputs "Akamai SIEM API" for Akamai Control dashboard successfully. However, the Akamai Logging Dashboard shows the following error:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" javax.xml.stream.XMLStreamException: No element was found to write: java.lang.ArrayIndexOutOfBoundsException: -1
Anyone have any clues? Is this a pathing issue?
Mike/deepdiver
I was seeing a similar issue to the Java out of bounds message yesterday, although it was accompanied by:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : HTTP 503 -- KV Store initialization failed. Please contact your system administrator
If you see a similar error, check $SPLUNK_HOME/var/log/splunk/mongod.log for indications of certificate errors:
NETWORK [main] The provided SSL certificate is expired or not yet valid.
If you see the above error mentioned, confirm that your server.pem certificate is still valid.
Hope this is helpful or at least neutral for you! Good luck!
Thanks for the reply nkoppert_s
I forgot about mongod - no cert errors, which is what I thought initially because the Akamai Logging Dashboard was spitting out cert errors. I fixed those and now we think we have a proxy exception issue. Currently trying to identify the IP that is opening and closing the connections!
2022-09-16T10:02:28.190Z I NETWORK [conn21] end connection X.X.X.115:50532 (12 connections now open)
2022-09-16T13:02:26.280Z I NETWORK [listener] connection accepted from X.X.X.119:63791 #22 (13 connections now open)
2022-09-16T13:02:26.843Z I NETWORK [conn22] end connection X.X.X.119:63791 (12 connections now open)
2022-09-16T13:03:21.013Z I NETWORK [listener] connection accepted from X.X.X.119:49161 #23 (13 connections now open)
2022-09-16T13:03:24.934Z I NETWORK [conn23] Error receiving request from client: ProtocolError: Client sent an HTTP request over a native MongoDB connection. Ending connection from X.X.X.119:49161 (connection id: 23)
2022-09-16T13:03:24.934Z I NETWORK [conn23] end connection X.X.X:49161 (12 connections now open)
2022-09-16T13:03:44.104Z I NETWORK [listener] connection accepted from X.X.X.119:50534 #24 (13 connections now open)
2022-09-16T13:03:44.457Z I NETWORK [conn24] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from X.X.X.119:50534 (connection id: 24)
2022-09-16T13:03:44.457Z I NETWORK [conn24] end connection X.X.X.119:50534 (12 connections now open)
2022-09-18T01:17:00.757Z I JOURNAL [journal writer] old journal file /opt/splunk/var/lib/splunk/kvstore/mongo/journal/j._0 will be reused as /opt/splunk/var/lib/splunk/kvstore/mongo/journal/prealloc.0
2022-09-19T17:43:37.541Z I JOURNAL [journal writer] old journal file /opt/splunk/var/lib/splunk/kvstore/mongo/journal/j._1 will be reused as /opt/splunk/var/lib/splunk/kvstore/mongo/journal/prealloc.0
2022-09-21T10:01:24.642Z I JOURNAL [journal writer] old journal file /opt/splunk/var/lib/splunk/kvstore/mongo/journal/j._2 will be reused as /opt/splunk/var/lib/splunk/kvstore/mongo/journal/prealloc.0
Also getting the following ERROR:
ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
Any help appreciated!
Mike
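Added example, not part of the thread and not Splunk or Akamai code: a small Python script that groups the mongod.log NETWORK events quoted above by client address, showing which host opened each failed connection and the reason mongod gave for ending it. The sample lines are constructed in the format of the excerpts above, with documentation-range addresses as placeholders; `summarize` and the regex names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the mongod.log format quoted in the thread
# (addresses are documentation-range placeholders, not values from the thread).
SAMPLE_LOG = """\
2022-09-16T13:02:26.280Z I NETWORK [listener] connection accepted from 192.0.2.119:63791 #22 (13 connections now open)
2022-09-16T13:02:26.843Z I NETWORK [conn22] end connection 192.0.2.119:63791 (12 connections now open)
2022-09-16T13:03:21.013Z I NETWORK [listener] connection accepted from 192.0.2.119:49161 #23 (13 connections now open)
2022-09-16T13:03:24.934Z I NETWORK [conn23] Error receiving request from client: ProtocolError: Client sent an HTTP request over a native MongoDB connection. Ending connection from 192.0.2.119:49161 (connection id: 23)
2022-09-16T13:03:24.934Z I NETWORK [conn23] end connection 192.0.2.119:49161 (12 connections now open)
2022-09-16T13:03:44.104Z I NETWORK [listener] connection accepted from 192.0.2.115:50534 #24 (13 connections now open)
2022-09-16T13:03:44.457Z I NETWORK [conn24] Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 192.0.2.115:50534 (connection id: 24)
2022-09-16T13:03:44.457Z I NETWORK [conn24] end connection 192.0.2.115:50534 (12 connections now open)
NETWORK [main] The provided SSL certificate is expired or not yet valid.
"""

ACCEPT = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
ERROR = re.compile(r"\[conn(\d+)\] Error receiving request from client: (\w+):")
CERT = "The provided SSL certificate is expired or not yet valid"

def summarize(log_text):
    """Return (per-client stats, cert_problem flag) for mongod.log text."""
    conn_ip = {}  # connection id -> client address from the accept line
    stats = defaultdict(lambda: {"accepted": 0, "errors": defaultdict(int)})
    cert_problem = False
    for line in log_text.splitlines():
        if CERT in line:
            cert_problem = True
        m = ACCEPT.search(line)
        if m:
            conn_ip[m.group(2)] = m.group(1)
            stats[m.group(1)]["accepted"] += 1
            continue
        m = ERROR.search(line)
        if m:
            ip = conn_ip.get(m.group(1), "unknown")  # accept line may have rotated out
            stats[ip]["errors"][m.group(2)] += 1
    return stats, cert_problem

if __name__ == "__main__":
    stats, cert_problem = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(ip, "accepted:", s["accepted"], "errors:", dict(s["errors"]))
    print("server certificate problem logged:", cert_problem)
```

To run it against a real file, pass the contents of $SPLUNK_HOME/var/log/splunk/mongod.log to `summarize` instead of `SAMPLE_LOG`.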