Hi,
I have installed the Akamai Siem App on a Heavy Forwarder and did some initial testing, and besides not having proper authentication at the Akamai side, the app was working and sending data to my indexers.
After they changed something at our user level and asked us to retry, I keep getting the following error messages and I can't find the root cause of them:
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : HTTP 401 -- call not properly authenticated, Exception : com.splunk.HttpException: HTTP 401 -- call not properly authenticated
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpException.create(HttpException.java:84)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:500)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:455)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
12-22-2020 12:30:28.303 +0100 INFO ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg = streamEvents, end streamEvents
12-22-2020 12:30:28.303 +0100 ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" javax.xml.stream.XMLStreamException: No element was found to write: java.lang.ArrayIndexOutOfBoundsException: -1
I'm running openjdk version "1.8.0_265" which initially worked fine and I'm using the latest version of the Akamai Siem app which is 1.4.8. Splunk version is 7.3.4 and should be fine.
Anybody have some clues for this?
Regards
Hello @jjobar.
I know it's been a while since I posted this error, but I'm also facing the same issue.
But in my case the SIEM connector is installed directly on the Splunk Indexer.
Did you manage to solve this problem?
Can anyone in the community help?
Splunk Enterprise Version: 8.2.2
siem-splunk-connector: 1.4.9
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 1.8.0_311-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)
splunkd.log:
10-26-2021 19:09:55.623 -0300 INFO ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg = streamEvents, begin streamEvents
10-26-2021 19:09:55.842 -0300 INFO ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg = streamEvents, inputName=TA-Akamai_SIEM://akamai_vibra
10-26-2021 19:09:55.842 -0300 INFO ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg = streamEvents, inputName(String)=TA-Akamai_SIEM://akamai_vibra
10-26-2021 19:09:55.847 -0300 INFO ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg=Processing Data...
10-26-2021 19:09:55.849 -0300 INFO ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" infoMsg=KV Service get...
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.PlainSocketImpl.socketConnect(Native Method)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.SocksSocketImpl.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at java.net.Socket.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.security.ssl.SSLSocketImpl.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.NetworkClient.doConnect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.http.HttpClient.openServer(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.http.HttpClient.openServer(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.https.HttpsClient.<init>(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.https.HttpsClient.New(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:460)
10-26-2021 19:09:55.900 -0300 ERROR ExecProcessor [2021 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" ... 6 more
Thanks in advance!
James \o/
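
A triage script for the two traces posted above (an added example, not part of either post or of the Akamai add-on). It groups ExecProcessor ERROR lines into stack traces and flags failures raised under the Splunk Java SDK frames (com.splunk.*), which in both excerpts sit below getValuesFromKVStore, i.e. on the add-on's call to splunkd rather than to Akamai. The sample log is constructed by abbreviating the posted excerpts, and the category names are assumptions.

```python
import re

# Constructed sample: abbreviated from the two splunkd.log excerpts posted above.
SCRIPT = "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh"
def _l(ts, lvl, tag, msg):
    return f'{ts} {lvl} ExecProcessor {tag}- message from "{SCRIPT}" {msg}'
A, B, T = "12-22-2020 12:30:28.303 +0100", "10-26-2021 19:09:55.900 -0300", "[2021 ExecProcessor] "
SAMPLE = "\n".join([
    _l(A, "ERROR", "", "Message : HTTP 401 -- call not properly authenticated, Exception : "
                       "com.splunk.HttpException: HTTP 401 -- call not properly authenticated"),
    _l(A, "ERROR", "", "at com.splunk.HttpService.send(HttpService.java:500)"),
    _l(A, "ERROR", "", "at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)"),
    _l(A, "INFO", "", "infoMsg = streamEvents, end streamEvents"),
    _l(A, "ERROR", "", "javax.xml.stream.XMLStreamException: No element was found to write"),
    _l(B, "ERROR", T, "Message : Connection refused (Connection refused), Exception : "
                      "java.lang.RuntimeException: Connection refused (Connection refused)"),
    _l(B, "ERROR", T, "at com.splunk.HttpService.send(HttpService.java:462)"),
    _l(B, "ERROR", T, "at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)"),
    _l(B, "ERROR", T, "Caused by: java.net.ConnectException: Connection refused"),
])

# Matches both layouts seen in the posts (with and without the "[pid ExecProcessor]" tag).
LINE = re.compile(r'^(\S+ \S+ [+-]\d{4}) (\w+)\s+ExecProcessor (?:\[[^\]]*\] )?'
                  r'- message from "[^"]+" (.*)$')
CONTINUATION = ("at ", "Caused by:", "...")

def traces(log):
    """Group ERROR lines into traces: one headline plus its frame/cause lines."""
    out = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != "ERROR":
            continue
        if m.group(3).startswith(CONTINUATION) and out:
            out[-1]["lines"].append(m.group(3))
        else:
            out.append({"ts": m.group(1), "headline": m.group(3), "lines": []})
    return out

def triage(log):
    """Return (timestamp, category, first com.akamai caller) for each trace."""
    results = []
    for t in traces(log):
        frames = [l[3:] for l in t["lines"] if l.startswith("at ")]
        # A com.splunk.* send frame means the failing request went to splunkd itself.
        via_sdk = any(f.startswith(("com.splunk.Service.", "com.splunk.HttpService.")) for f in frames)
        caller = next((f.split("(")[0] for f in frames if f.startswith("com.akamai.")), None)
        kind = ("splunkd_rejected_credentials" if via_sdk and "HTTP 401" in t["headline"]
                else "splunkd_unreachable" if via_sdk and "Connection refused" in t["headline"]
                else "other")
        results.append((t["ts"], kind, caller))
    return results
```
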