All Apps and Add-ons

How to fix ERROR Akamai SIEM Integration with Splunk?

James_ACN
Loves-to-Learn Everything

Hi All,

I'm trying to integrate Akamai logs with Splunk through siem-integrator, but I'm having problems.
I've already installed Java (JRE) and the JDK too, but it still has errors, as shown in splunkd.log.

I'm using the addon:

https://splunkbase.splunk.com/app/4310/

Has anyone in the community already been through this, or do they have an idea of what it could be?

Splunk Enterprise Version: 8.2.2

Akamai-siem-splunk-connector: 1.4.9
java version "1.8.0_311"
Java(TM) SE Runtime Environment (build 1.8.0_311-b11)
Java HotSpot(TM) 64-Bit Server VM (build 25.311-b11, mixed mode)


splunkd.log

10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:74)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.modularinput.Script.run(Script.java:48)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.main(Main.java:116)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)


Thank you very much.

James \°/

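The stack trace above is more telling when read frame by frame than by its message: the frames between the exception and the add-on's own code are the Splunk Java SDK (com.splunk.HttpService, com.splunk.Service) called from Main.getValuesFromKVStore, so the refused connection is the connector's REST call to splunkd on the Splunk host itself (KV store access goes over the management port), not the outbound connection to Akamai. The Python below is an added example, not code from the thread or the add-on: it parses ExecProcessor lines of this shape and reports the root cause, the failing add-on step and whether the failure surfaced inside the SDK call to splunkd. The sample log is constructed from the lines quoted in the post; the package prefixes used to tell SDK from connector code are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the splunkd.log lines quoted in the post above.
SAMPLE_LOG = """\
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Message : Connection refused (Connection refused), Exception : java.lang.RuntimeException: Connection refused (Connection refused)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.HttpService.send(HttpService.java:462)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.splunk.Service.send(Service.java:1295)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.getValuesFromKVStore(Main.java:802)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" at com.akamai.siem.Main.streamEvents(Main.java:449)
10-27-2021 17:30:34.711 -0300 ERROR ExecProcessor [24326 ExecProcessor] - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" Caused by: java.net.ConnectException: Connection refused (Connection refused)
"""

LINE_RE = re.compile(r'^(?P<ts>\S+ \S+ \S+) ERROR ExecProcessor \[\d+ ExecProcessor\] - '
                     r'message from "(?P<script>[^"]+)" (?P<payload>.*)$')
FRAME_RE = re.compile(r'^at (?P<cls>[\w.$]+)\.(?P<method>\w+)\((?P<loc>[^)]*)\)$')

def parse_traces(log_text):
    """Group ExecProcessor lines by (timestamp, script) into message, frames and causes."""
    traces = defaultdict(lambda: {"message": None, "frames": [], "caused_by": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ExecProcessor message line
        t, payload = traces[(m["ts"], m["script"])], m["payload"]
        f = FRAME_RE.match(payload)
        if f:
            t["frames"].append((f["cls"], f["method"], f["loc"]))  # innermost first
        elif payload.startswith("Caused by: "):
            t["caused_by"].append(payload[len("Caused by: "):])
        elif t["message"] is None:
            t["message"] = payload
    return dict(traces)

def diagnose(trace, app_pkg="com.akamai.siem", sdk_pkg="com.splunk."):
    """Name the add-on step that failed and whether it failed inside the Splunk SDK,
    i.e. in the connector's REST call to splunkd rather than in its own network I/O."""
    root = trace["caused_by"][-1] if trace["caused_by"] else trace["message"]
    classes = [c for c, _, _ in trace["frames"]]
    idx = next((i for i, c in enumerate(classes) if c.startswith(app_pkg)), len(classes))
    step = trace["frames"][idx][1] if idx < len(classes) else None
    # Every frame below the first add-on frame being SDK code means the exception
    # surfaced from the SDK's HTTP call to splunkd (management port / KV store).
    via_splunkd = 0 < idx and all(c.startswith(sdk_pkg) for c in classes[:idx])
    target = "splunkd REST API (local management port)" if via_splunkd else "outside the Splunk SDK"
    return {"root_cause": root, "failing_step": step, "failing_target": target}

def diagnose_log(log_text):
    return [diagnose(t) for t in parse_traces(log_text).values()]
```

Running it over the quoted lines points at the KV store lookup and at splunkd, which is why firewall and telnet checks towards Akamai come back clean: the check that matters here is whether splunkd's management port answers from the same host the script runs on.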

javo_dlg
Observer

Hello James, 

What I did was install the application and then create a Data Input with the credentials Akamai provides (token, secret and the client URL); the generated inputs file was then added to the add-on under the local directory, and the index and sourcetype parameters were added to it.

Cheers,

+Javo


deepdiver
Loves-to-Learn Everything

Hi javo_dlg,

Not having any luck with this Akamai SIEM Integration app. It spits out:

ERROR ExecProcessor - message from "/opt/splunk/etc/apps/TA-Akamai_SIEM/linux_x86_64/bin/TA-Akamai_SIEM.sh" javax.xml.stream.XMLStreamException: No element was found to write: java.lang.ArrayIndexOutOfBoundsException: -1

How did you manage to make this app work? I have it on a Deployer for the SHC, btw. The only thing is, I don't find any inputs; the only Data Input I find is the Akamai SIEM API, which I configured properly to the Akamai Control dashboard. Can you provide detailed steps please?


Mike

aka deepdiver


javo_dlg
Observer

I have installed the application on a Heavy Forwarder, configured the initial credentials through the data input process, and whenever I need to update the credentials I do it on the command line. I haven't had any Java errors like that.

Perhaps try installing the app on the HF besides the SHC?


James_ACN
Loves-to-Learn Everything

Hi All!

I still haven't been able to solve this problem.

Does anyone have any outline suggestions?


Thanks!


James \°/


tofa
Explorer

Hi James,

From the logs, it looks like a networking issue (either from firewall blocking the connection or some other network conditions causing it).

Did you check that you have connectivity to Akamai from your Splunk box?

Cheers!


James_ACN
Loves-to-Learn Everything

Hi @tofa

Yes, I checked those possibilities: the local Linux firewall, the network firewall and the AWS firewall. Telnet tests return connected and there are no firewalls blocking.


Thanks


James \°/
