Hi all, I am trying to pull Akamai logs into Splunk. Hence I installed this app on the HF - https://splunkbase.splunk.com/app/4310 - and in data inputs gave all the required fields (that were provided by Akamai), and when trying to save it the following error came up - Encountered the following error while trying to save: HTTP 404 -- Action forbidden. What is the meaning of this error? Is it an issue from the Akamai end or the Splunk end? We have recently enabled our HF and this error is showing. Is this issue related to that?
Please help me to get rid of this issue and the error?
It's hard to say precisely since the addon is not very talkative in terms of logs, but my understanding would be that Splunk is trying to validate the config - see https://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModInputsValidate to see how it works.
The 404 error comes from the addon itself. Unfortunately, it's not very descriptive. And it's confusing since 404 means that resource wasn't found. Access permissions problems should be signalled with 403.
You could try to check if the addon has some configurable logging (typically you'd look for log4j.properties file in case of java-based software).
Are you using a proxy to reach the internet?
Yes, we're using a proxy for that in our company and have whitelisted these domains as well in our AWS VPC.
Whitelisting is one thing but I'd verify with your proxy admins that the requests are properly passed through. Just to be on the safe side.
I checked by going to my AWS Linux instance (where our Splunk instances reside); for this particular add-on folder we have drwx------- permissions on both DS and HF. Do I need to change these permissions to configure the data input on the HF? Or are these permissions sufficient? @PickleRick
Since the app is being pulled from the DS by the same process which will be using it (or spawning additional processes under the same user), the permissions on the HF should be good. On the DS of course the splunkd process must be able to access the whole directory to make an archive of its contents. 0700 should be ok as long as all files and directories are owned by the user the splunkd process is running as.
Can I try giving chmod 755 to that app? Will that work? Or can I remove the app and install it and push it again?
Won't hurt. But I would first try checking ownership, not permissions.
So how do I check ownership? I have admin rights in the Splunk UI and the root user on the AWS Linux Splunk instance...
For example with
ls -laR /opt/splunk/etc/deployment-apps/whatever_TA
drwx------- Splunk Splunk TA_Akamai_SIEM ... This is what is there for this app in DS and HF
The -R parameter is so that you list contents recursively. If all directories and files are owned by Splunk:Splunk and have 700 (or 600 for files) permissions, that should be OK.
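To turn the ls -laR inspection above into a repeatable check, here is an added example (my own script, not from the thread, the addon or the Akamai connector): a POSIX shell function, hypothetically named check_app_perms, that walks an app directory and lists every entry that is not owned by the expected user or that grants any group/other permission, i.e. anything beyond 0700 for directories and 0600 for files. The demo at the bottom builds a constructed sample tree under mktemp; on a real host you would point it at something like /opt/splunk/etc/deployment-apps/TA_Akamai_SIEM with the owner the splunkd process runs as.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits one Splunk app
# directory: reports entries whose owner differs from $2 or that have any
# group/other permission bit set. Returns 0 when the tree is clean, 1 when
# there are findings, 2 on usage error.
check_app_perms() {
    dir="$1"
    owner="$2"
    if [ -z "$dir" ] || [ -z "$owner" ] || [ ! -d "$dir" ]; then
        echo "usage: check_app_perms <app_dir> <expected_owner>" >&2
        return 2
    fi
    # POSIX find: "! -user" catches wrong ownership; "-perm -0NN" tests that a
    # given permission bit is set (040/020/010 = group r/w/x, 004/002/001 =
    # other r/w/x). Any match is something splunkd does not need and an
    # unrelated local user could read or modify.
    findings=$(find "$dir" \( ! -user "$owner" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} \;)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Demo on a constructed tree (assumed layout, not the real addon's contents).
demo_app_perms() {
    tmp=$(mktemp -d)
    me=$(id -un)
    mkdir -p "$tmp/TA_demo/bin" "$tmp/TA_demo/local"
    : > "$tmp/TA_demo/bin/input.sh"
    : > "$tmp/TA_demo/local/inputs.conf"
    chmod 700 "$tmp/TA_demo" "$tmp/TA_demo/bin" "$tmp/TA_demo/local"
    chmod 600 "$tmp/TA_demo/bin/input.sh" "$tmp/TA_demo/local/inputs.conf"
    echo "clean tree:"
    check_app_perms "$tmp/TA_demo" "$me" && echo "  OK (no findings)"
    # Loosen one file the way a stray chmod 644 would, then re-check.
    chmod 644 "$tmp/TA_demo/local/inputs.conf"
    echo "after chmod 644 on inputs.conf:"
    check_app_perms "$tmp/TA_demo" "$me" || echo "  findings present"
    rm -rf "$tmp"
}

demo_app_perms
```

The function only reads metadata and never changes anything; once the listing is empty for the owner splunkd runs as, the 0700/0600 state described above holds for the whole app and ownership can be ruled out as the cause.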
My splunkd.log please check
The error shows TA-Akamai_SIEM modular input is failing with HTTP 404 -- Action forbidden.
This likely means the API endpoint is incorrect or access is denied due to invalid credentials or permissions.
Check HF network access to Akamai:
curl -i https://<akamai-api-endpoint>
Replace <akamai-api-endpoint> with the exact API URL you're using. You should NOT get a 404 or 403 if the endpoint and credentials are correct.
Contact Akamai support to confirm that:
The API credentials (tokens) are still active and have permission to fetch SIEM logs.
Hi @Karthikeya
Please check your splunkd.log in $SPLUNK_HOME/var/log/splunk/splunkd.log for any other errors around the ModularInputs component - do you have other errors relating to this TA-Akamai_SIEM?
Alternatively try the following search
index=_internal component=ModularInputs log_level=Error
Do you see anything like "script running failed (PID 51184 exited with code 127)" ?
Have you set up Java? This is required for the app to work; not having the correct Java setup can cause the endpoint to initialise and thus you will get error messages.
For more info on installation check out https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
Java is already installed on the Splunk instance.
This is the splunkd file.
How do I check splunkd errors in the UI?
You could start with something like this and narrow down as required:
index=_internal host=<YourServerName> log_level=Error
Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards
Will
In our environment, we have kept the modular input on the DS under deployment-apps and pushed it to the HF using a serverclass. Is this the issue? Do modular inputs need to be installed directly on the HF rather than pushed from the DS?