Upon installing the Akamai SIEM I am not seeing the data input option for "Akamai Security Incident Event Manager API". Please advise. Java is installed and I am running Splunk 9.3.3.
Hi @cmutt78_2
https://yoursplunkinstance/en-US/manager/search/data/inputs/TA-Akamai_SIEM ?
You should see an empty table with a green "Add" button at the top right, something like this:
The other thing you could try is running:
/opt/splunk/bin/splunk cmd splunkd print-modinput-config TA-Akamai_SIEM TA-Akamai_SIEM
This will trigger the same process as when the input is loaded by Splunk. Check for any errors output here; you should end up with something that looks a bit like this:
<?xml version="1.0" encoding="UTF-8"?>
<input>
<server_host>macdev</server_host>
<server_uri>https://127.0.0.1:8089</server_uri>
<session_key>sVNwheYXxxx0QNqfj_xePWwhxVbraZc6pS4FNyHQzVe2KRgv7s6tjKrZg660zYhotfG0_W62rm0UA01XkVqBX4dNUls5pA7dWyjXMRUltbsjtsA</session_key>
<checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/TA-Akamai_SIEM</checkpoint_dir>
<configuration/>
</input>
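The `<session_key>` in the output above is a splunkd authentication token, so it is worth blanking before the output is pasted into a ticket or forum post. The following is an added example, not part of the original answer or of the Akamai add-on: it checks the `print-modinput-config` output for the elements shown above and returns a copy with the key redacted. The sample text and its token are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Elements present in the expected output shown in the post above.
REQUIRED = ("server_host", "server_uri", "session_key",
            "checkpoint_dir", "configuration")

# Constructed sample output; the session key below is made up.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<input>
<server_host>macdev</server_host>
<server_uri>https://127.0.0.1:8089</server_uri>
<session_key>CONSTRUCTED-not-a-real-session-key-0123456789</session_key>
<checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/TA-Akamai_SIEM</checkpoint_dir>
<configuration/>
</input>
"""

def redact(text):
    """Blank the session key wherever it appears, even in broken XML."""
    return re.sub(r"(<session_key>).*?(</session_key>)",
                  r"\1[REDACTED]\2", text, flags=re.DOTALL)

def check_output(text):
    """Return (problems, shareable_text) for print-modinput-config output."""
    problems = []
    # Anything printed around the XML (warnings, errors) stays in the
    # shareable text; only the <input> document itself is parsed.
    match = re.search(r"<input>.*</input>", text, re.DOTALL)
    if match is None:
        problems.append("no <input> document in the output")
    else:
        try:
            root = ET.fromstring(match.group(0))
            for name in REQUIRED:
                if root.find(name) is None:
                    problems.append("missing <%s>" % name)
        except ET.ParseError as exc:
            problems.append("malformed XML: %s" % exc)
    return problems, redact(text)

if __name__ == "__main__":
    import sys
    # Pipe the real command output in, or run with no pipe to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found, safe = check_output(data)
    print(safe)
    for problem in found:
        print("PROBLEM:", problem)
```

An empty `<configuration/>` is not reported as a problem, since the expected output above shows it that way.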
Could you please check the splunkd.log file? It may contain information explaining why the data input from the add-on isn't appearing.
Please try clicking on Settings -> then click on Data Inputs and then look for Akamai Security Incident Event Manager API. Once you locate it, click on it and follow the instructions mentioned on this page:
https://techdocs.akamai.com/siem-integration/docs/siem-splunk-connector#install-the-splunk-connector
Not there and no additional pages to navigate
After installing the Akamai Splunk Connector, did you try to restart the Splunk instance?
Yep, I am thinking it is an app issue.
Were you able to see the data input after restarting the Splunk services, or is it still missing?
My Akamai Data input:-
Where did you install the Akamai add-on, on the Heavy Forwarder (HF)? If it's on the HF, does it have a valid license? Some features require a license, which aren't available with the Free license.
For a heavy forwarder (HF), you should set up one of the following options:
1) Make the HF a slave of a license master. This will give the HF all of the enterprise capabilities - and the HF will consume no license, as long as it does not index data.
2) Install the forwarder license. This will give the HF many enterprise capabilities, but not all. The HF will be able to parse and forward data. However, it will not be permitted to index and it will not be able to act as a deployment server (as an example). This is the option I would usually choose.