Akamai SIEM Integration for Splunk and CEF Syslog

Use your favorite Security Information and Event Management (SIEM) solution to analyze security events generated from the Akamai platform. Capture, retain, and deliver security information and events to your SIEM app in real-time. If you use Kona Site Defender, Client Reputation, Web Application Protector, or Bot Manager you can analyze security events generated on the Akamai platform alongside security events from other sources. 

Use on-premise and cloud-based SIEM tools like Splunk, QRadar, ArcSight, and more. You can control and protect the data feed with:

Event filtering

You can filter the security events to collect in your SIEM by security configuration and security policy, which helps you focus on real threats

Data retention

The Collector stores security events data for 12 hours, so you can go back in time to capture missed events, if necessary.

SIEM overload protection

In your SIEM connector, you can define the maximum number of security events fetched in each request to avoid overloading the SIEM application.

Fetch interval

You can define how often the SIEM connectors make a call to SIEM API to fetch security events data


How it Works

Every time a security policy triggers, the system generates a security event. The Akamai Security Events Collector captures these security events across edge servers and exposes a RESTful SIEM API for fetching security events.

You install the SIEM connector behind your corporate firewall. The connector makes periodic calls to SIEM API to securely collect JSON events data in near real time from the Akamai Security Events Collector via its API. The connector then converts these events into proper format and sends the data to your SIEM software.

Set up SIEM integration

You set up SIEM integration in four basic steps:

Step 1: Turn on SIEM integration

  1. Visit and log in.
  2. In the control center menu, under WEB & DATA CENTER SECURITY, select Security Configuration.
  3. Open the security configuration for which you want SIEM data.
  4. Click the Advanced Settings tab and expand the SIEM Integration section.
  5. In Allow data collection for SIEM, click Yes.
  6. Choose the security policies for which you want to export data. Enable SIEM integration for:
    • ALL Security policies if you want to send SIEM data for events that violate any/all security policies within the security configuration.
    • Customize for specific security policies if you want data regarding one or more specific security policies. In the drop down list, choose the policies you want.
  7. If you use Bot Manager in the selected security policy, set Include Bot Manger Events to Yes. When you do so, events detected only by Bot Manager are included. To exclude those events for any reason, choose No.
    Note: When you choose no, you still see events that triggered both web application firewall and bot detections.
  8. Skip the SIEM Event Version field for now.
  9. Copy the number in the Security Config ID field. You’ll need it in a minute.
  10. Push security configuration changes to the production network.
    On the upper right of the Security Configuration page, click the Activate button. Under Network, choose Production, and click Activate.

If you want to enable SIEM integration for another Security Configuration, open that configuration and repeat the steps you just followed. Once you’ve done so for all configurations, continue on to the next step.

Step 2: Set up a user to manage SIEM

Add or assign a user to manage your SIEM APIs.

  1. In the control center menu, under ACCOUNT ADMIN, select Identity & access.
  2. On the Users and API Clients tab, find the user you want or click the Create user button.
  3. To assign the SIEM role to an existing user, open the user and click the Edit roles tab. Find the group you want, click its Roles dropdown, and select the Manage SIEM role. Click Submit.
  4. To assign the SIEM role to a new user, Click the Create user button. Complete basic info and scroll down to the Assign Roles section. Find the group you want, click its Roles dropdown, and select the Manage SIEM role. Click Save.
    Note: Only the Manage SIEM role has the proper permissions. Do not assign any other role. For example, an IDM Non-Admin Manage API Clients permission won't suffice.

  5. If you want events for another group too, select the group and repeat Steps 3-8.
    (Note: If you have multiple Groups and Users within your account, you must assign a user the Manage SIEM role for each group that contains a security configuration you want to include in SIEM results. Usually, this is the same person, and must be the same person you associate with the API credentials in Step 3: Provision SIEM API and get access tokens.)

Step 3: Provision SIEM API and get access tokens

To move data from Akamai Security Events Collector to your system, the SIEM connector uses Akamai’s SIEM API, a REST API service that requires authentication and authorization.

Once you’ve turned on SIEM integration and set up a user for it, you’re ready to provision credentials for the SIEM API. To do so, visit Get Started with APIs.

Then follow the steps to provision the SIEM API for the user you assigned to manage SIEM. Copy and save the tokens you generate. You’ll need them to complete your next step.

Step 4: Install and configure your SIEM connector

You install your SIEM connector behind your firewall. The connector uses Akamai’s SIEM API to retrieve security events in JSON format from the Akamai Security Events Collector. The connector converts the JSON to the data format your SIEM software consumes and sends security events on to your SIEM software. The connector lets you:

Connector setup, depends upon what SIEM solution you use. Read on to learn about sample connectors and tools you can use to get started quickly.


Connectors and tools

Download the sample connector you want and follow the integration instructions. You can use the test client to help troubleshoot any issues.

ToolVersionDetailsDownloadIntegration InstructionsSample Code
Splunk sample connector1.4.8

Tested OS Version:
CentOS 7
Windows Server 2012 R2
Mac OS X El Capitan Version 10.11.6

Splunk version:
6.5.3+ (including 8)

Download from splunkbase 

Note: On Splunkbase, subscribe to this connector to get notified of future updates.

DocumentationOn GitHub
CEF Syslog sample connector1.7.0

Tested OS Version:Mac OS X El Capitan Version 10.11.6
Ubuntu 14.04.5 LTS - 64-bit

HP ArcSight Logger version:

DownloadDocumentationOn GitHub
SIEM Test Client Executable test client to run diagnostics for debugging purposes.DownloadSee package readme file 

Code your own connector

If your SIEM solution isn't supported by a sample connector, you can develop your own custom connector using the SIEM API. The API returns a list of JSON objects representing each security event. See the SIEM API documentation for details.


Need additional assistance? Visit the SIEM Connectors Community page to get answers from Akamai engineers and other SIEM administrators.

  • Define the interval to call SIEM OPEN API and pull in security events.
  • Define the number of security events to pull in during each call.
  • Handle network failures during data pull by re-trying to fetch security events. If you lose your connection, you can also retrieve event history from the last 12 hours.

Join the Akamai Developer Program

The Akamai Developer Program features tailored content to connect you to the latest tools, exclusive beta releases, upcoming events, and so much more that helps you get the most out of Akamai.

join the program