Collect Akamai WAF logs

This document explains how to export and ingest Akamai WAF logs into Google Security Operations using Google Cloud Storage or AWS S3. The parser handles the logs, supporting both syslog and CEF formats. It extracts fields like IP addresses, URLs, HTTP methods, response codes, user agents, and security rule information, mapping them to the Unified Data Model (UDM) for consistent representation. The parser also handles specific Akamai fields like attackData and clientReputation, performing necessary data transformations and enriching the UDM output.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to Google Cloud or AWS
  • Privileged access to Akamai

Export and ingest Akamai WAF logs from Cloud Storage

This section outlines the initial step in the process: setting up the necessary storage for your Akamai WAF logs.

Create a Google Cloud Storage Bucket

  1. Sign in to the Google Cloud console.
  2. Go to the Cloud Storage Buckets page.

  3. Click Create.

  4. On the Create a bucket page, enter your bucket information. After each of the following steps, click Continue to proceed to the next step:

    1. In the Get started section, do the following:

      • Enter a unique name that meets the bucket name requirements (for example, akamai-waf-logs).
      • To enable hierarchical namespace, click the expander arrow to expand the Optimize for file-oriented and data-intensive workloads section, and then select Enable Hierarchical namespace on this bucket.
      • To add a bucket label, click the expander arrow to expand the Labels section.
      • Click Add label, and specify a key and a value for your label.
    2. In the Choose where to store your data section, do the following:

      • Select a Location type.
      • Use the location type's drop-down menu to select a Location where object data within your bucket will be permanently stored.
      • To set up cross-bucket replication, expand the Set up cross-bucket replication section.
    3. In the Choose a storage class for your data section, either select a default storage class for the bucket, or select Autoclass for automatic storage class management of your bucket's data.

    4. In the Choose how to control access to objects section, select not to enforce public access prevention, and select an access control model for your bucket's objects.

    5. In the Choose how to protect object data section, do the following:

      • Select any of the options under Data protection that you want to set for your bucket.
      • To choose how your object data will be encrypted, click the expander arrow labeled Data encryption, and select a Data encryption method.
  5. Click Create.

Configure Permissions for Cloud Storage

  1. Go to the Create service account page.

  2. Select a Google Cloud project.

  3. Enter a service account name to display in the Google Cloud console.

  4. Click Create and continue.

  5. Grant the roles/storage.admin role on the bucket.

  6. Click Done to finish creating the service account.

Create and Download Google Cloud Service Account Key File

  1. Go to the Service accounts page.

  2. Select a Google Cloud project.

  3. Click the email address of the newly created service account.

  4. Click the Keys tab.

  5. Click the Add key menu, then select Create new key.

  6. Select JSON as the Key type and click Create.

    • Clicking Create downloads a service account key file. After you download the key file, you can't download it again.
    • The downloaded key has the following format, where PRIVATE_KEY is the private portion of the public-private key pair.

Configure Akamai WAF to send logs to Cloud Storage

  1. Sign in to the Akamai Control Center.
  2. Go to the Security section.
  3. Select Logs.
  4. Configure a new Log Delivery:
    • Log Source: Select your WAF configuration.
    • Destination: Select Google Cloud Storage.
    • Display name: Enter a unique display name for this delivery.
    • Bucket: Specify the name of the Cloud Storage bucket you created (for example, gs://akamai-waf-logs).
    • Project ID: Enter the unique ID of your Google Cloud project.
    • Service Account Name: Enter the name of the service account you created earlier.
    • Private Key: Enter the private_key value from the JSON key file you generated and downloaded earlier. Enter the key in PEM format with each line break written as the two characters \n, for example -----BEGIN PRIVATE KEY-----\nprivate_key\n-----END PRIVATE KEY-----\n.
    • Log Format: Choose the log format you want (for example, JSON).
    • Push Frequency: Select the frequency you want for log delivery (for example, every 60 seconds).
  5. Click Validate & Save to validate the connection to the destination and save the details you provided.

  6. Click Next to go to the Summary tab.
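The Private Key field is the step most often got wrong, because the downloaded key file stores the PEM with real newlines while the form expects them written as \n. The following Python helper is an added example, not code from the original page or from Akamai or Google: it reads a downloaded service account key file, checks that private_key is a PKCS#8 PEM block, and returns the client_email (for the Service Account Name field) together with the key in the escaped single-line form. The key file contents in SAMPLE_KEY_FILE are a constructed sample with fake key material.

```python
import json
import re
import sys

# Constructed sample of a downloaded service account key file; the key material is fake.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg\nkqhkiG9w0BAQEF\n-----END PRIVATE KEY-----\n",
    "client_email": "akamai-logs@example-project.iam.gserviceaccount.com",
})

# A PKCS#8 PEM block: header line, one or more base64 lines, footer line, every line newline-terminated.
PEM_RE = re.compile(r"\A-----BEGIN PRIVATE KEY-----\n(?:[A-Za-z0-9+/=]+\n)+-----END PRIVATE KEY-----\n\Z")


def akamai_form_values(key_file_json):
    """Return (service_account_email, escaped_private_key) for the Log Delivery form.

    The key file stores the PEM with real newlines; the form wants the same text
    on one line with each newline replaced by the two characters backslash and n.
    """
    data = json.loads(key_file_json)
    pem = data.get("private_key", "")
    if not PEM_RE.match(pem):
        raise ValueError("private_key is missing or is not a PKCS#8 PEM block ending in a newline")
    return data["client_email"], pem.replace("\n", "\\n")


if __name__ == "__main__":
    # Usage: python escape_key.py /path/to/downloaded-key.json (falls back to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    contents = open(path).read() if path else SAMPLE_KEY_FILE
    email, escaped = akamai_form_values(contents)
    print("Service Account Name:", email)
    print("Private Key:", escaped)
```

Run it against the real key file only on the machine where the file was downloaded, and paste the Private Key line into the form; the validation step rejects a key that still contains real newlines or is missing the trailing \n.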

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds using Google Cloud Storage

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Akamai WAF Logs).
  5. Select Google Cloud Storage as the Source type.
  6. Select Akamai WAF as the Log type.
  7. Click Get Service Account as the Chronicle Service Account.
  8. Click Next.
  9. Specify values for the following input parameters:

    • Storage Bucket URI: Google Cloud storage bucket URL (for example, gs://akamai-waf-logs).
    • URI Is A: Select Directory which includes subdirectories.
    • Source deletion options: Select deletion option according to your preference.
  10. Click Next.

  11. Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Storage Bucket URI: Google Cloud storage bucket URL (for example, gs://akamai-waf-logs).
  • URI Is A: Select Directory which includes subdirectories.
  • Source deletion options: Select deletion option according to your preference.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

Export and ingest Akamai WAF logs from AWS S3

This section explains the initial steps of setting up your Amazon S3 bucket to receive and store Akamai WAF logs.

Configure Amazon S3 bucket

  1. Create an Amazon S3 bucket by following this user guide: Creating a bucket.
  2. Save bucket Name and Region for future reference.
  3. Create an IAM user by following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select Security credentials tab.
  6. Click Create Access Key in section Access Keys.
  7. Select Third-party service as Use case.
  8. Click Next.
  9. Optional: Add description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for future reference.
  12. Click Done.
  13. Select Permissions tab.
  14. Click Add permissions in section Permissions policies.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for AmazonS3FullAccess policy.
  18. Select the policy.
  19. Click Next.
  20. Click Add permissions.

Configure Akamai WAF to send logs to Amazon S3

  1. Sign in to the Akamai Control Center.
  2. Go to the Security section.
  3. Select Logs.
  4. Configure a new Log Delivery:

    • Log Source: Select your WAF configuration.
    • Destination: Choose Amazon S3.
    • S3 Bucket: Specify the name of the S3 bucket you created.
    • Region: Select the AWS region where your S3 bucket is located.
    • Access Key ID and Secret Access Key: Provide the credentials you generated.
    • Log Format: Choose the log format you want (for example, JSON).
    • Delivery Frequency: Select the frequency you want for log delivery (for example, every 5 minutes).

  5. Verify log delivery:

    • After configuring Log Delivery Service (LDS), monitor the S3 bucket for incoming log files.

Set up feeds from SIEM Settings > Feeds using AWS S3

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Akamai WAF Logs).
  5. Select Amazon S3 as the Source type.
  6. Select Akamai WAF as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Region: the region where the Amazon S3 bucket is located.
    • S3 URI: the bucket URI, in the form s3://BUCKET_NAME. Replace the following:
      • BUCKET_NAME: the name of the bucket.
    • URI is a: select the URI type according to the log stream configuration: Single file | Directory | Directory which includes subdirectories.
    • Source deletion options: select the deletion option according to your preference.
    • Access Key ID: the user access key with access to the S3 bucket.
    • Secret Access Key: the user secret key with access to the S3 bucket.
  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

UDM mapping table

Log Field | UDM Mapping | Logic
--- | --- | ---
attackData.clientIP | principal.ip, principal.asset.ip | IP address of the client initiating the request. Extracted from the attackData.clientIP field in akamai_siem logs.
attackData.configId | metadata.product_log_id | Security configuration ID. Extracted from the attackData.configId field in akamai_siem logs. Also added as a detection_field in the security_result object.
attackData.policyId | N/A | Used in parser logic to populate security_result.summary with the value PolicyId:[value].
attackData.ruleActions | security_result.action, security_result.action_details | Actions taken based on the triggered rule. Extracted from the attackData.ruleActions field in akamai_siem logs. "deny" is mapped to BLOCK; other values ("alert", "monitor", "allow", "tarpit") are mapped to ALLOW. The original value is also stored in action_details.
attackData.ruleData | security_result.detection_fields | Data associated with the triggered rule. Extracted from the attackData.ruleData field in akamai_siem logs. Added to security_result.detection_fields with key "RuleData".
attackData.ruleMessages | security_result.threat_name | Messages associated with the triggered rule. Extracted from the attackData.ruleMessages field in akamai_siem logs.
attackData.ruleSelectors | security_result.detection_fields | Selectors associated with the triggered rule. Extracted from the attackData.ruleSelectors field in akamai_siem logs. Added to security_result.detection_fields with key "RuleSelector".
attackData.ruleTags | security_result.category_details | Tags associated with the triggered rule. Extracted from the attackData.ruleTags field in akamai_siem logs.
attackData.ruleVersions | security_result.detection_fields | Versions of the triggered rules. Extracted from the attackData.ruleVersions field in akamai_siem logs. Added to security_result.detection_fields with key "Rule Version".
clientReputation | principal.labels | Client reputation information. Extracted from the clientReputation field in akamai_siem logs. Added as a label to the principal with key "reputation".
cliIP, cli_ip, principal_ip | principal.ip, principal.asset.ip | Client IP address. Extracted from cliIP, cli_ip or principal_ip depending on the log format.
cp | additional.fields | CP Code. Extracted from the cp field. Added to additional.fields with key "cp".
eventId | metadata.product_log_id | Event ID. Extracted from the eventId field.
eventTime, log_date | metadata.event_timestamp | Event timestamp. Extracted from eventTime or parsed from log_date depending on the log format.
eventType.eventDefinition.eventDefinitionId | target.resource.product_object_id | Event definition ID. Extracted from eventType.eventDefinition.eventDefinitionId.
eventType.eventDefinition.eventDescription | metadata.description | Event description. Extracted from eventType.eventDefinition.eventDescription.
eventType.eventDefinition.eventName | metadata.product_event_type | Event name. Extracted from eventType.eventDefinition.eventName.
eventType.eventTypeId | additional.fields | Event type ID. Extracted from eventType.eventTypeId. Added to additional.fields with key "eventTypeId".
eventType.eventTypeName | additional.fields | Event type name. Extracted from eventType.eventTypeName. Added to additional.fields with key "eventTypeName".
format | N/A | Used by the parser to determine the log format.
geo.asn | principal.location.name | Autonomous System Number (ASN). Extracted from geo.asn or AkamaiSiemASN depending on the log format. The value is prefixed with "ASN ".
geo.city | principal.location.city | City. Extracted from geo.city or AkamaiSiemCity depending on the log format.
geo.country | principal.location.country_or_region | Country. Extracted from geo.country or AkamaiSiemContinent depending on the log format.
httpMessage.bytes | network.sent_bytes | Bytes sent in the HTTP message. Extracted from httpMessage.bytes.
httpMessage.host | target.hostname, target.asset.hostname | Hostname. Extracted from httpMessage.host or reqHost depending on the log format.
httpMessage.method | network.http.method | HTTP method. Extracted from httpMessage.method, network_http_method or reqMethod depending on the log format. Converted to uppercase.
httpMessage.path | target.url | Request path. Extracted from httpMessage.path, target_url or reqPath depending on the log format. If httpMessage.query is present, it is appended to the path with a "?" separator.
httpMessage.port | target.port | Port. Extracted from httpMessage.port or reqPort depending on the log format.
httpMessage.protocol | N/A | Used by the parser to determine the protocol.
httpMessage.query | N/A | Used in parser logic to append to httpMessage.path if present.
httpMessage.requestId | network.session_id | Request ID. Extracted from httpMessage.requestId or reqId depending on the log format.
httpMessage.requestHeaders, AkamaiSiemRequestHeaders | additional.fields | Request headers. Extracted from httpMessage.requestHeaders or AkamaiSiemRequestHeaders depending on the log format. Added to additional.fields with key "AkamaiSiemRequestHeaders".
httpMessage.responseHeaders, AkamaiSiemResponseHeaders | additional.fields | Response headers. Extracted from httpMessage.responseHeaders or AkamaiSiemResponseHeaders depending on the log format. Added to additional.fields with key "AkamaiSiemResponseHeaders".
httpMessage.status, AkamaiSiemResponseStatus, network_http_response_code, statusCode | network.http.response_code | HTTP response code. Extracted from httpMessage.status, AkamaiSiemResponseStatus, network_http_response_code or statusCode depending on the log format.
httpMessage.tls, AkamaiSiemTLSVersion, tlsVersion | network.tls.version | TLS version. Extracted from httpMessage.tls, AkamaiSiemTLSVersion or tlsVersion depending on the log format.
httpMessage.useragent, network_http_user_agent, UA, useragent | network.http.user_agent | User agent. Extracted from httpMessage.useragent, network_http_user_agent, UA or useragent depending on the log format.
log_description | metadata.description | Log description. Extracted from log_description.
log_rule | security_result.rule_name | Log rule. Extracted from log_rule.
message | N/A | The raw log message. Used by the parser for various extractions.
network_http_referral_url | network.http.referral_url | HTTP referral URL. Extracted from network_http_referral_url.
proto | N/A | Used in parser logic to populate security_result.summary if attackData.policyId is not present.
reqHost | target.hostname, target.asset.hostname | Request host. Extracted from reqHost.
reqId | metadata.product_log_id, network.session_id | Request ID. Extracted from reqId.
reqMethod | network.http.method | Request method. Extracted from reqMethod.
reqPath | target.url | Request path. Extracted from reqPath.
reqPort | target.port | Request port. Extracted from reqPort.
rspContentType | target.file.mime_type | Response content type. Extracted from rspContentType.
securityRules | security_result.rule_name, security_result.about.resource.attribute.labels | Security rules. Extracted from securityRules. The first part is mapped to rule_name, and the rest are added as labels with keys "non_deny_rules" and "deny_rule_format".
statusCode | network.http.response_code | Status code. Extracted from statusCode.
state | principal.location.state, target.user.personal_address.state | State. Extracted from state.
tlsVersion | network.tls.version | TLS version. Extracted from tlsVersion.
type | metadata.product_event_type | Event type. Extracted from type.
UA | network.http.user_agent | User agent. Extracted from UA.
version | metadata.product_version, principal.asset.software.version | Version. Extracted from version.
N/A | metadata.event_timestamp | The event timestamp is derived from the _ts field in akamai_lds logs, the httpMessage.start field in akamai_siem logs, or the log_date field in other formats.
N/A | metadata.vendor_name | Hardcoded to "Akamai".
N/A | metadata.product_name | Hardcoded to "Kona".
N/A | metadata.log_type | Hardcoded to "AKAMAI_WAF".
N/A | network.application_protocol | Set to "HTTP" for akamai_siem and akamai_lds logs, or "DNS" for other formats.
N/A | security_result.severity | Set to MEDIUM for the "alert" action, CRITICAL for the "deny" action, and HIGH for other actions.
N/A | event.idm.read_only_udm.metadata.event_type | Set to "NETWORK_HTTP" for most log formats, "GENERIC_EVENT" for events with eventId or eventData fields, or "STATUS_UPDATE" for events with cli_ip or p_ip but no reqHost.
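To make the table's rules concrete for detection engineers writing rules against these UDM fields, here is an added Python example that applies the akamai_siem mapping rules above to a constructed record. It is not the Google SecOps parser itself and is not code from Akamai or Google; it models the mappings the table states (deny to BLOCK, the severity ladder, path plus "?" plus query, uppercased method, the "ASN " prefix, the reputation label, the PolicyId summary) and nothing more. Assumptions: the detection_fields key for configId is written as "configId" (the table only says the value is added), detection_fields is represented as a plain dict, and the attackData values in the sample are plain text (a live feed may encode them, which this example does not handle).

```python
import json
from datetime import datetime, timezone

# Constructed sample akamai_siem record; all values are made up.
SAMPLE_SIEM_EVENT = json.dumps({
    "format": "json",
    "version": "1.0",
    "attackData": {
        "configId": "12345", "policyId": "abc_1", "clientIP": "203.0.113.7",
        "ruleActions": "deny", "ruleMessages": "SQL Injection Attack",
        "ruleTags": "WEB_ATTACK/SQL_INJECTION", "ruleData": "select",
        "ruleSelectors": "ARGS:id", "ruleVersions": "1",
    },
    "httpMessage": {
        "requestId": "2ab3c4d5", "start": "1700000000", "protocol": "HTTP/1.1",
        "method": "get", "host": "www.example.com", "port": "443",
        "path": "/login", "query": "id=1", "status": "403", "bytes": "512",
        "tls": "TLSv1.3", "useragent": "Mozilla/5.0",
    },
    "geo": {"asn": "64496", "city": "Zurich", "country": "CH"},
    "clientReputation": "WebAttackers",
})


def rule_action_to_udm(action):
    """Table rules: "deny" -> BLOCK, every other action -> ALLOW.
    Severity: CRITICAL for deny, MEDIUM for alert, HIGH for anything else."""
    udm_action = "BLOCK" if action == "deny" else "ALLOW"
    severity = {"deny": "CRITICAL", "alert": "MEDIUM"}.get(action, "HIGH")
    return udm_action, severity


def map_siem_event_to_udm(raw):
    """Map one akamai_siem JSON record to a dict shaped like the UDM fields in the table."""
    event = json.loads(raw)
    attack, http, geo = event["attackData"], event["httpMessage"], event.get("geo", {})

    # target.url is the path, with the query appended after "?" when present
    url = http["path"]
    if http.get("query"):
        url += "?" + http["query"]

    udm_action, severity = rule_action_to_udm(attack["ruleActions"])
    # security_result.summary: PolicyId:[value], falling back to the protocol when there is no policyId
    summary = "PolicyId:" + attack["policyId"] if attack.get("policyId") else http.get("protocol", "")
    detection_fields = {
        "configId": attack["configId"],        # key name assumed; the table only says it is added
        "RuleData": attack["ruleData"],
        "RuleSelector": attack["ruleSelectors"],
        "Rule Version": attack["ruleVersions"],
    }
    location = {k: v for k, v in {
        "name": "ASN " + geo["asn"] if geo.get("asn") else None,   # "ASN " prefix per the table
        "city": geo.get("city"),
        "country_or_region": geo.get("country"),
    }.items() if v}
    labels = [{"key": "reputation", "value": event["clientReputation"]}] if event.get("clientReputation") else []

    return {
        "metadata": {
            "vendor_name": "Akamai", "product_name": "Kona", "log_type": "AKAMAI_WAF",
            "event_type": "NETWORK_HTTP", "product_log_id": attack["configId"],
            "product_version": event.get("version"),
            # akamai_siem timestamps come from httpMessage.start (epoch seconds in the sample)
            "event_timestamp": datetime.fromtimestamp(int(http["start"]), tz=timezone.utc).isoformat(),
        },
        "principal": {
            "ip": [attack["clientIP"]], "asset": {"ip": [attack["clientIP"]]},
            "labels": labels, "location": location,
        },
        "target": {
            "hostname": http["host"], "asset": {"hostname": http["host"]},
            "port": int(http["port"]), "url": url,
        },
        "network": {
            "application_protocol": "HTTP", "session_id": http["requestId"],
            "sent_bytes": int(http["bytes"]), "tls": {"version": http["tls"]},
            "http": {"method": http["method"].upper(), "response_code": int(http["status"]),
                     "user_agent": http["useragent"]},
        },
        "security_result": [{
            "action": udm_action, "action_details": attack["ruleActions"], "severity": severity,
            "threat_name": attack["ruleMessages"], "category_details": attack["ruleTags"],
            "summary": summary, "detection_fields": detection_fields,
        }],
    }


if __name__ == "__main__":
    print(json.dumps(map_siem_event_to_udm(SAMPLE_SIEM_EVENT), indent=2))
```

A useful check when validating a feed is to compare the output of this model against the UDM event Google SecOps actually produces for the same raw record: a "monitor" action should arrive as ALLOW with severity HIGH rather than CRITICAL, and target.url should carry the query string, otherwise rules keyed on those fields will silently miss.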
