GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → akamai → cli-eaa

akamai / cli-eaa

Licence: Apache-2.0 license
CLI for Enterprise Application Access (EAA)

Programming Languages

python
139335 projects - #7 most used programming language
shell
77523 projects

Labels

logsakamaisiemakamai-clicli-eaaenterprise-cli

Projects that are alternatives of or similar to cli-eaa

cli-property-manager
Use this Property Manager CLI to automate Akamai property changes and deployments across many environments.
Stars: ✭ 22 (+15.79%)
Mutual labels:  akamai, akamai-cli
cli-sandbox
Akamai CLI for Sandbox
Stars: ✭ 14 (-26.32%)
Mutual labels:  akamai, akamai-cli
OpenSIEM-Logstash-Parsing
SIEM Logstash parsing for more than hundred technologies
Stars: ✭ 140 (+636.84%)
Mutual labels:  logs, siem
SWELF
Simple Windows Event Log Forwarder (SWELF). Its easy to use/simply works Log Forwarder and EVTX Parser. Almost in full release here at https://github.com/ceramicskate0/SWELF/releases/latest.
Stars: ✭ 23 (+21.05%)
Mutual labels:  logs, siem
auditbeat-in-action
Demo for Elastic's Auditbeat and SIEM
Stars: ✭ 24 (+26.32%)
Mutual labels:  siem
addon-log-viewer
Log Viewer - Home Assistant Community Add-ons
Stars: ✭ 37 (+94.74%)
Mutual labels:  logs
l
Cross-platform html/io [L]ogger with simple API.
Stars: ✭ 26 (+36.84%)
Mutual labels:  logs
LogRhythm.Tools
LogRhythm PowerShell Toolkit
Stars: ✭ 37 (+94.74%)
Mutual labels:  siem
android-sdk
AppSpector is a debugging service for mobile apps
Stars: ✭ 39 (+105.26%)
Mutual labels:  logs
pg sampletolog
Postgres extension to sample statements or transactions to logs
Stars: ✭ 17 (-10.53%)
Mutual labels:  logs
detect-cloudflare-plus
True Sight Firefox extension.
Stars: ✭ 34 (+78.95%)
Mutual labels:  akamai
dns-collector
Aggregator, analyzer, transporter and logging for your DNS logs
Stars: ✭ 58 (+205.26%)
Mutual labels:  logs
log-generator
Log generator using SLF4J / Java 7 concurrency
Stars: ✭ 11 (-42.11%)
Mutual labels:  logs
DynaX
动态的工具集合 For .Net Core
Stars: ✭ 16 (-15.79%)
Mutual labels:  logs
ratlog.js
🐀 Ratlog JavaScript library - Application Logging for Rats, Humans and Machines
Stars: ✭ 24 (+26.32%)
Mutual labels:  logs
pm2-io-apm
PM2.io APM for Node.JS
Stars: ✭ 131 (+589.47%)
Mutual labels:  logs
SysmonConfigPusher
Pushes Sysmon Configs
Stars: ✭ 59 (+210.53%)
Mutual labels:  siem
Azure-Sentinel-4-SecOps
Microsoft Sentinel SOC Operations
Stars: ✭ 140 (+636.84%)
Mutual labels:  siem
rkubelog
Send k8s Logs to Papertrail and Loggly Without DaemonSets (for Nodeless Clusters)
Stars: ✭ 15 (-21.05%)
Mutual labels:  logs
logserver
web log viewer that combines logs from several sources
Stars: ✭ 20 (+5.26%)
Mutual labels:  logs
View All Similar Projects ➔

Akamai CLI: Enterprise Application Access

Table of contents

Screenshot

Introduction

Enterprise Application Access (EAA) comes with a full suite of APIs. Yet you need to write scripts or use Postman to be able to interact with the service.

With Akamai CLI you can run very common operations directly from the command line, no coding required.

This can be helpful if you plan to consume EAA logs into your favorite SIEM, or automate some operation in your workflow with Bash, Powershell or solution like Ansible.

Key features

  • Event logs
    • View access logs (identification, application activity)
    • View admin logs (admin portal access, config change, deployment, deletion)
    • Send the logs to a file
    • Blocking mode (similar to tail -f)
    • Alternatively, you can specify a date range with --start and --end
  • Application
    • Save, restore/update, deploy
    • Batch operation
    • Attach/detach connectors
  • Directory
    • Create group and group overlay
    • Synchronize with your LDAP or Active Directory
  • Identity Providers (IdP)
    • List configured IdP, status
  • Certificate management
    • List configured certificates
    • Rotate certificate with optional deployment of dependent applications and IdP
  • Connectors
    • List all connectors including the reachability status and health
    • Show all applications used by a connector and breakdown of active connection
    • Swap a connector (limited to applications only)

Installation / upgrade

See install.md

Examples

EAA event logs

EAA comes with two types of logs, the user access logs and the administrators audit logs. For detailed description about each field, please refer to the product documentation on https://techdocs.akamai.com.

You can pull EAA events either:

  • in near realtime using the argument -f or --tail
  • or retrieve a period of time passing EPOCH timestamp in --start and --end
  • tune the acceptable delay vs. completeness with --delay, we recommend 10 minutes delay for full completeness

If you set -f and date range, the -f option will be ignored.

Pull user access logs, block till new logs are received. You can stop by pressing Control+C (Control+Break) or sending a signal SIG_INT or SIG_TERM to the process

$ akamai eaa log access --tail

You may want a one time chunk of log for a period of time, let's say the last 6 hours:

$ START=$(bc <<< "$(date +%s) - 6 * 60 * 60")
$ akamai eaa log access -s $START

On Windows platforms, you may use PowerShell

PS /home/cli-eaa> $START = (Get-Date -UFormat %s) - 6 * 60 * 60
PS /home/cli-eaa> akamai eaa log access -s $START

Send the user access events to a file (utf-8 encoding is being used):

$ akamai eaa log access --tail -o /tmp/eaa_access.log

Pull admin audit events, block till new logs are received

$ akamai eaa log admin --tail

Applications

$ akamai eaa search datascience
app://mD_Pw1XASpyVJc2JwgICTg,Data Science,akdemo-datascience,akdemo-datascience.go.akamai-access.com,4
Found 1 app(s), total 124 app(s)

You can save locally the application

$ akamai eaa app app://mD_Pw1XASpyVJc2JwgICTg > ~/eaa_app_datascience_v3.json

And restore

$ cat ~/eaa_app_datascience_v3.json | akamai eaa app app://mD_Pw1XASpyVJc2JwgICTg update

Or quickly walk through the JSON tree with jq.

$ akamai eaa -b app app://mD_Pw1XASpyVJc2JwgICTg | jq .advanced_settings.websocket_enabled
"true"

Delete an application

akamai eaa app app://mD_Pw1XASpyVJc2JwgICTg delete

Deploy an application, you can optionally add a comment to keep track of the change:

akamai eaa app app://mD_Pw1XASpyVJc2JwgICTg deploy --comment "[TICKET1234] Update service account credentials"

One question we often get: What are the applications using connector xyz?
Buckle up, we use jq and grep.
Note: we use -b to avoid the extra info the CLI spills out, like the footer.

$ akamai eaa -b search | akamai eaa app - | jq -j '.name, ": ", (.agents[]|.name, " "), "\n"'|grep xyz

View groups associated with a particular application

$ akamai eaa app app://FWbUCfpvRKaSOX1rl0u55Q viewgroups

You can pipe command as well, example to deploy all the application matching "bastion"

$ akamai eaa -b search bastion | akamai eaa app - deploy

Attach/detach connectors to a particular application:

$ akamai eaa app app://app-uuid-1 attach con://connector-uuid-1 con://connector-uuid-2
$ akamai eaa app app://app-uuid-1 detach con://connector-uuid-1 con://connector-uuid-2

Directory operations

List the configured directories

$ akamai eaa dir
dir://FuiibQiDQzmC34oBx7INfQ,Cloud Directory,7
dir://2Kz2YqmgSpqT_IJq9BLkWg,ad.akamaidemo.net,108
dir://EX5-YjMyTrKgeWKHrqhUEA,Okta LDAP,10
dir://Ygl1BpAFREiHrA8HR7dFhA,Azure AD,1

Trigger directory synchronization

$ akamai eaa dir dir://2Kz2YqmgSpqT_IJq9BLkWg sync
Synchronize directory 2Kz2YqmgSpqT_IJq9BLkWg
Directory 2Kz2YqmgSpqT_IJq9BLkWg synchronization requested.

Connectors

Here with the shortcut c and the column command available in most POSIX environment. When piping, the extra information written on stderr so they appear seperately. Below short command akamai eaa c short form for akamai eaa connector list:

$ akamai eaa c | column -t -s,
Total 9 connector(s)
#Connector-id                 name                reachable  status  version     privateip      publicip        debug
con://cht3_GEjQWyMW9LEk7KQfg  demo-v2-con-1-amer  1          1       4.4.0-2765  10.1.4.206     12.123.123.123  Y
con://Wy0Y6FrwQ66yQzLBAInC4w  demo-v2-con-2-amer  1          1       4.4.0-2765  10.1.4.172     12.123.123.123  Y
con://dK0f1UvhR7i8-RByABDXaQ  demo-v2-con-4-emea  1          1       4.4.0-2765  192.168.1.90   12.123.12.12    N
con://Ihmf51dASo-R1P37hzaP3Q  demo-v2-con-3-emea  1          1       4.4.0-2765  192.168.1.235  12.123.12.12    N
con://XiCmu80xQcSWnaeQcvH8Vg  demo-v2-con-5-apj   1          1       4.4.0-2765  192.168.1.228  12.123.123.12   Y
con://pkGjL5OgSjyHoymMguvp9Q  demo-v2-con-6-apj   1          1       4.4.0-2765  192.168.1.144  12.123.123.12   Y
con://NAWSlptPSXOjq-bk2-EQPw  demo-v2-con-10-rus  1          1       4.4.0-2765  10.3.0.101     12.123.123.12   Y
con://e_0nShZBQ7esNAC3ZEkhSQ  demo-v2-con-3-amer  1          1       4.4.0-2765  10.1.4.83      12.123.123.123  Y
con://OEe9o-n2S_aMeZpLxgwG0A  tmelab-sfo          1          1       4.4.0-2765  192.168.2.101  12.123.123.12   Y

If you need to integrate connector health into your monitoring system, use the --perf option. Command akamai eaa c list --perf You will get 7 extra columns:

  • CPU usage (%)
  • Memory usage (%)
  • Network Traffic (Mbps)
  • Total of dialout connections
  • Idle dialout connections
  • Active dialout connections

To correlate with application served by each connectors, use the --showapps, a list of the application FQDNs as an array in the JSON response.

Swapping connectors

If you are doing a maintenance on an hypervizor, you may need to swap out 2 connectors. The current implement look for all the apps, add the new connector, remove the old one. The application is marked as ready to update.

Caveats (let us know if you need it):

  • This doesn't perform swap for directory
  • There is no option to automatically redeploy the impacted application after the swap

Example:

$ akamai eaa connector con://e_0nShZBQ7esNAC3ZEkhSQ swap con://cht3_GEjQWyMW9LEk7KQfg
#Operation,connector-id,connector-name,app-id,app-name
+,con://cht3_GEjQWyMW9LEk7KQfg,demo-v2-con-1-amer,app://nSFDNGYARHeZGNlweIX7Wg,Speedtest (v2.1)
-,con://e_0nShZBQ7esNAC3ZEkhSQ,demo-v2-con-3-amer,app://nSFDNGYARHeZGNlweIX7Wg,Speedtest (v2.1)
Connector swapped in 1 application(s).
Updated application(s) is/are marked as ready to deploy

Certificate management

Display certificates

The following command cert will display all the certificate you have configured in EAA. It will also display the CN and SAN attribute and display all the thoses in the hosts field. If multiple, we use + as a separator.

Here an example with a wildcard certificate:

$ akamai eaa cert | head -n1
#Certificate-ID,cn,type,expiration,days left,hosts
crt://KXi553saQSCeNI1_WH6xuA,*.akamaidemo.net,Custom,2031-06-05T22:56:34,3307,*.akamaidemo.net+akamaidemo.net

Rotation

One of the most common task with certificate it to rotate before the current certificate expires.

cli-eaa helps with this task with the akamai eaa certificate command.

You simply pass the certificate and key file as parameter, the optional passphrase and the command will replace the existing certificate. By default, the rotation won't redeploy the impacted application / IdP. If you want the cli to trigger the deployment of all impacted applications and IdP, add the --deployafter.

Example using --deployafter:

$ akamai eaa certificate crt://certificate-UUID rotate --key ~/certs/mycert.key --cert ~/certs/mycert.cert --deployafter
Rotating certificate certificate-UUID...
Certificate CN: *.akamaidemo.net (*.akamaidemo.net Lets Encrypt)
Certificate certificate-UUID updated, 3 application/IdP(s) have been marked ready for deployment.
Deploying application Multi-origin Active-Active Demo (US-East) (app://appid-1)...
Deploying application Multi-origin Active-Active Demo (US-West) (app://appid-2)...
Deploying IdP Bogus IdP to test EME-365 (idp://idpid-1)...
Deployment(s) in progress, it typically take 3 to 5 minutes
Use 'akamai eaa cert crt://certificate-UUID status' to monitor the progress.

Checking the status of the deployment:

$ akamai eaa cert crt://certificate-UUID status
#App/IdP ID,name,status
app://appid-1,Multi-origin Active-Active Demo (US-East),Pending
app://appid-2,Multi-origin Active-Active Demo (US-West),Pending
idp://idpid-1,Bogus IdP to test EME-365,Pending

Device Posture Inventory

Pipe the result of the inventory into jq to display only device ID, name and user_id

$ akamai eaa dp inventory | jq '.[] | {device_id, device_name, user_id}'

Known Limitations

  • While updating an application from a JSON, only a subset of the data will be updated in the back-end, not the entire application configuration

Troubleshooting and Support

Self-troubleshooting

If the command is not working properly, you can increase the level of verbosity using:

  • -v or --verbose to trace the main steps
  • -d or --debug to get full visibility, include API HTTP headers

The messages are printed on stderr so you can safely redirect stdout to a file or use the --output option.

Support

cli-eaa is provided as-is and it is not supported by Akamai Support. To report any issue, feature request or bug, please open a new issue into the GitHub Issues page

We are strongly encouraging developer to create a pull request.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].