Hi, I am currently working on NGINX Plus as an ingress controller for my Kubernetes cluster and using sc4s to forward logs to Splunk Enterprise. However, I notice that sc4s does not forward all of the logs, including the App Protect WAF and DoS logs. Do the WAF and DoS logs require special setup to forward? I tried with syslog-ng like this example https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.2/examples/ingress-resources/app-protect-do... but the logs are not showing in Splunk Enterprise.
Thanks.
Adding to @dural_yyz's answer - your question seems not to be Splunk related but rather connected with your source system, which might or might not be able to produce the required logs. If you're not getting logs into Splunk, assuming that the intermediate sc4s is working in general because it sends other logs, there are two possibilities - either your sc4s is misconfigured and doesn't send the data properly (but to troubleshoot that you'd need to be absolutely sure that sc4s is getting the relevant events from the source; did you verify it?) or your source is not sending the desired data (and this is something you need to resolve on the source side).
Since nginx is forwarding some logs, you know the connection is functional. So when you mention not all logs, like WAF and DoS, do you mean none of those message types are ingested at Splunk, or just some messages of those types are not ingested?
If it is all messages like WAF and DoS, then perhaps a filter update is required. What happens to messages that do not have a matching filter - is there a catch-all index set up?
Any packet captures to demonstrate that the WAF and DoS messages are forwarded from nginx to sc4s?
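As an added example (not from any of the posters, and not part of sc4s or the NGINX ingress project), here is a small Python check for the point both answers make: before touching sc4s filters, confirm on the wire what the source actually emits. It parses RFC 5424 and RFC 3164 syslog headers and counts messages by sending host and app name, either from a short UDP capture on a port you choose or from the embedded sample. The sample lines are constructed; the app name "app-protect-waf-test" in them is a placeholder, not NGINX App Protect's real syslog tag.

```python
"""Count syslog messages by sender and app name, to confirm that WAF/DoS
events actually reach the sc4s host. Added example; sample data is constructed."""
import re
import socket
import sys
import time
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>\d{1,2} (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"\S+ \S+ (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)
# RFC 3164 (BSD style): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    host: str
    app: str
    message: str


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line in either format; return None if it matches neither."""
    for rx in (RFC5424, RFC3164):
        m = rx.match(line.strip())
        if m:
            pri = int(m.group("pri"))  # PRI = facility * 8 + severity
            return SyslogEvent(pri >> 3, pri & 7, m.group("host"), m.group("app"), m.group("msg"))
    return None


def summarise(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, str], int], int]:
    """Return ({(host, app): count}, number of lines that are not valid syslog)."""
    counts: Counter = Counter()
    unparsed = 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed += 1
        else:
            counts[(ev.host, ev.app)] += 1
    return dict(counts), unparsed


def capture_udp(port: int, seconds: float) -> List[str]:
    """Listen on a UDP port for `seconds` and return every datagram as text.
    Point the ingress's syslog destination at this host:port (or run it on the
    sc4s host on a spare port) to see what the source sends, filters aside."""
    lines: List[str] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(0.5)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                continue
            lines.append(data.decode("utf-8", errors="replace"))
    return lines


# Constructed sample: the app names are placeholders, not NGINX App Protect's real tags.
SAMPLE_LINES = [
    '<134>1 2024-05-01T12:00:00Z nginx-ingress app-protect-waf-test - - - attack_type="constructed"',
    '<134>1 2024-05-01T12:00:01Z nginx-ingress app-protect-waf-test - - - attack_type="constructed"',
    "<134>May  1 12:00:02 nginx-ingress nginx[1234]: 10.0.0.1 - - GET / 200 (constructed)",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python check.py <udp-port> <seconds>
        lines = capture_udp(int(sys.argv[1]), float(sys.argv[2]))
    else:
        lines = SAMPLE_LINES
    counts, unparsed = summarise(lines)
    for (host, app), n in sorted(counts.items()):
        print(f"{host:20} {app:25} {n}")
    print(f"unparsed lines: {unparsed}")
```

If the capture shows the ingress host sending only the plain nginx access/error lines and nothing tagged for the WAF or DoS module, the problem is on the source side; if the WAF/DoS lines do arrive but never reach Splunk, look at the sc4s filter and catch-all index configuration instead.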