
Forward syslog directly to Splunk Enterprise from an NGINX Plus ingress controller

phu_nguyen
Loves-to-Learn

Hi, I am currently working on NGINX Plus as an ingress controller for my Kubernetes cluster and using sc4s to forward logs to Splunk Enterprise. However, I notice that sc4s does not forward all of the logs, including the App Protect WAF and DoS logs. Do the WAF and DoS logs require special setup to be forwarded? I tried with syslog-ng like this example, https://github.com/nginxinc/kubernetes-ingress/blob/v3.6.2/examples/ingress-resources/app-protect-do... , but the logs are not showing in Splunk Enterprise.

Thanks.


PickleRick
SplunkTrust

Adding to @dural_yyz's answer - your question seems not to be Splunk related but rather connected with your source system, which might or might not be able to produce the required logs. If you're not getting logs into Splunk, assuming that the intermediate sc4s is working in general because it sends other logs, there are two possibilities: either your sc4s is misconfigured and doesn't send the data properly (but to troubleshoot that you'd need to be absolutely sure that sc4s is getting the relevant events from the source; did you verify it?), or your source is not sending the desired data (and this is something you need to resolve on the source side).

dural_yyz
Motivator

Since nginx is forwarding some logs, you know the connection is functional. So when you mention not all logs, like WAF and DoS, do you mean none of those message types are ingested at Splunk, or just that some messages of those types are not ingested?

If all messages like WAF and DoS are missing, then perhaps a filter update is required. What happens to messages that do not have a matching filter; is there a catch-all index set up?

Any packet captures to demonstrate that the WAF and DoS messages are forwarded from nginx to sc4s?

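Both replies above come down to the same check: confirm that the ingress controller actually emits WAF and DoS events before debugging sc4s. One way to do that with sc4s out of the path is to point the controller's syslog destination at a throwaway UDP listener and count what arrives by message type. The script below is an added example, not code from this thread, from NGINX or from Splunk. The `ASM:` prefix used to spot App Protect WAF events, the `dos_attack_id=` field used to spot DoS events, the port number and the sample lines are all assumptions or constructed data; adjust the markers to whatever your own log format shows.

```python
"""Throwaway UDP syslog sink for checking what an NGINX ingress controller emits.

Added example (not from the thread, NGINX or Splunk). Point the controller's
syslog destination at this host:port, let it run, and read the per-type counts.
"""
import re
import socket
import sys
import time
from collections import Counter

# Assumed markers for each event type. ASM: / dos_attack_id= are assumptions
# about the App Protect log formats; change them to match your real output.
MARKERS = [
    ("waf", re.compile(r"\bASM:")),
    ("dos", re.compile(r"\bdos_attack_id=")),
    ("access", re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|PATCH|OPTIONS) ')),
]

# Constructed sample lines for offline testing; these are NOT real captures.
SAMPLE_LINES = [
    '<134>Jun  1 10:00:01 nginx-ingress nginx: 10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 612',
    '<134>Jun  1 10:00:02 nginx-ingress ASM:attack_type="SQL-Injection",blocking_exception_reason="N/A"',
    '<134>Jun  1 10:00:03 nginx-ingress nginx: 10.0.0.6 - - [01/Jun/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 403 0',
    '<134>Jun  1 10:00:04 nginx-ingress nginx: vs_name="default/app",dos_attack_id="42",attack_event="Attack started"',
    '<134>Jun  1 10:00:05 nginx-ingress nginx: worker process 17 exited with code 0',
]


def classify(line: str) -> str:
    """Return the first matching event type for a syslog line, or 'other'."""
    for name, pattern in MARKERS:
        if pattern.search(line):
            return name
    return "other"


def summarize(lines) -> dict:
    """Count received lines per event type; zero for a type means the source never sent it."""
    return dict(Counter(classify(line) for line in lines))


def listen(host: str = "0.0.0.0", port: int = 5514, seconds: int = 60) -> list:
    """Receive UDP syslog for `seconds` and return the decoded lines.

    Use a non-privileged port (or stop sc4s) so the two listeners do not collide.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(1.0)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                continue
            lines.append(data.decode("utf-8", errors="replace").rstrip("\r\n"))
    return lines


if __name__ == "__main__":
    # Usage: python syslog_sink.py [port] [seconds]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5514
    seconds = int(sys.argv[2]) if len(sys.argv) > 2 else 60
    received = listen(port=port, seconds=seconds)
    for kind, count in sorted(summarize(received).items()):
        print(f"{kind:8s} {count}")
    for line in received:
        if classify(line) in ("waf", "dos"):
            print(line)  # raw WAF/DoS lines, useful for matching sc4s filters later
```

If the WAF and DoS counters stay at zero here, the problem is on the source side (the App Protect log destination or its syslog target), exactly as both answers suspect; if they are non-zero, the raw lines printed at the end are what your sc4s filter has to match.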