Chapter 14. Integrating with Splunk
If you are using Splunk, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk and view the violations, vulnerability detection, and compliance related data from within Splunk.
Currently, Splunk integration is not supported on IBM Power (ppc64le) and IBM Z (s390x).
Depending on your use case, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk in the following ways:
By using an HTTP event collector in Splunk:
- Use the event collector option to forward alerts and audit log data.
By using the Red Hat Advanced Cluster Security for Kubernetes add-on:
- Use the add-on to pull the violations, vulnerability detection, and compliance data into Splunk.
You can use one or both of these integration options to integrate the Red Hat Advanced Cluster Security for Kubernetes with Splunk.
14.1. Using the HTTP event collector
You can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk by using an HTTP event collector.
To integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the HTTP event collector, follow these steps:
- Add a new HTTP event collector in Splunk and get the token value.
- Use the token value to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
- Identify policies for which you want to send notifications, and update the notification settings for those policies.
14.1.1. Adding an HTTP event collector in Splunk
Add a new HTTP event collector for your Splunk instance, and get the token.
Procedure
- In your Splunk dashboard, go to Settings → Add Data.
- Click Monitor.
- On the Add Data page, click HTTP Event Collector.
- Enter a Name for the event collector and then click Next >.
- Accept the default Input Settings and click Review >.
- Review the event collector properties and click Submit >.
- Copy the Token Value for the event collector. You need this token value to configure integration with Splunk in Red Hat Advanced Cluster Security for Kubernetes.
14.1.1.1. Enabling the HTTP event collector
You must enable HTTP event collector tokens before you can receive events.
Procedure
- In your Splunk dashboard, go to Settings → Data inputs.
- Click HTTP Event Collector.
- Click Global Settings.
- In the dialog that opens, click Enabled and then click Save.
14.1.2. Configuring Splunk integration in Red Hat Advanced Cluster Security for Kubernetes
Create a new Splunk integration in Red Hat Advanced Cluster Security for Kubernetes by using the token value.
Procedure
- In the RHACS portal, go to Platform Configuration → Integrations.
- Scroll down to the Notifier Integrations section and select Splunk.
- Click New Integration (the add icon).
- Enter a name for Integration Name.
- Enter your Splunk URL in the HTTP Event Collector URL field. You must specify the port number if it is not 443 for HTTPS or 80 for HTTP. You must also add the URL path /services/collector/event at the end of the URL. For example, https://<splunk-server-path>:8088/services/collector/event.
- Enter your token in the HTTP Event Collector Token field.
Note: If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.57 or newer, you can specify a custom Source Type for Alert events and Source Type for Audit events.
- Select Test to send a test message to verify that the integration with Splunk is working.
- Select Create to generate the configuration.
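The URL rules in the procedure above (http or https scheme, an explicit port when it is not the scheme default, and the /services/collector/event path) are easy to get wrong, and the Test button only tells you that something failed. The following Python script is an added example, not part of the Red Hat documentation or of RHACS itself: it normalizes a HEC URL according to those rules, refuses plaintext HTTP unless explicitly allowed, and assembles the request a test event would send. The `Authorization: Splunk <token>` header is Splunk's documented HEC authentication scheme; the host name, token and source type values are constructed placeholders.

```python
# Added example; not part of the Red Hat documentation or of RHACS itself.
# Applies the HEC URL rules from the procedure above (http/https scheme,
# explicit port when not the scheme default, path /services/collector/event)
# and assembles the request a test message would use. The header format
# "Authorization: Splunk <token>" is Splunk's documented HEC scheme; the host
# name, token and source type values used below are constructed placeholders.
import json
from urllib.parse import urlsplit, urlunsplit
from urllib import request

HEC_PATH = "/services/collector/event"
DEFAULT_PORTS = {"https": 443, "http": 80}


def build_hec_endpoint(url: str, allow_plaintext: bool = False) -> str:
    """Normalize a Splunk HEC URL or raise ValueError if it cannot be used.

    Plain HTTP is refused unless allow_plaintext=True, because the HEC token
    travels in a request header and would be exposed on the wire.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme must be http or https, got {parts.scheme!r}")
    if scheme == "http" and not allow_plaintext:
        raise ValueError("plaintext HTTP refused; use https or set allow_plaintext=True")
    if not parts.hostname:
        raise ValueError("URL has no host")
    # parts.port is None when no port was given; make the scheme default explicit
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    path = parts.path.rstrip("/")
    if path == "":
        path = HEC_PATH  # path omitted: append the collector path
    elif path != HEC_PATH:
        raise ValueError(f"path must be {HEC_PATH}, got {parts.path!r}")
    return urlunsplit((scheme, f"{parts.hostname}:{port}", path, "", ""))


def build_test_request(url: str, token: str, source_type: str) -> dict:
    """Return method, URL, headers and JSON body for a HEC test event (no I/O)."""
    body = {
        "sourcetype": source_type,
        "event": {"message": "RHACS Splunk integration test", "kind": "test"},
    }
    return {
        "method": "POST",
        "url": build_hec_endpoint(url),
        "headers": {
            "Authorization": f"Splunk {token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body).encode(),
    }


def send_test_event(url: str, token: str, source_type: str, timeout: float = 10.0) -> int:
    """POST the test event to Splunk and return the HTTP status code (network call)."""
    parts = build_test_request(url, token, source_type)
    req = request.Request(parts["url"], data=parts["body"],
                          headers=parts["headers"], method=parts["method"])
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed values: replace with your own Splunk host and HEC token.
    sample_url = "https://splunk.example.com:8088"
    sample_token = "<hec-token>"
    print(build_test_request(sample_url, sample_token, "rhacs-test")["url"])
```

Run `build_hec_endpoint` against the value you plan to paste into the HTTP Event Collector URL field; a ValueError points at the exact rule that was broken, and the returned string is the form RHACS expects. `send_test_event` does the same thing as the Test button from outside RHACS, which is useful for telling a network or token problem apart from a misconfigured integration.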
14.1.3. Configuring policy notifications
Enable alert notifications for system policies.
Procedure
- In the RHACS portal, go to Platform Configuration → Policy Management.
- Select one or more policies for which you want to send alerts.
- Under Bulk actions, select Enable notification.
- In the Enable notification window, select the Splunk notifier.
Note: If you have not configured any other integrations, the system displays a message that no notifiers are configured.
- Click Enable.
- Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
- Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.
Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:
- A policy violation occurs for the first time in a deployment.
- A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.
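Because a notifier fires once per alert, a Splunk dashboard will not show a second event for a violation that simply keeps existing; it only shows one when a new alert is created. The following Python model is an added example, not RHACS code: it encodes the two alert-creation scenarios listed above so that you can reason about what Splunk will and will not receive. How RHACS stores alerts internally is not modeled, and the deployment and policy names in the simulation are constructed.

```python
# Added example, not RHACS code: a simplified model of the notification rules
# described above. A notifier fires once per alert; a new alert is created on
# the first violation of a policy in a deployment, or when a runtime-phase
# violation recurs after the previous runtime alert for that policy and
# deployment was resolved. How RHACS stores alerts internally is not modeled;
# the deployment and policy names in simulate() are constructed.
from dataclasses import dataclass, field


@dataclass
class AlertTracker:
    # (deployment, policy) -> "active" or "resolved"
    state: dict = field(default_factory=dict)
    # notifications handed to the Splunk notifier, in order
    sent: list = field(default_factory=list)

    def observe_violation(self, deployment: str, policy: str, runtime: bool) -> bool:
        """Record a violation; return True if it created a new alert (and a notification)."""
        key = (deployment, policy)
        if key not in self.state:
            # scenario 1: first violation of this policy in this deployment
            self.state[key] = "active"
            self.sent.append((deployment, policy, "runtime" if runtime else "deploy"))
            return True
        if runtime and self.state[key] == "resolved":
            # scenario 2: runtime violation after the previous runtime alert was resolved
            self.state[key] = "active"
            self.sent.append((deployment, policy, "runtime"))
            return True
        # an alert already exists for this pair: no repeat notification.
        # The text lists only the two scenarios above, so a repeated
        # deploy-phase violation after a resolve creates nothing in this model.
        return False

    def resolve(self, deployment: str, policy: str) -> None:
        """Mark the alert resolved (the analyst action the text refers to)."""
        if (deployment, policy) in self.state:
            self.state[(deployment, policy)] = "resolved"


def simulate() -> list:
    """Run a constructed sequence of events and return the notifications sent."""
    t = AlertTracker()
    t.observe_violation("payments", "privileged-container", runtime=False)  # new alert
    t.observe_violation("payments", "privileged-container", runtime=False)  # no repeat
    t.observe_violation("payments", "shell-spawned", runtime=True)          # new alert
    t.observe_violation("payments", "shell-spawned", runtime=True)          # no repeat
    t.resolve("payments", "shell-spawned")
    t.observe_violation("payments", "shell-spawned", runtime=True)          # new alert again
    return t.sent


if __name__ == "__main__":
    for deployment, policy, phase in simulate():
        print(f"notify Splunk: {deployment} / {policy} ({phase})")
```

The practical consequence for detection engineering: if you want Splunk to reflect a runtime violation that recurs, the previous runtime alert has to be resolved in RHACS first; otherwise the recurrence is folded into the existing alert and no event reaches the collector.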