If you are using Splunk, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk and view vulnerability and compliance related data from within Splunk.
Depending on your use case, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk in the following ways:
By using an HTTP event collector in Splunk: use the event collector option to forward alerts and audit log data.
By using the StackRox Kubernetes Security Platform add-on: use the add-on to pull vulnerability detection and compliance data into Splunk.
The StackRox Kubernetes Security Platform add-on is only available if you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.51.0 or newer.
You can use one or both of these integration options to integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk.
You can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk by using an HTTP event collector.
To integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the HTTP event collector, follow these steps:
Add a new HTTP event collector in Splunk and get the token value.
Use the token value to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.
Identify policies for which you want to send notifications, and update the notification settings for those policies.
Add a new HTTP event collector for your Splunk instance, and get the token.
In your Splunk dashboard, navigate to Settings → Add Data.
Click Monitor.
On the Add Data page, click HTTP Event Collector.
Enter a Name for the event collector and then click Next >.
Accept the default Input Settings and click Review >.
Review the event collector properties and click Submit >.
Copy the Token Value for the event collector. You need this token value to configure integration with Splunk in Red Hat Advanced Cluster Security for Kubernetes.
Create a new Splunk integration in Red Hat Advanced Cluster Security for Kubernetes by using the token value.
On the RHACS portal, navigate to Platform Configuration → Integrations.
Scroll down to the Notifier Integrations section and select Splunk.
Click New Integration (add icon).
Enter a name for Integration Name.
Enter your Splunk URL in the HTTP Event Collector URL field.
You must specify the port number if it is not 443 for HTTPS or 80 for HTTP. You must also add the URL path /services/collector/event at the end of the URL. For example, https://<splunk-server-path>:8088/services/collector/event.
Enter your token in the HTTP Event Collector Token field.
If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.57 or newer, you can specify a custom Source Type for Alert events and Source Type for Audit events.
Select Test (checkmark icon) to send a test message to verify that the integration with Splunk is working.
Select Create (save icon) to create the configuration.
Enable alert notifications for system policies.
On the RHACS portal, navigate to Platform Configuration → Policies.
Select the policy for which you want to send alerts.
Select Actions → Edit Policy.
In the Attach Notifiers section, select the check box for the Splunk notifier.
If you have not configured any integrations, the system displays a message that no notifiers are configured.
Click Next until you reach Review Policy, then click Save.
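The following Python script is an added example (not RHACS or Splunk code) that shows what the event collector integration above amounts to on the wire: it builds the collector URL using the port and path rules stated for the HTTP Event Collector URL field, wraps a constructed alert in the HEC envelope with a chosen source type, and posts it with the token. The hostname, port, token and sample alert fields are placeholders.

```python
"""Send a test event to a Splunk HTTP Event Collector (HEC) the way the
RHACS Splunk notifier does. Added example; host, port, token and the
sample alert are constructed placeholders."""
import json
import urllib.request
from typing import Optional

HEC_PATH = "/services/collector/event"


def hec_url(host: str, port: Optional[int] = None, scheme: str = "https") -> str:
    """Collector URL as the RHACS notifier expects it: the port is written
    only when it is not the scheme's default (443 for HTTPS, 80 for HTTP)
    and /services/collector/event is always appended."""
    if scheme not in ("https", "http"):
        raise ValueError(f"unsupported scheme: {scheme}")
    default_port = 443 if scheme == "https" else 80
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return f"{scheme}://{netloc}{HEC_PATH}"


def hec_payload(event: dict, sourcetype: str, source: str = "rhacs") -> dict:
    """HEC envelope; sourcetype is the field RHACS 3.0.57+ lets you set
    separately for alert and audit events."""
    return {"event": event, "sourcetype": sourcetype, "source": source}


def hec_request(url: str, token: str, payload: dict) -> urllib.request.Request:
    """HEC authenticates with Splunk's 'Authorization: Splunk <token>' scheme."""
    return urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def send_test_event(host: str, port: int, token: str) -> int:
    """Post a constructed alert; returns the HTTP status (200 means accepted)."""
    sample_alert = {  # constructed sample; field names are illustrative only
        "policy": {"name": "Test policy", "severity": "LOW_SEVERITY"},
        "deployment": {"name": "example-deploy", "namespace": "default"},
        "message": "RHACS -> Splunk HEC connectivity test",
    }
    req = hec_request(hec_url(host, port), token,
                      hec_payload(sample_alert, "stackrox-alert"))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Placeholders: use your Splunk host and the HEC token copied in Splunk.
    print(send_test_event("splunk.example.internal", 8088, "<hec-token>"))
```

A 200 response with Splunk's acknowledgement body confirms the URL, port, path and token are correct; a 403 usually means the token is wrong or the collector is disabled.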
You can use the StackRox Kubernetes Security Platform add-on to forward vulnerability detection and compliance related data from Red Hat Advanced Cluster Security for Kubernetes to Splunk.
Begin by generating an API token with read permission for all resources in Red Hat Advanced Cluster Security for Kubernetes and then use that token to install and configure the add-on.
You can install the StackRox Kubernetes Security Platform add-on from your Splunk instance.
You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. You can assign the Analyst system role to grant this level of access. The Analyst role has read permissions for all resources.
Download the StackRox Kubernetes Security Platform add-on from Splunkbase.
Navigate to the Splunk home page on your Splunk instance.
Navigate to Apps → Manage Apps.
Select Install app from file.
In the Upload app pop-up box, select Choose File and select the StackRox Kubernetes Security Platform add-on file.
Click Upload.
Click Restart Splunk, and confirm to restart.
After Splunk restarts, select StackRox from the Apps menu.
Click Create New Input.
Either select StackRox Compliance to pull compliance data or StackRox Vulnerability Management to pull vulnerability data into Splunk.
Enter a Name for the input.
Select an Interval to pull data from Red Hat Advanced Cluster Security for Kubernetes. For example, every 14400 seconds.
Select the Splunk Index to which you want to send the data.
For Central Endpoint, enter the IP address or the name of your Central instance.
Enter the API token you have generated for the add-on.
Click Add.