Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
  1. Documentation
    2. history
×

Integrating with Splunk

If you are using Splunk, you can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk and view vulnerability and compliance related data from within Splunk.

Depending on your use case, you can integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the following ways:

You can use one or both of these integration options to integrate the Red Hat Advanced Cluster Security for Kubernetes with Splunk.

Using the HTTP event collector

You can forward alerts from Red Hat Advanced Cluster Security for Kubernetes to Splunk by using an HTTP event collector.

To integrate Red Hat Advanced Cluster Security for Kubernetes with Splunk by using the HTTP event collector, follow these steps:

  1. Add a new HTTP event collector in Splunk and get the token value.

  2. Use the token value to set up notifications in Red Hat Advanced Cluster Security for Kubernetes.

  3. Identify policies for which you want to send notifications, and update the notification settings for those policies.

Adding an HTTP event collector in Splunk

Add a new HTTP event collector for your Splunk instance, and get the token.

Procedure

  1. In your Splunk dashboard, navigate to SettingsAdd Data.

  2. Click Monitor.

  3. On the Add Data page, click HTTP Event Collector.

  4. Enter a Name for the event collector and then click Next >.

  5. Accept the default Input Settings and click Review >.

  6. Review the event collector properties and click Submit >.

  7. Copy the Token Value for the event collector. You need this token value to configure integration with Splunk in Red Hat Advanced Cluster Security for Kubernetes.

Enabling HTTP event collector

You must enable HTTP event collector tokens before you can receive events.

Procedure

  1. In your Splunk dashboard, navigate to SettingsData inputs.

  2. Click HTTP Event Collector.

  3. Click Global Settings.

  4. In the dialog that opens, click Enabled and then click Save.

Configuring Splunk integration in Red Hat Advanced Cluster Security for Kubernetes

Create a new Splunk integration in Red Hat Advanced Cluster Security for Kubernetes by using the token value.

Procedure

  1. On the RHACS portal, navigate to Platform ConfigurationIntegrations.

  2. Scroll down to the Notifier Integrations section and select Splunk.

  3. Click New Integration (add icon).

  4. Enter a name for Integration Name.

  5. Enter your Splunk URL in the HTTP Event Collector URL field. You must specify the port number if it is not 443 for HTTPS or 80 for HTTP. You must also add the URL path /services/collector/event at the end of the URL. For example, https://<splunk-server-path>:8088/services/collector/event.

  6. Enter your token in the HTTP Event Collector Token field.

    If you are using Red Hat Advanced Cluster Security for Kubernetes version 3.0.57 or newer, you can specify custom Source Type for Alert events and Source Type for Audit events.

  7. Select Test (checkmark icon) to send a test message to verify that the integration with Splunk is working.

  8. Select Create (save icon) to create the configuration.

Configuring policy notifications

Enable alert notifications for system policies.

Procedure

  1. On the RHACS portal, navigate to Platform ConfigurationPolicies.

  2. Select one or more policies for which you want to send alerts.

  3. Under Bulk actions, select Enable notification.

  4. In the Enable notification window, select the Splunk notifier.

    If you have not configured any other integrations, the system displays a message that no notifiers are configured.

  5. Click Enable.

  • Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.

  • Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.

  • Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:

    • A policy violation occurs for the first time in a deployment.

    • A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.

Using the StackRox Kubernetes Security Platform add-on

You can use the StackRox Kubernetes Security Platform add-on to forward the vulnerability detection and compliance related data from the Red Hat Advanced Cluster Security for Kubernetes to Splunk.

Begin by generating an API token with read permission for all resources in Red Hat Advanced Cluster Security for Kubernetes and then use that token to install and configure the add-on.

Installing and configuring the Splunk add-on

You can install the StackRox Kubernetes Security Platform add-on from your Splunk instance.

Prerequisites

  • You must have an API token with read permission for all resources of Red Hat Advanced Cluster Security for Kubernetes. You can assign the Analyst system role to grant this level of access. The Analyst role has read permissions for all resources.

Procedure

  1. Download the StackRox Kubernetes Security Platform add-on from Splunkbase.

  2. Navigate to the Splunk home page on your Splunk instance.

  3. Navigate to AppsManage Apps.

  4. Select Install app from file.

  5. In the Upload app pop-up box, select Choose File and select the StackRox Kubernetes Security Platform add-on file.

  6. Click Upload.

  7. Click Restart Splunk, and confirm to restart.

  8. After Splunk restarts, select StackRox from the Apps menu.

  9. Click Create New Input.

  10. Either select StackRox Compliance to pull compliance data or StackRox Vulnerability Management to pull vulnerability data into Splunk.

  11. Enter a Name for the input.

  12. Select an Interval to pull data from Red Hat Advanced Cluster Security for Kubernetes. For example, every 14400 seconds.

  13. Select the Splunk Index to which you want to send the data.

  14. For Central Endpoint, enter the IP address or the name of your Central instance.

  15. Enter the API token you have generated for the add-on.

  16. Click Add.