|
| 1 | +--- |
| 2 | +title: "Connect NGINX App Protect WAF to NGINX Security Monitoring" |
| 3 | +weight: 1800 |
| 4 | +doctypes: ["concept"] |
| 5 | +toc: true |
| 6 | +--- |
| 7 | + |
| 8 | +This document explains how to use NGINX Ingress Controller to configure NGINX Agent for sending F5 NGINX App Protect WAF metrics to NGINX Security Monitoring. |
| 9 | + |
| 10 | +## Prerequisites |
| 11 | + |
| 12 | +This guide assumes that you have an installation of NGINX Instance Manager with [NGINX Security Monitoring](https://docs.nginx.com/nginx-management-suite/installation/vm-bare-metal/install-security-monitoring/) which is reachable from the Kubernetes cluster on which NGINX Ingress Controller is deployed. |
| 13 | + |
| 14 | +If you use custom container images, NGINX Agent must be installed along with NGINX App Protect WAF. See the [Dockerfile](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/build/Dockerfile) for examples of how to install NGINX Agent or the [NGINX Agent installation documentation](https://docs.nginx.com/nginx-agent/installation-upgrade/) for more information. |
| 15 | + |
| 16 | +## Deploying NGINX Ingress Controller with GlobalConfiguration resource |
| 17 | + |
| 18 | +{{<tabs name="deploy-config-resource">}} |
| 19 | + |
| 20 | +{{%tab name="Using Helm"%}} |
| 21 | + |
| 22 | +1. Add the below arguments to the `values.yaml` file: |
| 23 | + ```yaml |
| 24 | + nginxAgent: |
| 25 | + enable: true |
| 26 | + instanceManager: |
| 27 | + host: "<FQDN or IP address of NGINX Instance Manager>" |
| 28 | + ``` |
| 29 | +
|
| 30 | +2. Follow the [Installation with Helm]({{< relref "/installation/installing-nic/installation-with-helm.md" >}}) instructions to deploy NGINX Ingress Controller with custom resources enabled, and optionally set other `nginxAgent.*` values if required. |
| 31 | + |
| 32 | +{{%/tab%}} |
| 33 | + |
| 34 | +{{%tab name="Using Manifests"%}} |
| 35 | + |
| 36 | +1. Add the below argument to the manifest file of NGINX Ingress Controller: |
| 37 | + |
| 38 | + ```yaml |
| 39 | + args: |
| 40 | + - -agent=true |
| 41 | + - -agent-instance-group=<NGINX Ingress Controller deployment name> |
| 42 | + ``` |
| 43 | + |
| 44 | +2. Create a ConfigMap with an `nginx-agent.conf` file which must be mounted to `/etc/nginx-agent/nginx-agent.conf` in the NGINX Ingress Controller pod. |
| 45 | + ```yaml |
| 46 | + kind: ConfigMap |
| 47 | + apiVersion: v1 |
| 48 | + name: <configmap name> |
| 49 | + namespace: <namespace where NGINX Ingress Controller will be installed> |
| 50 | + data: |
| 51 | + nginx-agent.conf: |- |
| 52 | + log: |
| 53 | + level: error |
| 54 | + path: "" |
| 55 | + server: |
| 56 | + host: "<FQDN or IP address of NGINX Instance Manager>" |
| 57 | + grpcPort: 443 |
| 58 | + features: |
| 59 | + - registration |
| 60 | + - nginx-counting |
| 61 | + - metrics-sender |
| 62 | + - dataplane-status |
| 63 | + extensions: |
| 64 | + - nginx-app-protect |
| 65 | + - nap-monitoring |
| 66 | + nginx_app_protect: |
| 67 | + report_interval: 15s |
| 68 | + precompiled_publication: true |
| 69 | + nap_monitoring: |
| 70 | + collector_buffer_size: 20000 |
| 71 | + processor_buffer_size: 20000 |
| 72 | + syslog_ip: 127.0.0.1 |
| 73 | + syslog_port: 1514 |
| 74 | + ``` |
| 75 | + See the [NGINX Agent Configuration Overview](https://docs.nginx.com/nginx-agent/configuration/configuration-overview/) for more configuration options. |
| 76 | + |
| 77 | +{{< note >}} The `features` list must not contain `nginx-config-async` or `nginx-ssl-config` as these features can cause conflicts with NGINX Ingress Controller.{{< /note >}} |
| 78 | + |
| 79 | +3. Follow the [Installation with Manifests]({{< relref "/installation/installing-nic/installation-with-manifests.md" >}}) instructions to deploy NGINX Ingress Controller with custom resources enabled. |
| 80 | + |
| 81 | +{{%/tab%}} |
| 82 | + |
| 83 | +{{</tabs>}} |
| 84 | + |
| 85 | +Once NGINX Ingress Controller is installed the pods will be visible in the NGINX Instance Monitoring Instances dashboard. |
| 86 | + |
| 87 | +## Configuring NGINX App Protect WAF to send metrics to NGINX Agent |
| 88 | + |
| 89 | +NGINX Agent runs a syslog listener which NGINX App Protect WAF can be configured to send logs to, which will then allow NGINX Agent to send metrics to NGINX Security Monitoring. The following examples show how to configure NGINX App Protect WAF to log to NGINX Agent. |
| 90 | + |
| 91 | +- [Custom Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/custom-resources/security-monitoring) |
| 92 | +- [Ingress Resources example](https://github.com/nginxinc/kubernetes-ingress/tree/v3.4.3/examples/ingress-resources/security-monitoring) |
| 93 | + |
| 94 | +{{< note >}} Modifying the APLogConf in the examples may result in the Security Monitoring integration not working, as NGINX Agent expects a specific log format.{{< /note >}} |
0 commit comments