Connect F5 WAF for NGINX to NGINX Security Monitoring

This document explains how to use NGINX Ingress Controller to configure NGINX Agent for sending F5 WAF for NGINX metrics to NGINX Security Monitoring.

Prerequisites

This guide assumes that you have an installation of NGINX Instance Manager with NGINX Security Monitoring that is reachable from the Kubernetes cluster on which NGINX Ingress Controller is deployed.

If you use custom container images, NGINX Agent must be installed along with F5 WAF for NGINX. See the Dockerfile for examples of how to install NGINX Agent or the NGINX Agent installation documentation for more information.

Deploying NGINX Ingress Controller with NGINX Agent configuration

  1. If you deploy with Helm, add the following values to the values.yaml file:

    nginxAgent:
        enable: true
        instanceManager:
            host: "<FQDN or IP address of NGINX Instance Manager>"
  2. Follow the Installation with Helm instructions to deploy NGINX Ingress Controller with custom resources enabled, and optionally set other nginxAgent.* values if required.

  1. If you deploy with manifests, add the following arguments to the manifest file of NGINX Ingress Controller:

    args:
      - -agent=true
      - -agent-instance-group=<NGINX Ingress Controller deployment name>
  2. Create a ConfigMap with an nginx-agent.conf file which must be mounted to /etc/nginx-agent/nginx-agent.conf in the NGINX Ingress Controller pod.

     kind: ConfigMap
     apiVersion: v1
     metadata:
       name: <configmap name>
       namespace: <namespace where NGINX Ingress Controller will be installed>
     data:
       nginx-agent.conf: |-
         log:
           level: error
           path: ""
         server:
           host: "<FQDN or IP address of NGINX Instance Manager>"
           grpcPort: 443
         tls:
           enable: true
           skip_verify: false
         features:
         - registration
         - nginx-counting
         - metrics-sender
         - dataplane-status
         extensions:
         - nginx-app-protect
         - nap-monitoring
         nginx_app_protect:
           report_interval: 15s
           precompiled_publication: true
         nap_monitoring:
           collector_buffer_size: 20000
           processor_buffer_size: 20000
           syslog_ip: 127.0.0.1
           syslog_port: 1514

    See the NGINX Agent Configuration Overview for more configuration options.

The features list must not contain nginx-config-async or nginx-ssl-config as these features can cause conflicts with NGINX Ingress Controller.
  3. Make sure that the ConfigMap is mounted to the NGINX Ingress Controller pod at /etc/nginx-agent/nginx-agent.conf by adding the following to the NGINX Ingress Controller deployment manifest:

     volumeMounts:
     - name: agent-conf
       mountPath: /etc/nginx-agent/nginx-agent.conf
       subPath: nginx-agent.conf
  4. Follow the Installation with Manifests instructions to deploy NGINX Ingress Controller with custom resources enabled.

Once NGINX Ingress Controller is installed, the pods will be visible in the NGINX Instance Monitoring Instances dashboard.
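
The following script is an added example, not part of the NGINX documentation. It checks an nginx-agent.conf file before it is placed in the ConfigMap: the two conflicting features named above must be absent, the two extensions from the configuration above must be present, and TLS must be on with certificate verification. The function names and the sample input are constructed for illustration, and the parser assumes the simple layout shown on this page (top-level keys at column 0), not full YAML.

```shell
# Added example (not from the NGINX docs): lint an nginx-agent.conf saved to a file.

# Print the items of the YAML list under top-level key $2 in file $1.
list_items() {
  awk -v key="$2:" '
    $1 == key && NF == 1 { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
    in_list && NF { in_list = 0 }' "$1"
}

# Print the scalar value of key $3 inside top-level section $2 in file $1.
section_value() {
  awk -v sec="$2:" -v key="$3:" '
    /^[^ \t#]/ { in_sec = ($1 == sec); next }
    in_sec && $1 == key { print $2; exit }' "$1"
}

# Print one line per finding; return the number of findings (0 = clean).
lint_agent_conf() {
  f="$1"; bad=0
  for item in nginx-config-async nginx-ssl-config; do   # named on the page as conflicting
    if list_items "$f" features | grep -qx -- "$item"; then
      echo "FAIL: feature '$item' conflicts with NGINX Ingress Controller"; bad=$((bad + 1))
    fi
  done
  for item in nginx-app-protect nap-monitoring; do      # assumption: the page's extensions are required
    if ! list_items "$f" extensions | grep -qx -- "$item"; then
      echo "FAIL: extension '$item' is not enabled"; bad=$((bad + 1))
    fi
  done
  [ "$(section_value "$f" tls enable)" = "true" ] || { echo "FAIL: tls.enable is not true"; bad=$((bad + 1)); }
  [ "$(section_value "$f" tls skip_verify)" = "false" ] || { echo "FAIL: tls.skip_verify is not false"; bad=$((bad + 1)); }
  return "$bad"
}

# Constructed sample input (not from the page) with two deliberate mistakes.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
tls:
  enable: true
  skip_verify: true
features:
- nginx-config-async
extensions:
- nginx-app-protect
- nap-monitoring
EOF
lint_agent_conf "$sample" || echo "findings: $?"
```

Run it against the file you intend to store under the nginx-agent.conf key; a non-zero return value is the number of findings.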

Configuring F5 WAF for NGINX to send metrics to NGINX Agent

NGINX Agent runs a syslog listener. Configure F5 WAF for NGINX to send its logs to that listener so that NGINX Agent can send metrics to NGINX Security Monitoring. The following examples show how to configure F5 WAF for NGINX to log to NGINX Agent.

Modifying the APLogConf in the examples may result in the Security Monitoring integration not working, as NGINX Agent expects a specific log format.