splunk · sbylica-splunk · Aug 11, 2025 · Jun 18, 2025 · Jun 24, 2025 · Jun 24, 2025
@@ -1,4 +1,4 @@
-SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://xxx.xxx.xxx.xxx:8088
+SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://xxx.xxx.xxx.xxx:8088
 SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxxxxxxxxxxxx
 #Uncomment the following line if using untrusted SSL certificates
 #SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
@@ -23,16 +23,16 @@ docker exec -it ansible_sc4s /bin/bash
 
 * To authenticate with username and password:
 ``` bash 
-ansible-playbook -i path/to/inventory.yaml -u <username> --ask-pass path/to/playbooks/docker.yml
+ansible-playbook -i ansible/inventory/inventory.yaml -u <username> --ask-pass ansible/playbooks/playbooks/docker.yml
 or
-ansible-playbook -i path/to/inventory.yaml -u <username> --ask-pass path/to/playbooks/podman.yml
+ansible-playbook -i ansible/inventory/inventory.yaml -u <username> --ask-pass ansible/playbooks/playbooks/podman.yml
 
 ```
 * To authenticate using a key pair:
 ``` bash 
-ansible-playbook -i path/to/inventory.yaml -u <username> --key-file <key_file> path/to/playbooks/docker.yml
+ansible-playbook -i ansible/inventory/inventory.yaml -u <username> --key-file <key_file> ansible/playbooks/playbooks/docker.yml
 or
-ansible-playbook -i path/to/inventory.yaml -u <username> --key-file <key_file> path/to/playbooks/podman.yml
+ansible-playbook -i ansible/inventory/inventory.yaml -u <username> --key-file <key_file> ansible/playbooks/playbooks/podman.yml
 ```
 
 # Step 3: Validate your configuration

@@ -51,7 +51,7 @@ ansible-playbook -i path/to/inventory_swarm.yaml -u <username> --key-file <key_f
 |sc4s    | 1        | Swarm        |
 
 * To scale your number of services:
-```sudo docker service update --replicas 2 sc4s_sc4s```
+```sudo docker service update --replicas 2 SC4S_sc4s```
 
 * To see services running in a given stack: 
 ```sudo docker stack services sc4s```

@@ -0,0 +1,106 @@
+You can install SC4S on AWS with EKS. To do this, you can use a deployment file and a basic configuration information.
+
+Refer to AWS [documentation](https://docs.aws.amazon.com/eks/latest/userguide/sample-deployment.html) on how to set up your AWS environment. 
+
+Before you begin you also need to have `kubectl` installed.
+
+# Prepare your initial configuration
+1. First create a file named `/opt/sc4s/env_file` and add the following environment variables and values:
+
+``` dotenv
+--8<---- "ansible/resources/env_file"
+```
+Then create a configmap with variables provided in the file
+```
+kubectl create configmap sc4s-config --from-env-file=/opt/sc4s/env_file -n sc4s
+```
+
+2. Create a deployment configuration file based on this:
+``` yaml
+--8<---- "docs/resources/docker/sc4s_deployment.yaml"
+```
+
+Please note that this file may need to be modified based on your requirements, such as the ports being used.
+You can view the default range of ports opened by the nodePort [here](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport).
+
+3. (Optioinal) To use local filters you have to load them into a configmap, and uncomment parts of the deployment file related to them:
+
+```
+kubectl create configmap sc4s-local-filter-config \                  
+  --from-file=/opt/sc4s/local/config/app_parsers  -n sc4s
+```
+
+This loads files from app_parsers directory only, [here](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#create-configmaps-from-files) is the documentation explaining other use cases.
+
+# Deploy SC4S with your configuration
+1. To run SC4S simply run this command in the directory where your deployment file is located:
+```bash
+kubectl apply -f sc4s_deployment.yaml
+```
+
+You can use a load balancer with SC4S, to set it up properly refer to our [documentation](../architecture/lb/index.md).
+
+2. You can use following commands to check if SC4S deployment and NodePort service is running.
+
+To get pods:
+```bash
+kubectl get pods -n sc4s
+```
+
+To get NodePort service:
+```bash
+kubectl get services -n sc4s
+```
+
+Check the logs using this command:
+```bash
+kubectl logs {your_pod_name} -n sc4s
+```
+
+You should see something like this:
+```ini
+SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:fallback...
+SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
+syslog-ng checking config
+sc4s version=3.37.0
+Configuring the health check port to: 8080
+[2025-08-01 17:40:50 +0000] [130] [INFO] Starting gunicorn 23.0.0
+[2025-08-01 17:40:50 +0000] [130] [INFO] Listening at: http://0.0.0.0:8080 (130)
+[2025-08-01 17:40:50 +0000] [130] [INFO] Using worker: sync
+[2025-08-01 17:40:50 +0000] [133] [INFO] Booting worker with pid: 133
+starting syslog-ng
+```
+
+If the pod does not start you can debug it with this command:
+```bash
+kubectl describe pod {your_pod_name} -n sc4s
+```
+
+3. You can use following commands to check if SC4S deployment and NodePort service is running.
+
+
+# Validate your configuration
+
+SC4S performs checks to ensure that the container starts properly and that the syntax of the underlying syslog-ng
+configuration is correct. Once the checks are complete, validate that SC4S properly communicate with Splunk.
+To do this, execute the following search in Splunk:
+
+```ini
+index=* sourcetype=sc4s:events "starting up"
+```
+
+# Update SC4S 
+Whenever the image is upgraded or when you want your configuration changes to be applied, run the command:
+
+```bash
+kubectl apply -f sc4s_deployment.yaml
+```
+
+Kubectl will detect if there are any changes to be made and rollout new pods if necessary.
+
+# Stop SC4S
+
+To delete the deployment run this command in the directory where your deployment file is located:
+```bash
+kubectl delete -f sc4s_deployment.yaml
+```
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sc4s-deployment
+  namespace: sc4s
+  labels:
+    app: sc4s-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sc4s-app
+  template:
+    metadata:
+      labels:
+        app: sc4s-app
+    spec:
+      volumes:
+      - name: config-volume
+        configMap:
+          name: sc4s-config
+      # Uncomment only if local parser used
+      # - name: local-filter-config
+      #   configMap:
+      #     name: sc4s-local-filter-config 
+
+      containers:
+      - name: sc4s
+        image: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest
+        imagePullPolicy: IfNotPresent
+
+        resources:  
+          requests:
+            cpu: "500m"
+            memory: "512Mi"
+          limits:
+            cpu: "2000m"
+            memory: "2Gi"
+
+        envFrom:
+          - configMapRef:
+              name: sc4s-config
+
+        # Uncomment only if local parser used
+        # volumeMounts:
+        # - name: local-filter-config
+        #   mountPath: /etc/syslog-ng/conf.d/local/config/app_parsers
+        #   readOnly: true
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sc4s-nodeport-service
+  namespace: sc4s
+spec:
+  selector:
+    app: sc4s-app
+  type: NodePort 
+  ports:
+    - port: 514
+      targetPort: 514
+      name: "tcp514"
+      protocol: TCP
+      nodePort: 30514
+    - port: 514
+      targetPort: 514
+      name: "udp514"
+      protocol: UDP
+      nodePort: 30514
+    - port: 601
+      targetPort: 601
+      name: "tcp601"
+      protocol: TCP
+      nodePort: 30601
+    - port: 6514
+      targetPort: 6514
+      name: "tcp6514"
+      protocol: TCP
+      nodePort: 30515
+    - port: 8080
+      targetPort: 8080
+      name: "healthcheck"
+      protocol: TCP
+      nodePort: 30080
@@ -64,6 +64,8 @@ nav:
           - Docker Swarm: "gettingstarted/ansible-docker-swarm.md"
           - Podman/Docker: "gettingstarted/ansible-docker-podman.md"
           - mk8s: "gettingstarted/ansible-mk8s.md"
+        - Cloud (Experimental):
+          - EKS (Experimental): "gettingstarted/eks.md"
   - Create a parser: "create-parser.md"
   - Configuration: "configuration.md"
   - Destinations: "destinations.md"