Documentation forSecurity Event Manager

Install a node-level SEM agent running in Kubernetes as DaemonSet

This section describes how to monitor your kubernetes (K8s) cluster containers in the SEM Console using a node-level agent running as DaemonSet.

See the Kubernetes website located at https://kubernetes.io for information about DaemonSet and the Kubernetes open-source platform. See the Docker website located at https://docker.com for information about the Docker open-source platform.
The procedures in this section do not focus on collecting logs to a single file.

Node-level agent example

The following diagram illustrates how the node-level agent collects and transfers the container logs to the SEM manager.

In this example, the following procedures occur:

  1. The App container pushes all non-persistent logs to STDOUT (standard output).

  2. The log collecting container collects and writes the logs to the persistent file on the node.

  3. The node-level agent running in the pod collects the recorded logs from the file.

  4. When the log collection process is completed, the agent sends the logs to the SEM manager.

Required files

Create the following files in the same location:

  • Dockerfile - A Yaml file that creates the docker image.

  • prepare-conf - The server that stores the connection settings.

  • swiagent-daemon-set.yaml - The daemon set yaml file.

    This file can be stored in a different location.

Agent installation prerequisites

Before you install the node-level agent in a Kubernetes cluster, perform the following procedures:

  1. Install the Kubernetes Kubectl command line tool on the targeted system.

    See the Kubernetes documentation located at https://kubernetes.io/docs/home for instructions.

  2. Install docker on the targeted system.

    See the docker docs website located at https://docs.docker.com for instructions.

  3. Prepare the SEM agent installer.

    See SEM Agent pre-installation checklist for instructions.

  4. Create a new connector profile in the SEM Console. After the node-level agent is deployed, the agent will be added to the connector profile.

About the config setting script

The config setting script changes the spop.conf file on the running pod during the spool up process. This script executes when the pods spool up.

In the following procedures, prepare-conf.sh will be the name of the config setting script.
#!/bin/bash
cat > /usr/local/contego/ContegoSPOP/spop.conf << EOL
ManagerAddress=${SEM_MANAGER_IP_ADDRESS}
ManagerInstallPort=37890
ManagerSecurePort=37891
NioManagerSecurePort=37892
profile.default=${SEM_PROFILE_NAME}
EOL

The profile.default parameter adds the installed node agent to the pre-prepared connector profile. This value can be inserted as the exact profile name (case sensitive).

Build the docker image

The following snippet provides an example of a docker image.

In this snippet, agent-installer.bin is name of the agent installer. Rename the installer if you have an installer with a different name. Additionally, rename all occurrences in Dockerfile.

If you need to rebuild the docker image with new agent installer, you can use the --no-cache argument during build to build it. Otherwise, docker will use the cache.
FROM debian:12-slim

ADD ./agent-installer.bin /
ADD ./prepare-conf.sh /

ENV SWI_SEM_NO_INSTALL "0"

RUN set -eux; \
      apt-get update; \
      apt-get install -y; \
      chmod 777 /tmp; \
      chmod 777 agent-installer.bin; \
      chmod 777 prepare-conf.sh;

RUN /bin/bash -c "./agent-installer.bin -i silent"

Build the docker image on a cluster control plane machine

  1. Navigate to the target location hosting Dockerfile.

  2. Build the image using the following command:

    docker build -t swi-sem-agent .

    where swi-sem-agent is the image name. Be sure to include the period ( . ) preceded by one space at the end of the command.

Build the docker image on a non-cluster control plane machine

If you are building the image on a machine that is not the cluster control plane, perform the following steps to migrate the image: 

  1. Open a Command Prompt window.

  2. Save the build image to a tar file using the following command:

    docker save -o ./swi-sem-agent.tar swiagent

  3. Copy the tar and yaml files to a machine hosting the docker and kubernetes cluster.

  4. Load the tar file and supdoc option to docker using the following command:

    docker load -i ./swi-sem-agent.tar

  5. Verify that the image was imported to docker using the following command:

    docker images

Troubleshooting

If kubernetes cannot load the image, try running the docker image using the following command:

docker run swiagent:latest

Build the DaemonSet image

The following snippet provides an example of a DaemonSet image.

apiVersion: v1
kind: Namespace
metadata:
  name: swi
  labels:
    name: swi-sem-agent
---
apiVersion: v1
kind: Service
metadata:
  name: swi-sem-agent-port-service
spec:
  type: NodePort
  selector:
    app: swi-agent
  ports:
  - name: install-port
    port: 37890
    targetPort: 37890
  - name: control-port
    port: 37891
    targetPort: 37891
  - name: message-port
    port: 37892
    targetPort: 37892
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: swi-sem-agent
  namespace: swi
  labels:
    k8s-app: swi-sem-agent
spec:
  selector:
    matchLabels:
      name: swi-sem-agent
  template:
    metadata:
      labels:
        name: swi-sem-agent
    spec:
      tolerations:
      - key: node-role.kubernetes.io/control-plane
        operator: Exists
        effect: NoSchedule
      - key: node-role.kubernetes.io/master
        operator: Exists
        effect: NoSchedule
      containers:
      - name: swi-sem-agent
        image: swi-sem-agent:latest
        imagePullPolicy: IfNotPresent
        env:
      - name: SEM_MANAGER_IP_ADDRESS
        value: "ip.ad.dre.ss"
      - name: SEM_PROFILE_NAME
        value: "profile-name"
      args: [/bin/sh, -c, './prepare-conf.sh && /usr/local/contego/ContegoSPOP/SWLEMAgent start && tail -f /usr/local/contego/ContegoSPOP/spoplog.txt']
      resources:
        limits:
          memory: 500Mi
      requests:
        cpu: 100m
        memory: 200Mi
      volumeMounts:
      - name: var-log
        mountPath: /var/log
        readOnly: true
    terminationGracePeriodSeconds: 30
    dnsPolicy: Default
    volumes:
      - name: var-log
        hostPath:
          path: /var/log

In this example, the first section creates the service that makes the visible ports available for agent-to-manager communications. The second section creates daemonSet, which spawns the agent container on each kubernetes cluster node.

The following table describes the container settings.

Setting Description
env

Includes two container specifications:

  • SEM_MANAGER_IP_ADDRESS - The SEM Manager IP address that connects to the agent.

  • SEM_PROFILE_NAME - The name of the default connector profile that becomes the agent when the installation is completed. Create this profile on the SEM manager before you deploy the agent.

args

Sets the SEM manager IP address and default profile and starts the agent service.

The first part of the command executes the prepare-conf.sh script that sets the manager IP address and default profile. The second part of the command starts the agent service in the container.

volumeMounts

The mounted volume required by the agent to access and read the log file.

In this example, the agent container is mounted in the /var/log directory of the node.

Deploy DaemonSet to the host machine

  1. Open a Command Prompt window.

  2. Apply DaemonSet to the cluster using the following command:

    kubectl apply -f swi-agent-daemon-set.yaml

    where swi-agent-daemon-set.yaml is the name of the yaml file.

  3. Open the SEM Console.
  4. Verify that:

    • The agent is installed correctly.

      See Verify the SEM Agent connection for more information.

    • The agent was added to the specified connector profile.

      In the SEM Console, locate the agent between the nodes. On the right side, there will be a tag with the name of the profile or added connector.