NTA in K8s with NGINX in K8s

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This feature is available with Invicti API Security Standalone or Bundle.

To collect access logs from NGINX, configure it to forward logs using the Syslog protocol. In this setup, NGINX acts as a reverse proxy and sends access logs to the Traffic Signal Aggregator (TSA), which is part of Invicti's Network Traffic Analyzer (NTA).

The TSA receives logs over UDP and forwards them to the Reconstructor service, which analyzes the data to reconstruct API activity for security analysis.

Both NTA and NGINX run on Kubernetes:

  • NTA (TSA + Reconstructor) is deployed in a Kubernetes cluster using Helm.
  • NGINX is also deployed in the same Kubernetes cluster and configured to forward access logs to the TSA service using the Syslog protocol.

This document explains how to:

  • Deploy NTA (TSA + Reconstructor) in Kubernetes
  • Deploy and configure NGINX to forward logs via Syslog
  • Validate the integration

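The configuration is a 3-step process:

  • Step 1: Deploy NTA in Kubernetes using Helm
  • Step 2: Configure NGINX to forward logs via Syslog
  • Step 3: Test the setup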

Prerequisites

Before getting started, ensure the following:

  • You have access to a Kubernetes cluster (e.g., Minikube, EKS, GKE).
  • kubectl is configured and connected to the cluster (verify by running kubectl get nodes).
  • NGINX version 1.9.11 or later is deployed in a Kubernetes pod (verify with nginx -v).
  • You have access to Invicti Enterprise and can navigate to APIs > Sources to add a New source and copy the Registration token.
  • Helm is installed (verify with helm version).
  • The NGINX pod can reach the TSA service over UDP port 15400.

Step 1: Deploy NTA in Kubernetes using Helm

This guide uses the default namespace, so you do not need to create a new one. Proceed with the Helm command below to install the Invicti API Discovery components.

Deploy NTA in K8s using Helm

Use the following Helm command to install the Invicti API Discovery components with the required configuration:

helm install invicti-api-discovery oci://registry.invicti.com/invicti-api-discovery \
  --version 25.4.0 \
  -n default \
  --set imageRegistryUsername=<your-username> \
  --set imageRegistryPassword=<your-password> \
  --set trafficSource.tsa.enabled=true \
  --set trafficSource.tsa.syslogEnabled=true \
  --set reconstructor.JWT_TOKEN="<your-apihub-jwt-token>"

🔧 Replace the following placeholders with your actual credentials:

  • <your-username> and <your-password> - your image registry credentials. The username is the email address used for Invicti Enterprise. The password can be found under Agents > Manage Agents > New agent > Docker CLI & Openshift section; copy the password in field 2 ("When prompted, enter the password below").

  • <your-apihub-jwt-token> - your API Hub JWT token. You can find the ApiHub token under APIs > Sources > New source: copy the Registration token, then click Save.

Verify deployment

Run the following command to ensure the components were deployed successfully:

kubectl get pods -n default

You should see pods for both TSA and Reconstructor running in the default namespace.

Step 2: Configure NGINX to forward logs via Syslog

To enable log forwarding from NGINX to the TSA service using the Syslog protocol, you’ll need to modify the NGINX configuration file.

Update the configuration

  1. Locate the NGINX configuration file. It is typically located at /etc/nginx/nginx.conf or within /etc/nginx/conf.d/.
  2. Update the configuration

Edit the configuration file and add the following custom log format under the http block:

    http {
      log_format tsalogformat
        '@@@http_x_request_id=$http_x_request_id'
        '@@@request_scheme=$scheme'
        '@@@request_host=$host'
        '@@@remote_addr=$remote_addr'
        '@@@request_method=$request_method'
        '@@@request_uri=$request_uri'
        '@@@server_protocol=$server_protocol'
        '@@@response_status=$status'
        '@@@request_body=$request_body'
        '@@@header_referer=$http_referer'
        '@@@header_accept=$http_accept'
        '@@@header_content_type=$http_content_type'
        '@@@server_port=$server_port';
    }

  3. Configure the access_log to use Syslog

Still within the same http block, locate the access_log directive and replace it with the following:

access_log syslog:server=invicti-api-discovery-tsa-service.default.svc.cluster.local:15400,facility=local7,tag=nginx,severity=info tsalogformat;

🔧 Replace invicti-api-discovery-tsa-service.default.svc.cluster.local with the actual DNS name of your TSA service in the cluster.

  • To retrieve the TSA service name, run:

kubectl get services

Look for the service associated with TSA (typically named invicti-api-discovery-tsa-service).

Restart NGINX

After making the changes, restart NGINX to apply the new configuration:

sudo systemctl restart nginx

or, if you're running it inside a container:

nginx -s reload

Step 3: Test the setup

Follow the steps below to verify that NGINX is successfully forwarding logs to the TSA service and that the NTA components are functioning correctly.

  1. Check pod status

Run the following command to list all pods:

kubectl get pods

You should see entries similar to the following. Wait until both pods show a Running status:

  2. Check the TSA logs

Verify that TSA is receiving logs by checking its logs:

kubectl logs deployment/invicti-api-discovery-tsa

You should see incoming Syslog messages that resemble log entries from NGINX.

  3. Check Reconstructor logs

kubectl logs deployment/invicti-api-discovery-reconstructor

Look for parsed and processed API activity in the logs.
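
To check that a syslog message NGINX emits really matches the tsalogformat defined in Step 2, the following added example (not part of the original page and not Invicti code) parses one datagram and reports missing or out-of-order fields. It assumes the BSD-syslog framing that NGINX writes (`<PRI>timestamp hostname tag: message`); the sample datagram, host name and function name are constructed for illustration.

```python
import re

# Field names, in the order the tsalogformat log_format above emits them.
FIELDS = ["http_x_request_id", "request_scheme", "request_host", "remote_addr",
          "request_method", "request_uri", "server_protocol", "response_status",
          "request_body", "header_referer", "header_accept",
          "header_content_type", "server_port"]

# Split only where '@@@' is followed by a known field name and '=', so a '='
# inside a URI or body does not break the record apart.
DELIM = re.compile(r"@@@(%s)=" % "|".join(FIELDS))
# BSD-syslog framing written by NGINX: <PRI>timestamp hostname tag: message
FRAME = re.compile(r"^<(\d{1,3})>(.{15}) (\S+) ([^:\s]+): (.*)$", re.S)

# Constructed sample datagram (not captured from a real deployment).
SAMPLE = (b"<190>Jan  2 15:04:05 nginx-pod nginx: @@@http_x_request_id=-"
          b"@@@request_scheme=https@@@request_host=api.example.test"
          b"@@@remote_addr=10.0.0.5@@@request_method=POST"
          b"@@@request_uri=/v1/orders?id=7@@@server_protocol=HTTP/1.1"
          b"@@@response_status=201@@@request_body={\\x22qty\\x22:2}"
          b"@@@header_referer=-@@@header_accept=application/json"
          b"@@@header_content_type=application/json@@@server_port=443")


def parse_tsa_datagram(raw):
    """Parse one NGINX syslog datagram carrying a tsalogformat record."""
    m = FRAME.match(raw.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError("not a BSD-syslog framed message")
    pri, _timestamp, host, tag, msg = m.groups()
    parts = DELIM.split(msg)  # ['', name, value, name, value, ...]
    names, values = parts[1::2], parts[2::2]
    fields = {}
    for name, value in zip(names, values):
        fields.setdefault(name, value)  # keep the first occurrence
    return {
        "facility": int(pri) // 8, "severity": int(pri) % 8,
        "host": host, "tag": tag, "fields": fields,
        "missing": [f for f in FIELDS if f not in fields],
        # True only if every field appears exactly once, in order, with
        # nothing before the first delimiter.
        "well_formed": parts[0] == "" and names == FIELDS,
    }


if __name__ == "__main__":
    rec = parse_tsa_datagram(SAMPLE)
    print(rec["well_formed"], rec["facility"], rec["fields"]["request_uri"])
```

Facility 23 and severity 6 correspond to the facility=local7 and severity=info parameters of the access_log directive. The record carries $request_body as logged over unencrypted UDP, so run the check on test traffic rather than on captures that contain real credentials.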

Notes

  • ✅ UDP Port 15400 must be reachable between the NGINX pod and the TSA service.
  • 🔄 TSA and Reconstructor are deployed using Helm and communicate with each other internally within the cluster.
  • 🧪 Before restarting NGINX or deploying changes, always validate the configuration syntax: