How I Fixed NAP v5 Security Monitoring in NIM on AKS

Background

I was tasked with integrating NGINX App Protect (NAP) v5 with NGINX Instance Manager (NIM) 2.21 Security Monitoring on an AKS cluster. The goal: WAF security events from NAP should appear in the NIM Security Monitoring dashboard in real time.

The Architecture

The setup involved three main components running as a 3-container pod in Kubernetes:

  • nginx-plus – NGINX Plus R36-P3 with App Protect module
  • waf-enforcer – NAP v5 enforcement engine
  • waf-config-mgr – Policy configuration manager

NIM 2.21 runs separately, with ClickHouse as the backend store for security events. nginx-agent v2.46.1 is expected to receive NAP security events on a local syslog listener (port 5514) and forward them to NIM.

The Problem

NAP was blocking WAF attacks, but zero events appeared in NIM Security Monitoring. nginx-agent was running, yet its syslog listener on port 5514 never started, so NAP's syslog output had nowhere to go.

Root Cause Investigation

After a deep investigation that included analyzing the DPM dqlite database, I found the root cause: the NIM license record was a null placeholder (current_report_type=initial, no JWT token). Because of that, the DPM entitlement check failed; because the check failed, the nginx-app-protect feature was never granted to nginx-agent; and because the feature was never granted, the agent never started the syslog listener on port 5514. NAP itself was working, but its events were being sent to a port nothing was listening on.

The Fix

Since fixing the license required vendor involvement, I implemented a Python-based NAP event forwarder as a workaround:

  1. Switched the NAP security log destination from syslog to a file
  2. Wrote a Python script, nap_forwarder.py, that tails the security log file
  3. The script parses NAP's key="value" log format and maps the fields onto the ClickHouse schema
  4. Events are inserted directly into ClickHouse (nms.v4_security_events) through its HTTP API
  5. Deployed the script via a ConfigMap mounted into the nginx-plus container
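The following is an added example of what such a forwarder looks like; it is not the post's original nap_forwarder.py. It tails a file-based NAP security log, parses the key="value" records (values such as attack_type and sig_ids contain commas, so a naive split on "," corrupts them), maps the fields onto a ClickHouse table and builds the JSONEachRow INSERT that ClickHouse's HTTP interface accepts. The log path, the ClickHouse URL and every column name in FIELD_MAP are assumptions; the real nms.v4_security_events schema must be checked with DESCRIBE TABLE before using this against a live NIM instance. The sample record is constructed, not a captured log line.

```python
"""nap_forwarder.py (added example): tail a file-based NAP v5 security log and
insert events into ClickHouse over HTTP as JSONEachRow.

Assumes NAP was switched from syslog to file logging in nginx.conf, e.g.
  app_protect_security_log "/etc/app_protect/conf/log_default.json" /var/log/app_protect/security.log;
Column names in FIELD_MAP are assumptions; verify with DESCRIBE TABLE nms.v4_security_events.
"""
import json
import re
import sys
import time
import urllib.parse
import urllib.request
from typing import Iterator

CLICKHOUSE_URL = "http://127.0.0.1:8123"        # assumed ClickHouse HTTP endpoint
TABLE = "nms.v4_security_events"
LOG_PATH = "/var/log/app_protect/security.log"  # assumed; matches the directive above

# One key="value" pair.  Values such as attack_type and sig_ids contain commas,
# so the record cannot be split on "," first; match the quoted pairs instead.
_PAIR = re.compile(r'(\w+)="([^"]*)"')

# NAP log field -> ClickHouse column (column names are assumptions for this example).
FIELD_MAP = {
    "date_time": "timestamp",
    "support_id": "support_id",
    "ip_client": "client_ip",
    "dest_port": "dest_port",
    "method": "method",
    "uri": "uri",
    "policy_name": "policy_name",
    "request_status": "request_status",
    "attack_type": "attack_type",
    "sig_ids": "sig_ids",
    "violation_rating": "violation_rating",
    "severity": "severity",
    "unit_hostname": "hostname",
}
INT_COLUMNS = {"dest_port", "violation_rating"}


def parse_nap_line(line: str) -> dict:
    """Parse one NAP security-log record into a dict of raw string fields."""
    return dict(_PAIR.findall(line))


def to_row(event: dict) -> dict:
    """Map parsed NAP fields onto the ClickHouse columns, coercing numeric ones.
    A record without support_id is not a NAP event (e.g. a truncated line)."""
    if "support_id" not in event:
        raise ValueError("not a NAP security event: support_id missing")
    row = {col: event[field] for field, col in FIELD_MAP.items() if field in event}
    for col in INT_COLUMNS & row.keys():
        try:
            row[col] = int(row[col])
        except ValueError:
            row[col] = 0  # NAP writes "N/A" in some fields; keep the row rather than crash
    return row


def to_json_each_row(rows) -> bytes:
    """Serialise rows in ClickHouse JSONEachRow format: one JSON object per line."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in rows).encode()


def build_insert_request(rows, url: str = CLICKHOUSE_URL, table: str = TABLE) -> urllib.request.Request:
    """Build the POST that ClickHouse's HTTP interface expects for a bulk insert."""
    query = urllib.parse.urlencode({"query": f"INSERT INTO {table} FORMAT JSONEachRow"})
    return urllib.request.Request(f"{url}/?{query}", data=to_json_each_row(rows),
                                  headers={"Content-Type": "application/x-ndjson"}, method="POST")


def follow(path: str, poll_seconds: float = 0.5) -> Iterator[str]:
    """Yield complete lines appended to `path` (like tail -f; no rotation handling)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, 2)                  # start at EOF: forward only new events
        partial = ""
        while True:
            chunk = fh.readline()
            if not chunk:
                time.sleep(poll_seconds)
                continue
            partial += chunk
            if partial.endswith("\n"):  # a record can arrive in pieces mid-write
                yield partial.rstrip("\n")
                partial = ""


# Constructed sample record in NAP's default key="value" format (not a captured log line).
SAMPLE_LINE = (
    'attack_type="Non-browser Client,SQL-Injection",blocking_exception_reason="N/A",'
    'date_time="2024-05-02 14:03:17",dest_port="80",ip_client="203.0.113.7",method="GET",'
    'policy_name="app_protect_default_policy",protocol="HTTP",request_status="blocked",'
    'response_code="0",severity="Critical",sig_ids="200002147,200002476",src_port="51234",'
    'support_id="1234567890123456789",unit_hostname="nginx-plus-0",uri="/login",'
    'violation_rating="5",vs_name="10-127.0.0.1:80",outcome="REJECTED"'
)

if __name__ == "__main__":
    for line in follow(sys.argv[1] if len(sys.argv) > 1 else LOG_PATH):
        try:
            urllib.request.urlopen(build_insert_request([to_row(parse_nap_line(line))]), timeout=5)
        except (ValueError, OSError) as exc:
            print(f"skipped event: {exc}", file=sys.stderr)
```

Run it as `python3 nap_forwarder.py /var/log/app_protect/security.log` inside the nginx-plus container. Two things to watch in production: the script inserts one event per request, so batch rows when volume is high, and it does not reopen the file after log rotation, so pair it with copytruncate-style rotation or add inode checking.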

Result

Within minutes, WAF security events started appearing in the NIM Security Monitoring dashboard. The workaround bypasses the broken DPM license chain entirely while keeping full event visibility for security operations. It does so by writing into NIM's internal ClickHouse table, so it is a stopgap: the license still has to be repaired, and the forwarder's field mapping must be rechecked after any NIM upgrade that changes that schema.

Key Takeaways

  • When an nginx-agent feature is silently missing, verify the DPM license entitlements before debugging the agent itself
  • NAP v5 syslog forwarding depends on DPM granting the nginx-app-protect feature to nginx-agent; without it, the port 5514 listener never starts
  • Direct ClickHouse insertion is a viable workaround for a broken agent pipeline, but it couples you to an internal schema and should be retired once the pipeline is fixed
  • Understanding the full data flow (NAP → syslog → nginx-agent → NIM → ClickHouse) is essential for troubleshooting a multi-component system like this one
