You can install SC4S on AWS with EKS. To do this, you can use a deployment file and some basic configuration information.

Refer to AWS documentation on how to set up your AWS environment.

Before you begin, you also need to have kubectl installed.

Prepare your initial configuration

  1. First create a file named /opt/sc4s/env_file and add the following environment variables and values:

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://xxx.xxx.xxx.xxx:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=xxxxxxxxxxxxxxxxxx
#Uncomment the following line if using untrusted SSL certificates
#SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no

Then create a configmap with the variables provided in the file:

kubectl create configmap sc4s-config --from-env-file=/opt/sc4s/env_file -n sc4s

  1. Create a deployment configuration file based on this:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sc4s-deployment
      namespace: sc4s
      labels:
        app: sc4s-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sc4s-app
      template:
        metadata:
          labels:
            app: sc4s-app
        spec:
          volumes:
          - name: config-volume
            configMap:
              name: sc4s-config
          # Uncomment only if local parser used
          # - name: local-filter-config
          #   configMap:
          #     name: sc4s-local-filter-config 
    
          containers:
          - name: sc4s
            image: ghcr.io/splunk/splunk-connect-for-syslog/container3:latest
            imagePullPolicy: IfNotPresent
    
            resources:  
              requests:
                cpu: "500m"
                memory: "512Mi"
              limits:
                cpu: "2000m"
                memory: "2Gi"
    
            envFrom:
              - configMapRef:
                  name: sc4s-config
    
            # Uncomment only if local parser used
            # volumeMounts:
            # - name: local-filter-config
            #   mountPath: /etc/syslog-ng/conf.d/local/config/app_parsers
            #   readOnly: true
    
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: sc4s-nodeport-service
      namespace: sc4s
    spec:
      selector:
        app: sc4s-app
      type: NodePort 
      ports:
        - port: 514
          targetPort: 514
          name: "tcp514"
          protocol: TCP
          nodePort: 30514
        - port: 514
          targetPort: 514
          name: "udp514"
          protocol: UDP
          nodePort: 30514
        - port: 601
          targetPort: 601
          name: "tcp601"
          protocol: TCP
          nodePort: 30601
        - port: 6514
          targetPort: 6514
          name: "tcp6514"
          protocol: TCP
          nodePort: 30515
        - port: 8080
          targetPort: 8080
          name: "healthcheck"
          protocol: TCP
          nodePort: 30080
    

Please note that this file may need to be modified based on your requirements, such as the ports being used. You can view the default range of ports opened by the nodePort here.

  1. (Optional) To use local filters, load them into a configmap and uncomment the parts of the deployment file related to them:

kubectl create configmap sc4s-local-filter-config \
  --from-file=/opt/sc4s/local/config/app_parsers -n sc4s

This loads files from the app_parsers directory only. See the documentation for other use cases.
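
A pre-flight check for the env_file from step 1, as an added example that is not part of the SC4S project or its documentation: it flags a non-https HEC URL, the unreplaced placeholder token, TLS verification switched off, and a token file readable by group or others. The function name check_env_file and its exit codes are assumptions of this example.

```sh
# Added example (not SC4S project code): lint the env_file before it is loaded
# into the sc4s-config configmap.
# Exit status: 0 if clean, otherwise the number of findings; 64 if unreadable.
check_env_file() (            # subshell body keeps the variables local
  file=$1
  findings=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; exit 64; }

  # Value of the last uncommented assignment of a variable (text after the first '=').
  value_of() { grep -E "^$1=" "$file" | tail -n 1 | cut -d= -f2-; }
  url=$(value_of SC4S_DEST_SPLUNK_HEC_DEFAULT_URL)
  token=$(value_of SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN)
  verify=$(value_of SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY)

  report() { echo "$file: $1"; findings=$((findings + 1)); }

  case $url in
    https://*) ;;
    "") report "HEC URL is not set" ;;
    *)  report "HEC URL is not https, so the token would be sent unencrypted" ;;
  esac

  case $token in
    "")     report "HEC token is not set" ;;
    *[!x]*) ;;                          # contains something other than 'x'
    *)      report "HEC token is still the all-x placeholder" ;;
  esac

  # Uncommenting TLS_VERIFY=no turns off certificate validation for the HEC endpoint.
  if [ "$verify" = "no" ]; then
    report "TLS certificate verification is disabled"
  fi

  # The file holds a credential: flag it if group or others can read it.
  if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \))" ]; then
    report "file is readable by group or others"
  fi

  exit "$findings"
)
```

Run check_env_file /opt/sc4s/env_file before the kubectl create configmap command; an exit status of 0 means no findings.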

Deploy SC4S with your configuration

  1. To run SC4S, run this command in the directory where your deployment file is located:
    kubectl apply -f sc4s_deployment.yaml
    

You can use a load balancer with SC4S. To set it up properly, refer to our documentation.

  1. You can use the following commands to check whether the SC4S deployment and NodePort service are running.

To get pods:

kubectl get pods -n sc4s

To get NodePort service:

kubectl get services -n sc4s

Check the logs using this command:

kubectl logs {your_pod_name} -n sc4s

You should see something like this:

SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:fallback...
SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:events...
syslog-ng checking config
sc4s version=3.37.0
Configuring the health check port to: 8080
[2025-08-01 17:40:50 +0000] [130] [INFO] Starting gunicorn 23.0.0
[2025-08-01 17:40:50 +0000] [130] [INFO] Listening at: http://0.0.0.0:8080 (130)
[2025-08-01 17:40:50 +0000] [130] [INFO] Using worker: sync
[2025-08-01 17:40:50 +0000] [133] [INFO] Booting worker with pid: 133
starting syslog-ng

If the pod does not start, you can debug it with this command:

kubectl describe pod {your_pod_name} -n sc4s

Validate your configuration

SC4S performs checks to ensure that the container starts properly and that the syntax of the underlying syslog-ng configuration is correct. Once the checks are complete, validate that SC4S communicates properly with Splunk. To do this, execute the following search in Splunk:

index=* sourcetype=sc4s:events "starting up"

Update SC4S

Whenever the image is upgraded or when you want your configuration changes to be applied, run the command:

kubectl apply -f sc4s_deployment.yaml

Kubectl will detect whether there are any changes to be made and roll out new pods if necessary.

Stop SC4S

To delete the deployment, run this command in the directory where your deployment file is located:

kubectl delete -f sc4s_deployment.yaml