6 Enabling Network Security Group Logging

Currently securitygroup uses an iptables-based firewall by default. This section provides information for enabling Open vSwitch (OVS) Network Security Group logging.

As a prerequisite, the system configuration must specify the native OVS firewall driver. Under [securitygroup] in ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2, change the firewall driver to firewall_driver = openvswitch.

Use the following steps to enable logging for securitygroup.

1. Add log as a service_plugin in ~/openstack/my_cloud/config/neutron/neutron.conf.j2.

       service_plugins = {{ neutron_service_plugins }},log

2. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2.

       [agent]
       extensions = log

3. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If other extensions are configured (such as qos), the log extension must be added manually or the functionality of the other extension will break.

       [agent]
       extensions = log

4. Configure the network_log section in ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If a custom file is configured to use for output logs, log file rotation must be done manually. Using a custom log file is optional. Set rate_limit and burst_limit according to the environment.

       [network_log]
       rate_limit = 100
       burst_limit = 25
       local_output_log_base = /var/log/neutron/security_group.log

5. Commit changes to git.

       ardana > cd ~/openstack/ardana/ansible
       ardana > git add -A
       ardana > git commit -m "Enable logging for security groups"

6. Run the configuration processor and ready-deployment playbooks.

       ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
       ardana > ansible-playbook -i hosts/localhost ready-deployment.yml

7. For a cloud that is already deployed, run the neutron-reconfigure.yml playbook or follow the cloud deployment steps.

       ardana > cd ~/scratch/ansible/next/ardana/ansible
       ardana > ansible-playbook -i hosts/verb_hosts neutron-reconfigure.yml

   or

       ardana > ansible-playbook -i hosts/verb_hosts site.yml
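Because a template that misses one of the four edits above (most often the log extension in openvswitch_agent.ini.j2 when qos is already listed) is only noticed after the playbooks have run, it is worth checking the templates before the git commit in step 5. The POSIX shell check below is an added example, not part of this documentation or of the Ardana project: it reads the three templates section by section and reports every missing setting. The sample templates it writes to a temporary directory are constructed for the demonstration, and the function names, the directory layout (all three templates in one directory) and the "bad" case are assumptions.

```shell
#!/bin/sh
# Added example (not Ardana/SUSE code): pre-commit check that the Neutron
# templates carry every setting required for OVS security-group logging.
# Assumes ml2_conf.ini.j2, neutron.conf.j2 and openvswitch_agent.ini.j2
# live in one directory, e.g. ~/openstack/my_cloud/config/neutron.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] (first match).
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
                      insec = (line == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }
    ' "$1"
}

# csv_has VALUE ITEM: succeed when ITEM is one of VALUE's comma-separated entries
# (whitespace stripped, so "{{ neutron_service_plugins }},log" contains "log").
csv_has() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# check_sg_logging_config DIR: return 0 when every required setting is present,
# 1 otherwise; one line per missing item so the skipped step is obvious.
check_sg_logging_config() {
    dir=$1 rc=0
    drv=$(ini_get "$dir/ml2_conf.ini.j2" securitygroup firewall_driver)
    [ "$drv" = openvswitch ] \
        || { echo "ml2_conf.ini.j2: firewall_driver is '$drv', need openvswitch"; rc=1; }
    csv_has "$(ini_get "$dir/neutron.conf.j2" DEFAULT service_plugins)" log \
        || { echo "neutron.conf.j2: 'log' missing from service_plugins"; rc=1; }
    csv_has "$(ini_get "$dir/ml2_conf.ini.j2" agent extensions)" log \
        || { echo "ml2_conf.ini.j2: 'log' missing from [agent] extensions"; rc=1; }
    csv_has "$(ini_get "$dir/openvswitch_agent.ini.j2" agent extensions)" log \
        || { echo "openvswitch_agent.ini.j2: 'log' missing from [agent] extensions"; rc=1; }
    for k in rate_limit burst_limit; do
        [ -n "$(ini_get "$dir/openvswitch_agent.ini.j2" network_log "$k")" ] \
            || { echo "openvswitch_agent.ini.j2: [network_log] $k not set"; rc=1; }
    done
    return "$rc"
}

# Constructed sample templates: "good" follows the procedure; "bad" skips the
# openvswitch_agent.ini.j2 step and keeps only the existing qos extension.
SG_GOOD_DIR=$(mktemp -d); SG_BAD_DIR=$(mktemp -d)
trap 'rm -rf "$SG_GOOD_DIR" "$SG_BAD_DIR"' EXIT
for d in "$SG_GOOD_DIR" "$SG_BAD_DIR"; do
    cat > "$d/ml2_conf.ini.j2" <<'EOF'
[securitygroup]
firewall_driver = openvswitch

[agent]
extensions = log
EOF
    cat > "$d/neutron.conf.j2" <<'EOF'
[DEFAULT]
service_plugins = {{ neutron_service_plugins }},log
EOF
done
cat > "$SG_GOOD_DIR/openvswitch_agent.ini.j2" <<'EOF'
[agent]
extensions = qos,log

[network_log]
rate_limit = 100
burst_limit = 25
local_output_log_base = /var/log/neutron/security_group.log
EOF
cat > "$SG_BAD_DIR/openvswitch_agent.ini.j2" <<'EOF'
[agent]
extensions = qos

[network_log]
rate_limit = 100
burst_limit = 25
EOF

check_sg_logging_config "$SG_GOOD_DIR" && echo "good: all security-group logging settings present"
check_sg_logging_config "$SG_BAD_DIR" || echo "bad: rejected as expected"
```

Point check_sg_logging_config at the real template directory to run it against your own configuration; a non-zero exit with the printed findings tells you which of steps 1 to 4 is still missing.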
We recommend enabling logging for securitygroup and OVS-based firewall features during deployment.

After deployment, Network Security Group logging can be enabled with the following OpenStackClient commands:

    ardana > source ~/service.osrc
    ardana > openstack network loggable resources list
    +-----------------+
    | Supported types |
    +-----------------+
    | security_group  |
    +-----------------+
    ardana > openstack network log create --resource-type security_group \
      --event ALL --enable sg_log_admin
    ardana > openstack network log show sg_log_admin
    +-----------------+--------------------------------------+
    | Field           | Value                                |
    +-----------------+--------------------------------------+
    | Description     |                                      |
    | Enabled         | True                                 |
    | Event           | ALL                                  |
    | ID              | c9e7b763-3013-4a40-b697-c18f7cb9d588 |
    | Name            | sg_log_admin                         |
    | Resource        | None                                 |
    | Target          | None                                 |
    | Type            | security_group                       |
    | created_at      | 2019-04-26T15:17:43Z                 |
    | revision_number | 0                                    |
    | updated_at      | 2019-04-26T15:17:43Z                 |
    +-----------------+--------------------------------------+