Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / Documentation / Security Guide / Enabling Network Security Group Logging
Applies to SUSE OpenStack Cloud 9

6 Enabling Network Security Group Logging

  

Currently securitygroup uses an iptables-based firewall by default. This section provides information for enabling Open vSwitch (OVS) Network Security Group logging.

As a prerequisite, the system configuration must specify the native OVS firewall driver. Under [securitygroup] in ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2, change the firewall driver to firewall_driver = openvswitch.

Use the following steps to enable logging for securitygroup.

  1. Add log as a service_plugin in ~/openstack/my_cloud/config/neutron/neutron.conf.j2. 

    service_plugins = {{ neutron_service_plugins }},log

  2. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2. 

    [agent]
extensions = log

  3. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If other extensions are configured (such as qos), the log extension must be added manually or the functionality of the other extension will break. 

    [agent]
extensions = log

  4. Configure the network_log section in ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If a custom file is configured to use for output logs, log file rotation must be done manually. Using a custom log file is optional. Set rate_limit and burst_limit according to the environment. 

    [network_log]
rate_limit = 100
burst_limit = 25
local_output_log_base = /var/log/neutron/security_group.log

  5. Commit changes to git. 

    ardana > cd ~/openstack/ardana/ansible/
ardana > git add -A
ardana > git commit -m "Enable logging for security groups"

  6. Run configuration processor and ready deployment playbooks. 

    ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
ardana > ansible-playbook -i hosts/localhost ready-deployment.yml

  7. For a cloud that is already deployed, run the neutron-reconfigure.yml playbook or follow cloud deployment steps. 

    ardana > cd ~/scratch/ansible/next/ardana/ansible/
ardana > ansible-playbook -i hosts/verb_hosts neutron-reconfigure.yml
or
ardana > ansible-playbook -i hosts/verb_hosts site.yml
Note
Note

We recommend enabling logging for securitygroup and OSV-based firewall features during deployment.

After deployment, Network Security Group logging can be enabled with the following OpenStackClient commands: 

ardana > source ~/service.osrc
ardana > openstack network loggable resources list

+-----------------+

| Supported types |

+-----------------+

| security_group  |

+-----------------+


ardana > openstack network log create --resource-type security_group \
--event ALL --enable sg_log_admin
ardana > openstack network log show sg_log_admin

+-----------------+--------------------------------------+

| Field           | Value                                |

+-----------------+--------------------------------------+

| Description     |                                      |

| Enabled         | True                                 |

| Event           | ALL                                  |

| ID              | c9e7b763-3013-4a40-b697-c18f7cb9d588 |

| Name            | sg_log_admin                         |

| Resource        | None                                 |

| Target          | None                                 |

| Type            | security_group                       |

| created_at      | 2019-04-26T15:17:43Z                 |

| revision_number | 0                                    |

| updated_at      | 2019-04-26T15:17:43Z                 |

+-----------------+--------------------------------------+