documentation.suse.com / Documentation / Security Guide / Enabling Network Security Group Logging
Applies to SUSE OpenStack Cloud 9

6 Enabling Network Security Group Logging

Currently securitygroup uses an iptables-based firewall by default. This section provides information for enabling Open vSwitch (OVS) Network Security Group logging.

As a prerequisite, the system configuration must specify the native OVS firewall driver. Under [securitygroup] in ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2, change the firewall driver to firewall_driver = openvswitch.

Use the following steps to enable logging for securitygroup.

  1. Add log as a service_plugin in ~/openstack/my_cloud/config/neutron/neutron.conf.j2.

    service_plugins = {{ neutron_service_plugins }},log
  2. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2.

    [agent]
    extensions = log
  3. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If other extensions are configured (such as qos), the log extension must be added manually or the functionality of the other extension will break.

    [agent]
    extensions = log
  4. Configure the network_log section in ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. Using a custom output log file is optional; if one is configured, log file rotation must be done manually. Set rate_limit and burst_limit according to the environment.

    [network_log]
    rate_limit = 100
    burst_limit = 25
    local_output_log_base = /var/log/neutron/security_group.log
  5. Commit changes to git.

    ardana > cd ~/openstack/ardana/ansible/
    ardana > git add -A
    ardana > git commit -m "Enable logging for security groups"
  6. Run configuration processor and ready deployment playbooks.

    ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
    ardana > ansible-playbook -i hosts/localhost ready-deployment.yml
  7. For a cloud that is already deployed, run the neutron-reconfigure.yml playbook or follow cloud deployment steps.

    ardana > cd ~/scratch/ansible/next/ardana/ansible/
    ardana > ansible-playbook -i hosts/verb_hosts neutron-reconfigure.yml
    or
    ardana > ansible-playbook -i hosts/verb_hosts site.yml
Note

We recommend enabling logging for securitygroup and OVS-based firewall features during deployment.
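Before committing the changes in step 5, it is easy to miss one of the three files, in particular the openvswitch_agent.ini.j2 extensions line when qos is already configured (step 3). The following check is an added example, not part of the SUSE documentation: it parses the three templates as INI files and reports every setting from the steps above that is missing. It assumes the templates contain only simple {{ jinja }} value substitutions (lines starting with {% are skipped) and uses constructed sample file contents in place of the real files.

```python
"""Check the Neutron templates for the security group logging settings."""
import configparser
from typing import Dict, List

# Constructed sample contents standing in for the three .j2 files.
SAMPLE_FILES: Dict[str, str] = {
    "neutron.conf.j2": "[DEFAULT]\nservice_plugins = {{ neutron_service_plugins }},log\n",
    "ml2_conf.ini.j2": "[securitygroup]\nfirewall_driver = openvswitch\n"
                       "[agent]\nextensions = log\n",
    "openvswitch_agent.ini.j2": "[agent]\nextensions = qos\n"  # 'log' not added
                                "[network_log]\nrate_limit = 100\nburst_limit = 25\n",
}


def parse_template(text: str) -> configparser.ConfigParser:
    """Parse a .j2 INI template, skipping Jinja block statements ({% ... %})."""
    lines = [ln for ln in text.splitlines() if not ln.lstrip().startswith("{%")]
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("\n".join(lines))
    return cp


def has_list_item(cp: configparser.ConfigParser, section: str, option: str, item: str) -> bool:
    """True if the comma-separated option contains item (e.g. extensions = qos,log)."""
    if not cp.has_option(section, option):
        return False
    return item in [v.strip() for v in cp.get(section, option).split(",")]


def check_sg_logging(files: Dict[str, str]) -> List[str]:
    """Return the missing settings; an empty list means every step is in place."""
    problems: List[str] = []
    neutron = parse_template(files["neutron.conf.j2"])
    ml2 = parse_template(files["ml2_conf.ini.j2"])
    ovs = parse_template(files["openvswitch_agent.ini.j2"])
    # Prerequisite: native OVS firewall driver.
    if not (ml2.has_option("securitygroup", "firewall_driver")
            and ml2.get("securitygroup", "firewall_driver").strip() == "openvswitch"):
        problems.append("ml2_conf.ini.j2: [securitygroup] firewall_driver must be openvswitch")
    if not has_list_item(neutron, "DEFAULT", "service_plugins", "log"):   # step 1
        problems.append("neutron.conf.j2: service_plugins lacks 'log'")
    for name, cp in (("ml2_conf.ini.j2", ml2), ("openvswitch_agent.ini.j2", ovs)):
        if not has_list_item(cp, "agent", "extensions", "log"):          # steps 2 and 3
            problems.append(f"{name}: [agent] extensions lacks 'log'")
    for opt in ("rate_limit", "burst_limit"):                             # step 4
        if not ovs.has_option("network_log", opt):
            problems.append(f"openvswitch_agent.ini.j2: [network_log] {opt} not set")
    return problems


if __name__ == "__main__":
    for problem in check_sg_logging(SAMPLE_FILES):
        print(problem)
```

Replace SAMPLE_FILES with the contents read from ~/openstack/my_cloud/config/neutron/ to check a real configuration before step 5.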

After deployment, Network Security Group logging can be enabled with the following OpenStackClient commands:

ardana > source ~/service.osrc
ardana > openstack network loggable resources list

+-----------------+
| Supported types |
+-----------------+
| security_group  |
+-----------------+


ardana > openstack network log create --resource-type security_group \
--event ALL --enable sg_log_admin
ardana > openstack network log show sg_log_admin

+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| Description     |                                      |
| Enabled         | True                                 |
| Event           | ALL                                  |
| ID              | c9e7b763-3013-4a40-b697-c18f7cb9d588 |
| Name            | sg_log_admin                         |
| Resource        | None                                 |
| Target          | None                                 |
| Type            | security_group                       |
| created_at      | 2019-04-26T15:17:43Z                 |
| revision_number | 0                                    |
| updated_at      | 2019-04-26T15:17:43Z                 |
+-----------------+--------------------------------------+