This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Applies to SUSE OpenStack Cloud 9

6 Enabling Network Security Group Logging

By default, the securitygroup service uses an iptables-based firewall driver. This section describes how to enable Network Security Group logging with the Open vSwitch (OVS) firewall driver.

As a prerequisite, the system configuration must specify the native OVS firewall driver. Under [securitygroup] in ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2, change the firewall driver to firewall_driver = openvswitch.

Use the following steps to enable logging for securitygroup.

  1. Add log as a service_plugin in ~/openstack/my_cloud/config/neutron/neutron.conf.j2.

    service_plugins = {{ neutron_service_plugins }},log
  2. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/ml2_conf.ini.j2.

    [agent]
    extensions = log
  3. Add the log extension in the agent section of ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. If other extensions are already configured (such as qos), append log to the existing comma-separated list instead of replacing it; otherwise the other extension will stop working.

    [agent]
    extensions = log
  4. Configure the network_log section in ~/openstack/my_cloud/config/neutron/openvswitch_agent.ini.j2. Using a custom output log file (local_output_log_base) is optional; if one is configured, rotation of that log file must be handled manually. Set rate_limit and burst_limit according to the environment.

    [network_log]
    rate_limit = 100
    burst_limit = 25
    local_output_log_base = /var/log/neutron/security_group.log
  5. Commit changes to git.

    ardana > cd ~/openstack/ardana/ansible/
    ardana > git add -A
    ardana > git commit -m "Enable logging for security groups"
  6. Run the configuration processor and ready-deployment playbooks.

    ardana > ansible-playbook -i hosts/localhost config-processor-run.yml
    ardana > ansible-playbook -i hosts/localhost ready-deployment.yml
  7. For a cloud that is already deployed, run the neutron-reconfigure.yml playbook or follow cloud deployment steps.

    ardana > cd ~/scratch/ansible/next/ardana/ansible/
    ardana > ansible-playbook -i hosts/verb_hosts neutron-reconfigure.yml
    or
    ardana > ansible-playbook -i hosts/verb_hosts site.yml
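As an added example (not part of the SUSE documentation or the Ardana tooling), the following Python script checks that the template edits from steps 1 to 4 are present before the playbooks are run, including the comma-separated extensions case from step 3. The sample template contents, the file-name keys and the assumption that service_plugins lives under [DEFAULT] in neutron.conf.j2 are the example's own.

```python
import configparser
from typing import Dict, List

# Constructed sample contents for the .j2 templates edited in steps 1 to 4 (hypothetical).
# openvswitch_agent.ini.j2 deliberately still lists only qos, the step 3 mistake.
SAMPLE_FILES = {
    "neutron.conf.j2": "[DEFAULT]\nservice_plugins = {{ neutron_service_plugins }},log\n",
    "ml2_conf.ini.j2": "[securitygroup]\nfirewall_driver = openvswitch\n"
                       "[agent]\nextensions = log\n",
    "openvswitch_agent.ini.j2": "[agent]\nextensions = qos\n"
                                "[network_log]\nrate_limit = 100\nburst_limit = 25\n"
                                "local_output_log_base = /var/log/neutron/security_group.log\n",
}

def _load(text: str) -> configparser.ConfigParser:
    # interpolation=None keeps '%' and the Jinja '{{ }}' placeholders untouched
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def _list_has(parser: configparser.ConfigParser, section: str, key: str, item: str) -> bool:
    # extensions and service_plugins are comma-separated lists:
    # 'qos,log' counts as containing 'log', 'qos' alone does not.
    if not parser.has_option(section, key):
        return False
    return item in [v.strip() for v in parser.get(section, key).split(",")]

def check_sg_logging(files: Dict[str, str]) -> List[str]:
    """Return one finding per missing setting; an empty list means all steps are applied."""
    findings: List[str] = []
    neutron = _load(files["neutron.conf.j2"])
    ml2 = _load(files["ml2_conf.ini.j2"])
    ovs = _load(files["openvswitch_agent.ini.j2"])
    if not _list_has(neutron, "DEFAULT", "service_plugins", "log"):
        findings.append("neutron.conf.j2: 'log' missing from service_plugins")
    if ml2.get("securitygroup", "firewall_driver", fallback="") != "openvswitch":
        findings.append("ml2_conf.ini.j2: firewall_driver must be openvswitch")
    for name, parser in (("ml2_conf.ini.j2", ml2), ("openvswitch_agent.ini.j2", ovs)):
        if not _list_has(parser, "agent", "extensions", "log"):
            findings.append(f"{name}: 'log' missing from [agent] extensions")
    for key in ("rate_limit", "burst_limit"):
        value = ovs.get("network_log", key, fallback="")
        if not value.isdigit() or int(value) == 0:
            findings.append(f"openvswitch_agent.ini.j2: [network_log] {key} must be a positive integer")
    return findings

if __name__ == "__main__":
    for line in check_sg_logging(SAMPLE_FILES) or ["OK: security group logging configured"]:
        print(line)
```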
Note

We recommend enabling logging for securitygroup and OVS-based firewall features during deployment.

After deployment, Network Security Group logging can be enabled with the following OpenStackClient commands:

ardana > source ~/service.osrc
ardana > openstack network loggable resources list
+-----------------+
| Supported types |
+-----------------+
| security_group  |
+-----------------+

ardana > openstack network log create --resource-type security_group \
--event ALL --enable sg_log_admin
ardana > openstack network log show sg_log_admin
+-----------------+--------------------------------------+
| Field           | Value                                |
+-----------------+--------------------------------------+
| Description     |                                      |
| Enabled         | True                                 |
| Event           | ALL                                  |
| ID              | c9e7b763-3013-4a40-b697-c18f7cb9d588 |
| Name            | sg_log_admin                         |
| Resource        | None                                 |
| Target          | None                                 |
| Type            | security_group                       |
| created_at      | 2019-04-26T15:17:43Z                 |
| revision_number | 0                                    |
| updated_at      | 2019-04-26T15:17:43Z                 |
+-----------------+--------------------------------------+