
Chapter 8. Logging security group actions


You can create packet logs for security groups to monitor traffic flows in and out of virtual machine (VM) instances in Red Hat OpenStack Services on OpenShift (RHOSO) environments. Each log stores data about packet flow events and appends it to a common log file on the instance’s Compute host.

You can associate any instance port with one or more security groups and define one or more rules for each security group. For example, you can create a rule to allow inbound SSH traffic to any virtual machine in a security group. You can create another rule in the same security group to allow virtual machines in that group to initiate and respond to ICMP (ping) messages.

Then you can create logs to record combinations of packet flow events. For example, the following command creates a log to capture all ACCEPT events in the security group, security-group1.

$ openstack network log create my-log1 \
--resource-type security_group \
--resource security-group1 \
--event ACCEPT

You can create multiple logs to capture data about specific combinations of security groups and packet flow events.

You can configure the following parameters:

--resource-type
You must set this required parameter to security_group.
--resource <security_group_name|security_group_ID>
Optional: limit the log to a specific security group. If you do not specify a resource, the log will capture events from all security groups on the specified ports in the project.
--target <port_ID|port_name>
Optional: limit the log to a specific port in the security group. If you do not specify a target, the log will capture events from all ports in the security group in the project.
--event (types of events to log)

You can choose to log the following packet flow events:

  • DROP: Log one DROP log entry for each incoming or outgoing session that is dropped.

    Note

    If you log dropped traffic on one or more security groups, the Networking service logs dropped traffic on all security groups.

  • ACCEPT: Log one ACCEPT log entry for each new session that is allowed by the security group.
  • ALL (drop and accept): Log all DROP and ACCEPT events. If you do not set --event ACCEPT or --event DROP, the Networking service defaults to ALL.
Note

The Networking service writes all log data to the same file on every Compute node: /var/log/containers/openvswitch/ovn-controller.log.

This section contains the following topics:

8.1. Verifying that security group logging is enabled

To prepare your Red Hat OpenStack Services on OpenShift (RHOSO) environment for network packet logging, ensure that the Networking service (neutron) has loaded the logging service plug-in and the logging extension.

Prerequisites

  • You have the oc command line tool installed on your workstation.
  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.

Procedure

  1. Access the remote shell for the OpenStackClient pod from your workstation:

    $ oc rsh -n openstack openstackclient
  2. Enter the following command:

    $ openstack extension list --network --max-width=72 | grep logging

    If the Networking service has loaded the logging service plug-in and extension, the output includes the following:

    | Logging API          | logging              | Provides a logging API |
  3. If the openstack extension list output does not include the Logging API Extension, update the control plane:

    1. Create a YAML file and add the following content:

      apiVersion: core.openstack.org/v1beta1
      kind: OpenStackControlPlane
      metadata:
        name: openstack-control-plane
      spec:
        neutron:
          template:
            customServiceConfig: |
              [DEFAULT]
              service_plugins=log
    2. Apply the updated OpenStackControlPlane CR configuration:

      $ oc apply -f <control_plane_update.yaml>
      • Replace <control_plane_update.yaml> with the name of the YAML file that contains your update.
  4. Wait until RHOCP creates the resources related to the OpenStackControlPlane CR. Check the status of the control plane deployment:

    $ oc get openstackcontrolplane -n openstack
    Sample output
    NAME                      STATUS    MESSAGE
    openstack-control-plane   Unknown   Setup started

    The OpenStackControlPlane resources are created when the status is "Setup complete".

    Tip

    Append the -w option to the get command to track deployment progress.

Verification

  • Confirm that the Networking service has successfully loaded the Logging API Extension by repeating the openstack extension list command from the procedure.

8.2. Creating log objects for security groups

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you create log objects with the resource type security_group.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • You have created security groups.
  • You have created security group rules for the security groups.
  • You have assigned ports to the security groups.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Create a log by using the openstack network log create command with the appropriate set of arguments.

    Example 1: Log ACCEPT events from the security group sg1 on all ports
    $ openstack network log create my-log1 \
    --resource-type security_group \
    --resource sg1 \
    --event ACCEPT
    Example 2: Log ACCEPT events from all security groups on all ports
    $ openstack network log create my-log3 \
    --resource-type security_group \
    --event ACCEPT

Verification

  • Confirm that the log was created:

    $ openstack network log list

8.3. Listing and viewing log objects for security groups

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you can list and view security group log objects.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • You have created security groups.
  • You have created security group rules for the security groups.
  • You have assigned ports to the security groups.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. To list all log objects in a project:

    $ openstack network log list
  3. To view details of a log object:

    $ openstack network log show <log_object_name>
    • Replace <log_object_name> with the name of the log object.

8.4. Enabling and disabling log objects for security groups

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, when you create a log object, it is enabled by default. You can disable or enable a log object.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • You have created security groups.
  • You have created security group rules for the security groups.
  • You have assigned ports to the security groups.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. To disable a log object, enter the following command:

    $ openstack network log set --disable <log_object_name>
    • Replace <log_object_name> with the name of the log object.
  3. To enable a log object, enter the following command:

    $ openstack network log set --enable <log_object_name>
    • Replace <log_object_name> with the name of the log object.

8.5. Renaming a log object for security groups

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you can change the name of a log object.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • You have created security groups.
  • You have created security group rules for the security groups.
  • You have assigned ports to the security groups.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. To rename a log object, enter the following command:

    $ openstack network log set --name <new_log_object_name> <object>
    • Replace <new_log_object_name> with the new name of the log object.
    • Replace <object> with the old name or ID of the log object.

8.6. Deleting a log object for security groups

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, you can delete log objects.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package resides on your workstation.

    $ dnf list installed python-openstackclient
  • You have created security groups.
  • You have created security group rules for the security groups.
  • You have assigned ports to the security groups.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. To delete one or more log objects, enter the following command:

    $ openstack network log delete <log_object_name> [<log_object_name> ...]

    Replace <log_object_name> with the name of the log object to delete. To delete multiple log objects, enter a list of log object names, separated by spaces.

8.7. Accessing security group log content

The Red Hat OpenStack Services on OpenShift (RHOSO) Networking service (neutron) aggregates security group logs from all instances on a Compute node in one location: /var/log/containers/openvswitch/ovn-controller.log.

The log file contains other log objects. Security group log entries include the string acl_log.

8.8. Sample security group log content

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, security group log content includes the following data:

  • A timestamp of the packet flow.
  • A status of the flow: ACCEPT or DROP.
  • An indication of the originator of the flow. For example, which project or log resource generated the events.
  • An identifier of the associated instance interface (Neutron port ID).
  • Layer 2, 3 and 4 information such as MAC, address, port, and protocol.

    Example: logged data from an ACCEPT event
2022-11-30T03:29:12.868Z|00111|acl_log(ovn_pinctrl1)|INFO|name="neutron-bc53f8df-2318-4d08-8e12-89e92b08deec", verdict=allow, severity=info, direction=from-lport: udp,vlan_tci=0x0000,dl_src=fa:16:3e:70:c4:45,dl_dst=fa:16:3e:66:8b:18,nw_src=192.168.100.59,nw_dst=192.168.100.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=68,tp_dst=67
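Because every Compute node appends these entries to one shared ovn-controller.log, a parser that pulls out the verdict, direction and flow fields is the first step toward alerting on dropped sessions. The following added example is not from the Red Hat documentation; it parses lines in the acl_log layout shown above over a constructed sample (the two verdict=drop lines are hypothetical) and counts drops per source IP and destination port.

```python
import re
from collections import Counter

# Constructed sample of ovn-controller.log lines in the acl_log layout above;
# the two verdict=drop lines are hypothetical and the last line is unrelated noise.
SAMPLE_LOG = """\
2022-11-30T03:29:12.868Z|00111|acl_log(ovn_pinctrl1)|INFO|name="neutron-bc53f8df-2318-4d08-8e12-89e92b08deec", verdict=allow, severity=info, direction=from-lport: udp,vlan_tci=0x0000,dl_src=fa:16:3e:70:c4:45,dl_dst=fa:16:3e:66:8b:18,nw_src=192.168.100.59,nw_dst=192.168.100.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=68,tp_dst=67
2022-11-30T03:29:13.001Z|00112|acl_log(ovn_pinctrl1)|INFO|name="neutron-bc53f8df-2318-4d08-8e12-89e92b08deec", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:aa:bb:cc,dl_dst=fa:16:3e:70:c4:45,nw_src=203.0.113.7,nw_dst=192.168.100.59,nw_tos=0,nw_ecn=0,nw_ttl=55,tp_src=40001,tp_dst=22
2022-11-30T03:29:13.100Z|00113|acl_log(ovn_pinctrl1)|INFO|name="neutron-bc53f8df-2318-4d08-8e12-89e92b08deec", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:aa:bb:cc,dl_dst=fa:16:3e:70:c4:45,nw_src=203.0.113.7,nw_dst=192.168.100.59,nw_tos=0,nw_ecn=0,nw_ttl=55,tp_src=40002,tp_dst=3389
2022-11-30T03:29:14.000Z|00114|pinctrl(ovn_pinctrl1)|INFO|unrelated message that must be ignored
"""

# Pipe-separated header, "key=value, ..." pairs, then "<proto>,<flow fields>" after the colon.
ACL_LOG_RE = re.compile(
    r'^(?P<ts>[^|]+)\|\d+\|acl_log\([^)]*\)\|\w+\|'
    r'name="(?P<name>[^"]*)", verdict=(?P<verdict>\w+), '
    r'severity=(?P<severity>\w+), direction=(?P<direction>[\w-]+): '
    r'(?P<proto>\w+),(?P<fields>.*)$'
)

def parse_acl_log_line(line):
    """Return a dict of fields for an acl_log entry, or None for any other line."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    # Flow fields (dl_src, nw_src, tp_dst, ...) are comma-separated key=value pairs.
    for kv in entry.pop("fields").split(","):
        key, _, value = kv.partition("=")
        entry[key] = value
    return entry

def summarize(log_text):
    """Count verdicts and, for drops, the (source IP, destination port) pairs."""
    verdicts = Counter()
    drop_pairs = Counter()
    for line in log_text.splitlines():
        entry = parse_acl_log_line(line)
        if entry is None:
            continue
        verdicts[entry["verdict"]] += 1
        if entry["verdict"] == "drop":
            drop_pairs[(entry["nw_src"], entry["tp_dst"])] += 1
    return verdicts, drop_pairs

if __name__ == "__main__":
    verdicts, drop_pairs = summarize(SAMPLE_LOG)
    print("verdicts:", dict(verdicts))
    for (src, dport), count in drop_pairs.most_common():
        print(f"dropped: src={src} dst_port={dport} sessions={count}")
```

On a real node, feed the output of `grep acl_log /var/log/containers/openvswitch/ovn-controller.log` to summarize() instead of SAMPLE_LOG.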

In Red Hat OpenStack Services on OpenShift (RHOSO) environments, to avoid overwhelming the control plane with the transmission of logging data, the Networking service (neutron) limits the maximum number of packets that it logs per second by using the rate_limit_interval parameter. The default value is 100 packets per second.

When the number of packets the Networking service logs reaches the rate limit, the Networking service queues the excess packets to be logged with the rate_limit_burst parameter. The default value is 25 packets in the log queue.

You can modify the values of these parameters to meet the logging requirements of your networks.

Logging rate and burst limits do not limit control of data traffic. They limit only the transmission of logging data.

Prerequisites

  • You have the oc command line tool installed on your workstation.
  • You are logged on to a workstation that has access to the RHOSO control plane as a user with cluster-admin privileges.
  • The Networking service (neutron) has loaded the logging service plug-in and the logging extension.

    For more information, see Section 8.1, “Verifying that security group logging is enabled”.

Procedure

  1. Create a YAML file and add the following content:

    apiVersion: core.openstack.org/v1beta1
    kind: OpenStackControlPlane
    metadata:
      name: openstack-control-plane
    spec:
      neutron:
        template:
          customServiceConfig: |
            [network_log]
            rate_limit: <logged_packets>
            burst_limit: <queued_packets>
    • Replace <logged_packets> with the maximum number of packets that can be logged per second.
    • Replace <queued_packets> with the maximum number of packets that can be placed in the queue to be logged per second.
  2. Apply the updated OpenStackControlPlane CR configuration:

    $ oc apply -f <control_plane_update.yaml>
    • Replace <control_plane_update.yaml> with the name of the YAML file that contains your update.
  3. Wait until Red Hat OpenShift Container Platform (RHOCP) creates the resources related to the OpenStackControlPlane CR. Check the status of the control plane deployment:

    $ oc get openstackcontrolplane -n openstack
    Sample output
    NAME                      STATUS    MESSAGE
    openstack-control-plane   Unknown   Setup started

    The OpenStackControlPlane resources are created when the status is "Setup complete".

    Tip

    Append the -w option to the get command to track deployment progress.

Verification

  • Confirm that your rate and burst configuration changes are updated.

    Create one log object, and verify the meter band entry:

    $ oc rsh -n openstack ovsdbserver-nb-0 ovn-nbctl --no-leader list meter-band
    _uuid               : 721334bc-8e45-417a-a523-9e4d56dd97c3
    action              : drop
    burst_size          : 55
    external_ids        : {}
    rate                : 132
© 2026 Red Hat