The request is to have a log file where security group events are logged, to be consumed by the security department, like any other commercial firewall vendor has. The customer wants a way to check if an instance is trying to execute restricted operations or access restricted ports on remote servers. Logs could be configured to log all events (accepts & denies) or only denies. The best way to log these events is to use the same format as iptables, because this format is recognized by almost every log correlation tool. Auditing the firewall logs is a requirement from PCI to consider a system PCI compliant. This request is based on this blueprint: https://blueprints.launchpad.net/neutron/+spec/security-group-logging

Use Case
In case of attack, security tools use this kind of log to detect the attack and to find patterns in the log to block it. It is also useful for auditing, troubleshooting and monitoring.
I added links to the RFE launchpad bug, spec and blueprint.
This RFE was not internally prioritized for OSP 12. The upstream spec has not yet merged, which means that this will not merge for Pike. Retargeting for 13 for now.
*** Bug 1465262 has been marked as a duplicate of this bug. ***
Hi Assaf,

As bug 1465262 was CLOSED as a duplicate of this bug, I comment here.

Fujitsu finished their patch set for the security group logging feature itself, please see below.
https://review.openstack.org/#/q/(topic:bug/1468366+OR+topic:bp/security-group-logging)++NOT+label:Workflow-1+NOT+status:abandoned

You might wonder why Fujitsu thinks so, as the patches below, which were included in the original patch set, are not merged yet.

[Patches]
https://review.openstack.org/#/c/534616/
https://review.openstack.org/#/c/530070/

[Original patch set]
https://review.openstack.org/#/q/topic:bug/1468366+NOT+status:abandoned

These patches are for tests. Therefore, from Fujitsu's point of view, it's OK for them not to be merged in the Queens cycle. Fujitsu's target for these patches is the Rocky cycle now.

As above, Fujitsu thinks they have finished their development for security group logging in the Queens cycle.

Best regards,
Yasuyuki
Hi Assaf, Nir,

Let me add one comment on the patch below, which is listed in the security-group-logging topic and was first posted on Feb. 26 and merged on Mar. 8.

Make log extension more generic
https://review.openstack.org/#/c/548136/

As the commit message below says, this patch is for security group logging using iptables, which is not supported yet. FJ worked on this patch as future work to make security group logging using iptables supported. Security group logging using the ovs agent, which is supported, works without this patch.

--------------------
Currently, log extension is only compatible with ovs agent [1]. In order to support security group logging based iptables, this patch will make log extension compatible with linuxbridge agent, too.
[1] https://bugs.launchpad.net/neutron/+bug/1743463
--------------------

In this sense, as I wrote in comment#16, FJ's work on security group logging for Queens finished at that point.

Best regards,
Yasuyuki
Hi Nir, Assaf, Yoshiki,

We tested this feature with ML2/OVS + OVS firewall driver using OSP13. However, we found the logs were not recorded. Our upstream developer identified that this is related to the patch below. According to him, after the patch, packets were not forwarded to OVS tables No. 91 and 92.
https://review.openstack.org/#/c/550421

Then, he posted the patches below, and those patches were merged in the master branch. I confirmed that after applying these patches, this feature worked as expected using OSP13 (Puddle 2018-07-13.1).
https://review.openstack.org/#/c/587681
https://review.openstack.org/#/c/587770

Now, our engineers are working to backport these patches to the stable/queens branch. Could you please backport these patches into OSP13 so that we can use this feature in OSP13?

Best regards,
Yasuyuki
Hi Nir,

Could you please review Yasuyuki's comment above and share your view on this? The code for this feature itself got merged and is available on OSP13, but there was a bug which interferes with the expected behavior... So Fujitsu needs to request backporting this.

1. AFAICS, Fujitsu got the following upstream work done.
https://review.openstack.org/#/c/591545/ ---> backport of https://review.openstack.org/#/c/587770/

2. And I couldn't see progress for the following in queens
https://review.openstack.org/#/c/587681
So I may need to ask Fujitsu about the current status of this 2nd one.

I believe that we could ship it in the OSP feature z3 or a later release once the backporting of the 2nd item to stable/queens gets done upstream, and Fujitsu will be able to do testing using OSP13 code which includes the required fixes.

Is my - and Yasuyuki's - understanding correct?

Best Regards,
Yoshiki
Hi Nir, Yoshiki,

I believe the commit below is the backport of the 2nd patch.
https://review.openstack.org/#/c/591545/

Best regards,
Yasuyuki
Hi Yasuyuki,

Thank you for your input. And I confirmed your comment on BZ#1621429 as well. According to your comment on BZ#1621429 [1], you already suggested to Brian to get those fixes included into OSP13 on that BZ. So we'd better discuss this on the BZ, right?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1621429#c5

Correct me if my understanding is incorrect.

Best,
Yoshiki
Hi Nir, Assaf,

Just FYI, we got the following input from Fujitsu.

--------
Patches that should be applied to OSP13 are below.

1. Fix no ACCEPT event can get for security group logging
   master: https://review.openstack.org/#/c/587681/
   queens: https://review.openstack.org/#/c/591547/

2. Fix no packet log data when debug is set False in configuration
   master: https://review.openstack.org/#/c/587770/
   queens: https://review.openstack.org/#/c/591545/
--------
Hi Nir, Assaf, Yoshiki,

I confirmed security group logging works as expected with openstack-neutron-12.0.4-2.el7ost.

[Test environment]
Puddle: 2018-11-07.3
- rhosp-director-images-13.0-20181107.1.el7ost.noarch
- Container image tag: rhosp13/2018-11-05.3

[Test result]
Security group logging works as expected as below.
- traffic allowed in the security group is logged with ACCEPT.
- traffic NOT allowed in the security group is logged with DROP.

========================================================
(overcloud) [stack@osp13dr ~]$ openstack server create --volume vol-testsrv1 --flavor m1.xsmall --security-group sec-grp-yaskobay --key-name yaskobay --nic net-id=34441b44-886a-47f1-bc44-61a8d81204d6 testsrv1
(overcloud) [stack@osp13dr ~]$ openstack server create --volume vol-testsrv2 --flavor m1.xsmall --security-group sec-grp-yaskobay --key-name yaskobay --nic net-id=34441b44-886a-47f1-bc44-61a8d81204d6 testsrv2

(overcloud) [stack@osp13dr ~]$ openstack network loggable resources list
+-----------------+
| Supported types |
+-----------------+
| security_group  |
+-----------------+
(overcloud) [stack@osp13dr ~]$

(overcloud) [stack@osp13dr ~]$ openstack network log create --resource-type security_group --description "Collecting all security events in project demo" --enable --event ALL Log_Created
+-----------------+------------------------------------------------+
| Field           | Value                                          |
+-----------------+------------------------------------------------+
| Description     | Collecting all security events in project demo |
| Enabled         | True                                           |
| Event           | ALL                                            |
| ID              | 013d7b6b-8aea-4ec1-a5a6-8a6acf183819           |
| Name            | Log_Created                                    |
| Project         | d23e21c7dee641aa84c0daf837f4f035               |
| Resource        | None                                           |
| Target          | None                                           |
| Type            | security_group                                 |
| created_at      | 2018-11-15T17:28:38Z                           |
| revision_number | 0                                              |
| tenant_id       | d23e21c7dee641aa84c0daf837f4f035               |
| updated_at      | 2018-11-15T17:28:38Z                           |
+-----------------+------------------------------------------------+
(overcloud) [stack@osp13dr ~]$

(overcloud) [stack@osp13dr ~]$ openstack server list --host overcloud-compute-0.localdomain
+--------------------------------------+----------+--------+-----------------+-------+-----------+
| ID                                   | Name     | Status | Networks        | Image | Flavor    |
+--------------------------------------+----------+--------+-----------------+-------+-----------+
| 2a2dcbc5-2a52-4b8c-aaab-9fb24a1a0eaa | testsrv1 | ACTIVE | net1=10.10.1.10 |       | m1.xsmall |
+--------------------------------------+----------+--------+-----------------+-------+-----------+
(overcloud) [stack@osp13dr ~]$ openstack server list --host overcloud-compute-1.localdomain
+--------------------------------------+----------+--------+----------------------------------+-------+-----------+
| ID                                   | Name     | Status | Networks                         | Image | Flavor    |
+--------------------------------------+----------+--------+----------------------------------+-------+-----------+
| 29e43540-f663-47a0-88d7-03bc36f917ef | testsrv2 | ACTIVE | net1=10.10.1.3                   |       | m1.xsmall |
| 39ec053e-89a7-4711-91db-3588cb382b6e | Server1  | ACTIVE | net1=10.10.1.13, 192.168.110.117 |       | m1.xsmall |
+--------------------------------------+----------+--------+----------------------------------+-------+-----------+
(overcloud) [stack@osp13dr ~]$

(overcloud) [stack@osp13dr ~]$ openstack security group rule list sec-grp-yaskobay
+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 0df69605-6b84-41bd-800d-e6e42bf5fddd | icmp        | 0.0.0.0/0 |            | None                  |
| 14d110e5-56dc-4f81-977b-9316be34a6cd | None        | None      |            | None                  |
| 5e262cfb-931d-4ef9-978b-b553ce09a0d7 | tcp         | 0.0.0.0/0 | 22:22      | None                  |
| e0925720-62a6-405b-adbf-d108725a4fe5 | None        | None      |            | None                  |
+--------------------------------------+-------------+-----------+------------+-----------------------+
(overcloud) [stack@osp13dr ~]$

(overcloud) [stack@osp13dr ~]$ ssh -i yaskobay.pem cloud-user@192.168.110.117
Last login: Wed Nov 14 22:51:43 2018 from 192.168.110.10
[cloud-user@server1 ~]$ ssh -i yaskobay.pem cloud-user@10.10.1.3
[cloud-user@testsrv2 ~]$
[cloud-user@testsrv2 ~]$ ping 10.10.1.10 | while read pong; do echo "$(date): $pong"; done
Thu Nov 15 12:31:29 EST 2018: PING 10.10.1.10 (10.10.1.10) 56(84) bytes of data.
Thu Nov 15 12:31:29 EST 2018: 64 bytes from 10.10.1.10: icmp_seq=1 ttl=64 time=10.3 ms
^C
[cloud-user@testsrv2 ~]$

[root@overcloud-compute-0 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:30:36.995 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:5b:89:27',ethertype=2048,src='fa:16:3e:a0:e6:3d'), ipv4(csum=51643,dst='10.10.1.2',flags=2,header_length=5,identification=23234,offset=0,option=None,proto=17,src='10.10.1.10',tos=0,total_length=80,ttl=64,version=4), udp(csum=63408,dst_port=53,src_port=33804,total_length=60), '\xc3\xc0\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x013\x04rhel\x04pool\x03ntp\x03org\x0eopenstacklocal\x00\x00\x1c\x00\x01'
2018-11-15 12:31:29.385 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=28608,dst='10.10.1.10',flags=2,header_length=5,identification=46280,offset=0,option=None,proto=1,src='10.10.1.3',tos=0,total_length=84,ttl=64,version=4), icmp(code=0,csum=16398,data=echo(data='q\xad\xed[\x00\x00\x00\x00\x89p\x04\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567',id=3236,seq=1),type=8)
[root@overcloud-compute-0 ~]#

[root@overcloud-compute-1 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:30:53.130 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:5b:89:27',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=22337,dst='10.10.1.2',flags=2,header_length=5,identification=52547,offset=0,option=None,proto=17,src='10.10.1.3',tos=0,total_length=80,ttl=64,version=4), udp(csum=8581,dst_port=53,src_port=44657,total_length=60), 'o\x8e\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x013\x04rhel\x04pool\x03ntp\x03org\x0eopenstacklocal\x00\x00\x1c\x00\x01'
2018-11-15 12:31:29.384 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=28608,dst='10.10.1.10',flags=2,header_length=5,identification=46280,offset=0,option=None,proto=1,src='10.10.1.3',tos=0,total_length=84,ttl=64,version=4), icmp(code=0,csum=16398,data=echo(data='q\xad\xed[\x00\x00\x00\x00\x89p\x04\x00\x00\x00\x00\x00\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&\'()*+,-./01234567',id=3236,seq=1),type=8)
[root@overcloud-compute-1 ~]#

[cloud-user@testsrv2 ~]$ ssh -i yaskobay.pem cloud-user@10.10.1.10 "curl -s -I -X GET http://10.10.1.10/"
HTTP/1.1 200 OK
Date: Thu, 15 Nov 2018 17:42:01 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Last-Modified: Thu, 15 Nov 2018 17:38:37 GMT
ETag: "c-57ab785512a7b"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html; charset=UTF-8

[cloud-user@testsrv2 ~]$
[cloud-user@testsrv2 ~]$ date; curl -s -I -X GET http://10.10.1.10
Thu Nov 15 12:44:07 EST 2018
^C
[cloud-user@testsrv2 ~]$

[root@overcloud-compute-0 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:44:07.926 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24338,dst='10.10.1.10',flags=2,header_length=5,identification=50569,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=21059,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=952395), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
2018-11-15 12:44:08.926 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24337,dst='10.10.1.10',flags=2,header_length=5,identification=50570,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=20058,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=953396), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
[root@overcloud-compute-0 ~]#

[root@overcloud-compute-1 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:44:07.925 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24338,dst='10.10.1.10',flags=2,header_length=5,identification=50569,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=21059,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=952395), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
2018-11-15 12:44:08.926 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24337,dst='10.10.1.10',flags=2,header_length=5,identification=50570,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=20058,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=953396), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
[root@overcloud-compute-1 ~]#

(overcloud) [stack@osp13dr ~]$ openstack security group rule create --dst-port 80:80 --protocol tcp sec-grp-yaskobay
(overcloud) [stack@osp13dr ~]$ openstack security group rule list sec-grp-yaskobay
+--------------------------------------+-------------+-----------+------------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------------------+
| 0bab44b7-78d7-48d0-9281-c058a5eb2e6a | tcp         | 0.0.0.0/0 | 80:80      | None                  |
| 0df69605-6b84-41bd-800d-e6e42bf5fddd | icmp        | 0.0.0.0/0 |            | None                  |
| 14d110e5-56dc-4f81-977b-9316be34a6cd | None        | None      |            | None                  |
| 5e262cfb-931d-4ef9-978b-b553ce09a0d7 | tcp         | 0.0.0.0/0 | 22:22      | None                  |
| e0925720-62a6-405b-adbf-d108725a4fe5 | None        | None      |            | None                  |
+--------------------------------------+-------------+-----------+------------+-----------------------+
(overcloud) [stack@osp13dr ~]$

(overcloud) [stack@osp13dr ~]$ ssh -i yaskobay.pem cloud-user@192.168.110.117
Last login: Thu Nov 15 12:40:40 2018 from host-10-10-1-13.openstacklocal
[cloud-user@server1 ~]$ ssh -i yaskobay.pem cloud-user@10.10.1.3
Last login: Thu Nov 15 12:40:50 2018 from host-10-10-1-13.openstacklocal
[cloud-user@testsrv2 ~]$ date; curl -s -I -X GET http://10.10.1.10
Thu Nov 15 12:48:16 EST 2018
HTTP/1.1 200 OK
Date: Thu, 15 Nov 2018 17:48:16 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux)
Last-Modified: Thu, 15 Nov 2018 17:38:37 GMT
ETag: "c-57ab785512a7b"
Accept-Ranges: bytes
Content-Length: 12
Content-Type: text/html; charset=UTF-8

[cloud-user@testsrv2 ~]$

[root@overcloud-compute-0 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:44:08.926 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24337,dst='10.10.1.10',flags=2,header_length=5,identification=50570,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=20058,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=953396), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
2018-11-15 12:48:16.942 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=13477,dst='10.10.1.10',flags=2,header_length=5,identification=61430,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=5482,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=1201412), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4163615474,src_port=42490,urgent=0,window_size=28200)
[root@overcloud-compute-0 ~]#

[root@overcloud-compute-1 ~]# tail -n 2 /var/log/containers/neutron/syslog
2018-11-15 12:48:00.877 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:5b:89:27',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=26409,dst='10.10.1.2',flags=2,header_length=5,identification=48479,offset=0,option=None,proto=17,src='10.10.1.3',tos=0,total_length=76,ttl=64,version=4), udp(csum=28774,dst_port=53,src_port=60318,total_length=56), '\xa7/\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0fhost-10-10-1-13\x0eopenstacklocal\x00\x00\x1c\x00\x01'
2018-11-15 12:48:16.941 312151 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=37d9023f-7b71-4356-9212-f8875a36b76b pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=13477,dst='10.10.1.10',flags=2,header_length=5,identification=61430,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=5482,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410), TCPOptionSACKPermitted(kind=4,length=2), TCPOptionTimestamps(kind=8,length=10,ts_ecr=0,ts_val=1201412), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=7)],seq=4163615474,src_port=42490,urgent=0,window_size=28200)
[root@overcloud-compute-1 ~]#
========================================================

Please see the attached security_group_logging_test_result.log for details, including the neutron container's config changes.

Best regards,
Yasuyuki
Created attachment 1506223 [details] test result of security group logging
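The ovs_firewall_log lines in the test result above are what a SIEM would have to ingest, and the original RFE asks for something iptables-like that correlation tools already understand. As an added example that is not part of this bug thread, of Neutron, or of Fujitsu's patches, the Python below parses that line format (timestamp, action, project_id, log_resource_ids, vm_port, then the ipv4 and L4 headers out of pkt=), flags a source whose dropped packets touched several distinct destination ports, and renders an event in an iptables-LOG-style subset (SRC/DST/PROTO/SPT/DPT). The sample log is constructed in the format of the excerpts above; the NEUTRON-SG- prefix, the min_targets threshold and the event-dict field names are my own assumptions.

```python
"""Parse Neutron ovs_firewall_log lines and flag sources with repeated DROPs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Fixed header emitted by neutron.services.logapi.drivers.openvswitch.ovs_firewall_log,
# field order as seen in the OSP13 syslog excerpts in this thread.
_HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \d+ INFO "
    r"neutron\.services\.logapi\.drivers\.openvswitch\.ovs_firewall_log \[-\] "
    r"action=(?P<action>ACCEPT|DROP) project_id=(?P<project>\w+) "
    r"log_resource_ids=\[(?P<logs>[^\]]*)\] vm_port=(?P<vm_port>[\w-]+) pkt=(?P<pkt>.*)$"
)
_IPV4 = re.compile(r"ipv4\(([^)]*)\)")        # the ipv4 header carries no nested parens
_L4 = re.compile(r", (tcp|udp|icmp)\(")       # first L4 header after the ipv4 header
_KV = re.compile(r"(\w+)=('?)([^,')]*)\2")    # key=value or key='value' inside a header
_PORT = re.compile(r"\b(dst_port|src_port|type)=(\d+)")


def parse_line(line):
    """Return an event dict for one ovs_firewall_log line, or None for any other line."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    ev = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "action": m.group("action"),
        "project_id": m.group("project"),
        "log_ids": re.findall(r"'([^']+)'", m.group("logs")),
        "vm_port": m.group("vm_port"),
        "src": None, "dst": None, "proto": None, "src_port": None, "dst_port": None,
    }
    pkt = m.group("pkt")
    ip = _IPV4.search(pkt)
    if ip:
        fields = {k: v for k, _, v in _KV.findall(ip.group(1))}
        ev["src"], ev["dst"] = fields.get("src"), fields.get("dst")
        l4 = _L4.search(pkt, ip.end())
        if l4:
            ev["proto"] = l4.group(1)
            # tcp/udp expose src_port/dst_port; icmp exposes type (stored as icmp_type)
            for key, val in _PORT.findall(pkt[l4.end():]):
                ev["icmp_type" if key == "type" else key] = int(val)
    return ev


def parse_log(text):
    """Parse a whole syslog excerpt, silently skipping non-firewall-log lines."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def dropped_targets(events):
    """Map source IP -> set of (dst, proto, dst_port) tuples the firewall dropped."""
    targets = defaultdict(set)
    for ev in events:
        if ev["action"] == "DROP" and ev["src"]:
            targets[ev["src"]].add((ev["dst"], ev["proto"], ev["dst_port"]))
    return targets


def port_probe_sources(events, min_targets=3):
    """Sources whose DROPs hit at least min_targets distinct destination/port pairs
    (assumed threshold; a crude port-scan indicator for the use case in the RFE)."""
    return sorted(src for src, t in dropped_targets(events).items() if len(t) >= min_targets)


def to_iptables_style(ev):
    """Render an event as an iptables-LOG-style subset; NEUTRON-SG- prefix is assumed."""
    parts = ["NEUTRON-SG-%s:" % ev["action"], "SRC=%s" % ev["src"], "DST=%s" % ev["dst"],
             "PROTO=%s" % (ev["proto"] or "unknown").upper()]
    if ev["src_port"] is not None:
        parts.append("SPT=%d" % ev["src_port"])
    if ev["dst_port"] is not None:
        parts.append("DPT=%d" % ev["dst_port"])
    if ev.get("icmp_type") is not None:
        parts.append("TYPE=%d" % ev["icmp_type"])
    return " ".join(parts)


# Constructed sample in the format of the thread's syslog excerpts (not real captured data).
SAMPLE_LOG = """\
2018-11-15 12:31:29.385 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=28608,dst='10.10.1.10',flags=2,header_length=5,identification=46280,offset=0,option=None,proto=1,src='10.10.1.3',tos=0,total_length=84,ttl=64,version=4), icmp(code=0,csum=16398,data=echo(data='ping',id=3236,seq=1),type=8)
2018-11-15 12:44:07.926 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24338,dst='10.10.1.10',flags=2,header_length=5,identification=50569,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=21059,dst_port=80,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410)],seq=4114697666,src_port=42488,urgent=0,window_size=28200)
2018-11-15 12:44:09.101 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24300,dst='10.10.1.10',flags=2,header_length=5,identification=50571,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=20001,dst_port=443,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410)],seq=4114697700,src_port=42489,urgent=0,window_size=28200)
2018-11-15 12:44:10.233 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=DROP project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:a0:e6:3d',ethertype=2048,src='fa:16:3e:fb:a1:be'), ipv4(csum=24290,dst='10.10.1.10',flags=2,header_length=5,identification=50572,offset=0,option=None,proto=6,src='10.10.1.3',tos=0,total_length=60,ttl=64,version=4), tcp(ack=0,bits=2,csum=19990,dst_port=8080,offset=10,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1410)],seq=4114697800,src_port=42491,urgent=0,window_size=28200)
2018-11-15 12:44:11.005 309988 INFO neutron.services.logapi.drivers.openvswitch.ovs_firewall_log [-] action=ACCEPT project_id=d23e21c7dee641aa84c0daf837f4f035 log_resource_ids=[u'013d7b6b-8aea-4ec1-a5a6-8a6acf183819'] vm_port=fb8459e0-5479-4260-a9af-11f65f892724 pkt=ethernet(dst='fa:16:3e:5b:89:27',ethertype=2048,src='fa:16:3e:a0:e6:3d'), ipv4(csum=51643,dst='10.10.1.2',flags=2,header_length=5,identification=23234,offset=0,option=None,proto=17,src='10.10.1.10',tos=0,total_length=80,ttl=64,version=4), udp(csum=63408,dst_port=53,src_port=33804,total_length=60), 'dns-query'
2018-11-15 12:44:12.000 309988 INFO neutron.agent.securitygroups_rpc [-] Security group member updated (unrelated line, ignored)
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(to_iptables_style(e))
    print("port-probe suspects:", port_probe_sources(evs))
```

Because the DROP is logged on the destination VM's compute node while the same SYN is logged as ACCEPT on the source VM's node (see the compute-0 versus compute-1 excerpts above), a detection rule of this kind should key on the DROP events only and treat the ACCEPT egress record as context, not as a second hit.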
Hi Nir, Assaf,

As I wrote in C#29, I confirmed that security group logging works as expected with the neutron errata provided by bug 1621429. Would you please consider whether RH can support this feature on OSP13 with the errata?

Best regards,
Yasuyuki
Hi Nir, Assaf,

Any comments about supporting this feature on OSP13 with the errata provided by bug 1621429?

Best regards,
Yasuyuki