
    • devex docs #206 Aug 19-Sep 9
    • 3
    • Undefined

      Documentation use cases:

      • As a customer reviewing the release notes, I need to quickly understand the name and purpose of this enhancement.
      • As a cluster administrator searching for instructions, I need to clearly understand when, why, and how to collect OVN audit logs.

      Here's an overview that will appear in both the release note and procedure topic.

      • Logs from "/ovn/acl-audit-log.log" are forwarded through the "audit" pipeline.
      • Log entries populate the hostname field with the node from which the log originated.
      • Log entries populate the level field.
      • Log entries populate the timestamp field.

      Procedures:

      • How to enable/configure this functionality.
        To configure this functionality, follow these steps:
        1) Create an OCP cluster >= 4.8 version with networkType: OVNKubernetes
        2) Deploy CLO
        3) Enable audit logs in the ClusterLogForwarder.
      • How to verify that this functionality works.
        Fluentd collects OVN logs from the nodes and forwards them to an endpoint such as Elasticsearch. With Elasticsearch, search the
        audit-000001 index to verify that the documents are present. Each document should have the structure shown in the example log event below.
      • How to troubleshoot if it doesn't work.
        Check the node where OVN logs are enabled. The file /var/log/ovn/acl-audit-log.log should exist there. If the file is present,
        check the logs of the corresponding Fluentd pod for troubleshooting.

      References:

      • Add this new collection source to any lists of collection sources.

      Example log event received at output:

      {
        "@timestamp" : "2021-07-06T08:26:58.687000+00:00",
        "hostname":"ip.abc.iternal",
        "level":"info",
        "message" : "2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|name=\"verify-audit-logging_deny-all\", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0"
      }
      

      Notes

      • Consider reviewing the remaining audit pipelines as we may want to apply the same AC to all audit logs

      Sample Message:

       2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|name="verify-audit-logging_deny-all", verdict=drop, severity=alert: icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=8,icmp_code=0
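
One way to script the verification step, as an added example that is not part of the original issue or of the logging project's code: it checks that a forwarded document populates the fields listed in the overview and splits the ACL message into its parts. The function names, the regular expression and the field layout are assumptions inferred from the single sample message on this page.

```python
import json
import re

# Constructed sample: the example log event from this page with a well-formed @timestamp.
SAMPLE_DOC = json.dumps({
    "@timestamp": "2021-07-06T08:26:58.687000+00:00",
    "hostname": "ip.abc.iternal",
    "level": "info",
    "message": '2021-07-06T08:26:58.687Z|00004|acl_log(ovn_pinctrl0)|INFO|'
               'name="verify-audit-logging_deny-all", verdict=drop, severity=alert: '
               'icmp,vlan_tci=0x0000,dl_src=0a:58:0a:81:02:12,dl_dst=0a:58:0a:81:02:14,'
               'nw_src=10.129.2.18,nw_dst=10.129.2.20,nw_tos=0,nw_ecn=0,nw_ttl=64,'
               'icmp_type=8,icmp_code=0',
})

REQUIRED = ("@timestamp", "hostname", "level", "message")  # fields the overview lists
ACL_RE = re.compile(  # layout assumed from the sample message above
    r'name="(?P<name>[^"]*)", verdict=(?P<verdict>\w+), severity=(?P<severity>\w+): (?P<flow>.*)$'
)


def parse_acl_message(message):
    """Split one OVN ACL audit line into header fields, ACL fields and flow fields."""
    parts = message.split("|", 4)
    if len(parts) != 5:
        raise ValueError("expected 5 pipe-separated fields")
    ts, seq, module, level, body = parts
    m = ACL_RE.match(body)
    if m is None:
        raise ValueError("body is not an acl_log entry")
    tokens = m.group("flow").split(",")
    flow = {"proto": tokens[0]}  # first token is the protocol, e.g. icmp
    flow.update(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return {"timestamp": ts, "seq": seq, "module": module, "level": level,
            "name": m.group("name"), "verdict": m.group("verdict"),
            "severity": m.group("severity"), "flow": flow}


def check_document(raw):
    """Return (missing_fields, parsed_acl) for one forwarded audit document."""
    doc = json.loads(raw)
    missing = [k for k in REQUIRED if not doc.get(k)]
    parsed = None if "message" in missing else parse_acl_message(doc["message"])
    return missing, parsed


if __name__ == "__main__":
    print(check_document(SAMPLE_DOC))
```

An empty `missing` list together with a parsed `verdict` and `name` indicates that the collector enriched the record and that the original ACL line arrived intact.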
      

            rdlugyhe Rolfe Dlugy-Hegwer
            Anping Li Anping Li