yahoo-eng-team team mailing list archive

[Bug 1796200] Re: Network security group logging: only DROP events being logged

 

*** This bug is a duplicate of bug 1782576 ***
    https://bugs.launchpad.net/bugs/1782576

** This bug has been marked a duplicate of bug 1782576
   Logging - No SG-log data found at /var/log/syslog

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1796200

Title:
  Network security group logging: only DROP events being logged

Status in neutron:
  New

Bug description:
  Network security group logging not working: empty file being created
  w/o actual logs

  On a clean OpenStack (Ubuntu Xenial, Queens release) I have tried to
  enable security group logging as stated in the
  https://docs.openstack.org/neutron/queens/admin/config-logging.html
  doc, and it's not working as expected.

  =================

  Actual behaviour: Logfile has been created in the place specified in the config from the "neutron" user, but:
  - only DROP events have been created; ACCEPT events are missing;
  - ICMP traffic is not logged at all.

  Expected behaviour: Logfile has been created & NSG traffic data is also
  being logged into it for both ACCEPT and DROP events.

  ==========

  Additional information:

  a) OpenStack has been deployed from scratch using Juju and upstream
  bundles (with only two charms being modified locally, enabling
  the necessary config changes for following the upstream documentation
  mentioned above), here is the actual charm link:
  http://paste.openstack.org/show/731530/

  b) Full OpenStack configuration commands from flavors till verifying
  that networking itself is working:
  http://paste.openstack.org/show/731529/ (take a look at the EOF: I'm
  trying to ping my instance's floating IP, I cannot, but after enabling a
  rule in NSG it succeeded - so traffic is actually being passed to the
  instance and security groups are working);

  c) Config files that should be modified, according to documentation:

  neutron-api neutron.conf: http://paste.openstack.org/show/731531/
  neutron-gateway /etc/neutron/plugins/ml2/openvswitch_agent.ini: http://paste.openstack.org/show/731534/
  nova-compute /etc/neutron/plugins/ml2/openvswitch_agent.ini: http://paste.openstack.org/show/731535/

  Security groups rules: http://paste.openstack.org/show/731541/
  OVS firewall log without any traffic yet: http://paste.openstack.org/show/731542/

  Try to reach HTTPS (which is blocked by security groups):
  http://paste.openstack.org/show/731543/ - all OK, it's being logged.

  But if I try to log in to SSH (it's enabled via NSG rules) - nothing
  appears in the NSG log; however, the corresponding rules have been applied to
  Open vSwitch: http://paste.openstack.org/show/731544/

  Also, nothing happens in the NSG log when trying to reach the instance by
  ICMP (regular ping, for example).

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1796200/+subscriptions

