Allow Specifying Firewall Log Label #4652

Closed
edwardbadboy opened this issue Feb 22, 2023 · 2 comments · Fixed by #4748
Labels
kind/feature Categorizes issue or PR as related to a new feature.

edwardbadboy commented Feb 22, 2023

Describe the problem/challenge you have
Antrea NetworkPolicy and ClusterNetworkPolicy allow turning on firewall rule logging. The first packet in a connection which hits the rule will generate a log message in /var/log/antrea/networkpolicy/np.log.

The log format is as below.

<yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length>
    Deduplication:
<yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> [<num of packets> packets in <duplicate duration>]

It would be helpful if the ACNP and ANP allowed specifying a log label in the rule definition, with the log label written to the log message.

Describe the solution you'd like

For example:

  egress:
    - action: Drop
      ...
      name: exampleDropRule
      enableLogging: true
      logLabel: "arbitrary string shorter than 32 chars"  #### introduce a new field for log label
  ingress:
    - action: Allow
      ...
      name: exampleAllowRule
      enableLogging: true
      logLabel: "arbitrary string shorter than 32 chars"  #### introduce a new field for log label

The log label then appears in the firewall log line.

<yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log label>
    Deduplication:
<yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log label> [<num of packets> packets in <duplicate duration>]

This allows some convenient operations, like specifying the same log label on multiple rules across multiple ACNPs and then grepping the firewall logs for this log label.

@edwardbadboy edwardbadboy added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 22, 2023
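
A parser for the labelled log format proposed in this issue, as an added example (not Antrea's code and not part of the original post): it totals packets per rule for an exact label match, which a plain grep cannot do when the label text also appears in a rule name. The sample lines, the label `pci-audit` and the function names are constructed for illustration, and the label is assumed to possibly contain spaces.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Entry holds selected fields of one np.log line in the format proposed above.
type Entry struct {
	Policy, Rule, Label string
	Packets             int // 1 unless a deduplication suffix is present
}
// dedupRe matches a trailing "[<num of packets> packets in <duplicate duration>]".
var dedupRe = regexp.MustCompile(`\s*\[(\d+) packets in [^\]]+\]\s*$`)
// ParseLine reads the 13 fixed fields; whatever sits between <packet-length> and
// the optional suffix is the label (assumption: it may contain spaces, so re-join).
func ParseLine(line string) (Entry, error) {
	e := Entry{Packets: 1}
	if m := dedupRe.FindStringSubmatch(line); m != nil {
		e.Packets, _ = strconv.Atoi(m[1])
		line = strings.TrimSuffix(line, m[0])
	}
	f := strings.Fields(line)
	if len(f) < 13 {
		return e, fmt.Errorf("want at least 13 fields, got %d", len(f))
	}
	e.Policy, e.Rule, e.Label = f[3], f[4], strings.Join(f[13:], " ")
	return e, nil
}

// CountByLabel totals packets per "<policy>/<rule>" for an exact label match.
func CountByLabel(lines []string, label string) map[string]int {
	out := map[string]int{}
	for _, l := range lines {
		if e, err := ParseLine(l); err == nil && e.Label == label {
			out[e.Policy+"/"+e.Rule] += e.Packets
		}
	}
	return out
}

var sample = []string{ // constructed for this example, not captured from a cluster
	"2023/02/22 10:00:01.000001 AntreaPolicyEgressRule AntreaClusterNetworkPolicy:acnp-a exampleDropRule Drop 44900 10.10.1.5 41000 10.10.2.7 443 TCP 60 pci-audit",
	"2023/02/22 10:00:02.000002 AntreaPolicyIngressRule AntreaClusterNetworkPolicy:acnp-b exampleAllowRule Allow 44899 10.10.2.7 52000 10.10.1.5 80 TCP 60 pci-audit [3 packets in 1.002s]",
	"2023/02/22 10:00:03.000003 AntreaPolicyEgressRule AntreaClusterNetworkPolicy:acnp-c pci-audit-rule Drop 44898 10.10.1.6 41002 10.10.2.9 22 TCP 60",
}
func main() { fmt.Println(CountByLabel(sample, "pci-audit")) }
```

The third sample line has no label but a rule name containing the label text; it is excluded from the totals, whereas a substring search over the file would include it.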

qiyueyao commented Feb 23, 2023

Thanks @edwardbadboy @Dyanngg. I have one open question about this feature: how about moving logLabel to a sub-field of enableLogging, so that it is more organized? Something like

  egress:
    - action: Drop
      ...
      name: exampleDropRule
      enableLogging:
        logStatus: true
        logLabel: "arbitrary string shorter than 32 chars"  #### introduce a new field for log label

Thinking twice, maybe the con is that for users not requesting a log label, it is troublesome to update the current manifest.

@qiyueyao

After discussion with @salv-orlando, the above approach is not backport compatible. Here is a new proposal:

  egress:
    - action: Drop
      ...
      name: exampleDropRule
      logSetting:
        enabled: true
        logLabel: "arbitrary string shorter than 32 chars"  #### introduce a new field for log label

Where logSetting and enableLogging cannot be set at the same time.

qiyueyao added a commit to qiyueyao/antrea that referenced this issue Mar 26, 2023
Antrea native policies support firewall rule logs. Adding a rule
label to the log allows convenient post-processing of the logs
like grepping the same log labels.

This feature adds a field "logSetting" to the crd, which has two
fields "enabled" and "logLabel". "logSetting" and "enableLogging"
cannot be used at the same time. "enabled" must always be specified
when used. "logLabel" defaults to empty value.

Fixes antrea-io#4652

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
qiyueyao added a commit to qiyueyao/antrea that referenced this issue May 1, 2023
Antrea native policies support firewall rule logs. Adding a rule
label to the log allows convenient post-processing of the logs
like grepping the same log labels.

This feature adds a field "logSettings" to the CRDs, which has two
fields "enabled" and "logLabel". "logSettings" and "enableLogging"
cannot be used at the same time. "enabled" must always be specified
when used. "logLabel" defaults to empty value.

Fixes antrea-io#4652

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
qiyueyao added a commit to qiyueyao/antrea that referenced this issue May 15, 2023
Antrea native policies support firewall rule logs. Adding a rule
label to the log allows convenient post-processing of the logs
like grepping the same log labels.

This feature adds a field "logLabel" to the CRDs, which will be
printed in the logs and exported to flow records. "logLabel"
defaults to empty value.

Fixes antrea-io#4652

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
tnqn pushed a commit that referenced this issue May 19, 2023
Antrea native policies support firewall rule logs. Adding a rule
label to the log allows convenient post-processing of the logs
like grepping the same log labels.

This feature adds a field "logLabel" to the CRDs, which will be
printed in the logs and exported to flow records. "logLabel"
defaults to empty value.

Fixes #4652

Signed-off-by: Qiyue Yao <yaoq@vmware.com>