Support L7 Network Policy Logging #4625
Codecov Report

@@            Coverage Diff             @@
##             main    #4625      +/-   ##
==========================================
- Coverage   68.39%   67.19%   -1.21%
==========================================
  Files         400      418      +18
  Lines       58298    62823    +4525
==========================================
+ Hits        39872    42212    +2340
- Misses      15656    17679    +2023
- Partials     2770     2932     +162

This pull request uses carry forward flags.
```go
rulesData := bytes.NewBuffer(nil)
sid := 1

var tagKeyword string
if enableLogging {
	tagKeyword = " tag: session, 30, seconds;"
```
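Review bot: the `tag: session, 30, seconds;` keyword gets no explanation in the hunk and Suricata's own docs do not cover it, so the inline comment should say what it does in this context: tag the matched session for 30 seconds so its packets are written to eve.json as event_type `packet`, which is the part of the logging that `enableLogging` actually controls, while the `alert` event is emitted for every match regardless of `enableLogging`. Pointing the comment at the upstream source (Suricata's detect-engine-tag, Snort's tag keyword) would save the next reader from re-asking this thread's question.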
I didn't find documentation about these keywords. Could you share a link and add a comment to help understanding?
Suricata lacks the documentation for "tag", which is an open ticket. Looking into the codebase, it's handled in their file detect-engine-tag. Snort also has similar functionality, see its doc.
Could you add this information to a code comment? Otherwise people who look at this will have the same question.
Not finished yet, will add other comments later.
Layer 7 traffic that matches the NetworkPolicy will be logged in an event triggered log file (`/var/log/antrea/networkpolicy/l7engine/eve-YEAR-MONTH-DAY.json`). The event type for this log is `alert`. If `enableLogging` is set for the rule,
You mean the dropped request will be logged regardless of whether enableLogging is enabled? Is it configurable?
It will be logged regardless of `enableLogging`. Based on my investigation of the Suricata doc, there is no workaround to configure this. It is either log all events or no log at all; only the packets can be configured with `enableLogging`, but they can only be logged in the same file. I also asked in the Suricata community, and this doesn't seem to be a high priority feature request, since we have postprocess tooling.
LGTM overall, just some small suggestions.
Antrea-native policy now supports layer 7 NetworkPolicy. To provide more information for users, logging for this feature is introduced. Antrea-native policy is not accurate enough in reporting packet status before sending to the L7 engine. Logs are fixed to reflect the "Redirect" action. Audit logging UTs are updated to cover more cases. The L7 engine provides its own logs. Currently, Suricata is used as the L7 engine. Configuration is updated to generate two log files, fast.log and eve.json. Both files are located at /var/log/antrea/networkpolicy/. Documentation is updated. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
LGTM
/test-all
Fix inaccurate Antrea Native Policy logging, where the L7NP will be logged as `Redirect` not `Allow`. Update UT to cover more cases. Add event log file for Suricata at `/var/log/antrea/networkpolicy/l7engine`. Due to the limitation of available Suricata options, currently `eve.log` logs all the alerts (`reject` & `pass`) regardless of `enableLogging`, event_type: "alert". Meanwhile packets are only logged if `enableLogging: true`, event_type: "packet".
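Because eve.json carries both the always-on `alert` events and the `enableLogging`-gated `packet` events in one file, the postprocess tooling the author mentions is what separates them. The following is an added example, not code from this PR or from Antrea: a small Go summarizer that reads EVE JSON lines and tallies alerts per signature id, blocked alerts, and tagged-session packets. It assumes Suricata's EVE field names (`event_type`, `alert.action`, `alert.signature_id`); the sample records are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"strings"
)
// eveEvent is the subset of a Suricata EVE JSON record used here (EVE field names).
type eveEvent struct {
	EventType string `json:"event_type"`
	Alert     struct {
		Action      string `json:"action"`
		SignatureID int    `json:"signature_id"`
	} `json:"alert"`
}
// Summary tallies eve.json: alert events are emitted for every rule match regardless
// of enableLogging; packet events only for sessions tagged by a rule with enableLogging.
type Summary struct {
	AlertsBySID map[int]int // signature_id -> alert event count
	Blocked     int         // alert events whose action is "blocked"
	Packets     int         // packet events from tagged sessions
}
// Summarize parses newline-delimited EVE JSON and counts events by type.
func Summarize(eveJSON string) (Summary, error) {
	s := Summary{AlertsBySID: map[int]int{}}
	sc := bufio.NewScanner(strings.NewReader(eveJSON))
	for sc.Scan() {
		var ev eveEvent
		if err := json.Unmarshal(sc.Bytes(), &ev); err != nil {
			return s, err // a malformed record aborts instead of silently skewing counts
		}
		switch ev.EventType {
		case "alert":
			s.AlertsBySID[ev.Alert.SignatureID]++
			if ev.Alert.Action == "blocked" {
				s.Blocked++
			}
		case "packet":
			s.Packets++
		}
	}
	return s, sc.Err()
}
// SampleEve is constructed, not captured: two blocked alerts for sid 1, one allowed
// alert for sid 2, and one packet event from the tagged (enableLogging) session.
const SampleEve = `{"event_type":"alert","alert":{"action":"blocked","signature_id":1}}
{"event_type":"packet","src_ip":"10.0.1.5","dest_ip":"10.0.2.9"}
{"event_type":"alert","alert":{"action":"allowed","signature_id":2}}
{"event_type":"alert","alert":{"action":"blocked","signature_id":1}}`
```

Feeding a real `eve-YEAR-MONTH-DAY.json` through `Summarize` shows at a glance which rules fired and how many of them produced packet records, i.e. which had `enableLogging` set.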