From 7cbe8eed31908323d9d5b79bb0a0231139f00d26 Mon Sep 17 00:00:00 2001
From: Qiyue Yao <yaoq@vmware.com>
Date: Thu, 16 Mar 2023 04:21:15 -0700
Subject: [PATCH] Add Log Label to Audit Logging

Antrea native policies support firewall rule logs. Adding a rule
label to the log allows convenient post-processing of the logs
like grepping the same log labels.

This feature adds a field "logSetting" to the crd, which has two
fields "enabled" and "logLabel". "logSetting" and "enableLogging"
cannot be used at the same time. "enabled" must always be specified
when used. "logLabel" defaults to empty value.

Fixes #4652

Signed-off-by: Qiyue Yao <yaoq@vmware.com>
---
 .../antrea/crds/clusternetworkpolicy.yaml     |  20 +
 build/charts/antrea/crds/networkpolicy.yaml   |  20 +
 build/yamls/antrea-aks.yml                    |  40 ++
 build/yamls/antrea-crds.yml                   |  40 ++
 build/yamls/antrea-eks.yml                    |  40 ++
 build/yamls/antrea-gke.yml                    |  40 ++
 build/yamls/antrea-ipsec.yml                  |  40 ++
 build/yamls/antrea.yml                        |  40 ++
 docs/antrea-network-policy.md                 | 100 ++-
 .../antrea-multicluster-leader-global.yml     |  76 ++-
 ...cluster.crd.antrea.io_resourceexports.yaml |  38 +-
 ...cluster.crd.antrea.io_resourceimports.yaml |  38 +-
 .../controller/networkpolicy/audit_logging.go |  27 +-
 .../networkpolicy/audit_logging_test.go       |  26 +-
 pkg/agent/controller/networkpolicy/cache.go   |   8 +
 .../networkpolicy/networkpolicy_controller.go |   4 +-
 .../controller/networkpolicy/reconciler.go    |  13 +-
 .../networkpolicy/reconciler_test.go          |  17 +-
 .../connections/conntrack_connections_test.go |  21 +-
 pkg/agent/openflow/client.go                  |   2 +-
 pkg/agent/openflow/network_policy.go          |  41 +-
 pkg/agent/openflow/network_policy_test.go     |  48 +-
 pkg/agent/openflow/testing/mock_openflow.go   |   5 +-
 pkg/agent/types/networkpolicy.go              |   6 +
 pkg/apis/controlplane/types.go                |   8 +
 pkg/apis/controlplane/v1beta2/generated.pb.go | 576 ++++++++++++------
 pkg/apis/controlplane/v1beta2/generated.proto |  11 +-
 pkg/apis/controlplane/v1beta2/types.go        |   8 +
 .../v1beta2/zz_generated.conversion.go        |  32 +
 .../v1beta2/zz_generated.deepcopy.go          |  21 +
 .../controlplane/zz_generated.deepcopy.go     |  21 +
 pkg/apis/crd/v1alpha1/types.go                |  14 +
 .../crd/v1alpha1/zz_generated.deepcopy.go     |  21 +
 pkg/apiserver/openapi/zz_generated.openapi.go |  29 +-
 .../networkpolicy/antreanetworkpolicy.go      |   2 +
 .../networkpolicy/antreanetworkpolicy_test.go |  66 ++
 .../networkpolicy/clusternetworkpolicy.go     |   1 +
 .../clusternetworkpolicy_test.go              |  65 ++
 pkg/controller/networkpolicy/crd_utils.go     |   9 +
 .../networkpolicy/crd_utils_test.go           |  29 +
 .../networkpolicy/networkpolicy_controller.go |  28 +-
 .../networkpolicy_controller_test.go          |  43 +-
 pkg/controller/networkpolicy/validate.go      |  18 +
 pkg/controller/networkpolicy/validate_test.go |  26 +
 test/e2e/antreapolicy_test.go                 |   3 +-
 test/e2e/utils/anp_spec_builder.go            |   7 +-
 test/e2e/utils/cnp_spec_builder.go            |   7 +-
 47 files changed, 1451 insertions(+), 344 deletions(-)

diff --git a/build/charts/antrea/crds/clusternetworkpolicy.yaml b/build/charts/antrea/crds/clusternetworkpolicy.yaml
index 2f9ac6017c7..b57a437f897 100644
--- a/build/charts/antrea/crds/clusternetworkpolicy.yaml
+++ b/build/charts/antrea/crds/clusternetworkpolicy.yaml
@@ -383,6 +383,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -645,6 +655,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/charts/antrea/crds/networkpolicy.yaml b/build/charts/antrea/crds/networkpolicy.yaml
index 617100f054f..a65da3d85b9 100644
--- a/build/charts/antrea/crds/networkpolicy.yaml
+++ b/build/charts/antrea/crds/networkpolicy.yaml
@@ -326,6 +326,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -559,6 +569,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-aks.yml b/build/yamls/antrea-aks.yml
index 2b5cbf397dd..7db5c484a8d 100644
--- a/build/yamls/antrea-aks.yml
+++ b/build/yamls/antrea-aks.yml
@@ -761,6 +761,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1023,6 +1033,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1857,6 +1877,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2090,6 +2120,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-crds.yml b/build/yamls/antrea-crds.yml
index 86f6099c28b..726be13f379 100644
--- a/build/yamls/antrea-crds.yml
+++ b/build/yamls/antrea-crds.yml
@@ -754,6 +754,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1016,6 +1026,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1838,6 +1858,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2071,6 +2101,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-eks.yml b/build/yamls/antrea-eks.yml
index 1d7bd09b0a4..3c43a552b0d 100644
--- a/build/yamls/antrea-eks.yml
+++ b/build/yamls/antrea-eks.yml
@@ -761,6 +761,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1023,6 +1033,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1857,6 +1877,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2090,6 +2120,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-gke.yml b/build/yamls/antrea-gke.yml
index 332e1bc4969..50286a0db7d 100644
--- a/build/yamls/antrea-gke.yml
+++ b/build/yamls/antrea-gke.yml
@@ -761,6 +761,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1023,6 +1033,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1857,6 +1877,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2090,6 +2120,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea-ipsec.yml b/build/yamls/antrea-ipsec.yml
index 8f320edc824..afc067a87ef 100644
--- a/build/yamls/antrea-ipsec.yml
+++ b/build/yamls/antrea-ipsec.yml
@@ -761,6 +761,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1023,6 +1033,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1857,6 +1877,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2090,6 +2120,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/build/yamls/antrea.yml b/build/yamls/antrea.yml
index 5ec4e750882..016af1895a5 100644
--- a/build/yamls/antrea.yml
+++ b/build/yamls/antrea.yml
@@ -761,6 +761,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -1023,6 +1033,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
@@ -1857,6 +1877,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
                 egress:
                   type: array
                   items:
@@ -2090,6 +2120,16 @@ spec:
                         type: string
                       enableLogging:
                         type: boolean
+                      logSetting:
+                        type: object
+                        required:
+                          - enabled
+                        properties:
+                          enabled:
+                            type: boolean
+                          logLabel:
+                            type: string
+                            pattern: "^.{0,32}$"
             status:
               type: object
               properties:
diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
index 7f184de34d9..c58b60c8ac3 100644
--- a/docs/antrea-network-policy.md
+++ b/docs/antrea-network-policy.md
@@ -20,6 +20,7 @@
     - [ACNP for IGMP traffic](#acnp-for-igmp-traffic)
     - [ACNP for multicast egress traffic](#acnp-for-multicast-egress-traffic)
     - [ACNP for HTTP traffic](#acnp-for-http-traffic)
+    - [ACNP with log setting](#acnp-with-log-setting)
   - [Behavior of <em>to</em> and <em>from</em> selectors](#behavior-of-to-and-from-selectors)
   - [Key differences from K8s NetworkPolicy](#key-differences-from-k8s-networkpolicy)
   - [<em>kubectl</em> commands for Antrea ClusterNetworkPolicy](#kubectl-commands-for-antrea-clusternetworkpolicy)
@@ -535,6 +536,50 @@ spec:
             host: "*.bar.com"  # not be considered.
 ```
 
+#### ACNP with log setting
+
+```yaml
+apiVersion: crd.antrea.io/v1alpha1
+kind: ClusterNetworkPolicy
+metadata:
+  name: acnp-with-log-setting
+spec:
+  priority: 5
+  tier: securityops
+  appliedTo:
+    - podSelector:
+        matchLabels:
+          role: db
+    - namespaceSelector:
+        matchLabels:
+          env: prod
+  ingress:
+    - action: Allow
+      from:
+        - podSelector:
+            matchLabels:
+              role: frontend
+          namespaceSelector:
+            matchLabels:
+              role: db
+      name: AllowFromFrontend
+      logSetting:
+        enabled: false
+        logLabel: "frontend-allowed"
+  egress:
+    - action: Drop
+      to:
+        - ipBlock:
+            cidr: 10.0.10.0/24
+      ports:
+        - protocol: TCP
+          port: 5978
+      name: DropToThirdParty
+      logSetting:
+        enabled: true
+        logLabel: "third-party-blocked"
+```
+
 Please refer to [Antrea Layer 7 NetworkPolicy](antrea-l7-network-policy.md) for extra information.
 
 **spec**: The ClusterNetworkPolicy `spec` has all the information needed to
@@ -696,30 +741,39 @@ to select Pods. More details can be found in the [ServiceAccountSelector](#servi
 **Note**: The order in which the egress rules are specified matters, i.e., rules will
 be enforced in the order in which they are written.
 
-**enableLogging**: Antrea-native policy ingress or egress rules can be
-audited by enabling its logging field. When `enableLogging` field is set to
-true, the first packet of any connection that matches this rule will be logged
-to a separate file (`/var/log/antrea/networkpolicy/np.log`) on the Node on
-which the rule is applied. These log files can then be retrieved for further
-analysis. By default, rules are not logged. The example policy logs all
-traffic that matches the "DropToThirdParty" egress rule, while the rule
-"AllowFromFrontend" is not logged. Specifically for drop and reject rules,
-deduplication is applied to reduce duplicated logs, and duplication buffer
-length is set to 1 second. If a rule name is not provided, an identifiable
-name will be generated for the rule and displayed in the log. For rules in layer
-7 NetworkPolicy, packets are logged with action `Redirect` prior to analysis by
-the layer 7 engine, more details are available in the corresponding engine logs.
-The rules are logged in the following format:
+**logSetting** and **enableLogging**: Antrea-native policy ingress or egress rules
+can be audited by enabling its logging field. Since v0.11.0, `enableLogging`
+became available and `logSetting` is introduced in v1.12.0. We will be deprecating
+`enableLogging` for `logSetting` so they should not be set at the same time.
+`logSetting.enabled` and `enableLogging` are equivalent. When `logSetting.enabled`
+or `enableLogging` field is set to true, the first packet of any connection that
+matches this rule will be logged to a separate file (`/var/log/antrea/networkpolicy/np.log`)
+on the Node on which the rule is applied. These log files can then be retrieved for
+further analysis. By default, rules are not logged. When using `logSetting`,
+`enabled` must be specified, if `enabled` is true and `logLabel` is provided, the
+label will be displayed in the log, otherwise it defaults to empty value.
+
+The [first example](#acnp-with-stand-alone-selectors) policy logs all traffic that
+matches the "DropToThirdParty" egress rule, while the rule "AllowFromFrontend" is
+not logged. The [eleventh example](#acnp-with-log-setting) policy logs all traffic
+that matches the "DropToThirdParty" egress rule with "third-party-blocked", but does
+not log "AllowFromFrontend" which is not enabled even when a label is provided.
+Specifically for drop and reject rules, deduplication is applied to reduce duplicated
+logs, and duplication buffer length is set to 1 second. If a rule name is not
+provided, an identifiable name will be generated for the rule and displayed in the log.
+For rules in layer 7 NetworkPolicy, packets are logged with action `Redirect` prior
+to analysis by the layer 7 engine, more details are available in the corresponding
+engine logs. The rules are logged in the following format:
 
 ```text
-    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length>
+    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
     Deduplication:
-    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> [<num of packets> packets in <duplicate duration>]
+    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
 
     Examples:
-    2020/11/02 22:21:21.148395 AntreaPolicyAppTierIngressRule AntreaNetworkPolicy:default/test-anp test-rule Allow 61800 10.10.1.65 35402 10.0.0.5 80 TCP 60
-    2021/06/24 23:56:41.346165 AntreaPolicyEgressRule AntreaNetworkPolicy:default/test-anp test-rule Drop 44900 10.10.1.65 35402 10.0.0.5 80 TCP 60 [3 packets in 1.011379442s]
-    2022/09/20 02:21:25.879364 AntreaPolicyIngressRule AntreaNetworkPolicy:default/test-anp ingress-drop-1cffec1 Drop 44900 10.10.1.14 <nil> 10.10.1.15 <nil> ICMP 84
+    2020/11/02 22:21:21.148395 AntreaPolicyAppTierIngressRule AntreaNetworkPolicy:default/test-anp test-rule Allow 61800 10.10.1.65 35402 10.0.0.5 80 TCP 60 custom-log-label
+    2021/06/24 23:56:41.346165 AntreaPolicyEgressRule AntreaNetworkPolicy:default/test-anp test-rule Drop 44900 10.10.1.65 35402 10.0.0.5 80 TCP 60 custom-log-label [3 packets in 1.011379442s]
+    2023/03/29 02:21:25.879364 AntreaPolicyEgressRule AntreaNetworkPolicy:default/test-anp DropToThirdParty Drop 44900 10.10.1.14 <nil> 10.10.1.15 <nil> ICMP 84 third-party-blocked
 ```
 
 Kubernetes NetworkPolicies can also be audited using Antrea logging to the same file
@@ -733,13 +787,13 @@ using Antrea logging for Kubernetes NetworkPolicies, the rule name field is not
 set and defaults to `<nil>` value. The rules are logged in the following format:
 
 ```text
-    <yyyy/mm/dd> <time> <ovs-table-name> <k8s-network-policy-reference> <nil> Allow <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length>
+    <yyyy/mm/dd> <time> <ovs-table-name> <k8s-network-policy-reference> <nil> Allow <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
     Default dropped traffic:
-    <yyyy/mm/dd> <time> <ovs-table-name> K8sNetworkPolicy <nil> Drop <nil> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> [<num of packets> packets in <duplicate duration>]
+    <yyyy/mm/dd> <time> <ovs-table-name> K8sNetworkPolicy <nil> Drop <nil> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
 
     Examples:
-    2022/07/26 06:55:56.170456 IngressRule K8sNetworkPolicy:default/test-np-log <nil> Allow 190 10.10.1.82 49518 10.10.1.84 80 TCP 60
-    2022/07/26 06:55:57.142206 IngressDefaultRule K8sNetworkPolicy <nil> Drop <nil> 10.10.1.83 38608 10.10.1.84 80 TCP 60
+    2022/07/26 06:55:56.170456 IngressRule K8sNetworkPolicy:default/test-np-log <nil> Allow 190 10.10.1.82 49518 10.10.1.84 80 TCP 60 <nil>
+    2022/07/26 06:55:57.142206 IngressDefaultRule K8sNetworkPolicy <nil> Drop <nil> 10.10.1.83 38608 10.10.1.84 80 TCP 60 <nil>
 ```
 
 Fluentd can be used to assist with collecting and analyzing the logs. Refer to the
diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
index b361d645ec4..70a0b688a35 100644
--- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml
+++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml
@@ -784,7 +784,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -1092,6 +1093,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
@@ -1672,7 +1689,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -1980,6 +1998,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
@@ -3476,7 +3510,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -3784,6 +3819,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
@@ -4364,7 +4415,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -4672,6 +4724,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
index fc5d680b9a5..5d9601e8d6b 100644
--- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
+++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml
@@ -479,7 +479,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -787,6 +788,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
@@ -1367,7 +1384,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -1675,6 +1693,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml
index 1e0dc7a17c2..6686e1c89a2 100644
--- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml
+++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml
@@ -477,7 +477,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -785,6 +786,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
@@ -1365,7 +1382,8 @@ spec:
                         enableLogging:
                           description: EnableLogging is used to indicate if agent
                             should generate logs when rules are matched. Should be
-                            default to false.
+                            default to false. This field can't be used with LogSetting,
+                            will be deprecated.
                           type: boolean
                         from:
                           description: Rule is matched if traffic originates from
@@ -1673,6 +1691,22 @@ spec:
                                 type: object
                             type: object
                           type: array
+                        logSetting:
+                          description: LogSetting is used to specify logging behaviors
+                            of the rules when matched. This field can't be used with
+                            EnableLogging.
+                          properties:
+                            enabled:
+                              description: LogEnabled indicates if logs should be
+                                generated when rules are matched.
+                              type: boolean
+                            logLabel:
+                              description: LogLabel is a keyword included in the NetworkPolicy
+                                logs if this rule is matched and has log enabled.
+                              type: string
+                          required:
+                          - enabled
+                          type: object
                         name:
                           description: Name describes the intention of this rule.
                             Name should be unique within the policy.
diff --git a/pkg/agent/controller/networkpolicy/audit_logging.go b/pkg/agent/controller/networkpolicy/audit_logging.go
index 213aec1459b..8869452093f 100644
--- a/pkg/agent/controller/networkpolicy/audit_logging.go
+++ b/pkg/agent/controller/networkpolicy/audit_logging.go
@@ -20,6 +20,7 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
@@ -68,6 +69,7 @@ type logInfo struct {
 	tableName   string // name of the table sending packetin
 	npRef       string // Network Policy name reference
 	ruleName    string // Network Policy rule name for Antrea-native policies
+	logLabel    string
 	disposition string // Allow/Drop of the rule sending packetin
 	ofPriority  string // openflow priority of the flow sending packetin
 	srcIP       string // source IP of the traffic logged
@@ -135,7 +137,7 @@ func (l *AntreaPolicyLogger) updateLogKey(logMsg string, bufferLength time.Durat
 // LogDedupPacket logs information in ob based on disposition and duplication conditions.
 func (l *AntreaPolicyLogger) LogDedupPacket(ob *logInfo) {
 	// Deduplicate non-Allow packet log.
-	logMsg := fmt.Sprintf("%s %s %s %s %s %s %s %s %s %s %d", ob.tableName, ob.npRef, ob.ruleName, ob.disposition, ob.ofPriority, ob.srcIP, ob.srcPort, ob.destIP, ob.destPort, ob.protocolStr, ob.pktLength)
+	logMsg := fmt.Sprintf("%s %s %s %s %s %s %s %s %s %s %d %s", ob.tableName, ob.npRef, ob.ruleName, ob.disposition, ob.ofPriority, ob.srcIP, ob.srcPort, ob.destIP, ob.destPort, ob.protocolStr, ob.pktLength, ob.logLabel)
 	if ob.disposition == openflow.DispositionToString[openflow.DispositionAllow] {
 		l.anpLogger.Printf(logMsg)
 	} else {
@@ -215,7 +217,8 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, c *Controller, ob *logInfo) er
 		isK8sDefaultDeny := (cnpDenyRegVal == 0) && (disposition == openflow.DispositionDrop || disposition == openflow.DispositionRej)
 		if isK8sDefaultDeny {
 			// For K8s NetworkPolicy implicit drop action, we cannot get Namespace/name.
-			ob.npRef, ob.ofPriority, ob.ruleName = string(v1beta2.K8sNetworkPolicy), "<nil>", "<nil>"
+			ob.npRef = string(v1beta2.K8sNetworkPolicy)
+			fillLogInfoPlaceholders([]*string{&ob.ruleName, &ob.logLabel, &ob.ofPriority})
 			return nil
 		}
 	}
@@ -228,14 +231,14 @@ func getNetworkPolicyInfo(pktIn *ofctrl.PacketIn, c *Controller, ob *logInfo) er
 	if err != nil {
 		return fmt.Errorf("received error while unloading conjunction id from reg: %v", err)
 	}
-	ob.npRef, ob.ofPriority, ob.ruleName = c.ofClient.GetPolicyInfoFromConjunction(conjID)
+	ob.npRef, ob.ofPriority, ob.ruleName, ob.logLabel = c.ofClient.GetPolicyInfoFromConjunction(conjID)
+	ob.logLabel = strings.Replace(ob.logLabel, " ", "-", -1)
 	if ob.npRef == "" || ob.ofPriority == "" {
 		return fmt.Errorf("networkpolicy not found for conjunction id: %v", conjID)
 	}
-	// Placeholder for K8s NetworkPolicies without rule names.
-	if ob.ruleName == "" {
-		ob.ruleName = "<nil>"
-	}
+	// Fill in placeholders for Antrea native policies without log labels,
+	// K8s NetworkPolicies without rule names or log labels.
+	fillLogInfoPlaceholders([]*string{&ob.ruleName, &ob.logLabel, &ob.ofPriority})
 	return nil
 }
 
@@ -250,7 +253,15 @@ func getPacketInfo(packet *binding.Packet, ob *logInfo) {
 		ob.destPort = strconv.Itoa(int(packet.DestinationPort))
 	} else {
 		// Placeholders for ICMP packets without port numbers.
-		ob.srcPort, ob.destPort = "<nil>", "<nil>"
+		fillLogInfoPlaceholders([]*string{&ob.srcPort, &ob.destPort})
+	}
+}
+
+func fillLogInfoPlaceholders(logItems []*string) {
+	for i, v := range logItems {
+		if *v == "" {
+			*logItems[i] = "<nil>"
+		}
 	}
 }
 
diff --git a/pkg/agent/controller/networkpolicy/audit_logging_test.go b/pkg/agent/controller/networkpolicy/audit_logging_test.go
index 184457f3115..d9f55715c24 100644
--- a/pkg/agent/controller/networkpolicy/audit_logging_test.go
+++ b/pkg/agent/controller/networkpolicy/audit_logging_test.go
@@ -131,6 +131,7 @@ func newLogInfo(disposition string) (*logInfo, string) {
 		tableName:   openflow.AntreaPolicyIngressRuleTable.GetName(),
 		npRef:       "AntreaNetworkPolicy:default/test",
 		ruleName:    "test-rule",
+		logLabel:    "test-label",
 		ofPriority:  "0",
 		disposition: disposition,
 		srcIP:       "0.0.0.0",
@@ -140,9 +141,9 @@ func newLogInfo(disposition string) (*logInfo, string) {
 		protocolStr: "TCP",
 		pktLength:   60,
 	}
-	expected := fmt.Sprintf("%s %s %s %s %s %s %s %s %s %s %d", testLogInfo.tableName, testLogInfo.npRef, testLogInfo.ruleName,
+	expected := fmt.Sprintf("%s %s %s %s %s %s %s %s %s %s %d %s", testLogInfo.tableName, testLogInfo.npRef, testLogInfo.ruleName,
 		testLogInfo.disposition, testLogInfo.ofPriority, testLogInfo.srcIP, testLogInfo.srcPort, testLogInfo.destIP, testLogInfo.destPort,
-		testLogInfo.protocolStr, testLogInfo.pktLength)
+		testLogInfo.protocolStr, testLogInfo.pktLength, testLogInfo.logLabel)
 	return testLogInfo, expected
 }
 
@@ -258,7 +259,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 	}
 	testANPRef := "AntreaNetworkPolicy:default/test-anp"
 	testK8sRef := "K8sNetworkPolicy:default/test-anp"
-	testPriority, testRule := "61800", "test-rule"
+	testPriority, testRule, testOldLogLabel, testLogLabel, defaultLog := "61800", "test-rule", "test log label", "test-log-label", "<nil>"
 	allowDispositionData := []byte{0x11, 0x00, 0x00, 0x11}
 	dropCNPDispositionData := []byte{0x11, 0x00, 0x0c, 0x11}
 	dropK8sDispositionData := []byte{0x11, 0x00, 0x08, 0x11}
@@ -278,7 +279,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 			tableID: openflow.AntreaPolicyIngressRuleTable.GetID(),
 			expectedCalls: func(mockClient *openflowtest.MockClientMockRecorder) {
 				mockClient.GetPolicyInfoFromConjunction(gomock.Any()).Return(
-					testANPRef, testPriority, testRule)
+					testANPRef, testPriority, testRule, testOldLogLabel)
 			},
 			dispositionData: allowDispositionData,
 			wantOb: &logInfo{
@@ -287,6 +288,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 				npRef:       testANPRef,
 				ofPriority:  testPriority,
 				ruleName:    testRule,
+				logLabel:    testLogLabel,
 			},
 		},
 		{
@@ -294,7 +296,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 			tableID: openflow.IngressRuleTable.GetID(),
 			expectedCalls: func(mockClient *openflowtest.MockClientMockRecorder) {
 				mockClient.GetPolicyInfoFromConjunction(gomock.Any()).Return(
-					testK8sRef, testPriority, "")
+					testK8sRef, testPriority, "", "")
 			},
 			dispositionData: allowDispositionData,
 			wantOb: &logInfo{
@@ -302,7 +304,8 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 				disposition: actionAllow,
 				npRef:       testK8sRef,
 				ofPriority:  testPriority,
-				ruleName:    "<nil>",
+				ruleName:    defaultLog,
+				logLabel:    defaultLog,
 			},
 		},
 		{
@@ -310,7 +313,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 			tableID: openflow.AntreaPolicyIngressRuleTable.GetID(),
 			expectedCalls: func(mockClient *openflowtest.MockClientMockRecorder) {
 				mockClient.GetPolicyInfoFromConjunction(gomock.Any()).Return(
-					testANPRef, testPriority, testRule)
+					testANPRef, testPriority, testRule, testOldLogLabel)
 			},
 			dispositionData: dropCNPDispositionData,
 			wantOb: &logInfo{
@@ -319,6 +322,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 				npRef:       testANPRef,
 				ofPriority:  testPriority,
 				ruleName:    testRule,
+				logLabel:    testLogLabel,
 			},
 		},
 		{
@@ -329,8 +333,9 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 				tableName:   openflow.IngressDefaultTable.GetName(),
 				disposition: actionDrop,
 				npRef:       "K8sNetworkPolicy",
-				ofPriority:  "<nil>",
-				ruleName:    "<nil>",
+				ofPriority:  defaultLog,
+				ruleName:    defaultLog,
+				logLabel:    defaultLog,
 			},
 		},
 		{
@@ -338,7 +343,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 			tableID: openflow.AntreaPolicyIngressRuleTable.GetID(),
 			expectedCalls: func(mockClient *openflowtest.MockClientMockRecorder) {
 				mockClient.GetPolicyInfoFromConjunction(gomock.Any()).Return(
-					testANPRef, testPriority, testRule)
+					testANPRef, testPriority, testRule, testOldLogLabel)
 			},
 			dispositionData: redirectDispositionData,
 			wantOb: &logInfo{
@@ -347,6 +352,7 @@ func TestGetNetworkPolicyInfo(t *testing.T) {
 				npRef:       testANPRef,
 				ofPriority:  testPriority,
 				ruleName:    testRule,
+				logLabel:    testLogLabel,
 			},
 		},
 	}
diff --git a/pkg/agent/controller/networkpolicy/cache.go b/pkg/agent/controller/networkpolicy/cache.go
index f88110cc38f..03cb6f99d2a 100644
--- a/pkg/agent/controller/networkpolicy/cache.go
+++ b/pkg/agent/controller/networkpolicy/cache.go
@@ -98,6 +98,8 @@ type rule struct {
 	SourceRef *v1beta.NetworkPolicyReference
 	// EnableLogging is a boolean indicating whether logging is required for Antrea Policies. Always false for K8s NetworkPolicy.
 	EnableLogging bool
+	// LogSetting specifies logging behaviors of the rule when matched.
+	LogSetting *v1beta.RuleLogSetting
 }
 
 func (r *rule) Less(r2 *rule) bool {
@@ -180,6 +182,11 @@ func (r *CompletedRule) isIGMPEgressPolicyRule() bool {
 	return false
 }
 
+// isLogEnabled aggregates whether log is enabled for the rule from EnableLogging and LogSetting.
+func (r *CompletedRule) isLogEnabled() bool {
+	return r.EnableLogging || r.LogSetting != nil
+}
+
 // ruleCache caches Antrea AddressGroups, AppliedToGroups and NetworkPolicies,
 // can construct complete rules that can be used by reconciler to enforce.
 type ruleCache struct {
@@ -687,6 +694,7 @@ func toRule(r *v1beta.NetworkPolicyRule, policy *v1beta.NetworkPolicy, maxPriori
 		PolicyUID:       policy.UID,
 		SourceRef:       policy.SourceRef,
 		EnableLogging:   r.EnableLogging,
+		LogSetting:      r.LogSetting,
 	}
 	rule.ID = hashRule(rule)
 	rule.PolicyName = policy.Name
diff --git a/pkg/agent/controller/networkpolicy/networkpolicy_controller.go b/pkg/agent/controller/networkpolicy/networkpolicy_controller.go
index c446b074946..7b75b8ab310 100644
--- a/pkg/agent/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/agent/controller/networkpolicy/networkpolicy_controller.go
@@ -645,7 +645,7 @@ func (c *Controller) syncRule(key string) error {
 		vlanID := c.l7VlanIDAllocator.allocate(key)
 		rule.L7RuleVlanID = &vlanID
 
-		if err := c.l7RuleReconciler.AddRule(key, rule.SourceRef.ToString(), vlanID, rule.L7Protocols, rule.EnableLogging); err != nil {
+		if err := c.l7RuleReconciler.AddRule(key, rule.SourceRef.ToString(), vlanID, rule.L7Protocols, rule.isLogEnabled()); err != nil {
 			return err
 		}
 	}
@@ -690,7 +690,7 @@ func (c *Controller) syncRules(keys []string) error {
 				vlanID := c.l7VlanIDAllocator.allocate(key)
 				rule.L7RuleVlanID = &vlanID
 
-				if err := c.l7RuleReconciler.AddRule(key, rule.SourceRef.ToString(), vlanID, rule.L7Protocols, rule.EnableLogging); err != nil {
+				if err := c.l7RuleReconciler.AddRule(key, rule.SourceRef.ToString(), vlanID, rule.L7Protocols, rule.isLogEnabled()); err != nil {
 					return err
 				}
 			}
diff --git a/pkg/agent/controller/networkpolicy/reconciler.go b/pkg/agent/controller/networkpolicy/reconciler.go
index d4180e4bdee..1efa9890354 100644
--- a/pkg/agent/controller/networkpolicy/reconciler.go
+++ b/pkg/agent/controller/networkpolicy/reconciler.go
@@ -538,6 +538,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1
 			TableID:       table,
 			PolicyRef:     rule.SourceRef,
 			EnableLogging: rule.EnableLogging,
+			LogSetting:    rule.LogSetting,
 		}
 		return ofRuleByServicesMap, lastRealized
 	} else if isIGMP {
@@ -580,6 +581,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1
 				TableID:       table,
 				PolicyRef:     rule.SourceRef,
 				EnableLogging: rule.EnableLogging,
+				LogSetting:    rule.LogSetting,
 			}
 		}
 	} else {
@@ -610,6 +612,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1
 				TableID:       table,
 				PolicyRef:     rule.SourceRef,
 				EnableLogging: rule.EnableLogging,
+				LogSetting:    rule.LogSetting,
 			}
 		}
 
@@ -634,6 +637,7 @@ func (r *reconciler) computeOFRulesForAdd(rule *CompletedRule, ofPriority *uint1
 					TableID:       table,
 					PolicyRef:     rule.SourceRef,
 					EnableLogging: rule.EnableLogging,
+					LogSetting:    rule.LogSetting,
 				}
 				ofRuleByServicesMap[svcKey] = ofRule
 			}
@@ -733,6 +737,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 				TableID:       table,
 				PolicyRef:     newRule.SourceRef,
 				EnableLogging: newRule.EnableLogging,
+				LogSetting:    newRule.LogSetting,
 			}
 			err := r.idAllocator.allocateForRule(ofRule)
 			if err != nil {
@@ -745,7 +750,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 		} else {
 			addedTo := ofPortsToOFAddresses(newOFPorts.Difference(lastRealized.podOFPorts[igmpServicesKey]))
 			deletedTo := ofPortsToOFAddresses(lastRealized.podOFPorts[igmpServicesKey].Difference(newOFPorts))
-			if err := r.updateOFRule(ofID, nil, addedTo, nil, deletedTo, ofPriority, newRule.EnableLogging, false); err != nil {
+			if err := r.updateOFRule(ofID, nil, addedTo, nil, deletedTo, ofPriority, newRule.isLogEnabled(), false); err != nil {
 				return err
 			}
 		}
@@ -790,6 +795,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 					TableID:       table,
 					PolicyRef:     newRule.SourceRef,
 					EnableLogging: newRule.EnableLogging,
+					LogSetting:    newRule.LogSetting,
 				}
 				err := r.idAllocator.allocateForRule(ofRule)
 				if err != nil {
@@ -816,7 +822,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 					addedTo = ofPortsToOFAddresses(newOFPorts.Difference(originalOfPortsSet))
 					deletedTo = ofPortsToOFAddresses(originalOfPortsSet.Difference(newOFPorts))
 				}
-				if err := r.updateOFRule(ofID, addedFrom, addedTo, deletedFrom, deletedTo, ofPriority, newRule.EnableLogging, len(newRule.From.LabelIdentities) > 0); err != nil {
+				if err := r.updateOFRule(ofID, addedFrom, addedTo, deletedFrom, deletedTo, ofPriority, newRule.isLogEnabled(), len(newRule.From.LabelIdentities) > 0); err != nil {
 					return err
 				}
 				// Delete valid servicesKey from staleOFIDs.
@@ -861,6 +867,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 					TableID:       table,
 					PolicyRef:     newRule.SourceRef,
 					EnableLogging: newRule.EnableLogging,
+					LogSetting:    newRule.LogSetting,
 				}
 				// If the PolicyRule for the original services doesn't exist and IPBlocks is present, it means the
 				// reconciler hasn't installed flows for IPBlocks, then it must be added to the new PolicyRule.
@@ -908,7 +915,7 @@ func (r *reconciler) update(lastRealized *lastRealized, newRule *CompletedRule,
 					addedTo = svcGroupIDsToOFAddresses(newGroupIDSet.Difference(originalGroupIDSet))
 					deletedTo = svcGroupIDsToOFAddresses(originalGroupIDSet.Difference(newGroupIDSet))
 				}
-				if err := r.updateOFRule(ofID, addedFrom, addedTo, deletedFrom, deletedTo, ofPriority, newRule.EnableLogging, false); err != nil {
+				if err := r.updateOFRule(ofID, addedFrom, addedTo, deletedFrom, deletedTo, ofPriority, newRule.isLogEnabled(), false); err != nil {
 					return err
 				}
 				if r.fqdnController != nil {
diff --git a/pkg/agent/controller/networkpolicy/reconciler_test.go b/pkg/agent/controller/networkpolicy/reconciler_test.go
index 5148bd40c3e..fbf5d8cdbfa 100644
--- a/pkg/agent/controller/networkpolicy/reconciler_test.go
+++ b/pkg/agent/controller/networkpolicy/reconciler_test.go
@@ -167,7 +167,7 @@ func TestReconcilerForget(t *testing.T) {
 				"foo": {
 					ofIDs: map[servicesKey]uint32{servicesKey1: 8, servicesKey2: 9},
 					CompletedRule: &CompletedRule{
-						rule: &rule{Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1, EnableLogging: false},
+						rule: &rule{Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1},
 					},
 				},
 			},
@@ -1237,12 +1237,12 @@ func TestReconcilerUpdate(t *testing.T) {
 		{
 			"updating-cnp-ingress-rule",
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1},
 				FromAddresses: addressGroup1,
 				TargetMembers: appliedToGroup1,
 			},
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, SourceRef: &cnp1},
 				FromAddresses: addressGroup2,
 				TargetMembers: appliedToGroup2,
 			},
@@ -1257,12 +1257,12 @@ func TestReconcilerUpdate(t *testing.T) {
 		{
 			"updating-cnp-ingress-rule-uninstall",
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta2.Service{serviceHTTP}, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta2.Service{serviceHTTP}, SourceRef: &cnp1},
 				FromAddresses: addressGroup1,
 				TargetMembers: appliedToGroupWithDiffContainerPort,
 			},
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta2.Service{serviceHTTP}, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, Services: []v1beta2.Service{serviceHTTP}, SourceRef: &cnp1},
 				FromAddresses: addressGroup1,
 				TargetMembers: appliedToGroupWithSingleContainerPort,
 			},
@@ -1277,11 +1277,11 @@ func TestReconcilerUpdate(t *testing.T) {
 		{
 			"updating-mcnp-ingress",
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, From: v1beta2.NetworkPolicyPeer{LabelIdentities: []uint32{1}}, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, From: v1beta2.NetworkPolicyPeer{LabelIdentities: []uint32{1}}, SourceRef: &cnp1},
 				TargetMembers: appliedToGroup1,
 			},
 			&CompletedRule{
-				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, From: v1beta2.NetworkPolicyPeer{LabelIdentities: []uint32{1}}, SourceRef: &cnp1, EnableLogging: false},
+				rule:          &rule{ID: "ingress-rule", Direction: v1beta2.DirectionIn, PolicyPriority: &policyPriority, TierPriority: &tierPriority, From: v1beta2.NetworkPolicyPeer{LabelIdentities: []uint32{1}}, SourceRef: &cnp1},
 				TargetMembers: appliedToGroup2,
 			},
 			[]types.Address{},
@@ -2305,7 +2305,8 @@ func (m policyRuleMatcher) Matches(x interface{}) bool {
 		!sliceEqual(a.To, b.To) ||
 		a.PolicyRef != b.PolicyRef ||
 		a.Direction != b.Direction ||
-		a.EnableLogging != b.EnableLogging {
+		a.EnableLogging != b.EnableLogging ||
+		a.LogSetting != b.LogSetting {
 		return false
 	}
 	return true
diff --git a/pkg/agent/flowexporter/connections/conntrack_connections_test.go b/pkg/agent/flowexporter/connections/conntrack_connections_test.go
index d5894376153..ffcdd2bd8d9 100644
--- a/pkg/agent/flowexporter/connections/conntrack_connections_test.go
+++ b/pkg/agent/flowexporter/connections/conntrack_connections_test.go
@@ -74,17 +74,16 @@ var (
 	}
 	action = secv1alpha1.RuleActionAllow
 	rule1  = agenttypes.PolicyRule{
-		Direction:     cpv1beta.DirectionIn,
-		From:          []agenttypes.Address{},
-		To:            []agenttypes.Address{},
-		Service:       []cpv1beta.Service{},
-		Action:        &action,
-		Priority:      nil,
-		Name:          "",
-		FlowID:        uint32(0),
-		TableID:       uint8(10),
-		PolicyRef:     &np1,
-		EnableLogging: false,
+		Direction: cpv1beta.DirectionIn,
+		From:      []agenttypes.Address{},
+		To:        []agenttypes.Address{},
+		Service:   []cpv1beta.Service{},
+		Action:    &action,
+		Priority:  nil,
+		Name:      "",
+		FlowID:    uint32(0),
+		TableID:   uint8(10),
+		PolicyRef: &np1,
 	}
 )
 
diff --git a/pkg/agent/openflow/client.go b/pkg/agent/openflow/client.go
index 03064d039b9..cf6902cc9bc 100644
--- a/pkg/agent/openflow/client.go
+++ b/pkg/agent/openflow/client.go
@@ -213,7 +213,7 @@ type Client interface {
 	InitialTLVMap() error
 
 	// Find Network Policy reference and OFpriority by conjunction ID.
-	GetPolicyInfoFromConjunction(ruleID uint32) (string, string, string)
+	GetPolicyInfoFromConjunction(ruleID uint32) (string, string, string, string)
 
 	// RegisterPacketInHandler uses SubscribePacketIn to get PacketIn message and process received
 	// packets through registered handlers.
diff --git a/pkg/agent/openflow/network_policy.go b/pkg/agent/openflow/network_policy.go
index dbd5bf33c84..899350d9a6f 100644
--- a/pkg/agent/openflow/network_policy.go
+++ b/pkg/agent/openflow/network_policy.go
@@ -667,9 +667,10 @@ type policyRuleConjunction struct {
 	metricFlows   []binding.Flow
 	// NetworkPolicy reference information for debugging usage, its value can be nil
 	// for conjunctions that are not built for a specific NetworkPolicy, e.g. DNS packetin Conjunction.
-	npRef       *v1beta2.NetworkPolicyReference
-	ruleName    string
-	ruleTableID uint8
+	npRef        *v1beta2.NetworkPolicyReference
+	ruleName     string
+	ruleTableID  uint8
+	ruleLogLabel string
 }
 
 // clause groups conjunctive match flows. Matches in a clause represent source addresses(for fromClause), or destination
@@ -1015,7 +1016,7 @@ func (c *clause) addAddrFlows(featureNetworkPolicy *featureNetworkPolicy, addrTy
 
 // addServiceFlows translates the specified Antrea Service to conjunctiveMatchFlow,
 // and returns corresponding conjMatchFlowContextChange.
-func (c *clause) addServiceFlows(featureNetworkPolicy *featureNetworkPolicy, services []v1beta2.Service, priority *uint16, matchSrc bool, enableLogging bool) []*conjMatchFlowContextChange {
+func (c *clause) addServiceFlows(featureNetworkPolicy *featureNetworkPolicy, services []v1beta2.Service, priority *uint16, matchSrc, enableLogging bool) []*conjMatchFlowContextChange {
 	var conjMatchFlowContextChanges []*conjMatchFlowContextChange
 	for _, service := range services {
 		matches := generateServiceConjMatches(c.ruleTable.GetID(), service, priority, featureNetworkPolicy.ipProtocols, matchSrc)
@@ -1177,6 +1178,9 @@ func (f *featureNetworkPolicy) calculateActionFlowChangesForRule(rule *types.Pol
 		npRef:    rule.PolicyRef,
 		ruleName: rule.Name,
 	}
+	if rule.LogSetting != nil {
+		conj.ruleLogLabel = rule.LogSetting.LogLabel
+	}
 	nClause, ruleTable, dropTable := conj.calculateClauses(rule)
 	conj.ruleTableID = rule.TableID
 	_, isEgress := f.egressTables[rule.TableID]
@@ -1191,15 +1195,15 @@ func (f *featureNetworkPolicy) calculateActionFlowChangesForRule(rule *types.Pol
 		var metricFlows []binding.Flow
 		if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionDrop {
 			metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
-			actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionDrop, rule.EnableLogging))
+			actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionDrop, rule.IsLogEnabled()))
 		} else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionReject {
 			metricFlows = append(metricFlows, f.denyRuleMetricFlow(ruleOfID, isIngress, rule.TableID))
-			actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionRej, rule.EnableLogging))
+			actionFlows = append(actionFlows, f.conjunctionActionDenyFlow(ruleOfID, ruleTable, rule.Priority, DispositionRej, rule.IsLogEnabled()))
 		} else if rule.IsAntreaNetworkPolicyRule() && *rule.Action == crdv1alpha1.RuleActionPass {
-			actionFlows = append(actionFlows, f.conjunctionActionPassFlow(ruleOfID, ruleTable, rule.Priority, rule.EnableLogging))
+			actionFlows = append(actionFlows, f.conjunctionActionPassFlow(ruleOfID, ruleTable, rule.Priority, rule.IsLogEnabled()))
 		} else {
 			metricFlows = append(metricFlows, f.allowRulesMetricFlows(ruleOfID, isIngress, rule.TableID)...)
-			actionFlows = append(actionFlows, f.conjunctionActionFlow(ruleOfID, ruleTable, dropTable.GetNext(), rule.Priority, rule.EnableLogging, rule.L7RuleVlanID)...)
+			actionFlows = append(actionFlows, f.conjunctionActionFlow(ruleOfID, ruleTable, dropTable.GetNext(), rule.Priority, rule.IsLogEnabled(), rule.L7RuleVlanID)...)
 		}
 		conj.actionFlows = actionFlows
 		conj.metricFlows = metricFlows
@@ -1222,20 +1226,20 @@ func (f *featureNetworkPolicy) addRuleToConjunctiveMatch(conj *policyRuleConjunc
 	if conj.fromClause != nil {
 		for _, addr := range rule.From {
 			match := generateAddressConjMatch(conj.fromClause.ruleTable.GetID(), addr, types.SrcAddress, rule.Priority)
-			f.addActionToConjunctiveMatch(conj.fromClause, match, rule.EnableLogging, isMCNPRule)
+			f.addActionToConjunctiveMatch(conj.fromClause, match, rule.IsLogEnabled(), isMCNPRule)
 		}
 	}
 	if conj.toClause != nil {
 		for _, addr := range rule.To {
 			match := generateAddressConjMatch(conj.toClause.ruleTable.GetID(), addr, types.DstAddress, rule.Priority)
-			f.addActionToConjunctiveMatch(conj.toClause, match, rule.EnableLogging, isMCNPRule)
+			f.addActionToConjunctiveMatch(conj.toClause, match, rule.IsLogEnabled(), isMCNPRule)
 		}
 	}
 	if conj.serviceClause != nil {
 		for _, eachService := range rule.Service {
 			matches := generateServiceConjMatches(conj.serviceClause.ruleTable.GetID(), eachService, rule.Priority, f.ipProtocols, false)
 			for _, match := range matches {
-				f.addActionToConjunctiveMatch(conj.serviceClause, match, rule.EnableLogging, isMCNPRule)
+				f.addActionToConjunctiveMatch(conj.serviceClause, match, rule.IsLogEnabled(), isMCNPRule)
 			}
 		}
 	}
@@ -1456,13 +1460,13 @@ func (c *policyRuleConjunction) calculateChangesForRuleCreation(featureNetworkPo
 	isMCNPRule := containsLabelIdentityAddress(rule.From)
 	var ctxChanges []*conjMatchFlowContextChange
 	if c.fromClause != nil {
-		ctxChanges = append(ctxChanges, c.fromClause.addAddrFlows(featureNetworkPolicy, types.SrcAddress, rule.From, rule.Priority, rule.EnableLogging, isMCNPRule)...)
+		ctxChanges = append(ctxChanges, c.fromClause.addAddrFlows(featureNetworkPolicy, types.SrcAddress, rule.From, rule.Priority, rule.IsLogEnabled(), isMCNPRule)...)
 	}
 	if c.toClause != nil {
-		ctxChanges = append(ctxChanges, c.toClause.addAddrFlows(featureNetworkPolicy, types.DstAddress, rule.To, rule.Priority, rule.EnableLogging, isMCNPRule)...)
+		ctxChanges = append(ctxChanges, c.toClause.addAddrFlows(featureNetworkPolicy, types.DstAddress, rule.To, rule.Priority, rule.IsLogEnabled(), isMCNPRule)...)
 	}
 	if c.serviceClause != nil {
-		ctxChanges = append(ctxChanges, c.serviceClause.addServiceFlows(featureNetworkPolicy, rule.Service, rule.Priority, false, rule.EnableLogging)...)
+		ctxChanges = append(ctxChanges, c.serviceClause.addServiceFlows(featureNetworkPolicy, rule.Service, rule.Priority, false, rule.IsLogEnabled())...)
 	}
 	return ctxChanges
 }
@@ -1532,16 +1536,16 @@ func (f *featureNetworkPolicy) getPolicyRuleConjunction(ruleID uint32) *policyRu
 	return conj.(*policyRuleConjunction)
 }
 
-func (c *client) GetPolicyInfoFromConjunction(ruleID uint32) (string, string, string) {
+func (c *client) GetPolicyInfoFromConjunction(ruleID uint32) (string, string, string, string) {
 	conjunction := c.featureNetworkPolicy.getPolicyRuleConjunction(ruleID)
 	if conjunction == nil {
-		return "", "", ""
+		return "", "", "", ""
 	}
 	priorities := conjunction.ActionFlowPriorities()
 	if len(priorities) == 0 {
-		return "", "", ""
+		return "", "", "", ""
 	}
-	return conjunction.npRef.ToString(), priorities[0], conjunction.ruleName
+	return conjunction.npRef.ToString(), priorities[0], conjunction.ruleName, conjunction.ruleLogLabel
 }
 
 // UninstallPolicyRuleFlows removes the Openflow entry relevant to the specified NetworkPolicy rule.
@@ -1793,6 +1797,7 @@ func (f *featureNetworkPolicy) updateConjunctionActionFlows(conj *policyRuleConj
 		npRef:         conj.npRef,
 		ruleName:      conj.ruleName,
 		ruleTableID:   conj.ruleTableID,
+		ruleLogLabel:  conj.ruleLogLabel,
 	}
 	return newConj
 }
diff --git a/pkg/agent/openflow/network_policy_test.go b/pkg/agent/openflow/network_policy_test.go
index 90384198019..2c620e3bee2 100644
--- a/pkg/agent/openflow/network_policy_test.go
+++ b/pkg/agent/openflow/network_policy_test.go
@@ -1345,50 +1345,48 @@ func TestClient_GetPolicyInfoFromConjunction(t *testing.T) {
 		ruleName: fmt.Sprint(ruleID1),
 	}
 	conj2 := &policyRuleConjunction{
-		id:          ruleID2,
-		actionFlows: []binding.Flow{EgressRuleTable.ofTable.BuildFlow(priority100).Done()},
-		npRef:       npRef,
-		ruleName:    fmt.Sprint(ruleID2),
+		id:           ruleID2,
+		actionFlows:  []binding.Flow{EgressRuleTable.ofTable.BuildFlow(priority100).Done()},
+		npRef:        npRef,
+		ruleName:     fmt.Sprint(ruleID2),
+		ruleLogLabel: "test-log-label",
 	}
 	c.featureNetworkPolicy.policyCache.Add(conj1)
 	c.featureNetworkPolicy.policyCache.Add(conj2)
 
 	tests := []struct {
-		name         string
-		ruleID       uint32
-		wantNpRef    string
-		wantPriority string
-		wantRuleName string
+		name             string
+		ruleID           uint32
+		wantNpRef        string
+		wantPriority     string
+		wantRuleName     string
+		wantRuleLogLabel string
 	}{
 		{
-			name:         "conjunction not found",
-			ruleID:       uint32(100),
-			wantNpRef:    "",
-			wantPriority: "",
-			wantRuleName: "",
+			name:   "conjunction not found",
+			ruleID: uint32(100),
 		},
 		{
-			name:         "conjunction empty priorities",
-			ruleID:       ruleID1,
-			wantNpRef:    "",
-			wantPriority: "",
-			wantRuleName: "",
+			name:   "conjunction empty priorities",
+			ruleID: ruleID1,
 		},
 		{
-			name:         "conjunction no error",
-			ruleID:       ruleID2,
-			wantNpRef:    "K8sNetworkPolicy:ns1/np1",
-			wantPriority: "100",
-			wantRuleName: fmt.Sprint(ruleID2),
+			name:             "conjunction no error",
+			ruleID:           ruleID2,
+			wantNpRef:        "K8sNetworkPolicy:ns1/np1",
+			wantPriority:     "100",
+			wantRuleName:     fmt.Sprint(ruleID2),
+			wantRuleLogLabel: "test-log-label",
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			gotNpRef, gotPriority, gotRuleName := c.GetPolicyInfoFromConjunction(tc.ruleID)
+			gotNpRef, gotPriority, gotRuleName, gotRuleLogLabel := c.GetPolicyInfoFromConjunction(tc.ruleID)
 			assert.Equal(t, tc.wantNpRef, gotNpRef)
 			assert.Equal(t, tc.wantPriority, gotPriority)
 			assert.Equal(t, tc.wantRuleName, gotRuleName)
+			assert.Equal(t, tc.wantRuleLogLabel, gotRuleLogLabel)
 		})
 	}
 }
diff --git a/pkg/agent/openflow/testing/mock_openflow.go b/pkg/agent/openflow/testing/mock_openflow.go
index 5209a6bb51e..29e446f947d 100644
--- a/pkg/agent/openflow/testing/mock_openflow.go
+++ b/pkg/agent/openflow/testing/mock_openflow.go
@@ -198,13 +198,14 @@ func (mr *MockClientMockRecorder) GetPodFlowKeys(arg0 interface{}) *gomock.Call
 }
 
 // GetPolicyInfoFromConjunction mocks base method
-func (m *MockClient) GetPolicyInfoFromConjunction(arg0 uint32) (string, string, string) {
+func (m *MockClient) GetPolicyInfoFromConjunction(arg0 uint32) (string, string, string, string) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetPolicyInfoFromConjunction", arg0)
 	ret0, _ := ret[0].(string)
 	ret1, _ := ret[1].(string)
 	ret2, _ := ret[2].(string)
-	return ret0, ret1, ret2
+	ret3, _ := ret[3].(string)
+	return ret0, ret1, ret2, ret3
 }
 
 // GetPolicyInfoFromConjunction indicates an expected call of GetPolicyInfoFromConjunction
diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go
index 66db9c09ff2..7420d63ea1d 100644
--- a/pkg/agent/types/networkpolicy.go
+++ b/pkg/agent/types/networkpolicy.go
@@ -89,6 +89,7 @@ type PolicyRule struct {
 	TableID       uint8
 	PolicyRef     *v1beta2.NetworkPolicyReference
 	EnableLogging bool
+	LogSetting    *v1beta2.RuleLogSetting
 }
 
 // IsAntreaNetworkPolicyRule returns if a PolicyRule is created for Antrea NetworkPolicy types.
@@ -96,6 +97,11 @@ func (r *PolicyRule) IsAntreaNetworkPolicyRule() bool {
 	return r.PolicyRef.Type != v1beta2.K8sNetworkPolicy
 }
 
+// IsLogEnabled aggregates whether log is enabled from EnableLogging and LogSetting.
+func (r *PolicyRule) IsLogEnabled() bool {
+	return r.EnableLogging || r.LogSetting != nil
+}
+
 // Priority is a struct that is composed of Antrea NetworkPolicy priority, rule priority and Tier priority.
 // It is used as the basic unit for priority sorting.
 type Priority struct {
diff --git a/pkg/apis/controlplane/types.go b/pkg/apis/controlplane/types.go
index 2ec299ed687..76cf720bcc2 100644
--- a/pkg/apis/controlplane/types.go
+++ b/pkg/apis/controlplane/types.go
@@ -260,6 +260,8 @@ type NetworkPolicyRule struct {
 	AppliedToGroups []string
 	// L7Protocols is a list of application layer protocols which should be matched.
 	L7Protocols []L7Protocol
+	// LogSetting specifies logging behaviors of the rules when matched.
+	LogSetting *RuleLogSetting
 }
 
 // Protocol defines network protocols supported for things like container ports.
@@ -351,6 +353,12 @@ type IPBlock struct {
 	Except []IPNet
 }
 
+// RuleLogSetting describes logging behaviors. Currently supports log labels.
+type RuleLogSetting struct {
+	// LogLabel is a keyword included in the NetworkPolicy logs if this rule is matched and has log enabled.
+	LogLabel string
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkPolicyList is a list of NetworkPolicy objects.
diff --git a/pkg/apis/controlplane/v1beta2/generated.pb.go b/pkg/apis/controlplane/v1beta2/generated.pb.go
index 222223ae3b8..f0a9f192e1b 100644
--- a/pkg/apis/controlplane/v1beta2/generated.pb.go
+++ b/pkg/apis/controlplane/v1beta2/generated.pb.go
@@ -1,4 +1,4 @@
-// Copyright 2022 Antrea Authors
+// Copyright 2023 Antrea Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -1027,10 +1027,38 @@ func (m *PodReference) XXX_DiscardUnknown() {
 
 var xxx_messageInfo_PodReference proto.InternalMessageInfo
 
+func (m *RuleLogSetting) Reset()      { *m = RuleLogSetting{} }
+func (*RuleLogSetting) ProtoMessage() {}
+func (*RuleLogSetting) Descriptor() ([]byte, []int) {
+	return fileDescriptor_fbaa7d016762fa1d, []int{35}
+}
+func (m *RuleLogSetting) XXX_Unmarshal(b []byte) error {
+	return m.Unmarshal(b)
+}
+func (m *RuleLogSetting) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	b = b[:cap(b)]
+	n, err := m.MarshalToSizedBuffer(b)
+	if err != nil {
+		return nil, err
+	}
+	return b[:n], nil
+}
+func (m *RuleLogSetting) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RuleLogSetting.Merge(m, src)
+}
+func (m *RuleLogSetting) XXX_Size() int {
+	return m.Size()
+}
+func (m *RuleLogSetting) XXX_DiscardUnknown() {
+	xxx_messageInfo_RuleLogSetting.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_RuleLogSetting proto.InternalMessageInfo
+
 func (m *Service) Reset()      { *m = Service{} }
 func (*Service) ProtoMessage() {}
 func (*Service) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{35}
+	return fileDescriptor_fbaa7d016762fa1d, []int{36}
 }
 func (m *Service) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1058,7 +1086,7 @@ var xxx_messageInfo_Service proto.InternalMessageInfo
 func (m *ServiceReference) Reset()      { *m = ServiceReference{} }
 func (*ServiceReference) ProtoMessage() {}
 func (*ServiceReference) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{36}
+	return fileDescriptor_fbaa7d016762fa1d, []int{37}
 }
 func (m *ServiceReference) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1086,7 +1114,7 @@ var xxx_messageInfo_ServiceReference proto.InternalMessageInfo
 func (m *SupportBundleCollection) Reset()      { *m = SupportBundleCollection{} }
 func (*SupportBundleCollection) ProtoMessage() {}
 func (*SupportBundleCollection) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{37}
+	return fileDescriptor_fbaa7d016762fa1d, []int{38}
 }
 func (m *SupportBundleCollection) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1114,7 +1142,7 @@ var xxx_messageInfo_SupportBundleCollection proto.InternalMessageInfo
 func (m *SupportBundleCollectionList) Reset()      { *m = SupportBundleCollectionList{} }
 func (*SupportBundleCollectionList) ProtoMessage() {}
 func (*SupportBundleCollectionList) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{38}
+	return fileDescriptor_fbaa7d016762fa1d, []int{39}
 }
 func (m *SupportBundleCollectionList) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1142,7 +1170,7 @@ var xxx_messageInfo_SupportBundleCollectionList proto.InternalMessageInfo
 func (m *SupportBundleCollectionNodeStatus) Reset()      { *m = SupportBundleCollectionNodeStatus{} }
 func (*SupportBundleCollectionNodeStatus) ProtoMessage() {}
 func (*SupportBundleCollectionNodeStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{39}
+	return fileDescriptor_fbaa7d016762fa1d, []int{40}
 }
 func (m *SupportBundleCollectionNodeStatus) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1170,7 +1198,7 @@ var xxx_messageInfo_SupportBundleCollectionNodeStatus proto.InternalMessageInfo
 func (m *SupportBundleCollectionStatus) Reset()      { *m = SupportBundleCollectionStatus{} }
 func (*SupportBundleCollectionStatus) ProtoMessage() {}
 func (*SupportBundleCollectionStatus) Descriptor() ([]byte, []int) {
-	return fileDescriptor_fbaa7d016762fa1d, []int{40}
+	return fileDescriptor_fbaa7d016762fa1d, []int{41}
 }
 func (m *SupportBundleCollectionStatus) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@@ -1231,6 +1259,7 @@ func init() {
 	proto.RegisterType((*NodeStatsSummary)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.NodeStatsSummary")
 	proto.RegisterType((*PaginationGetOptions)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PaginationGetOptions")
 	proto.RegisterType((*PodReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.PodReference")
+	proto.RegisterType((*RuleLogSetting)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.RuleLogSetting")
 	proto.RegisterType((*Service)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.Service")
 	proto.RegisterType((*ServiceReference)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.ServiceReference")
 	proto.RegisterType((*SupportBundleCollection)(nil), "antrea_io.antrea.pkg.apis.controlplane.v1beta2.SupportBundleCollection")
@@ -1244,179 +1273,182 @@ func init() {
 }
 
 var fileDescriptor_fbaa7d016762fa1d = []byte{
-	// 2737 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0x4b, 0x6f, 0x24, 0x47,
-	0x79, 0x7b, 0x1e, 0xb6, 0xe7, 0xf3, 0x63, 0xbd, 0xe5, 0x24, 0x6b, 0x92, 0xac, 0xbd, 0xe9, 0x40,
-	0xb4, 0xa0, 0x30, 0x13, 0x9b, 0x24, 0xbb, 0xe4, 0x05, 0x1e, 0xaf, 0xd7, 0x19, 0x62, 0x3b, 0x93,
-	0xb2, 0xa3, 0x48, 0x09, 0x09, 0x69, 0x77, 0xd7, 0xcc, 0x14, 0xdb, 0xd3, 0xd5, 0xa9, 0xae, 0x71,
-	0xd6, 0x39, 0xa0, 0x20, 0xe0, 0x10, 0x5e, 0x41, 0x08, 0x09, 0x71, 0xe3, 0xc6, 0x85, 0x5f, 0x90,
-	0x1b, 0xb7, 0x1c, 0x83, 0x10, 0x22, 0x27, 0x8b, 0x35, 0x22, 0x28, 0x07, 0x38, 0x70, 0x63, 0xb9,
-	0xa0, 0xaa, 0xae, 0x7e, 0x8e, 0x67, 0xbd, 0x63, 0x7b, 0x8d, 0x04, 0x39, 0xcd, 0xf4, 0xf7, 0xae,
-	0xaa, 0xef, 0xab, 0xef, 0xd1, 0x0d, 0xcf, 0x59, 0x9e, 0xe0, 0xc4, 0xaa, 0x52, 0x56, 0x0b, 0xff,
-	0xd5, 0xfc, 0xeb, 0xed, 0x9a, 0xe5, 0xd3, 0xa0, 0x66, 0x33, 0x4f, 0x70, 0xe6, 0xfa, 0xae, 0xe5,
-	0x91, 0xda, 0xce, 0xc2, 0x36, 0x11, 0xd6, 0x62, 0xad, 0x4d, 0x3c, 0xc2, 0x2d, 0x41, 0x9c, 0xaa,
-	0xcf, 0x99, 0x60, 0xa8, 0x1a, 0x72, 0x7d, 0x8b, 0x32, 0xfd, 0xaf, 0xea, 0x5f, 0x6f, 0x57, 0x25,
-	0x7f, 0x35, 0xcd, 0x5f, 0xd5, 0xfc, 0xf7, 0x5f, 0x19, 0xac, 0x2f, 0x10, 0x96, 0x08, 0x6a, 0x3b,
-	0x0b, 0x96, 0xeb, 0x77, 0xac, 0x85, 0xbc, 0xa6, 0xfb, 0xbf, 0xdc, 0xa6, 0xa2, 0xd3, 0xdb, 0xae,
-	0xda, 0xac, 0x5b, 0x6b, 0xb3, 0x36, 0xab, 0x29, 0xf0, 0x76, 0xaf, 0xa5, 0x9e, 0xd4, 0x83, 0xfa,
-	0xa7, 0xc9, 0x1f, 0xbf, 0x7e, 0x25, 0x50, 0x5a, 0x7c, 0xda, 0xb5, 0xec, 0x0e, 0xf5, 0x08, 0xdf,
-	0x4d, 0x74, 0x75, 0x89, 0xb0, 0x6a, 0x3b, 0xfd, 0x4a, 0x6a, 0x83, 0xb8, 0x78, 0xcf, 0x13, 0xb4,
-	0x4b, 0xfa, 0x18, 0x9e, 0x3c, 0x8c, 0x21, 0xb0, 0x3b, 0xa4, 0x6b, 0xf5, 0xf1, 0x7d, 0x65, 0x10,
-	0x5f, 0x4f, 0x50, 0xb7, 0x46, 0x3d, 0x11, 0x08, 0x9e, 0x67, 0x32, 0xff, 0x66, 0xc0, 0xc4, 0x92,
-	0xe3, 0x70, 0x12, 0x04, 0xab, 0x9c, 0xf5, 0x7c, 0xf4, 0x26, 0x8c, 0xc9, 0x95, 0x38, 0x96, 0xb0,
-	0x66, 0x8d, 0x8b, 0xc6, 0xa5, 0xf1, 0xc5, 0xc7, 0xaa, 0xa1, 0xe0, 0x6a, 0x5a, 0x70, 0x72, 0x26,
-	0x92, 0xba, 0xba, 0xb3, 0x50, 0x7d, 0x71, 0xfb, 0xdb, 0xc4, 0x16, 0xeb, 0x44, 0x58, 0x75, 0xf4,
-	0xe1, 0xde, 0xfc, 0x99, 0xfd, 0xbd, 0x79, 0x48, 0x60, 0x38, 0x96, 0x8a, 0x7a, 0x30, 0xd1, 0x96,
-	0xaa, 0xd6, 0x49, 0x77, 0x9b, 0xf0, 0x60, 0xb6, 0x70, 0xb1, 0x78, 0x69, 0x7c, 0xf1, 0xe9, 0x21,
-	0x8f, 0xbd, 0xba, 0x9a, 0xc8, 0xa8, 0xdf, 0xa3, 0x15, 0x4e, 0xa4, 0x80, 0x01, 0xce, 0xa8, 0x31,
-	0xff, 0x60, 0xc0, 0x74, 0x7a, 0xa5, 0x6b, 0x34, 0x10, 0xe8, 0x9b, 0x7d, 0xab, 0xad, 0xde, 0xd9,
-	0x6a, 0x25, 0xb7, 0x5a, 0xeb, 0xb4, 0x56, 0x3d, 0x16, 0x41, 0x52, 0x2b, 0xb5, 0xa0, 0x4c, 0x05,
-	0xe9, 0x46, 0x4b, 0x7c, 0x66, 0xd8, 0x25, 0xa6, 0xcd, 0xad, 0x4f, 0x6a, 0x45, 0xe5, 0x86, 0x14,
-	0x89, 0x43, 0xc9, 0xe6, 0x7b, 0x45, 0x38, 0x97, 0x26, 0x6b, 0x5a, 0xc2, 0xee, 0x9c, 0xc2, 0x21,
-	0x7e, 0xdf, 0x80, 0x73, 0x96, 0xe3, 0x10, 0x67, 0xf5, 0x84, 0x8f, 0xf2, 0x73, 0x5a, 0xad, 0x5c,
-	0x55, 0x56, 0x3a, 0xee, 0x57, 0x88, 0x7e, 0x68, 0xc0, 0x0c, 0x27, 0x5d, 0xb6, 0x93, 0x33, 0xa4,
-	0x78, 0x7c, 0x43, 0x1e, 0xd0, 0x86, 0xcc, 0xe0, 0x7e, 0xf9, 0xf8, 0x20, 0xa5, 0xe6, 0xa7, 0x06,
-	0x4c, 0x2d, 0xf9, 0xbe, 0x4b, 0x89, 0xb3, 0xc5, 0xfe, 0xc7, 0xa3, 0xe9, 0x4f, 0x06, 0xa0, 0xec,
-	0x5a, 0x4f, 0x21, 0x9e, 0xec, 0x6c, 0x3c, 0x3d, 0x37, 0x74, 0x3c, 0x65, 0x0c, 0x1e, 0x10, 0x51,
-	0x3f, 0x2a, 0xc2, 0x4c, 0x96, 0xf0, 0xb3, 0x98, 0xfa, 0xef, 0xc5, 0xd4, 0x5b, 0x30, 0x53, 0xb7,
-	0x02, 0x6a, 0x2f, 0xf5, 0x44, 0x87, 0x78, 0x82, 0xda, 0x96, 0xa0, 0xcc, 0x43, 0x8f, 0xc2, 0x58,
-	0x2f, 0x20, 0xdc, 0xb3, 0xba, 0x44, 0x1d, 0x46, 0x25, 0xf1, 0x9b, 0x97, 0x35, 0x1c, 0xc7, 0x14,
-	0x92, 0xda, 0xb7, 0x82, 0xe0, 0x6d, 0xc6, 0x9d, 0xd9, 0x42, 0x96, 0xba, 0xa9, 0xe1, 0x38, 0xa6,
-	0x30, 0x17, 0x60, 0xba, 0xde, 0xf3, 0x1c, 0x97, 0x5c, 0xa3, 0x2e, 0xd9, 0x24, 0x7c, 0x87, 0x70,
-	0x74, 0x01, 0x8a, 0x3d, 0xee, 0x6a, 0x55, 0xe3, 0x9a, 0xb9, 0xf8, 0x32, 0x5e, 0xc3, 0x12, 0x6e,
-	0xbe, 0x5f, 0x80, 0x0b, 0x21, 0x4f, 0x48, 0x2f, 0xad, 0x5d, 0x66, 0x5e, 0x8b, 0xb6, 0x7b, 0x3c,
-	0x34, 0xf8, 0x09, 0x18, 0xdf, 0x26, 0x16, 0x27, 0x7c, 0x8b, 0x5d, 0x27, 0x9e, 0x16, 0x34, 0xa3,
-	0x05, 0x8d, 0xd7, 0x13, 0x14, 0x4e, 0xd3, 0xa1, 0x47, 0x60, 0xc4, 0xf2, 0xe9, 0x0b, 0x64, 0x57,
-	0xdb, 0x3d, 0xa5, 0x39, 0x46, 0x96, 0x9a, 0x8d, 0x17, 0xc8, 0x2e, 0xd6, 0x58, 0xf4, 0x53, 0x03,
-	0x66, 0xb6, 0xfb, 0xf7, 0x69, 0xb6, 0xa8, 0x1c, 0x75, 0x79, 0xd8, 0x33, 0x3b, 0x60, 0xcb, 0xeb,
-	0xe7, 0xe5, 0xb9, 0x1d, 0x80, 0xc0, 0x07, 0x29, 0x36, 0x7f, 0x5d, 0x82, 0x99, 0x65, 0xb7, 0x17,
-	0x08, 0xc2, 0x33, 0xce, 0x75, 0xf7, 0xa3, 0xe8, 0xbb, 0x06, 0x4c, 0x93, 0x56, 0x8b, 0xd8, 0x82,
-	0xee, 0x90, 0x13, 0x0c, 0xa2, 0x59, 0xad, 0x75, 0x7a, 0x25, 0x27, 0x1c, 0xf7, 0xa9, 0x43, 0xdf,
-	0x81, 0x73, 0x31, 0xac, 0xd1, 0xac, 0xbb, 0xcc, 0xbe, 0x1e, 0xc5, 0xcf, 0x13, 0xc3, 0xda, 0xd0,
-	0x68, 0x6e, 0x10, 0x91, 0x84, 0xf0, 0x4a, 0x5e, 0x2e, 0xee, 0x57, 0x85, 0xae, 0xc0, 0x84, 0x60,
-	0xc2, 0x72, 0xa3, 0xe5, 0x97, 0x2e, 0x1a, 0x97, 0x8a, 0xc9, 0xbd, 0xbe, 0x95, 0xc2, 0xe1, 0x0c,
-	0x25, 0x5a, 0x04, 0x50, 0xcf, 0x4d, 0xab, 0x4d, 0x82, 0xd9, 0xb2, 0xe2, 0x8b, 0xf7, 0x7b, 0x2b,
-	0xc6, 0xe0, 0x14, 0x95, 0xf4, 0x6d, 0xbb, 0xc7, 0x39, 0xf1, 0x84, 0x7c, 0x9e, 0x1d, 0x51, 0x4c,
-	0xb1, 0x6f, 0x2f, 0x27, 0x28, 0x9c, 0xa6, 0x33, 0x3f, 0x31, 0x60, 0x7c, 0xa5, 0xfd, 0x7f, 0x50,
-	0x79, 0xfe, 0xde, 0x80, 0xb3, 0xa9, 0x85, 0x9e, 0x42, 0xa2, 0x7c, 0x33, 0x9b, 0x28, 0x87, 0x5e,
-	0x61, 0xca, 0xda, 0x01, 0x59, 0xf2, 0xc7, 0x45, 0x98, 0x4e, 0x51, 0x85, 0x29, 0xd2, 0x01, 0x60,
-	0xf1, 0xbe, 0x9f, 0xe8, 0x19, 0xa6, 0xe4, 0x7e, 0x96, 0x26, 0x0f, 0x48, 0x93, 0x2e, 0x9c, 0x5f,
-	0xb9, 0x21, 0x64, 0xba, 0x73, 0x57, 0x3c, 0x41, 0xc5, 0x2e, 0x26, 0x2d, 0xc2, 0x89, 0x67, 0x13,
-	0x74, 0x11, 0x4a, 0xa9, 0x34, 0x39, 0xa1, 0x45, 0x97, 0x36, 0x64, 0x8a, 0x54, 0x18, 0x54, 0x83,
-	0x8a, 0xfc, 0x0d, 0x7c, 0xcb, 0x26, 0x3a, 0xcf, 0x9c, 0xd3, 0x64, 0x95, 0x8d, 0x08, 0x81, 0x13,
-	0x1a, 0xf3, 0xdf, 0x06, 0x4c, 0x2b, 0xf5, 0x4b, 0x41, 0xc0, 0x6c, 0x1a, 0x66, 0xb8, 0x53, 0xa9,
-	0x8f, 0xa6, 0x2d, 0xad, 0x51, 0xaf, 0xff, 0xc8, 0xa5, 0xa0, 0xe2, 0x8e, 0x37, 0x29, 0xb9, 0xdc,
-	0x97, 0x72, 0xf2, 0x71, 0x9f, 0x46, 0xf3, 0x83, 0x12, 0x8c, 0xa7, 0x36, 0x1f, 0xbd, 0x02, 0x45,
-	0x9f, 0x39, 0x7a, 0xcd, 0x43, 0xf7, 0x78, 0x4d, 0xe6, 0x24, 0x66, 0x8c, 0xca, 0xaa, 0x42, 0x42,
-	0xa4, 0x44, 0xf4, 0x3d, 0x03, 0xa6, 0x48, 0xe6, 0x54, 0xd5, 0xe9, 0x8c, 0x2f, 0xae, 0x0e, 0x1d,
-	0xcf, 0x07, 0xfb, 0x46, 0x1d, 0xed, 0xef, 0xcd, 0x4f, 0xe5, 0x90, 0x39, 0x95, 0xe8, 0x11, 0x28,
-	0x52, 0x3f, 0x74, 0xeb, 0x89, 0xfa, 0x3d, 0xd2, 0xc0, 0x46, 0x33, 0xb8, 0xb5, 0x37, 0x5f, 0x69,
-	0x34, 0x75, 0xe3, 0x89, 0x25, 0x01, 0x7a, 0x03, 0xca, 0x3e, 0xe3, 0x42, 0x26, 0x1b, 0x79, 0x22,
-	0x5f, 0x1d, 0xd6, 0x46, 0xe9, 0x69, 0x4e, 0x93, 0x71, 0x91, 0xdc, 0x38, 0xf2, 0x29, 0xc0, 0xa1,
-	0x58, 0xf4, 0x1a, 0x94, 0x3c, 0xe6, 0x10, 0x95, 0x93, 0xc6, 0x17, 0x9f, 0x1d, 0x5a, 0x3c, 0x73,
-	0x48, 0xb2, 0xf0, 0x31, 0x15, 0x02, 0x12, 0xa4, 0x84, 0xa2, 0x36, 0x8c, 0x06, 0x84, 0xef, 0x50,
-	0x3b, 0x4c, 0x5f, 0xe3, 0x8b, 0x5f, 0x1f, 0x56, 0xfe, 0x66, 0xc8, 0x9e, 0xa8, 0x18, 0xdf, 0xdf,
-	0x9b, 0x1f, 0x8d, 0xa0, 0x91, 0x74, 0xf3, 0x37, 0x06, 0x4c, 0x65, 0x7d, 0x2f, 0x1b, 0x7e, 0xc6,
-	0xe1, 0xe1, 0x17, 0x47, 0x74, 0x61, 0x60, 0x44, 0xd7, 0xa1, 0xd8, 0xa3, 0x8e, 0xaa, 0xfe, 0x2a,
-	0xf5, 0xc7, 0xe2, 0x72, 0xb5, 0x71, 0xf5, 0xd6, 0xde, 0xfc, 0x43, 0x83, 0xc6, 0x44, 0x62, 0xd7,
-	0x27, 0x41, 0xf5, 0xe5, 0xc6, 0x55, 0x2c, 0x99, 0xcd, 0x77, 0x60, 0xe2, 0xf9, 0xad, 0xad, 0x66,
-	0x93, 0x33, 0xc1, 0x6c, 0xe6, 0x4a, 0xad, 0x1d, 0x16, 0x88, 0xfc, 0x3d, 0xf2, 0x3c, 0x0b, 0x04,
-	0x56, 0x18, 0x59, 0xac, 0x76, 0x89, 0xe8, 0x30, 0x27, 0x5f, 0xac, 0xae, 0x2b, 0x28, 0xd6, 0x58,
-	0x29, 0xc9, 0xb7, 0x44, 0x47, 0x9b, 0x17, 0x4b, 0x6a, 0x5a, 0xa2, 0x83, 0x15, 0xc6, 0xfc, 0x9d,
-	0x01, 0xa3, 0xba, 0x98, 0x41, 0xaf, 0x40, 0xc9, 0xa6, 0x0e, 0xd7, 0xf1, 0x75, 0xc4, 0xf2, 0x29,
-	0x56, 0xb2, 0xdc, 0xb8, 0x8a, 0xb1, 0x12, 0x88, 0x5e, 0x87, 0x11, 0x72, 0xc3, 0x26, 0xbe, 0xd0,
-	0x77, 0xc8, 0x11, 0x45, 0xc7, 0xab, 0x5c, 0x51, 0xc2, 0xb0, 0x16, 0x6a, 0xb6, 0xa0, 0xac, 0x08,
-	0xd0, 0xc3, 0x50, 0xa0, 0xbe, 0x32, 0x7f, 0xa2, 0x3e, 0xb3, 0xbf, 0x37, 0x5f, 0x68, 0x34, 0xb3,
-	0xe1, 0x53, 0xa0, 0xbe, 0xac, 0xd8, 0x7c, 0x4e, 0x5a, 0xf4, 0xc6, 0x1a, 0xf1, 0xda, 0xa2, 0xa3,
-	0x76, 0xb0, 0x9c, 0x54, 0x17, 0xcd, 0x14, 0x0e, 0x67, 0x28, 0xcd, 0x0e, 0xc0, 0xda, 0xe5, 0xf8,
-	0x94, 0x5e, 0x85, 0x52, 0x47, 0x08, 0xff, 0xa8, 0xb7, 0x51, 0xfa, 0xc4, 0xc3, 0x20, 0x91, 0x10,
-	0xac, 0x64, 0x9a, 0xbf, 0x32, 0x00, 0xad, 0xf7, 0x5c, 0x59, 0xe3, 0x07, 0x42, 0x39, 0x71, 0xc3,
-	0x6b, 0x31, 0xf4, 0x30, 0x94, 0x55, 0xb9, 0xa3, 0x3d, 0x23, 0x8e, 0xde, 0xd0, 0xcd, 0x43, 0x1c,
-	0x7a, 0x03, 0x4a, 0x3e, 0x73, 0x8e, 0x3c, 0x09, 0xcb, 0xdc, 0x92, 0x89, 0xc7, 0x30, 0x27, 0xc0,
-	0x4a, 0xae, 0xf9, 0x9e, 0x01, 0x95, 0xf8, 0x06, 0x51, 0x1e, 0xc6, 0x78, 0xe8, 0xab, 0xe5, 0x34,
-	0x3d, 0x17, 0x58, 0x61, 0xee, 0x20, 0x86, 0xae, 0xc0, 0x98, 0xaf, 0x77, 0x42, 0x7b, 0xea, 0x83,
-	0x71, 0xd3, 0xa8, 0xe1, 0xb7, 0x52, 0xff, 0x71, 0x4c, 0x6d, 0xfe, 0xbd, 0x08, 0x93, 0x1b, 0x44,
-	0xbc, 0xcd, 0xf8, 0xf5, 0x26, 0x73, 0xa9, 0xbd, 0x7b, 0x0a, 0xb9, 0xb1, 0x05, 0x65, 0xde, 0x73,
-	0x49, 0xb4, 0xc1, 0x4b, 0x43, 0x5f, 0x8f, 0x69, 0x7b, 0x71, 0xcf, 0x25, 0xc9, 0x39, 0xca, 0xa7,
-	0x00, 0x87, 0xe2, 0xd1, 0xb3, 0x70, 0xd6, 0xca, 0x0c, 0x47, 0xc2, 0xcc, 0x50, 0x51, 0x9e, 0x7d,
-	0x36, 0x3b, 0x37, 0x09, 0x70, 0x9e, 0x16, 0x5d, 0x92, 0x9b, 0x4a, 0x19, 0x97, 0xb9, 0x4c, 0x36,
-	0x25, 0x46, 0x7d, 0x22, 0xdc, 0xd0, 0x10, 0x86, 0x63, 0x2c, 0x7a, 0x1c, 0x26, 0x04, 0x25, 0x3c,
-	0xc2, 0xa8, 0x6b, 0xbf, 0x5c, 0x9f, 0x56, 0xed, 0x4b, 0x0a, 0x8e, 0x33, 0x54, 0x28, 0x80, 0x4a,
-	0xc0, 0x7a, 0x5c, 0xdd, 0xc3, 0xfa, 0x26, 0xbf, 0x76, 0xbc, 0xad, 0x88, 0xbd, 0x6e, 0x52, 0xde,
-	0xc7, 0x9b, 0x91, 0x70, 0x9c, 0xe8, 0x31, 0xff, 0x68, 0xc0, 0xb9, 0x0c, 0xd3, 0x29, 0x54, 0xf8,
-	0xdb, 0xd9, 0x0a, 0xff, 0xd9, 0x63, 0x2d, 0x72, 0x40, 0x8d, 0xff, 0x4f, 0x03, 0xce, 0x67, 0xe8,
-	0x64, 0xc2, 0xdc, 0x14, 0x96, 0xe8, 0x05, 0xe8, 0x51, 0x18, 0x93, 0x89, 0x73, 0xe3, 0x80, 0x01,
-	0xcc, 0x86, 0x86, 0xe3, 0x98, 0x42, 0x76, 0x95, 0xfa, 0xc5, 0x03, 0x65, 0x9e, 0x8a, 0xb9, 0x54,
-	0x57, 0xb9, 0x1a, 0x63, 0x70, 0x8a, 0x0a, 0x7d, 0x03, 0x10, 0x27, 0x96, 0x4b, 0xdf, 0x51, 0x8f,
-	0xd7, 0x2c, 0xea, 0xf6, 0x38, 0x51, 0x91, 0x38, 0x56, 0xbf, 0x5f, 0xf3, 0x22, 0xdc, 0x47, 0x81,
-	0x0f, 0xe0, 0x42, 0x5f, 0x84, 0xd1, 0x2e, 0x09, 0x02, 0xd9, 0x9d, 0x96, 0x94, 0xb1, 0x67, 0xb5,
-	0x80, 0xd1, 0xf5, 0x10, 0x8c, 0x23, 0xbc, 0x1a, 0xa8, 0x67, 0x16, 0xdd, 0x24, 0x84, 0xa3, 0xcb,
-	0x30, 0x69, 0xa5, 0xa6, 0xec, 0xc1, 0xac, 0xa1, 0x9c, 0xfe, 0xdc, 0xfe, 0xde, 0xfc, 0x64, 0x7a,
-	0xfc, 0x1e, 0xe0, 0x2c, 0x1d, 0x22, 0x30, 0x46, 0x7d, 0x3d, 0x00, 0x08, 0x8f, 0xea, 0xf2, 0xf0,
-	0x69, 0x46, 0xf1, 0x27, 0x1b, 0x1c, 0x77, 0xfe, 0xb1, 0x68, 0x34, 0x0f, 0xe5, 0xd6, 0x5b, 0x8e,
-	0x17, 0x05, 0x63, 0x45, 0x9e, 0xe5, 0xb5, 0x97, 0xae, 0x6e, 0x04, 0x38, 0x84, 0x23, 0x21, 0xfb,
-	0x7a, 0x5d, 0x8d, 0x44, 0x25, 0xda, 0xf1, 0x6b, 0x9c, 0xd4, 0x64, 0x20, 0x92, 0x8d, 0x53, 0x7a,
-	0xe4, 0x6d, 0xe1, 0x5a, 0xdb, 0xc4, 0x6d, 0x38, 0x44, 0x16, 0x93, 0x54, 0x8d, 0x14, 0x8a, 0x97,
-	0x26, 0xc3, 0xdb, 0x62, 0x2d, 0x8b, 0xc2, 0x79, 0x5a, 0xf3, 0x13, 0x03, 0xee, 0x3b, 0x38, 0x1a,
-	0xd1, 0x13, 0x50, 0x92, 0xf5, 0x8a, 0xf6, 0xbd, 0x87, 0xa2, 0xfb, 0x7b, 0x6b, 0xd7, 0x27, 0xb7,
-	0xf6, 0xe6, 0xb3, 0x27, 0x28, 0x81, 0x58, 0x91, 0x0f, 0xdd, 0xea, 0xc4, 0x79, 0xa2, 0x78, 0x58,
-	0xad, 0x55, 0x3a, 0x4e, 0xad, 0xf5, 0x8b, 0x91, 0x9c, 0xd3, 0xc9, 0x3b, 0x17, 0x3d, 0x03, 0x15,
-	0x87, 0x72, 0x62, 0xab, 0xa0, 0x09, 0x17, 0x3a, 0x17, 0x19, 0x7b, 0x35, 0x42, 0xdc, 0x4a, 0x3f,
-	0xe0, 0x84, 0x01, 0xd9, 0x50, 0x6a, 0x71, 0xd6, 0xd5, 0x2d, 0xc3, 0xf1, 0x12, 0x82, 0x8c, 0x81,
-	0x64, 0xf1, 0xd7, 0x38, 0xeb, 0x62, 0x25, 0x1c, 0xbd, 0x0e, 0x05, 0xc1, 0xf4, 0x94, 0xf1, 0x04,
-	0x54, 0x80, 0x56, 0x51, 0xd8, 0x62, 0xb8, 0x20, 0x98, 0x8c, 0x9e, 0x20, 0xeb, 0xb3, 0x97, 0x8f,
-	0xe8, 0xb3, 0x49, 0xf4, 0xc4, 0x8e, 0x1a, 0x8b, 0x56, 0xf3, 0xe1, 0x5c, 0x9e, 0x49, 0x52, 0x7d,
-	0x5f, 0x66, 0x7a, 0x05, 0x46, 0xac, 0xf0, 0x4c, 0x46, 0xd4, 0x99, 0x7c, 0x4d, 0xcd, 0x63, 0xa3,
-	0xc3, 0x58, 0xb8, 0xcd, 0xdb, 0x6f, 0xee, 0xc4, 0xef, 0xa2, 0xab, 0xf2, 0x84, 0x43, 0x26, 0xac,
-	0xc5, 0xa1, 0xa7, 0x61, 0x92, 0x78, 0xd6, 0xb6, 0x4b, 0xd6, 0x58, 0xbb, 0x4d, 0xbd, 0xf6, 0xec,
-	0xa8, 0xba, 0xec, 0xee, 0xd5, 0xb6, 0x4c, 0xae, 0xa4, 0x91, 0x38, 0x4b, 0x7b, 0x50, 0x62, 0x1e,
-	0x1b, 0x22, 0x31, 0x47, 0x7e, 0x5e, 0x19, 0xe8, 0xe7, 0x6f, 0xc1, 0xb8, 0x1b, 0xd7, 0x99, 0xc1,
-	0x2c, 0xa8, 0xe3, 0x78, 0x6a, 0xd8, 0xe3, 0x48, 0x4a, 0xd5, 0x64, 0x42, 0x98, 0xc0, 0x02, 0x9c,
-	0xd6, 0x61, 0xbe, 0x5f, 0x04, 0x94, 0x71, 0x12, 0x99, 0x7c, 0x02, 0xd9, 0x17, 0x4f, 0x7a, 0x69,
-	0xb0, 0xce, 0xaf, 0x27, 0x95, 0xe9, 0xe3, 0x0d, 0xcf, 0xe2, 0xb3, 0x3a, 0x91, 0x0f, 0x13, 0x82,
-	0x5b, 0xad, 0x16, 0xb5, 0x95, 0x55, 0x3a, 0xce, 0x9e, 0xbc, 0x8d, 0x0d, 0xea, 0x6b, 0x84, 0x6a,
-	0xec, 0x01, 0x5b, 0x29, 0xee, 0xd4, 0x6c, 0x36, 0x05, 0xc5, 0x19, 0x0d, 0xe8, 0x5d, 0x03, 0xa6,
-	0x65, 0x15, 0x96, 0x26, 0xd1, 0xe3, 0xa6, 0xa7, 0xee, 0x5c, 0x2d, 0xce, 0x49, 0x48, 0x66, 0x1f,
-	0x79, 0x0c, 0xee, 0xd3, 0x66, 0xfe, 0xd5, 0x80, 0x99, 0xbe, 0x13, 0xe9, 0x9d, 0xc6, 0x58, 0xdf,
-	0x85, 0xb2, 0x2c, 0x27, 0xa2, 0x2c, 0xba, 0x7a, 0xac, 0xb3, 0x4e, 0x0a, 0x99, 0xa4, 0xf4, 0x91,
-	0xb0, 0x00, 0x87, 0x4a, 0xcc, 0x05, 0x98, 0xcc, 0x0c, 0x0c, 0x0e, 0x9f, 0xa2, 0x99, 0x1f, 0x94,
-	0x61, 0x3a, 0x92, 0x1b, 0x6c, 0xf6, 0xba, 0x5d, 0x8b, 0x9f, 0x46, 0xe1, 0xff, 0x03, 0x03, 0xce,
-	0xa6, 0x1d, 0x93, 0xc6, 0x5b, 0x54, 0x3f, 0xd6, 0x16, 0x85, 0xbe, 0x71, 0x5e, 0xeb, 0x3e, 0xbb,
-	0x91, 0x55, 0x81, 0xf3, 0x3a, 0xd1, 0x6f, 0x0d, 0x78, 0x30, 0xd4, 0xa2, 0x5f, 0xfb, 0xe4, 0x38,
-	0xb4, 0xa3, 0x9e, 0x84, 0x51, 0x9f, 0xd7, 0x46, 0x3d, 0xb8, 0x74, 0x1b, 0x7d, 0xf8, 0xb6, 0xd6,
-	0xa0, 0x5f, 0x1a, 0x70, 0x6f, 0x48, 0x90, 0xb7, 0xb3, 0x74, 0x62, 0x76, 0x5e, 0xd0, 0x76, 0xde,
-	0xbb, 0x74, 0x90, 0x22, 0x7c, 0xb0, 0x7e, 0xd9, 0xc2, 0x74, 0xa3, 0x26, 0x5b, 0x55, 0x4b, 0x47,
-	0x30, 0xa6, 0xbf, 0x4b, 0x4f, 0xca, 0x9c, 0x18, 0x87, 0x13, 0x3d, 0xe6, 0xeb, 0x70, 0x4f, 0xd3,
-	0x6a, 0x53, 0x4f, 0x55, 0xcd, 0xab, 0x44, 0xbc, 0xe8, 0xcb, 0x3f, 0x41, 0x38, 0xaa, 0x69, 0x87,
-	0x6e, 0x5f, 0x4c, 0x8f, 0x6a, 0xda, 0x04, 0x2b, 0x8c, 0xec, 0xfe, 0x5d, 0xda, 0xa5, 0x42, 0x57,
-	0xf5, 0x71, 0x38, 0xad, 0x49, 0x20, 0x0e, 0x71, 0xa6, 0x05, 0x13, 0xe9, 0x0e, 0xfe, 0x6e, 0xcc,
-	0xa4, 0xff, 0x51, 0x80, 0x68, 0xda, 0x86, 0x1e, 0x4f, 0xb5, 0xee, 0xa1, 0x8a, 0xd9, 0xc3, 0xdb,
-	0x76, 0xb4, 0xa1, 0x87, 0x06, 0x85, 0x43, 0xe2, 0xb4, 0x27, 0xa8, 0x5b, 0x0d, 0x3f, 0xa7, 0xaa,
-	0x36, 0x3c, 0xf1, 0x22, 0xdf, 0x14, 0x9c, 0x7a, 0xed, 0x70, 0x5c, 0x92, 0x1a, 0x31, 0x7c, 0x01,
-	0x46, 0x89, 0xa7, 0xe6, 0x11, 0xaa, 0x40, 0x2a, 0x87, 0x13, 0xc1, 0x95, 0x10, 0x84, 0x23, 0x9c,
-	0x6c, 0x89, 0xa9, 0xdd, 0xf5, 0x65, 0x91, 0xaa, 0x8a, 0xc8, 0x72, 0xd8, 0x12, 0x37, 0x96, 0xd7,
-	0x9b, 0xaa, 0x70, 0x8d, 0xb1, 0x11, 0xe5, 0x72, 0x34, 0x05, 0x4d, 0x51, 0x4a, 0x18, 0x8e, 0xb1,
-	0x8a, 0xb2, 0xad, 0x65, 0x8e, 0xa4, 0x28, 0x57, 0x63, 0x99, 0x1a, 0x8b, 0xae, 0xe8, 0x57, 0x62,
-	0xba, 0x89, 0x51, 0x25, 0x47, 0x25, 0xf7, 0x56, 0x2b, 0x9a, 0x53, 0x65, 0x28, 0x4d, 0x02, 0xd3,
-	0xf9, 0x7e, 0xe0, 0x6e, 0x9c, 0xeb, 0xfb, 0x25, 0x38, 0xbf, 0xd9, 0xf3, 0xe5, 0x8e, 0x86, 0x6f,
-	0xd8, 0x97, 0x99, 0xeb, 0xea, 0x12, 0xf7, 0xee, 0xdf, 0xae, 0xaf, 0x41, 0x85, 0xdc, 0xf0, 0x29,
-	0x27, 0xce, 0x52, 0xe4, 0x18, 0x5f, 0xba, 0x33, 0x15, 0x5b, 0xb4, 0x4b, 0x92, 0xa5, 0xad, 0x44,
-	0x42, 0x70, 0x22, 0x4f, 0xee, 0x45, 0x40, 0x3d, 0x9b, 0x48, 0x52, 0xdd, 0x60, 0xc4, 0x0c, 0x9b,
-	0x11, 0x02, 0x27, 0x34, 0xb2, 0x89, 0x6b, 0xc5, 0xdf, 0x24, 0x28, 0x67, 0x39, 0x42, 0x13, 0x97,
-	0xff, 0xb6, 0x21, 0xd9, 0x81, 0x04, 0x86, 0x53, 0x7a, 0xd0, 0x4f, 0x0c, 0x98, 0xb2, 0xb2, 0x9f,
-	0x15, 0x84, 0x33, 0xf8, 0xf5, 0xa3, 0xa9, 0x1e, 0xf0, 0x89, 0x44, 0xfd, 0x3e, 0x6d, 0xc7, 0x54,
-	0xee, 0xfb, 0x82, 0x9c, 0x72, 0xf3, 0x53, 0x03, 0x1e, 0x18, 0xe0, 0x11, 0xa7, 0x30, 0x78, 0x71,
-	0xb3, 0x83, 0x97, 0xa1, 0xeb, 0x90, 0x01, 0x96, 0x0f, 0x18, 0xc1, 0xfc, 0xbc, 0x00, 0x0f, 0x0d,
-	0xe0, 0x38, 0xf2, 0x30, 0xe6, 0x69, 0x98, 0x8c, 0xfe, 0xa7, 0xc3, 0x30, 0xa9, 0x7a, 0xd3, 0x48,
-	0x9c, 0xa5, 0x8d, 0x54, 0xa9, 0x9b, 0xa5, 0xd8, 0xaf, 0x2a, 0xbc, 0x5d, 0x22, 0x0a, 0xe9, 0xe1,
-	0x36, 0xeb, 0xfa, 0x2e, 0x11, 0x24, 0xec, 0x90, 0xc7, 0x12, 0x0f, 0x5f, 0x8e, 0x10, 0x38, 0xa1,
-	0x91, 0xd9, 0x84, 0x70, 0xce, 0xb8, 0xf2, 0xb0, 0xd4, 0x2c, 0x79, 0x45, 0x02, 0x71, 0x88, 0x33,
-	0xff, 0x65, 0xc0, 0x85, 0x01, 0x9b, 0x72, 0x6a, 0xe5, 0xe8, 0x4e, 0xb6, 0x1c, 0x7d, 0xe9, 0x84,
-	0xdc, 0xe0, 0xb0, 0xc2, 0xb4, 0xbe, 0xf5, 0xe1, 0xcd, 0xb9, 0x33, 0x1f, 0xdd, 0x9c, 0x3b, 0xf3,
-	0xf1, 0xcd, 0xb9, 0x33, 0xef, 0xee, 0xcf, 0x19, 0x1f, 0xee, 0xcf, 0x19, 0x1f, 0xed, 0xcf, 0x19,
-	0x1f, 0xef, 0xcf, 0x19, 0x7f, 0xde, 0x9f, 0x33, 0x7e, 0xf6, 0x97, 0xb9, 0x33, 0xaf, 0x56, 0x87,
-	0xfb, 0x04, 0xfb, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x4b, 0x20, 0xa3, 0x88, 0xb3, 0x2d, 0x00,
-	0x00,
+	// 2787 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x1a, 0x4b, 0x73, 0x1c, 0x47,
+	0xd9, 0xb3, 0x0f, 0x49, 0xfb, 0xad, 0x24, 0xcb, 0xad, 0x24, 0x16, 0x49, 0x2c, 0x39, 0x13, 0x48,
+	0x19, 0x2a, 0xec, 0x46, 0x22, 0x89, 0x4d, 0x5e, 0xa0, 0x95, 0x65, 0x65, 0x89, 0xa4, 0x6c, 0x5a,
+	0x4a, 0xa5, 0x2a, 0x21, 0x21, 0xa3, 0x99, 0xde, 0xdd, 0xc1, 0xb3, 0xd3, 0x93, 0x9e, 0x1e, 0xc5,
+	0xca, 0x81, 0x0a, 0x45, 0x38, 0x84, 0x57, 0x28, 0x2e, 0x14, 0x37, 0x6e, 0x5c, 0xf8, 0x05, 0xb9,
+	0x71, 0xcb, 0x31, 0x14, 0x45, 0x91, 0x93, 0x0a, 0x8b, 0x22, 0x54, 0x0e, 0x70, 0xe0, 0x86, 0xb9,
+	0x50, 0xdd, 0xd3, 0xf3, 0xdc, 0x5d, 0xcb, 0x2b, 0xc9, 0xa2, 0x0a, 0x72, 0xda, 0x9d, 0xef, 0xdd,
+	0xdd, 0xdf, 0xd7, 0xdf, 0x63, 0x06, 0x9e, 0x33, 0x5c, 0xce, 0x88, 0x51, 0xb3, 0x69, 0x3d, 0xfc,
+	0x57, 0xf7, 0xae, 0x77, 0xea, 0x86, 0x67, 0xfb, 0x75, 0x93, 0xba, 0x9c, 0x51, 0xc7, 0x73, 0x0c,
+	0x97, 0xd4, 0x77, 0x17, 0x77, 0x08, 0x37, 0x96, 0xea, 0x1d, 0xe2, 0x12, 0x66, 0x70, 0x62, 0xd5,
+	0x3c, 0x46, 0x39, 0x45, 0xb5, 0x90, 0xeb, 0x3b, 0x36, 0x55, 0xff, 0x6a, 0xde, 0xf5, 0x4e, 0x4d,
+	0xf0, 0xd7, 0xd2, 0xfc, 0x35, 0xc5, 0x7f, 0xff, 0x95, 0xe1, 0xfa, 0x7c, 0x6e, 0x70, 0xbf, 0xbe,
+	0xbb, 0x68, 0x38, 0x5e, 0xd7, 0x58, 0xcc, 0x6b, 0xba, 0xff, 0xab, 0x1d, 0x9b, 0x77, 0x83, 0x9d,
+	0x9a, 0x49, 0x7b, 0xf5, 0x0e, 0xed, 0xd0, 0xba, 0x04, 0xef, 0x04, 0x6d, 0xf9, 0x24, 0x1f, 0xe4,
+	0x3f, 0x45, 0xfe, 0xf8, 0xf5, 0x2b, 0xbe, 0xd4, 0xe2, 0xd9, 0x3d, 0xc3, 0xec, 0xda, 0x2e, 0x61,
+	0x7b, 0x89, 0xae, 0x1e, 0xe1, 0x46, 0x7d, 0xb7, 0x5f, 0x49, 0x7d, 0x18, 0x17, 0x0b, 0x5c, 0x6e,
+	0xf7, 0x48, 0x1f, 0xc3, 0x93, 0x87, 0x31, 0xf8, 0x66, 0x97, 0xf4, 0x8c, 0x3e, 0xbe, 0xaf, 0x0d,
+	0xe3, 0x0b, 0xb8, 0xed, 0xd4, 0x6d, 0x97, 0xfb, 0x9c, 0xe5, 0x99, 0xf4, 0xbf, 0x69, 0x30, 0xb9,
+	0x6c, 0x59, 0x8c, 0xf8, 0xfe, 0x1a, 0xa3, 0x81, 0x87, 0xde, 0x84, 0x09, 0xb1, 0x12, 0xcb, 0xe0,
+	0xc6, 0x9c, 0x76, 0x51, 0xbb, 0x54, 0x5d, 0x7a, 0xac, 0x16, 0x0a, 0xae, 0xa5, 0x05, 0x27, 0x67,
+	0x22, 0xa8, 0x6b, 0xbb, 0x8b, 0xb5, 0x17, 0x77, 0xbe, 0x4b, 0x4c, 0xbe, 0x41, 0xb8, 0xd1, 0x40,
+	0x1f, 0xed, 0x2f, 0x9c, 0x39, 0xd8, 0x5f, 0x80, 0x04, 0x86, 0x63, 0xa9, 0x28, 0x80, 0xc9, 0x8e,
+	0x50, 0xb5, 0x41, 0x7a, 0x3b, 0x84, 0xf9, 0x73, 0x85, 0x8b, 0xc5, 0x4b, 0xd5, 0xa5, 0xa7, 0x47,
+	0x3c, 0xf6, 0xda, 0x5a, 0x22, 0xa3, 0x71, 0x8f, 0x52, 0x38, 0x99, 0x02, 0xfa, 0x38, 0xa3, 0x46,
+	0xff, 0x83, 0x06, 0x33, 0xe9, 0x95, 0xae, 0xdb, 0x3e, 0x47, 0xdf, 0xee, 0x5b, 0x6d, 0xed, 0xce,
+	0x56, 0x2b, 0xb8, 0xe5, 0x5a, 0x67, 0x94, 0xea, 0x89, 0x08, 0x92, 0x5a, 0xa9, 0x01, 0x65, 0x9b,
+	0x93, 0x5e, 0xb4, 0xc4, 0x67, 0x46, 0x5d, 0x62, 0xda, 0xdc, 0xc6, 0x94, 0x52, 0x54, 0x6e, 0x0a,
+	0x91, 0x38, 0x94, 0xac, 0xbf, 0x5f, 0x84, 0x73, 0x69, 0xb2, 0x96, 0xc1, 0xcd, 0xee, 0x29, 0x1c,
+	0xe2, 0x7b, 0x1a, 0x9c, 0x33, 0x2c, 0x8b, 0x58, 0x6b, 0x27, 0x7c, 0x94, 0x5f, 0x50, 0x6a, 0xc5,
+	0xaa, 0xb2, 0xd2, 0x71, 0xbf, 0x42, 0xf4, 0x23, 0x0d, 0x66, 0x19, 0xe9, 0xd1, 0xdd, 0x9c, 0x21,
+	0xc5, 0xe3, 0x1b, 0xf2, 0x80, 0x32, 0x64, 0x16, 0xf7, 0xcb, 0xc7, 0x83, 0x94, 0xea, 0x9f, 0x69,
+	0x30, 0xbd, 0xec, 0x79, 0x8e, 0x4d, 0xac, 0x6d, 0xfa, 0x3f, 0x1e, 0x4d, 0x7f, 0xd2, 0x00, 0x65,
+	0xd7, 0x7a, 0x0a, 0xf1, 0x64, 0x66, 0xe3, 0xe9, 0xb9, 0x91, 0xe3, 0x29, 0x63, 0xf0, 0x90, 0x88,
+	0xfa, 0x71, 0x11, 0x66, 0xb3, 0x84, 0x9f, 0xc7, 0xd4, 0x7f, 0x2f, 0xa6, 0xde, 0x82, 0xd9, 0x86,
+	0xe1, 0xdb, 0xe6, 0x72, 0xc0, 0xbb, 0xc4, 0xe5, 0xb6, 0x69, 0x70, 0x9b, 0xba, 0xe8, 0x51, 0x98,
+	0x08, 0x7c, 0xc2, 0x5c, 0xa3, 0x47, 0xe4, 0x61, 0x54, 0x12, 0xbf, 0x79, 0x59, 0xc1, 0x71, 0x4c,
+	0x21, 0xa8, 0x3d, 0xc3, 0xf7, 0xdf, 0xa6, 0xcc, 0x9a, 0x2b, 0x64, 0xa9, 0x5b, 0x0a, 0x8e, 0x63,
+	0x0a, 0x7d, 0x11, 0x66, 0x1a, 0x81, 0x6b, 0x39, 0xe4, 0x9a, 0xed, 0x90, 0x2d, 0xc2, 0x76, 0x09,
+	0x43, 0x17, 0xa0, 0x18, 0x30, 0x47, 0xa9, 0xaa, 0x2a, 0xe6, 0xe2, 0xcb, 0x78, 0x1d, 0x0b, 0xb8,
+	0xfe, 0x41, 0x01, 0x2e, 0x84, 0x3c, 0x21, 0xbd, 0xb0, 0x76, 0x85, 0xba, 0x6d, 0xbb, 0x13, 0xb0,
+	0xd0, 0xe0, 0x27, 0xa0, 0xba, 0x43, 0x0c, 0x46, 0xd8, 0x36, 0xbd, 0x4e, 0x5c, 0x25, 0x68, 0x56,
+	0x09, 0xaa, 0x36, 0x12, 0x14, 0x4e, 0xd3, 0xa1, 0x47, 0x60, 0xcc, 0xf0, 0xec, 0x17, 0xc8, 0x9e,
+	0xb2, 0x7b, 0x5a, 0x71, 0x8c, 0x2d, 0xb7, 0x9a, 0x2f, 0x90, 0x3d, 0xac, 0xb0, 0xe8, 0x67, 0x1a,
+	0xcc, 0xee, 0xf4, 0xef, 0xd3, 0x5c, 0x51, 0x3a, 0xea, 0xca, 0xa8, 0x67, 0x36, 0x60, 0xcb, 0x1b,
+	0xe7, 0xc5, 0xb9, 0x0d, 0x40, 0xe0, 0x41, 0x8a, 0xf5, 0x5f, 0x97, 0x60, 0x76, 0xc5, 0x09, 0x7c,
+	0x4e, 0x58, 0xc6, 0xb9, 0xee, 0x7e, 0x14, 0x7d, 0x5f, 0x83, 0x19, 0xd2, 0x6e, 0x13, 0x93, 0xdb,
+	0xbb, 0xe4, 0x04, 0x83, 0x68, 0x4e, 0x69, 0x9d, 0x59, 0xcd, 0x09, 0xc7, 0x7d, 0xea, 0xd0, 0xf7,
+	0xe0, 0x5c, 0x0c, 0x6b, 0xb6, 0x1a, 0x0e, 0x35, 0xaf, 0x47, 0xf1, 0xf3, 0xc4, 0xa8, 0x36, 0x34,
+	0x5b, 0x9b, 0x84, 0x27, 0x21, 0xbc, 0x9a, 0x97, 0x8b, 0xfb, 0x55, 0xa1, 0x2b, 0x30, 0xc9, 0x29,
+	0x37, 0x9c, 0x68, 0xf9, 0xa5, 0x8b, 0xda, 0xa5, 0x62, 0x72, 0xaf, 0x6f, 0xa7, 0x70, 0x38, 0x43,
+	0x89, 0x96, 0x00, 0xe4, 0x73, 0xcb, 0xe8, 0x10, 0x7f, 0xae, 0x2c, 0xf9, 0xe2, 0xfd, 0xde, 0x8e,
+	0x31, 0x38, 0x45, 0x25, 0x7c, 0xdb, 0x0c, 0x18, 0x23, 0x2e, 0x17, 0xcf, 0x73, 0x63, 0x92, 0x29,
+	0xf6, 0xed, 0x95, 0x04, 0x85, 0xd3, 0x74, 0xfa, 0xa7, 0x1a, 0x54, 0x57, 0x3b, 0xff, 0x07, 0x95,
+	0xe7, 0xef, 0x35, 0x38, 0x9b, 0x5a, 0xe8, 0x29, 0x24, 0xca, 0x37, 0xb3, 0x89, 0x72, 0xe4, 0x15,
+	0xa6, 0xac, 0x1d, 0x92, 0x25, 0x7f, 0x52, 0x84, 0x99, 0x14, 0x55, 0x98, 0x22, 0x2d, 0x00, 0x1a,
+	0xef, 0xfb, 0x89, 0x9e, 0x61, 0x4a, 0xee, 0xe7, 0x69, 0x72, 0x40, 0x9a, 0x74, 0xe0, 0xfc, 0xea,
+	0x0d, 0x2e, 0xd2, 0x9d, 0xb3, 0xea, 0x72, 0x9b, 0xef, 0x61, 0xd2, 0x26, 0x8c, 0xb8, 0x26, 0x41,
+	0x17, 0xa1, 0x94, 0x4a, 0x93, 0x93, 0x4a, 0x74, 0x69, 0x53, 0xa4, 0x48, 0x89, 0x41, 0x75, 0xa8,
+	0x88, 0x5f, 0xdf, 0x33, 0x4c, 0xa2, 0xf2, 0xcc, 0x39, 0x45, 0x56, 0xd9, 0x8c, 0x10, 0x38, 0xa1,
+	0xd1, 0xff, 0xad, 0xc1, 0x8c, 0x54, 0xbf, 0xec, 0xfb, 0xd4, 0xb4, 0xc3, 0x0c, 0x77, 0x2a, 0xf5,
+	0xd1, 0x8c, 0xa1, 0x34, 0xaa, 0xf5, 0x1f, 0xb9, 0x14, 0x94, 0xdc, 0xf1, 0x26, 0x25, 0x97, 0xfb,
+	0x72, 0x4e, 0x3e, 0xee, 0xd3, 0xa8, 0x7f, 0x58, 0x82, 0x6a, 0x6a, 0xf3, 0xd1, 0x2b, 0x50, 0xf4,
+	0xa8, 0xa5, 0xd6, 0x3c, 0x72, 0x8f, 0xd7, 0xa2, 0x56, 0x62, 0xc6, 0xb8, 0xa8, 0x2a, 0x04, 0x44,
+	0x48, 0x44, 0x3f, 0xd0, 0x60, 0x9a, 0x64, 0x4e, 0x55, 0x9e, 0x4e, 0x75, 0x69, 0x6d, 0xe4, 0x78,
+	0x1e, 0xec, 0x1b, 0x0d, 0x74, 0xb0, 0xbf, 0x30, 0x9d, 0x43, 0xe6, 0x54, 0xa2, 0x47, 0xa0, 0x68,
+	0x7b, 0xa1, 0x5b, 0x4f, 0x36, 0xee, 0x11, 0x06, 0x36, 0x5b, 0xfe, 0xad, 0xfd, 0x85, 0x4a, 0xb3,
+	0xa5, 0x1a, 0x4f, 0x2c, 0x08, 0xd0, 0x1b, 0x50, 0xf6, 0x28, 0xe3, 0x22, 0xd9, 0x88, 0x13, 0xf9,
+	0xfa, 0xa8, 0x36, 0x0a, 0x4f, 0xb3, 0x5a, 0x94, 0xf1, 0xe4, 0xc6, 0x11, 0x4f, 0x3e, 0x0e, 0xc5,
+	0xa2, 0xd7, 0xa0, 0xe4, 0x52, 0x8b, 0xc8, 0x9c, 0x54, 0x5d, 0x7a, 0x76, 0x64, 0xf1, 0xd4, 0x22,
+	0xc9, 0xc2, 0x27, 0x64, 0x08, 0x08, 0x90, 0x14, 0x8a, 0x3a, 0x30, 0xee, 0x13, 0xb6, 0x6b, 0x9b,
+	0x61, 0xfa, 0xaa, 0x2e, 0x7d, 0x73, 0x54, 0xf9, 0x5b, 0x21, 0x7b, 0xa2, 0xa2, 0x7a, 0xb0, 0xbf,
+	0x30, 0x1e, 0x41, 0x23, 0xe9, 0xfa, 0x6f, 0x34, 0x98, 0xce, 0xfa, 0x5e, 0x36, 0xfc, 0xb4, 0xc3,
+	0xc3, 0x2f, 0x8e, 0xe8, 0xc2, 0xd0, 0x88, 0x6e, 0x40, 0x31, 0xb0, 0x2d, 0x59, 0xfd, 0x55, 0x1a,
+	0x8f, 0xc5, 0xe5, 0x6a, 0xf3, 0xea, 0xad, 0xfd, 0x85, 0x87, 0x86, 0x8d, 0x89, 0xf8, 0x9e, 0x47,
+	0xfc, 0xda, 0xcb, 0xcd, 0xab, 0x58, 0x30, 0xeb, 0xef, 0xc0, 0xe4, 0xf3, 0xdb, 0xdb, 0xad, 0x16,
+	0xa3, 0x9c, 0x9a, 0xd4, 0x11, 0x5a, 0xbb, 0xd4, 0xe7, 0xf9, 0x7b, 0xe4, 0x79, 0xea, 0x73, 0x2c,
+	0x31, 0xa2, 0x58, 0xed, 0x11, 0xde, 0xa5, 0x56, 0xbe, 0x58, 0xdd, 0x90, 0x50, 0xac, 0xb0, 0x42,
+	0x92, 0x67, 0xf0, 0xae, 0x32, 0x2f, 0x96, 0xd4, 0x32, 0x78, 0x17, 0x4b, 0x8c, 0xfe, 0x3b, 0x0d,
+	0xc6, 0x55, 0x31, 0x83, 0x5e, 0x81, 0x92, 0x69, 0x5b, 0x4c, 0xc5, 0xd7, 0x11, 0xcb, 0xa7, 0x58,
+	0xc9, 0x4a, 0xf3, 0x2a, 0xc6, 0x52, 0x20, 0x7a, 0x1d, 0xc6, 0xc8, 0x0d, 0x93, 0x78, 0x5c, 0xdd,
+	0x21, 0x47, 0x14, 0x1d, 0xaf, 0x72, 0x55, 0x0a, 0xc3, 0x4a, 0xa8, 0xde, 0x86, 0xb2, 0x24, 0x40,
+	0x0f, 0x43, 0xc1, 0xf6, 0xa4, 0xf9, 0x93, 0x8d, 0xd9, 0x83, 0xfd, 0x85, 0x42, 0xb3, 0x95, 0x0d,
+	0x9f, 0x82, 0xed, 0x89, 0x8a, 0xcd, 0x63, 0xa4, 0x6d, 0xdf, 0x58, 0x27, 0x6e, 0x87, 0x77, 0xe5,
+	0x0e, 0x96, 0x93, 0xea, 0xa2, 0x95, 0xc2, 0xe1, 0x0c, 0xa5, 0xde, 0x05, 0x58, 0xbf, 0x1c, 0x9f,
+	0xd2, 0xab, 0x50, 0xea, 0x72, 0xee, 0x1d, 0xf5, 0x36, 0x4a, 0x9f, 0x78, 0x18, 0x24, 0x02, 0x82,
+	0xa5, 0x4c, 0xfd, 0x57, 0x1a, 0xa0, 0x8d, 0xc0, 0x11, 0x35, 0xbe, 0xcf, 0xa5, 0x13, 0x37, 0xdd,
+	0x36, 0x45, 0x0f, 0x43, 0x59, 0x96, 0x3b, 0xca, 0x33, 0xe2, 0xe8, 0x0d, 0xdd, 0x3c, 0xc4, 0xa1,
+	0x37, 0xa0, 0xe4, 0x51, 0xeb, 0xc8, 0x93, 0xb0, 0xcc, 0x2d, 0x99, 0x78, 0x0c, 0xb5, 0x7c, 0x2c,
+	0xe5, 0xea, 0xef, 0x6b, 0x50, 0x89, 0x6f, 0x10, 0xe9, 0x61, 0x94, 0x85, 0xbe, 0x5a, 0x4e, 0xd3,
+	0x33, 0x8e, 0x25, 0xe6, 0x0e, 0x62, 0xe8, 0x0a, 0x4c, 0x78, 0x6a, 0x27, 0x94, 0xa7, 0x3e, 0x18,
+	0x37, 0x8d, 0x0a, 0x7e, 0x2b, 0xf5, 0x1f, 0xc7, 0xd4, 0xfa, 0xdf, 0x8b, 0x30, 0xb5, 0x49, 0xf8,
+	0xdb, 0x94, 0x5d, 0x6f, 0x51, 0xc7, 0x36, 0xf7, 0x4e, 0x21, 0x37, 0xb6, 0xa1, 0xcc, 0x02, 0x87,
+	0x44, 0x1b, 0xbc, 0x3c, 0xf2, 0xf5, 0x98, 0xb6, 0x17, 0x07, 0x0e, 0x49, 0xce, 0x51, 0x3c, 0xf9,
+	0x38, 0x14, 0x8f, 0x9e, 0x85, 0xb3, 0x46, 0x66, 0x38, 0x12, 0x66, 0x86, 0x8a, 0xf4, 0xec, 0xb3,
+	0xd9, 0xb9, 0x89, 0x8f, 0xf3, 0xb4, 0xe8, 0x92, 0xd8, 0x54, 0x9b, 0x32, 0x91, 0xcb, 0x44, 0x53,
+	0xa2, 0x35, 0x26, 0xc3, 0x0d, 0x0d, 0x61, 0x38, 0xc6, 0xa2, 0xc7, 0x61, 0x92, 0xdb, 0x84, 0x45,
+	0x18, 0x79, 0xed, 0x97, 0x1b, 0x33, 0xb2, 0x7d, 0x49, 0xc1, 0x71, 0x86, 0x0a, 0xf9, 0x50, 0xf1,
+	0x69, 0xc0, 0xe4, 0x3d, 0xac, 0x6e, 0xf2, 0x6b, 0xc7, 0xdb, 0x8a, 0xd8, 0xeb, 0xa6, 0xc4, 0x7d,
+	0xbc, 0x15, 0x09, 0xc7, 0x89, 0x1e, 0xfd, 0x8f, 0x1a, 0x9c, 0xcb, 0x30, 0x9d, 0x42, 0x85, 0xbf,
+	0x93, 0xad, 0xf0, 0x9f, 0x3d, 0xd6, 0x22, 0x87, 0xd4, 0xf8, 0xff, 0xd4, 0xe0, 0x7c, 0x86, 0x4e,
+	0x24, 0xcc, 0x2d, 0x6e, 0xf0, 0xc0, 0x47, 0x8f, 0xc2, 0x84, 0x48, 0x9c, 0x9b, 0x03, 0x06, 0x30,
+	0x9b, 0x0a, 0x8e, 0x63, 0x0a, 0xd1, 0x55, 0xaa, 0x17, 0x0f, 0x36, 0x75, 0x65, 0xcc, 0xa5, 0xba,
+	0xca, 0xb5, 0x18, 0x83, 0x53, 0x54, 0xe8, 0x5b, 0x80, 0x18, 0x31, 0x1c, 0xfb, 0x1d, 0xf9, 0x78,
+	0xcd, 0xb0, 0x9d, 0x80, 0x11, 0x19, 0x89, 0x13, 0x8d, 0xfb, 0x15, 0x2f, 0xc2, 0x7d, 0x14, 0x78,
+	0x00, 0x17, 0xfa, 0x32, 0x8c, 0xf7, 0x88, 0xef, 0x8b, 0xee, 0xb4, 0x24, 0x8d, 0x3d, 0xab, 0x04,
+	0x8c, 0x6f, 0x84, 0x60, 0x1c, 0xe1, 0xe5, 0x40, 0x3d, 0xb3, 0xe8, 0x16, 0x21, 0x0c, 0x5d, 0x86,
+	0x29, 0x23, 0x35, 0x65, 0xf7, 0xe7, 0x34, 0xe9, 0xf4, 0xe7, 0x0e, 0xf6, 0x17, 0xa6, 0xd2, 0xe3,
+	0x77, 0x1f, 0x67, 0xe9, 0x10, 0x81, 0x09, 0xdb, 0x53, 0x03, 0x80, 0xf0, 0xa8, 0x2e, 0x8f, 0x9e,
+	0x66, 0x24, 0x7f, 0xb2, 0xc1, 0x71, 0xe7, 0x1f, 0x8b, 0x46, 0x0b, 0x50, 0x6e, 0xbf, 0x65, 0xb9,
+	0x51, 0x30, 0x56, 0xc4, 0x59, 0x5e, 0x7b, 0xe9, 0xea, 0xa6, 0x8f, 0x43, 0x38, 0xe2, 0xa2, 0xaf,
+	0x57, 0xd5, 0x48, 0x54, 0xa2, 0x1d, 0xbf, 0xc6, 0x49, 0x4d, 0x06, 0x22, 0xd9, 0x38, 0xa5, 0x47,
+	0xdc, 0x16, 0x8e, 0xb1, 0x43, 0x9c, 0xa6, 0x45, 0x44, 0x31, 0x69, 0xcb, 0x91, 0x42, 0xf1, 0xd2,
+	0x54, 0x78, 0x5b, 0xac, 0x67, 0x51, 0x38, 0x4f, 0xab, 0x7f, 0xaa, 0xc1, 0x7d, 0x83, 0xa3, 0x11,
+	0x3d, 0x01, 0x25, 0x51, 0xaf, 0x28, 0xdf, 0x7b, 0x28, 0xba, 0xbf, 0xb7, 0xf7, 0x3c, 0x72, 0x6b,
+	0x7f, 0x21, 0x7b, 0x82, 0x02, 0x88, 0x25, 0xf9, 0xc8, 0xad, 0x4e, 0x9c, 0x27, 0x8a, 0x87, 0xd5,
+	0x5a, 0xa5, 0xe3, 0xd4, 0x5a, 0xef, 0x8d, 0xe7, 0x9c, 0x4e, 0xdc, 0xb9, 0xe8, 0x19, 0xa8, 0x58,
+	0x36, 0x23, 0xa6, 0x0c, 0x9a, 0x70, 0xa1, 0xf3, 0x91, 0xb1, 0x57, 0x23, 0xc4, 0xad, 0xf4, 0x03,
+	0x4e, 0x18, 0x90, 0x09, 0xa5, 0x36, 0xa3, 0x3d, 0xd5, 0x32, 0x1c, 0x2f, 0x21, 0x88, 0x18, 0x48,
+	0x16, 0x7f, 0x8d, 0xd1, 0x1e, 0x96, 0xc2, 0xd1, 0xeb, 0x50, 0xe0, 0x54, 0x4d, 0x19, 0x4f, 0x40,
+	0x05, 0x28, 0x15, 0x85, 0x6d, 0x8a, 0x0b, 0x9c, 0x8a, 0xe8, 0xf1, 0xb3, 0x3e, 0x7b, 0xf9, 0x88,
+	0x3e, 0x9b, 0x44, 0x4f, 0xec, 0xa8, 0xb1, 0x68, 0x39, 0x1f, 0xce, 0xe5, 0x99, 0x24, 0xd5, 0xf7,
+	0x65, 0xa6, 0x57, 0x60, 0xcc, 0x08, 0xcf, 0x64, 0x4c, 0x9e, 0xc9, 0x37, 0xe4, 0x3c, 0x36, 0x3a,
+	0x8c, 0xc5, 0xdb, 0xbc, 0xfd, 0x66, 0x56, 0xfc, 0x2e, 0xba, 0x26, 0x4e, 0x38, 0x64, 0xc2, 0x4a,
+	0x1c, 0x7a, 0x1a, 0xa6, 0x88, 0x6b, 0xec, 0x38, 0x64, 0x9d, 0x76, 0x3a, 0xb6, 0xdb, 0x99, 0x1b,
+	0x97, 0x97, 0xdd, 0xbd, 0xca, 0x96, 0xa9, 0xd5, 0x34, 0x12, 0x67, 0x69, 0x07, 0x25, 0xe6, 0x89,
+	0x11, 0x12, 0x73, 0xe4, 0xe7, 0x95, 0xa1, 0x7e, 0xfe, 0x16, 0x54, 0x9d, 0xb8, 0xce, 0xf4, 0xe7,
+	0x40, 0x1e, 0xc7, 0x53, 0xa3, 0x1e, 0x47, 0x52, 0xaa, 0x26, 0x13, 0xc2, 0x04, 0xe6, 0xe3, 0xb4,
+	0x0e, 0xe4, 0x02, 0x38, 0xb4, 0xb3, 0x45, 0x38, 0x17, 0xbb, 0x51, 0x95, 0x5e, 0x36, 0x72, 0xa7,
+	0x2f, 0x36, 0x7a, 0x3d, 0x96, 0xd2, 0x98, 0x16, 0xd7, 0x55, 0xf2, 0x8c, 0x53, 0x1a, 0xf4, 0x0f,
+	0x8a, 0x80, 0x32, 0x4e, 0x29, 0x92, 0x9d, 0x2f, 0xfa, 0xf0, 0x29, 0x37, 0x0d, 0x56, 0xf9, 0xfc,
+	0xa4, 0x2a, 0x8b, 0xf8, 0x80, 0xb3, 0xf8, 0xac, 0x4e, 0xe4, 0xc1, 0x24, 0x67, 0x46, 0xbb, 0x6d,
+	0x9b, 0xd2, 0x2a, 0x15, 0xd7, 0x4f, 0xde, 0xc6, 0x06, 0xf9, 0xf5, 0x43, 0x2d, 0xf6, 0xb8, 0xed,
+	0x14, 0x77, 0x6a, 0x16, 0x9c, 0x82, 0xe2, 0x8c, 0x06, 0xf4, 0xae, 0x06, 0x33, 0xa2, 0xea, 0x4b,
+	0x93, 0xa8, 0xf1, 0xd6, 0x53, 0x77, 0xae, 0x16, 0xe7, 0x24, 0x24, 0xb3, 0x96, 0x3c, 0x06, 0xf7,
+	0x69, 0xd3, 0xff, 0xaa, 0xc1, 0x6c, 0xdf, 0x89, 0x04, 0xa7, 0xf1, 0x1a, 0xc1, 0x81, 0xb2, 0x28,
+	0x5f, 0xa2, 0xac, 0xbd, 0x76, 0xac, 0xb3, 0x4e, 0x0a, 0xa7, 0xa4, 0xd4, 0x12, 0x30, 0x1f, 0x87,
+	0x4a, 0xf4, 0x45, 0x98, 0xca, 0x0c, 0x28, 0x0e, 0x9f, 0xda, 0xe9, 0x1f, 0x96, 0x61, 0x26, 0x92,
+	0xeb, 0x6f, 0x05, 0xbd, 0x9e, 0xc1, 0x4e, 0xa3, 0xd1, 0xf8, 0xa1, 0x06, 0x67, 0xd3, 0x8e, 0x69,
+	0xc7, 0x5b, 0xd4, 0x38, 0xd6, 0x16, 0x85, 0xbe, 0x71, 0x5e, 0xe9, 0x3e, 0xbb, 0x99, 0x55, 0x81,
+	0xf3, 0x3a, 0xd1, 0x6f, 0x35, 0x78, 0x30, 0xd4, 0xa2, 0x5e, 0x33, 0xe5, 0x38, 0x94, 0xa3, 0x9e,
+	0x84, 0x51, 0x5f, 0x54, 0x46, 0x3d, 0xb8, 0x7c, 0x1b, 0x7d, 0xf8, 0xb6, 0xd6, 0xa0, 0x5f, 0x6a,
+	0x70, 0x6f, 0x48, 0x90, 0xb7, 0xb3, 0x74, 0x62, 0x76, 0x5e, 0x50, 0x76, 0xde, 0xbb, 0x3c, 0x48,
+	0x11, 0x1e, 0xac, 0x5f, 0xb4, 0x4c, 0xbd, 0xa8, 0xa9, 0x97, 0xd5, 0xd9, 0x11, 0x8c, 0xe9, 0x9f,
+	0x0a, 0x24, 0x65, 0x55, 0x8c, 0xc3, 0x89, 0x1e, 0xfd, 0x75, 0xb8, 0xa7, 0x65, 0x74, 0x6c, 0x57,
+	0x56, 0xe9, 0x6b, 0x84, 0xbf, 0xe8, 0x89, 0x3f, 0x7e, 0x38, 0x1a, 0xea, 0x84, 0x6e, 0x5f, 0x4c,
+	0x8f, 0x86, 0x3a, 0x04, 0x4b, 0x0c, 0x7a, 0x18, 0xca, 0x8e, 0xdd, 0xb3, 0xb9, 0xea, 0x22, 0xe2,
+	0x70, 0x5a, 0x17, 0x40, 0x1c, 0xe2, 0x74, 0x03, 0x26, 0xd3, 0x13, 0x83, 0xbb, 0x31, 0x03, 0x7f,
+	0x0e, 0xa6, 0xb3, 0x99, 0x45, 0x54, 0x11, 0x0e, 0xed, 0xc8, 0xa2, 0x36, 0xdf, 0x12, 0xad, 0x2b,
+	0x38, 0x8e, 0x29, 0xf4, 0x7f, 0x14, 0x20, 0x9a, 0x0e, 0xa2, 0xc7, 0x53, 0xa3, 0x86, 0x90, 0x73,
+	0xee, 0xf0, 0x31, 0x03, 0xda, 0x54, 0x43, 0x8e, 0xc2, 0x21, 0x71, 0x1e, 0x70, 0xdb, 0xa9, 0x85,
+	0x9f, 0x7f, 0xd5, 0x9a, 0x2e, 0x7f, 0x91, 0x6d, 0x71, 0x26, 0x32, 0xe1, 0x44, 0x6e, 0x24, 0xf2,
+	0x25, 0x18, 0x27, 0xae, 0x9c, 0x9f, 0xc8, 0x82, 0xae, 0x1c, 0x4e, 0x30, 0x57, 0x43, 0x10, 0x8e,
+	0x70, 0xa2, 0x85, 0xb7, 0xcd, 0x9e, 0x27, 0x8a, 0x6a, 0x59, 0xf4, 0x96, 0xc3, 0x16, 0xbe, 0xb9,
+	0xb2, 0xd1, 0x92, 0x85, 0x76, 0x8c, 0x8d, 0x28, 0x57, 0xa2, 0xa9, 0x6d, 0x8a, 0x52, 0xc0, 0x70,
+	0x8c, 0x95, 0x94, 0x1d, 0x25, 0x73, 0x2c, 0x45, 0xb9, 0x16, 0xcb, 0x54, 0x58, 0x74, 0x45, 0xbd,
+	0xc2, 0x53, 0x4d, 0x97, 0x2c, 0x91, 0x2a, 0xb9, 0xb7, 0x70, 0xd1, 0x5c, 0x2d, 0x43, 0xa9, 0x13,
+	0x98, 0xc9, 0xf7, 0x2f, 0x77, 0xc3, 0x2f, 0x3e, 0x28, 0xc1, 0xf9, 0xad, 0xc0, 0x13, 0x3b, 0x1a,
+	0x7e, 0x11, 0xb0, 0x42, 0x1d, 0x47, 0x95, 0xe4, 0x77, 0xff, 0x76, 0x7e, 0x0d, 0x2a, 0xe4, 0x86,
+	0x67, 0x33, 0x62, 0x2d, 0x47, 0x8e, 0xf1, 0x95, 0x3b, 0x53, 0xb1, 0x6d, 0xf7, 0x48, 0xb2, 0xb4,
+	0xd5, 0x48, 0x08, 0x4e, 0xe4, 0x89, 0xbd, 0xf0, 0x6d, 0xd7, 0x24, 0x82, 0x54, 0x35, 0x44, 0x31,
+	0xc3, 0x56, 0x84, 0xc0, 0x09, 0x8d, 0x68, 0x3a, 0xdb, 0xf1, 0x37, 0x14, 0xd2, 0x59, 0x8e, 0xd0,
+	0x74, 0xe6, 0xbf, 0xc5, 0x48, 0x76, 0x20, 0x81, 0xe1, 0x94, 0x1e, 0xf4, 0x53, 0x0d, 0xa6, 0x8d,
+	0xec, 0x67, 0x10, 0xe1, 0x3b, 0x83, 0x8d, 0xa3, 0xa9, 0x1e, 0xf2, 0x49, 0x47, 0xe3, 0x3e, 0x65,
+	0xc7, 0x74, 0xee, 0x7b, 0x88, 0x9c, 0x72, 0xfd, 0x33, 0x0d, 0x1e, 0x18, 0xe2, 0x11, 0xa7, 0x30,
+	0x28, 0x72, 0xb2, 0x83, 0xa2, 0x91, 0xeb, 0x98, 0x21, 0x96, 0x0f, 0x19, 0x19, 0xfd, 0xa2, 0x00,
+	0x0f, 0x0d, 0xe1, 0x38, 0xf2, 0xf0, 0xe8, 0x69, 0x98, 0x8a, 0xfe, 0xa7, 0xc3, 0x30, 0xa9, 0x9a,
+	0xd3, 0x48, 0x9c, 0xa5, 0x8d, 0x54, 0xc9, 0x9b, 0xa5, 0xd8, 0xaf, 0x2a, 0xbc, 0x5d, 0x22, 0x0a,
+	0xe1, 0xe1, 0x26, 0xed, 0x79, 0x0e, 0xe1, 0x24, 0xec, 0xe8, 0x27, 0x12, 0x0f, 0x5f, 0x89, 0x10,
+	0x38, 0xa1, 0x11, 0xd9, 0x88, 0x30, 0x46, 0x99, 0xf4, 0xb0, 0xd4, 0xec, 0x7b, 0x55, 0x00, 0x71,
+	0x88, 0xd3, 0xff, 0xa5, 0xc1, 0x85, 0x21, 0x9b, 0x72, 0x6a, 0xe5, 0xec, 0x6e, 0xb6, 0x9c, 0x7d,
+	0xe9, 0x84, 0xdc, 0xe0, 0xb0, 0xc2, 0xb6, 0xb1, 0xfd, 0xd1, 0xcd, 0xf9, 0x33, 0x1f, 0xdf, 0x9c,
+	0x3f, 0xf3, 0xc9, 0xcd, 0xf9, 0x33, 0xef, 0x1e, 0xcc, 0x6b, 0x1f, 0x1d, 0xcc, 0x6b, 0x1f, 0x1f,
+	0xcc, 0x6b, 0x9f, 0x1c, 0xcc, 0x6b, 0x7f, 0x3e, 0x98, 0xd7, 0x7e, 0xfe, 0x97, 0xf9, 0x33, 0xaf,
+	0xd6, 0x46, 0xfb, 0x64, 0xfc, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x6f, 0x62, 0xb9, 0x47, 0x63,
+	0x2e, 0x00, 0x00,
 }
 
 func (m *AddressGroup) Marshal() (dAtA []byte, err error) {
@@ -2812,6 +2844,18 @@ func (m *NetworkPolicyRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	if m.LogSetting != nil {
+		{
+			size, err := m.LogSetting.MarshalToSizedBuffer(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = encodeVarintGenerated(dAtA, i, uint64(size))
+		}
+		i--
+		dAtA[i] = 0x5a
+	}
 	if len(m.L7Protocols) > 0 {
 		for iNdEx := len(m.L7Protocols) - 1; iNdEx >= 0; iNdEx-- {
 			{
@@ -3183,6 +3227,34 @@ func (m *PodReference) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }
 
+func (m *RuleLogSetting) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBuffer(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *RuleLogSetting) MarshalTo(dAtA []byte) (int, error) {
+	size := m.Size()
+	return m.MarshalToSizedBuffer(dAtA[:size])
+}
+
+func (m *RuleLogSetting) MarshalToSizedBuffer(dAtA []byte) (int, error) {
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	i -= len(m.LogLabel)
+	copy(dAtA[i:], m.LogLabel)
+	i = encodeVarintGenerated(dAtA, i, uint64(len(m.LogLabel)))
+	i--
+	dAtA[i] = 0xa
+	return len(dAtA) - i, nil
+}
+
 func (m *Service) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -4075,6 +4147,10 @@ func (m *NetworkPolicyRule) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if m.LogSetting != nil {
+		l = m.LogSetting.Size()
+		n += 1 + l + sovGenerated(uint64(l))
+	}
 	return n
 }
 
@@ -4184,6 +4260,17 @@ func (m *PodReference) Size() (n int) {
 	return n
 }
 
+func (m *RuleLogSetting) Size() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	l = len(m.LogLabel)
+	n += 1 + l + sovGenerated(uint64(l))
+	return n
+}
+
 func (m *Service) Size() (n int) {
 	if m == nil {
 		return 0
@@ -4772,6 +4859,7 @@ func (this *NetworkPolicyRule) String() string {
 		`AppliedToGroups:` + fmt.Sprintf("%v", this.AppliedToGroups) + `,`,
 		`Name:` + fmt.Sprintf("%v", this.Name) + `,`,
 		`L7Protocols:` + repeatedStringForL7Protocols + `,`,
+		`LogSetting:` + strings.Replace(this.LogSetting.String(), "RuleLogSetting", "RuleLogSetting", 1) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -4875,6 +4963,16 @@ func (this *PodReference) String() string {
 	}, "")
 	return s
 }
+func (this *RuleLogSetting) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&RuleLogSetting{`,
+		`LogLabel:` + fmt.Sprintf("%v", this.LogLabel) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *Service) String() string {
 	if this == nil {
 		return "nil"
@@ -9271,6 +9369,42 @@ func (m *NetworkPolicyRule) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 11:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LogSetting", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.LogSetting == nil {
+				m.LogSetting = &RuleLogSetting{}
+			}
+			if err := m.LogSetting.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -10062,6 +10196,88 @@ func (m *PodReference) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *RuleLogSetting) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: RuleLogSetting: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: RuleLogSetting: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field LogLabel", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.LogLabel = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *Service) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
diff --git a/pkg/apis/controlplane/v1beta2/generated.proto b/pkg/apis/controlplane/v1beta2/generated.proto
index 8eafa24c1f3..e4728b4b04d 100644
--- a/pkg/apis/controlplane/v1beta2/generated.proto
+++ b/pkg/apis/controlplane/v1beta2/generated.proto
@@ -1,4 +1,4 @@
-// Copyright 2022 Antrea Authors
+// Copyright 2023 Antrea Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -361,6 +361,9 @@ message NetworkPolicyRule {
 
   // L7Protocols is a list of application layer protocols which should be matched.
   repeated L7Protocol l7Protocols = 10;
+
+  // LogSetting specifies logging behaviors of the rules when matched.
+  optional RuleLogSetting logSetting = 11;
 }
 
 // NetworkPolicyStats contains the information and traffic stats of a NetworkPolicy.
@@ -421,6 +424,12 @@ message PodReference {
   optional string namespace = 2;
 }
 
+// RuleLogSetting describes logging behaviors. Currently supports log labels.
+message RuleLogSetting {
+  // LogLabel is a keyword included in the NetworkPolicy logs if this rule is matched and has log enabled.
+  optional string logLabel = 1;
+}
+
 // Service describes a port to allow traffic on.
 message Service {
   // The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this
diff --git a/pkg/apis/controlplane/v1beta2/types.go b/pkg/apis/controlplane/v1beta2/types.go
index 9c1e8685c72..bb51dfacb7a 100644
--- a/pkg/apis/controlplane/v1beta2/types.go
+++ b/pkg/apis/controlplane/v1beta2/types.go
@@ -258,6 +258,8 @@ type NetworkPolicyRule struct {
 	Name string `json:"name,omitempty" protobuf:"bytes,9,opt,name=name"`
 	// L7Protocols is a list of application layer protocols which should be matched.
 	L7Protocols []L7Protocol `json:"l7Protocols,omitempty" protobuf:"bytes,10,rep,name=l7Protocols"`
+	// LogSetting specifies logging behaviors of the rules when matched.
+	LogSetting *RuleLogSetting `json:"logSetting,omitempty" protobuf:"bytes,11,opt,name=logSetting"`
 }
 
 // Protocol defines network protocols supported for things like container ports.
@@ -349,6 +351,12 @@ type IPBlock struct {
 	Except []IPNet `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"`
 }
 
+// RuleLogSetting describes logging behaviors. Currently supports log labels.
+type RuleLogSetting struct {
+	// LogLabel is a keyword included in the NetworkPolicy logs if this rule is matched and has log enabled.
+	LogLabel string `json:"logLabel,omitempty" protobuf:"bytes,1,opt,name=logLabel"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // NetworkPolicyList is a list of NetworkPolicy objects.
diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
index bcbe355f9c8..904b639acb1 100644
--- a/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
+++ b/pkg/apis/controlplane/v1beta2/zz_generated.conversion.go
@@ -389,6 +389,16 @@ func RegisterConversions(s *runtime.Scheme) error {
 	}); err != nil {
 		return err
 	}
+	if err := s.AddGeneratedConversionFunc((*RuleLogSetting)(nil), (*controlplane.RuleLogSetting)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_v1beta2_RuleLogSetting_To_controlplane_RuleLogSetting(a.(*RuleLogSetting), b.(*controlplane.RuleLogSetting), scope)
+	}); err != nil {
+		return err
+	}
+	if err := s.AddGeneratedConversionFunc((*controlplane.RuleLogSetting)(nil), (*RuleLogSetting)(nil), func(a, b interface{}, scope conversion.Scope) error {
+		return Convert_controlplane_RuleLogSetting_To_v1beta2_RuleLogSetting(a.(*controlplane.RuleLogSetting), b.(*RuleLogSetting), scope)
+	}); err != nil {
+		return err
+	}
 	if err := s.AddGeneratedConversionFunc((*Service)(nil), (*controlplane.Service)(nil), func(a, b interface{}, scope conversion.Scope) error {
 		return Convert_v1beta2_Service_To_controlplane_Service(a.(*Service), b.(*controlplane.Service), scope)
 	}); err != nil {
@@ -1440,6 +1450,7 @@ func autoConvert_v1beta2_NetworkPolicyRule_To_controlplane_NetworkPolicyRule(in
 	out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups))
 	out.Name = in.Name
 	out.L7Protocols = *(*[]controlplane.L7Protocol)(unsafe.Pointer(&in.L7Protocols))
+	out.LogSetting = (*controlplane.RuleLogSetting)(unsafe.Pointer(in.LogSetting))
 	return nil
 }
 
@@ -1463,6 +1474,7 @@ func autoConvert_controlplane_NetworkPolicyRule_To_v1beta2_NetworkPolicyRule(in
 	out.EnableLogging = in.EnableLogging
 	out.AppliedToGroups = *(*[]string)(unsafe.Pointer(&in.AppliedToGroups))
 	out.L7Protocols = *(*[]L7Protocol)(unsafe.Pointer(&in.L7Protocols))
+	out.LogSetting = (*RuleLogSetting)(unsafe.Pointer(in.LogSetting))
 	return nil
 }
 
@@ -1638,6 +1650,26 @@ func Convert_controlplane_PodReference_To_v1beta2_PodReference(in *controlplane.
 	return autoConvert_controlplane_PodReference_To_v1beta2_PodReference(in, out, s)
 }
 
+func autoConvert_v1beta2_RuleLogSetting_To_controlplane_RuleLogSetting(in *RuleLogSetting, out *controlplane.RuleLogSetting, s conversion.Scope) error {
+	out.LogLabel = in.LogLabel
+	return nil
+}
+
+// Convert_v1beta2_RuleLogSetting_To_controlplane_RuleLogSetting is an autogenerated conversion function.
+func Convert_v1beta2_RuleLogSetting_To_controlplane_RuleLogSetting(in *RuleLogSetting, out *controlplane.RuleLogSetting, s conversion.Scope) error {
+	return autoConvert_v1beta2_RuleLogSetting_To_controlplane_RuleLogSetting(in, out, s)
+}
+
+func autoConvert_controlplane_RuleLogSetting_To_v1beta2_RuleLogSetting(in *controlplane.RuleLogSetting, out *RuleLogSetting, s conversion.Scope) error {
+	out.LogLabel = in.LogLabel
+	return nil
+}
+
+// Convert_controlplane_RuleLogSetting_To_v1beta2_RuleLogSetting is an autogenerated conversion function.
+func Convert_controlplane_RuleLogSetting_To_v1beta2_RuleLogSetting(in *controlplane.RuleLogSetting, out *RuleLogSetting, s conversion.Scope) error {
+	return autoConvert_controlplane_RuleLogSetting_To_v1beta2_RuleLogSetting(in, out, s)
+}
+
 func autoConvert_v1beta2_Service_To_controlplane_Service(in *Service, out *controlplane.Service, s conversion.Scope) error {
 	out.Protocol = (*controlplane.Protocol)(unsafe.Pointer(in.Protocol))
 	out.Port = (*intstr.IntOrString)(unsafe.Pointer(in.Port))
diff --git a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go
index 4738b0b870e..214c050a5e1 100644
--- a/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go
+++ b/pkg/apis/controlplane/v1beta2/zz_generated.deepcopy.go
@@ -881,6 +881,11 @@ func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.LogSetting != nil {
+		in, out := &in.LogSetting, &out.LogSetting
+		*out = new(RuleLogSetting)
+		**out = **in
+	}
 	return
 }
 
@@ -1059,6 +1064,22 @@ func (in *PodReference) DeepCopy() *PodReference {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleLogSetting) DeepCopyInto(out *RuleLogSetting) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLogSetting.
+func (in *RuleLogSetting) DeepCopy() *RuleLogSetting {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleLogSetting)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Service) DeepCopyInto(out *Service) {
 	*out = *in
diff --git a/pkg/apis/controlplane/zz_generated.deepcopy.go b/pkg/apis/controlplane/zz_generated.deepcopy.go
index 05082480e97..263315922c6 100644
--- a/pkg/apis/controlplane/zz_generated.deepcopy.go
+++ b/pkg/apis/controlplane/zz_generated.deepcopy.go
@@ -881,6 +881,11 @@ func (in *NetworkPolicyRule) DeepCopyInto(out *NetworkPolicyRule) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.LogSetting != nil {
+		in, out := &in.LogSetting, &out.LogSetting
+		*out = new(RuleLogSetting)
+		**out = **in
+	}
 	return
 }
 
@@ -1059,6 +1064,22 @@ func (in *PodReference) DeepCopy() *PodReference {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleLogSetting) DeepCopyInto(out *RuleLogSetting) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLogSetting.
+func (in *RuleLogSetting) DeepCopy() *RuleLogSetting {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleLogSetting)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Service) DeepCopyInto(out *Service) {
 	*out = *in
diff --git a/pkg/apis/crd/v1alpha1/types.go b/pkg/apis/crd/v1alpha1/types.go
index e21af92ed98..e7fc4a0fb2b 100644
--- a/pkg/apis/crd/v1alpha1/types.go
+++ b/pkg/apis/crd/v1alpha1/types.go
@@ -430,8 +430,13 @@ type Rule struct {
 	Name string `json:"name,omitempty"`
 	// EnableLogging is used to indicate if agent should generate logs
 	// when rules are matched. Should be default to false.
+	// This field can't be used with LogSetting, will be deprecated.
 	// +optional
 	EnableLogging bool `json:"enableLogging"`
+	// LogSetting is used to specify logging behaviors of the rules when matched.
+	// This field can't be used with EnableLogging.
+	// +optional
+	LogSetting *RuleLogSetting `json:"logSetting,omitempty"`
 	// Select workloads on which this rule will be applied to. Cannot be set in
 	// conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.
 	// +optional
@@ -920,3 +925,12 @@ type HTTPProtocol struct {
 	// Path represents the URI path to match (Ex. "/index.html", "/admin").
 	Path string `json:"path,omitempty"`
 }
+
+// RuleLogSetting describes logging behaviors. Currently supports log labels.
+type RuleLogSetting struct {
+	// LogEnabled indicates if logs should be generated when rules are matched.
+	LogEnabled bool `json:"enabled"`
+	// LogLabel is a keyword included in the NetworkPolicy logs if this rule is matched and has log enabled.
+	// +optional
+	LogLabel string `json:"logLabel,omitempty"`
+}
diff --git a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
index 064ade764eb..f0aa481cfe1 100644
--- a/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/crd/v1alpha1/zz_generated.deepcopy.go
@@ -929,6 +929,11 @@ func (in *Rule) DeepCopyInto(out *Rule) {
 		*out = make([]PeerService, len(*in))
 		copy(*out, *in)
 	}
+	if in.LogSetting != nil {
+		in, out := &in.LogSetting, &out.LogSetting
+		*out = new(RuleLogSetting)
+		**out = **in
+	}
 	if in.AppliedTo != nil {
 		in, out := &in.AppliedTo, &out.AppliedTo
 		*out = make([]AppliedTo, len(*in))
@@ -949,6 +954,22 @@ func (in *Rule) DeepCopy() *Rule {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleLogSetting) DeepCopyInto(out *RuleLogSetting) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLogSetting.
+func (in *RuleLogSetting) DeepCopy() *RuleLogSetting {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleLogSetting)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Source) DeepCopyInto(out *Source) {
 	*out = *in
diff --git a/pkg/apiserver/openapi/zz_generated.openapi.go b/pkg/apiserver/openapi/zz_generated.openapi.go
index 2661ea4ba76..610dfaf468d 100644
--- a/pkg/apiserver/openapi/zz_generated.openapi.go
+++ b/pkg/apiserver/openapi/zz_generated.openapi.go
@@ -65,6 +65,7 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.NodeStatsSummary":                  schema_pkg_apis_controlplane_v1beta2_NodeStatsSummary(ref),
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.PaginationGetOptions":              schema_pkg_apis_controlplane_v1beta2_PaginationGetOptions(ref),
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.PodReference":                      schema_pkg_apis_controlplane_v1beta2_PodReference(ref),
+		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleLogSetting":                    schema_pkg_apis_controlplane_v1beta2_RuleLogSetting(ref),
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.Service":                           schema_pkg_apis_controlplane_v1beta2_Service(ref),
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.ServiceReference":                  schema_pkg_apis_controlplane_v1beta2_ServiceReference(ref),
 		"antrea.io/antrea/pkg/apis/controlplane/v1beta2.SupportBundleCollection":           schema_pkg_apis_controlplane_v1beta2_SupportBundleCollection(ref),
@@ -1751,12 +1752,18 @@ func schema_pkg_apis_controlplane_v1beta2_NetworkPolicyRule(ref common.Reference
 							},
 						},
 					},
+					"logSetting": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LogSetting specifies logging behaviors of the rules when matched.",
+							Ref:         ref("antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleLogSetting"),
+						},
+					},
 				},
 				Required: []string{"enableLogging"},
 			},
 		},
 		Dependencies: []string{
-			"antrea.io/antrea/pkg/apis/controlplane/v1beta2.L7Protocol", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyPeer", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Service"},
+			"antrea.io/antrea/pkg/apis/controlplane/v1beta2.L7Protocol", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.NetworkPolicyPeer", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.RuleLogSetting", "antrea.io/antrea/pkg/apis/controlplane/v1beta2.Service"},
 	}
 }
 
@@ -2031,6 +2038,26 @@ func schema_pkg_apis_controlplane_v1beta2_PodReference(ref common.ReferenceCallb
 	}
 }
 
+func schema_pkg_apis_controlplane_v1beta2_RuleLogSetting(ref common.ReferenceCallback) common.OpenAPIDefinition {
+	return common.OpenAPIDefinition{
+		Schema: spec.Schema{
+			SchemaProps: spec.SchemaProps{
+				Description: "RuleLogSetting describes logging behaviors. Currently supports log labels.",
+				Type:        []string{"object"},
+				Properties: map[string]spec.Schema{
+					"logLabel": {
+						SchemaProps: spec.SchemaProps{
+							Description: "LogLabel is a keyword included in the NetworkPolicy logs if this rule is matched and has log enabled.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
 func schema_pkg_apis_controlplane_v1beta2_Service(ref common.ReferenceCallback) common.OpenAPIDefinition {
 	return common.OpenAPIDefinition{
 		Schema: spec.Schema{
diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy.go b/pkg/controller/networkpolicy/antreanetworkpolicy.go
index 8a026633b5f..41783d8e952 100644
--- a/pkg/controller/networkpolicy/antreanetworkpolicy.go
+++ b/pkg/controller/networkpolicy/antreanetworkpolicy.go
@@ -116,6 +116,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net
 			EnableLogging:   ingressRule.EnableLogging,
 			AppliedToGroups: getAppliedToGroupNames(atgs),
 			L7Protocols:     toAntreaL7ProtocolsForCRD(ingressRule.L7Protocols),
+			LogSetting:      toAntreaLogSettingForCRD(ingressRule.LogSetting),
 		})
 	}
 	// Compute NetworkPolicyRule for Egress Rule.
@@ -147,6 +148,7 @@ func (n *NetworkPolicyController) processAntreaNetworkPolicy(np *crdv1alpha1.Net
 			EnableLogging:   egressRule.EnableLogging,
 			AppliedToGroups: getAppliedToGroupNames(atgs),
 			L7Protocols:     toAntreaL7ProtocolsForCRD(egressRule.L7Protocols),
+			LogSetting:      toAntreaLogSettingForCRD(egressRule.LogSetting),
 		})
 	}
 	tierPriority := n.getTierPriority(np.Spec.Tier)
diff --git a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go
index 032b8ed7303..7c44bd16035 100644
--- a/pkg/controller/networkpolicy/antreanetworkpolicy_test.go
+++ b/pkg/controller/networkpolicy/antreanetworkpolicy_test.go
@@ -673,6 +673,72 @@ func TestProcessAntreaNetworkPolicy(t *testing.T) {
 			expectedAppliedToGroups: 1,
 			expectedAddressGroups:   1,
 		},
+		{
+			name: "with-log-label",
+			inputPolicy: &crdv1alpha1.NetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{Namespace: "ns9", Name: "npI", UID: "uidI"},
+				Spec: crdv1alpha1.NetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.AppliedTo{
+						{PodSelector: &selectorA},
+					},
+					Priority: p10,
+					Ingress: []crdv1alpha1.Rule{
+						{
+							Ports: []crdv1alpha1.NetworkPolicyPort{
+								{
+									Port: &int80,
+								},
+							},
+							From: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									PodSelector:       &selectorB,
+									NamespaceSelector: &selectorC,
+								},
+							},
+							Action: &allowAction,
+							LogSetting: &crdv1alpha1.RuleLogSetting{
+								LogEnabled: true,
+								LogLabel:   "test-log-label",
+							},
+						},
+					},
+				},
+			},
+			expectedPolicy: &antreatypes.NetworkPolicy{
+				UID:  "uidI",
+				Name: "uidI",
+				SourceRef: &controlplane.NetworkPolicyReference{
+					Type:      controlplane.AntreaNetworkPolicy,
+					Namespace: "ns9",
+					Name:      "npI",
+					UID:       "uidI",
+				},
+				Priority:     &p10,
+				TierPriority: &DefaultTierPriority,
+				Rules: []controlplane.NetworkPolicyRule{
+					{
+						Direction: controlplane.DirectionIn,
+						From: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, &selectorC, nil, nil).NormalizedName)},
+						},
+						Services: []controlplane.Service{
+							{
+								Protocol: &protocolTCP,
+								Port:     &int80,
+							},
+						},
+						Priority: 0,
+						Action:   &allowAction,
+						LogSetting: &controlplane.RuleLogSetting{
+							LogLabel: "test-log-label",
+						},
+					},
+				},
+				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("ns9", &selectorA, nil, nil, nil).NormalizedName)},
+			},
+			expectedAppliedToGroups: 1,
+			expectedAddressGroups:   1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy.go b/pkg/controller/networkpolicy/clusternetworkpolicy.go
index e249d3feed5..b0a346d9836 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy.go
@@ -377,6 +377,7 @@ func (n *NetworkPolicyController) processClusterNetworkPolicy(cnp *crdv1alpha1.C
 					EnableLogging:   cnpRule.EnableLogging,
 					AppliedToGroups: getAppliedToGroupNames(ruleAppliedTos),
 					L7Protocols:     toAntreaL7ProtocolsForCRD(cnpRule.L7Protocols),
+					LogSetting:      toAntreaLogSettingForCRD(cnpRule.LogSetting),
 				}
 				if dir == controlplane.DirectionIn {
 					rule.From = *peer
diff --git a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
index d47e155c9c1..76657fb80c2 100644
--- a/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
+++ b/pkg/controller/networkpolicy/clusternetworkpolicy_test.go
@@ -1625,6 +1625,71 @@ func TestProcessClusterNetworkPolicy(t *testing.T) {
 			expectedAppliedToGroups: 1,
 			expectedAddressGroups:   0,
 		},
+		{
+			name: "with-log-label",
+			inputPolicy: &crdv1alpha1.ClusterNetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{Name: "cnpN", UID: "uidN"},
+				Spec: crdv1alpha1.ClusterNetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.AppliedTo{
+						{PodSelector: &selectorA},
+					},
+					Priority: p10,
+					Ingress: []crdv1alpha1.Rule{
+						{
+							Ports: []crdv1alpha1.NetworkPolicyPort{
+								{
+									Port: &int80,
+								},
+							},
+							From: []crdv1alpha1.NetworkPolicyPeer{
+								{
+									PodSelector:       &selectorB,
+									NamespaceSelector: &selectorC,
+								},
+							},
+							Action: &allowAction,
+							LogSetting: &crdv1alpha1.RuleLogSetting{
+								LogEnabled: true,
+								LogLabel:   "test-log-label",
+							},
+						},
+					},
+				},
+			},
+			expectedPolicy: &antreatypes.NetworkPolicy{
+				UID:  "uidN",
+				Name: "uidN",
+				SourceRef: &controlplane.NetworkPolicyReference{
+					Type: controlplane.AntreaClusterNetworkPolicy,
+					Name: "cnpN",
+					UID:  "uidN",
+				},
+				Priority:     &p10,
+				TierPriority: &DefaultTierPriority,
+				Rules: []controlplane.NetworkPolicyRule{
+					{
+						Direction: controlplane.DirectionIn,
+						From: controlplane.NetworkPolicyPeer{
+							AddressGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorB, &selectorC, nil, nil).NormalizedName)},
+						},
+						Services: []controlplane.Service{
+							{
+								Protocol: &protocolTCP,
+								Port:     &int80,
+							},
+						},
+						Priority: 0,
+						Action:   &allowAction,
+						LogSetting: &controlplane.RuleLogSetting{
+							LogLabel: "test-log-label",
+						},
+					},
+				},
+				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("", &selectorA, nil, nil, nil).NormalizedName)},
+			},
+			expectedAppliedToGroups: 1,
+			expectedAddressGroups:   1,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/controller/networkpolicy/crd_utils.go b/pkg/controller/networkpolicy/crd_utils.go
index 51eacd5db6f..908100093b1 100644
--- a/pkg/controller/networkpolicy/crd_utils.go
+++ b/pkg/controller/networkpolicy/crd_utils.go
@@ -122,6 +122,15 @@ func toAntreaL7ProtocolsForCRD(l7Protocols []v1alpha1.L7Protocol) []controlplane
 	return antreaL7Protocols
 }
 
+func toAntreaLogSettingForCRD(logSetting *v1alpha1.RuleLogSetting) *controlplane.RuleLogSetting {
+	if logSetting != nil && logSetting.LogEnabled {
+		return &controlplane.RuleLogSetting{
+			LogLabel: logSetting.LogLabel,
+		}
+	}
+	return nil
+}
+
 // toAntreaIPBlockForCRD converts a v1alpha1.IPBlock to an Antrea IPBlock.
 func toAntreaIPBlockForCRD(ipBlock *v1alpha1.IPBlock) (*controlplane.IPBlock, error) {
 	// Convert the allowed IPBlock to networkpolicy.IPNet.
diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go
index 9391e899c69..6a4cc9eea6b 100644
--- a/pkg/controller/networkpolicy/crd_utils_test.go
+++ b/pkg/controller/networkpolicy/crd_utils_test.go
@@ -226,6 +226,35 @@ func TestToAntreaL7ProtocolsForCRD(t *testing.T) {
 	}
 }
 
+func TestToAntreaLogSettingForCRD(t *testing.T) {
+	tables := []struct {
+		name       string
+		logSetting *crdv1alpha1.RuleLogSetting
+		expValue   *controlplane.RuleLogSetting
+	}{
+		{
+			name: "Set logSetting not enabled",
+			logSetting: &crdv1alpha1.RuleLogSetting{
+				LogEnabled: false,
+			},
+		},
+		{
+			name: "Set logSetting log label",
+			logSetting: &crdv1alpha1.RuleLogSetting{
+				LogEnabled: true,
+				LogLabel:   "test-log-label",
+			},
+			expValue: &controlplane.RuleLogSetting{
+				LogLabel: "test-log-label",
+			},
+		},
+	}
+	for _, table := range tables {
+		gotValue := toAntreaLogSettingForCRD(table.logSetting)
+		assert.Equal(t, table.expValue, gotValue)
+	}
+}
+
 func TestToAntreaIPBlockForCRD(t *testing.T) {
 	expIPNet := controlplane.IPNet{
 		IP:           ipStrToIPAddress("10.0.0.0"),
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller.go b/pkg/controller/networkpolicy/networkpolicy_controller.go
index 629016f3aed..71e32309fe1 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller.go
@@ -650,10 +650,10 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 	appliedToGroups = mergeAppliedToGroups(appliedToGroups, newAppliedToGroup)
 	rules := make([]controlplane.NetworkPolicyRule, 0, len(np.Spec.Ingress)+len(np.Spec.Egress))
 	// Retrieve Namespace logging annotation.
-	enableLogging := false
+	logSetting := &secv1alpha1.RuleLogSetting{}
 	namespace, err := n.namespaceLister.Get(np.Namespace)
 	if err == nil {
-		enableLogging, _ = strconv.ParseBool(namespace.Annotations[EnableNPLoggingAnnotationKey])
+		logSetting.LogEnabled, _ = strconv.ParseBool(namespace.Annotations[EnableNPLoggingAnnotationKey])
 	}
 	var ingressRuleExists, egressRuleExists bool
 	// Compute NetworkPolicyRule for Ingress Rule.
@@ -663,12 +663,12 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 		peer, newAddressGroups := n.toAntreaPeer(ingressRule.From, np, controlplane.DirectionIn, namedPortExists)
 		addressGroups = mergeAddressGroups(addressGroups, newAddressGroups...)
 		rules = append(rules, controlplane.NetworkPolicyRule{
-			Direction:     controlplane.DirectionIn,
-			From:          *peer,
-			Services:      services,
-			Priority:      defaultRulePriority,
-			Action:        &defaultAction,
-			EnableLogging: enableLogging,
+			Direction:  controlplane.DirectionIn,
+			From:       *peer,
+			Services:   services,
+			Priority:   defaultRulePriority,
+			Action:     &defaultAction,
+			LogSetting: toAntreaLogSettingForCRD(logSetting),
 		})
 	}
 	// Compute NetworkPolicyRule for Egress Rule.
@@ -678,12 +678,12 @@ func (n *NetworkPolicyController) processNetworkPolicy(np *networkingv1.NetworkP
 		peer, newAddressGroups := n.toAntreaPeer(egressRule.To, np, controlplane.DirectionOut, namedPortExists)
 		addressGroups = mergeAddressGroups(addressGroups, newAddressGroups...)
 		rules = append(rules, controlplane.NetworkPolicyRule{
-			Direction:     controlplane.DirectionOut,
-			To:            *peer,
-			Services:      services,
-			Priority:      defaultRulePriority,
-			Action:        &defaultAction,
-			EnableLogging: enableLogging,
+			Direction:  controlplane.DirectionOut,
+			To:         *peer,
+			Services:   services,
+			Priority:   defaultRulePriority,
+			Action:     &defaultAction,
+			LogSetting: toAntreaLogSettingForCRD(logSetting),
 		})
 	}
 
diff --git a/pkg/controller/networkpolicy/networkpolicy_controller_test.go b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
index a5ac1b77c4c..6e861e7b301 100644
--- a/pkg/controller/networkpolicy/networkpolicy_controller_test.go
+++ b/pkg/controller/networkpolicy/networkpolicy_controller_test.go
@@ -1820,12 +1820,11 @@ func TestProcessNetworkPolicy(t *testing.T) {
 					UID:       "uidA",
 				},
 				Rules: []controlplane.NetworkPolicyRule{{
-					Direction:     controlplane.DirectionIn,
-					From:          matchAllPeer,
-					Services:      nil,
-					Priority:      defaultRulePriority,
-					Action:        &defaultAction,
-					EnableLogging: false,
+					Direction: controlplane.DirectionIn,
+					From:      matchAllPeer,
+					Services:  nil,
+					Priority:  defaultRulePriority,
+					Action:    &defaultAction,
 				}},
 				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("nsA", &metav1.LabelSelector{}, nil, nil, nil).NormalizedName)},
 			},
@@ -1986,9 +1985,8 @@ func TestProcessNetworkPolicy(t *testing.T) {
 								Port:     &int80,
 							},
 						},
-						Priority:      defaultRulePriority,
-						Action:        &defaultAction,
-						EnableLogging: false,
+						Priority: defaultRulePriority,
+						Action:   &defaultAction,
 					},
 					{
 						Direction: controlplane.DirectionOut,
@@ -2001,9 +1999,8 @@ func TestProcessNetworkPolicy(t *testing.T) {
 								Port:     &int81,
 							},
 						},
-						Priority:      defaultRulePriority,
-						Action:        &defaultAction,
-						EnableLogging: false,
+						Priority: defaultRulePriority,
+						Action:   &defaultAction,
 					},
 				},
 				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorA, nil, nil, nil).NormalizedName)},
@@ -2066,9 +2063,8 @@ func TestProcessNetworkPolicy(t *testing.T) {
 								Port:     &int80,
 							},
 						},
-						Priority:      defaultRulePriority,
-						Action:        &defaultAction,
-						EnableLogging: false,
+						Priority: defaultRulePriority,
+						Action:   &defaultAction,
 					},
 					{
 						Direction: controlplane.DirectionIn,
@@ -2081,9 +2077,8 @@ func TestProcessNetworkPolicy(t *testing.T) {
 								Port:     &int81,
 							},
 						},
-						Priority:      defaultRulePriority,
-						Action:        &defaultAction,
-						EnableLogging: false,
+						Priority: defaultRulePriority,
+						Action:   &defaultAction,
 					},
 				},
 				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("nsA", &selectorA, nil, nil, nil).NormalizedName)},
@@ -2174,12 +2169,12 @@ func TestProcessNetworkPolicy(t *testing.T) {
 					UID:       "uidA",
 				},
 				Rules: []controlplane.NetworkPolicyRule{{
-					Direction:     controlplane.DirectionIn,
-					From:          matchAllPeer,
-					Services:      nil,
-					Priority:      defaultRulePriority,
-					Action:        &defaultAction,
-					EnableLogging: true,
+					Direction:  controlplane.DirectionIn,
+					From:       matchAllPeer,
+					Services:   nil,
+					Priority:   defaultRulePriority,
+					Action:     &defaultAction,
+					LogSetting: &controlplane.RuleLogSetting{},
 				}},
 				AppliedToGroups: []string{getNormalizedUID(antreatypes.NewGroupSelector("nsA", &metav1.LabelSelector{}, nil, nil, nil).NormalizedName)},
 			},
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
index a76a4188de7..3ab2f6717f8 100644
--- a/pkg/controller/networkpolicy/validate.go
+++ b/pkg/controller/networkpolicy/validate.go
@@ -453,6 +453,10 @@ func (v *antreaPolicyValidator) createValidate(curObj interface{}, userInfo auth
 	if !allowed {
 		return reason, allowed
 	}
+	reason, allowed = v.validateLogSetting(ingress, egress)
+	if !allowed {
+		return reason, allowed
+	}
 	if err := v.validatePort(ingress, egress); err != nil {
 		return err.Error(), false
 	}
@@ -801,6 +805,16 @@ func (v *antreaPolicyValidator) validateL7Protocols(ingressRules, egressRules []
 	return "", true
 }
 
+// validateLogSetting validates the enableLogging field and logSetting field do not conflict.
+func (v *antreaPolicyValidator) validateLogSetting(ingressRules, egressRules []crdv1alpha1.Rule) (string, bool) {
+	for _, r := range append(ingressRules, egressRules...) {
+		if r.EnableLogging && r.LogSetting != nil {
+			return "enableLogging and logSetting can not be set at the same time", false
+		}
+	}
+	return "", true
+}
+
 // validateFQDNSelectors validates the toFQDN field set in Antrea-native policy egress rules are valid.
 func (v *antreaPolicyValidator) validateFQDNSelectors(egressRules []crdv1alpha1.Rule) (string, bool) {
 	for _, r := range egressRules {
@@ -859,6 +873,10 @@ func (v *antreaPolicyValidator) updateValidate(curObj, oldObj interface{}, userI
 	if !allowed {
 		return reason, allowed
 	}
+	reason, allowed = v.validateLogSetting(ingress, egress)
+	if !allowed {
+		return reason, allowed
+	}
 	if err := v.validatePort(ingress, egress); err != nil {
 		return err.Error(), false
 	}
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index dcddd52f23c..d6f578ec632 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
@@ -1436,6 +1436,32 @@ func TestValidateAntreaPolicy(t *testing.T) {
 			},
 			expectedReason: "layer 7 protocols can only be used when L7NetworkPolicy is enabled",
 		},
+		{
+			name: "logSetting used with enableLogging",
+			policy: &crdv1alpha1.ClusterNetworkPolicy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "egress-rule-logging",
+				},
+				Spec: crdv1alpha1.ClusterNetworkPolicySpec{
+					AppliedTo: []crdv1alpha1.AppliedTo{
+						{
+							NamespaceSelector: &metav1.LabelSelector{},
+						},
+					},
+					Egress: []crdv1alpha1.Rule{
+						{
+							Action:        &allowAction,
+							EnableLogging: true,
+							LogSetting: &crdv1alpha1.RuleLogSetting{
+								LogEnabled: true,
+								LogLabel:   "test-log-label",
+							},
+						},
+					},
+				},
+			},
+			expectedReason: "enableLogging and logSetting can not be set at the same time",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
index d2921216c98..c65c6e0cbed 100644
--- a/test/e2e/antreapolicy_test.go
+++ b/test/e2e/antreapolicy_test.go
@@ -2558,13 +2558,14 @@ func testANPMultipleAppliedTo(t *testing.T, data *TestData, singleRule bool) {
 func testAuditLoggingBasic(t *testing.T, data *TestData) {
 	npRef := "test-log-acnp-deny"
 	ruleName := "DropToZ"
+	logLabel := "testLogLabel"
 	builder := &ClusterNetworkPolicySpecBuilder{}
 	builder = builder.SetName(npRef).
 		SetPriority(1.0).
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": namespaces["x"]}}})
 	builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"ns": namespaces["z"]},
 		nil, nil, false, nil, crdv1alpha1.RuleActionDrop, "", ruleName, nil)
-	builder.AddEgressLogging()
+	builder.AddEgressLogging(logLabel)
 
 	acnp, err := k8sUtils.CreateOrUpdateACNP(builder.Get())
 	failOnError(err, t)
diff --git a/test/e2e/utils/anp_spec_builder.go b/test/e2e/utils/anp_spec_builder.go
index 42645991e43..3229147afe7 100644
--- a/test/e2e/utils/anp_spec_builder.go
+++ b/test/e2e/utils/anp_spec_builder.go
@@ -206,9 +206,12 @@ func (b *AntreaNetworkPolicySpecBuilder) AddToServicesRule(svcRefs []crdv1alpha1
 	return b
 }
 
-func (b *AntreaNetworkPolicySpecBuilder) AddEgressLogging() *AntreaNetworkPolicySpecBuilder {
+func (b *AntreaNetworkPolicySpecBuilder) AddEgressLogging(logLabel string) *AntreaNetworkPolicySpecBuilder {
 	for i, e := range b.Spec.Egress {
-		e.EnableLogging = true
+		e.LogSetting = &crdv1alpha1.RuleLogSetting{
+			LogEnabled: true,
+			LogLabel:   logLabel,
+		}
 		b.Spec.Egress[i] = e
 	}
 	return b
diff --git a/test/e2e/utils/cnp_spec_builder.go b/test/e2e/utils/cnp_spec_builder.go
index 761e2f9e0c4..e3797b4ab33 100644
--- a/test/e2e/utils/cnp_spec_builder.go
+++ b/test/e2e/utils/cnp_spec_builder.go
@@ -299,9 +299,12 @@ func (b *ClusterNetworkPolicySpecBuilder) WithEgressDNS() *ClusterNetworkPolicyS
 	return b
 }
 
-func (b *ClusterNetworkPolicySpecBuilder) AddEgressLogging() *ClusterNetworkPolicySpecBuilder {
+func (b *ClusterNetworkPolicySpecBuilder) AddEgressLogging(logLabel string) *ClusterNetworkPolicySpecBuilder {
 	for i, e := range b.Spec.Egress {
-		e.EnableLogging = true
+		e.LogSetting = &crdv1alpha1.RuleLogSetting{
+			LogEnabled: true,
+			LogLabel:   logLabel,
+		}
 		b.Spec.Egress[i] = e
 	}
 	return b