Current logging in Keystone does not enable operators to determine what is happening
Bug #1539140 reported by
Henry Nash
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Expired
|
Undecided
|
Unassigned | ||
Bug Description
Our current logging is meant to provide different levels so that operators can enable a suitable level (e.g. INFO) without going full DEBUG (which operators consider potentially risky). INFO doesn't, however, give you anything consistent.
Keystone should follow the OpenStack standard: https:/
Examples of things we might like to have at INFO level:
- How is this keystone doing?
- % of requests success/failed
- % of failures at the backend (e.g. to SQL/LDAP etc.)
- % of requests that return validation error (e.g. indicative of an attack/bad clients)
| description: | updated |
| description: | updated |
| description: | updated |
Revision history for this message
| Morgan Fainberg (mdrnstm) wrote | #1 |
| tags: | added: user-experience |
Revision history for this message
| Morgan Fainberg (mdrnstm) wrote | #2 |
| Changed in keystone: | |
| status: | New → Incomplete |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in keystone: | |
| status: | Incomplete → Expired |
To post a comment you must log in.
Since keystone is run in a webserver (apache in most cases), a lot of this information is already available, but needs log processing to work. The failures to the backend (SQL/LDAP) is the biggest place we can improve and the validation errors can be emitted.
I am against trying to track % of failures, that is a log processing tool's job, and we are running across multiple processes that will occasionally be cycled, keeping that data coherent is difficult on a good day and there are tools (ELK, Splunk, Hadoop) that can all be leveraged to bundle all these lines up into something that is much more readable/usable.
Unfortunately we will be the odd-one-out in that we will be logging things twice -- Once at the apache layer (aka access.log) and once that is the actual log from keystone. Both of these are useful as they indicate different things in different ways.
So in short:
Not % of requests [that isn't part of the linked logging standard].
If we make it so that the "Security Exception" is more verbose to the log (it needs to be opaque when rendered to the end-user) we can make keystone much more useful logging wise for operators immediately. Most of the security exception stripping is only important rendering to the end user.