Network security group logging: only DROP events being logged

Bug #1796200 reported by Vladimir Grevtsev
This bug affects 1 person
Affects: neutron
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Network security group logging not working: empty file being created w/o actual logs

On a clean OpenStack (Ubuntu Xenial, Queens release) I tried to enable security group logging as stated in the https://docs.openstack.org/neutron/queens/admin/config-logging.html doc, and it's not working as expected.

=================

Actual behaviour: The log file has been created in the place specified in the config by the "neutron" user, but:
- only DROP events have been created; ACCEPT events are missing;
- ICMP traffic is not logged at all.

Expected behaviour: The log file has been created and NSG traffic data is also being logged into it for both ACCEPT and DROP events.

==========

Additional information:

a) OpenStack has been deployed from scratch using Juju and upstream bundles (with only two charms being modified locally, enabling necessary config changes for following upstream documentation mentioned above), here is actual charm link: http://paste.openstack.org/show/731530/

b) Full OpenStack configuration commands from flavors till verifying that networking itself is working: http://paste.openstack.org/show/731529/ (take a look at the EOF: I'm trying to ping my instance floating IP, I cannot, but after enabling a rule in NSG it succeeded - so traffic is actually being passed to instance and security groups are working);

c) Config files that should be modified, according to documentation:

neutron-api neutron.conf: http://paste.openstack.org/show/731531/
neutron-gateway /etc/neutron/plugins/ml2/openvswitch_agent.ini: http://paste.openstack.org/show/731534/
nova-compute /etc/neutron/plugins/ml2/openvswitch_agent.ini: http://paste.openstack.org/show/731535/

Security groups rules: http://paste.openstack.org/show/731541/
OVS firewall log without any traffic yet: http://paste.openstack.org/show/731542/

Trying to reach HTTPS (which is blocked by security groups): http://paste.openstack.org/show/731543/ - all OK, it's being logged.

But if I try to log in to SSH (it's enabled via NSG rules), nothing appears in the NSG log; however, the corresponding rules have been applied to Open vSwitch: http://paste.openstack.org/show/731544/

Also, nothing happens in the NSG log when trying to reach the instance by ICMP (regular ping, for example).

summary: - Network security group logging not working: empty file being created w/o
- actual logs
+ Network security group logging not working: only DROP events being
+ logged
summary: - Network security group logging not working: only DROP events being
- logged
+ Network security group logging: only DROP events being logged
description: updated
Brian Haley (brian-haley) wrote :

This looks like a duplicate of https://bugs.launchpad.net/neutron/+bug/1782576 - can you confirm? Fixes for that have been backported as well. Thanks.

Vladimir Grevtsev (vlgrevtsev) wrote :

@Brian Confirmed, this is a duplicate of https://bugs.launchpad.net/neutron/+bug/1782576 - I had my Neutron running on the 12.0.3 branch; however, 12.0.4 has the fix included in it and all is fine.
