Support L7 Network Policy Logging #4625
Conversation
Codecov Report
@@ Coverage Diff @@
## main #4625 +/- ##
==========================================
- Coverage 68.39% 67.19% -1.21%
==========================================
Files 400 418 +18
Lines 58298 62823 +4525
==========================================
+ Hits 39872 42212 +2340
- Misses 15656 17679 +2023
- Partials 2770 2932 +162
*This pull request uses carry forward flags. Click here to find out more.
|
| rulesData := bytes.NewBuffer(nil) | ||
| sid := 1 | ||
|
|
||
| var tagKeyword string | ||
| if enableLogging { | ||
| tagKeyword = " tag: session, 30, seconds;" |
There was a problem hiding this comment.
I didn't find doc about these keywords, could you share a link and add comment to help understand?
There was a problem hiding this comment.
Suricata lacks the documentation for "tag", which is an open ticket. Looking into the codebase, it's handled in their file detect-engine-tag. Also Snort has a similar functionality, doc.
There was a problem hiding this comment.
could you add this information to code comment? otherwise people who looks at this will have the same question.
qiyueyao
force-pushed
the
l7-logging
branch
3 times, most recently
from
09a9fc0
to
5c70bd2
Compare
qiyueyao
force-pushed
the
l7-logging
branch
3 times, most recently
from
4fe41a6
to
a9dc3f7
Compare
|
|
||
| Layer 7 traffic that matches the NetworkPolicy will be logged in an event | ||
| triggered log file (`/var/log/antrea/networkpolicy/l7engine/eve-YEAR-MONTH-DAY.json`). | ||
| The event type for this log is `alert`. If `enableLogging` is set for the rule, |
There was a problem hiding this comment.
You mean the dropped request will be logged regardless of whether enableLogging is enabled? Is it configurable?
There was a problem hiding this comment.
It will be logged regardless of enableLogging. Based on my investigation of Suricata doc, there is no workaround to configure this. It is either log all events or no log at all, only the packets can be configured with enableLogging, but they can only be logged in the same file. I also asked in the Suricata community, this doesn't seem a high priority feature request, since we have postprocess tooling.
| rulesData := bytes.NewBuffer(nil) | ||
| sid := 1 | ||
|
|
||
| var tagKeyword string | ||
| if enableLogging { | ||
| tagKeyword = " tag: session, 30, seconds;" |
There was a problem hiding this comment.
could you add this information to code comment? otherwise people who looks at this will have the same question.
Antrea-native policy now supports layer 7 NetworkPolicy. To provide more information for users, logging for this feature is introduced. Antrea-native policy is not accurate enough in reporting packet status before sending to l7 engine. Logs are fixed to reflect "Redirect" action. Audit logging UT are updated to cover more cases. L7 engine provides its own logs. Currently, Suricata is used as L7 engine. Configuration is updated to generate two log files, fast.log and eve.json Both files locates at /var/log/antrea/networkpolicy/. Documentation is updated. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
|
/test-all |
1 similar comment
|
/test-all |
Antrea-native policy now supports layer 7 NetworkPolicy. To provide more information for users, logging for this feature is introduced. Antrea-native policy is not accurate enough in reporting packet status before sending to l7 engine. Logs are fixed to reflect "Redirect" action. Audit logging UT are updated to cover more cases. L7 engine provides its own logs. Currently, Suricata is used as L7 engine. Configuration is updated to generate two log files, fast.log and eve.json Both files locates at /var/log/antrea/networkpolicy/. Documentation is updated. Signed-off-by: Qiyue Yao <yaoq@vmware.com>
Fix inaccurate Antrea Native Policy logging, where the L7NP will be logged as
RedirectnotAllow. Update UT to cover more cases.Add event log file for Suricata at
/var/log/antrea/networkpolicy/l7engine. Due to the limitation of available Suricata options, currentlyeve.loglogs all the alerts (reject&pass) regardless ofenableLogging, event_type: "alert". Meanwhile packets are only logged ifenableLogging: true, "event_type: "packet".