<div dir="ltr">Auditing has been discussed for the firewall extension.<div>However, it is reasonable to expect some form of auditing for security group rules as well.</div><div><br></div><div>To the best of my knowledge there has never been an explicit decision to not support logging.</div>
<div>However, my guess here is that we might be better off with an auditing service plugin integrating with security group and firewall agents rather than baking the logging feature in the security group extension.</div><div>
Please note that I'm just thinking aloud here.</div><div><br></div><div>Regards,</div><div>Salvatore</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 8 April 2014 23:17, CARVER, PAUL <span dir="ltr"><<a href="mailto:pc2929@att.com" target="_blank">pc2929@att.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Are there any blueprints or discussion around logging the actions of iptables rules that are generated from security groups?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Typically a firewall produces copious logs. As far as I can tell, Neutron security groups permit or deny traffic but don’t provide any record at all of what happened. Obviously iptables itself supports logging, but I haven’t seen anything in <a href="https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py" target="_blank">https://github.com/openstack/neutron/blob/master/neutron/agent/linux/iptables_firewall.py</a> that looks like it adds logging rules.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’d be curious to know if this is just a case of no one having added it yet, or if there was any explicit decision to NOT support logging (either as a provider-enforced standard, or as a tenant-configurable per-rule setting).</p>
</div>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
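<p>Added illustration, not Neutron project code and not from either author above: the two building blocks an auditing service sitting beside the security-group agent would need. <code>render_rules</code> emits an iptables <code>LOG</code> rule ahead of each <code>ACCEPT</code>/<code>DROP</code> verdict (LOG is non-terminating, so the verdict still applies), checks the 29-character <code>--log-prefix</code> limit and optionally rate-limits the LOG rule with <code>-m limit</code>; <code>parse_log_line</code> and <code>summarize</code> turn the resulting kernel syslog lines into records an audit service could roll up. The <code>SGRule</code> shape, chain name, prefixes and sample log lines are constructed for this example and do not reflect Neutron's data model.</p>

```python
"""Added example, not Neutron project code: render logged iptables rules for
security-group-style entries and parse the kernel log lines they produce."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

MAX_LOG_PREFIX = 29  # iptables accepts at most 29 characters for --log-prefix


@dataclass(frozen=True)
class SGRule:
    """Hypothetical security-group rule shape (constructed, not Neutron's model)."""
    protocol: str        # "tcp", "udp" or "icmp"
    port: Optional[int]  # destination port; None for icmp
    remote_cidr: str     # source network the rule matches
    action: str          # "ACCEPT" or "DROP"


def _log_rule(match: str, prefix: str, log_limit: Optional[str]) -> str:
    """Build a LOG rule. LOG does not stop rule traversal, so the verdict
    rule that follows still applies to the same packet."""
    if len(prefix) > MAX_LOG_PREFIX:
        raise ValueError(f"log prefix too long for iptables: {prefix!r}")
    limit = f" -m limit --limit {log_limit}" if log_limit else ""
    return f'{match}{limit} -j LOG --log-prefix "{prefix}" --log-level 4'


def render_rules(chain: str, rules: list, prefix_base: str = "neutron-sg",
                 log_limit: Optional[str] = None) -> list:
    """Return iptables -A lines for CHAIN: a LOG rule before every verdict,
    then a logged default-deny at the end of the chain."""
    out = []
    for r in rules:
        match = f"-A {chain} -s {r.remote_cidr} -p {r.protocol}"
        if r.port is not None:
            match += f" --dport {r.port}"
        out.append(_log_rule(match, f"{prefix_base}-{r.action.lower()}: ", log_limit))
        out.append(f"{match} -j {r.action}")
    out.append(_log_rule(f"-A {chain}", f"{prefix_base}-default-drop: ", log_limit))
    out.append(f"-A {chain} -j DROP")
    return out


# Fields of an iptables LOG line as the kernel writes it into syslog.
LOG_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>[\w-]+): "
    r".*?IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one syslog line; return None for lines that are not LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["verdict"] = rec["prefix"].rsplit("-", 1)[-1]  # "accept" or "drop"
    return rec


def summarize(lines) -> Counter:
    """Count (verdict, src, dpt) tuples, the shape an audit service would report."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            counts[(rec["verdict"], rec["src"], rec["dpt"])] += 1
    return counts


# Constructed sample syslog output: three LOG lines plus one unrelated line.
SAMPLE_LOG = """\
Apr  8 23:17:05 compute1 kernel: [12345.678] neutron-sg-drop: IN=tap1a2b3c4d OUT= MAC=fa:16:3e:00:00:01:fa:16:3e:00:00:02:08:00 SRC=10.0.0.5 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45120 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  8 23:17:06 compute1 kernel: [12346.001] neutron-sg-accept: IN=tap1a2b3c4d OUT= MAC=fa:16:3e:00:00:01:fa:16:3e:00:00:02:08:00 SRC=10.0.0.5 DST=10.0.0.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45121 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr  8 23:17:07 compute1 kernel: [12347.002] neutron-sg-drop: IN=tap1a2b3c4d OUT= MAC=fa:16:3e:00:00:01:fa:16:3e:00:00:03:08:00 SRC=10.0.0.9 DST=10.0.0.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr  8 23:17:08 compute1 sshd[123]: Accepted publickey for cloud from 10.0.0.5
"""

if __name__ == "__main__":
    for rule in render_rules("neutron-sg-example",
                             [SGRule("tcp", 22, "10.0.0.0/24", "ACCEPT")],
                             log_limit="10/s"):
        print(rule)
    for key, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, n)
```

<p>The rate limit matters in practice: a logged default-deny on a busy port can flood the kernel log, and an audit plugin would also want the per-port prefix so a collector can tell accept from drop without re-parsing the rule set.</p>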