[Openstack-operators] Managing security incidents: how to find the guilty VM ?

Antonio Messina antonio.s.messina at gmail.com
Thu Aug 6 16:15:40 UTC 2015

On Thu, Aug 6, 2015 at 5:25 PM, Andy Hill <hillad at gmail.com> wrote:
> Archival and consumption of notifications emitted from Nova / Neutron is one
> approach.

AFAIK, this only works with floating IPs. When using SNAT, you really have to
check the kernel connection tracking table, otherwise you will not be
able to know which VM (and therefore user) is responsible for the


antonio.s.messina at gmail.com
antonio.messina at uzh.ch                     +41 (0)44 635 42 22
S3IT: Service and Support for Science IT   http://www.s3it.uzh.ch/
University of Zurich
Winterthurerstrasse 190
CH-8057 Zurich Switzerland
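
The conntrack lookup the reply describes, as an added example that is not part of the original message: it parses lines in the format printed by `conntrack -L` and returns the fixed IPs whose SNAT'd flows match a reported connection. The sample entries, addresses and function names are constructed for illustration.

```python
# Constructed sample entries in `conntrack -L` format. 198.51.100.7 stands in
# for the router's SNAT address, 10.0.0.x for the VMs' fixed IPs.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=51234 dport=25 src=203.0.113.10 dst=198.51.100.7 sport=25 dport=51234 [ASSURED] mark=0 use=1
tcp      6 86 TIME_WAIT src=10.0.0.9 dst=192.0.2.80 sport=40022 dport=443 src=192.0.2.80 dst=198.51.100.7 sport=443 dport=40022 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.9 dst=192.0.2.53 sport=53211 dport=53 [UNREPLIED] src=192.0.2.53 dst=198.51.100.7 sport=53 dport=53211 mark=0 use=1
tcp      6 300 ESTABLISHED src=10.0.0.7 dst=203.0.113.10 sport=51234 dport=25 src=203.0.113.10 dst=198.51.100.7 sport=25 dport=1024 [ASSURED] mark=0 use=1
"""

TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Split one conntrack line into protocol, original tuple and reply tuple."""
    tokens = line.split()
    if not tokens:
        return None
    orig, reply = {}, {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep and key in TUPLE_KEYS:
            # First occurrence of a key is the original direction, second the reply.
            (reply if key in orig else orig)[key] = value
    if "src" not in orig or "dst" not in reply:
        return None
    return {"proto": tokens[0], "orig": orig, "reply": reply}


def find_vms(conntrack_text, public_ip, remote_ip, remote_port=None, public_port=None):
    """Return the fixed IPs whose SNAT'd flows match the reported connection."""
    hits = set()
    for line in conntrack_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        orig, reply = entry["orig"], entry["reply"]
        # SNAT'd flow: replies return to the public address, which is not the
        # address the original packet was sent from.
        if reply["dst"] != public_ip or orig["src"] == public_ip:
            continue
        if orig.get("dst") != remote_ip:
            continue
        if remote_port is not None and orig.get("dport") != str(remote_port):
            continue
        # The translated source port can differ from the VM's own source port.
        if public_port is not None and reply.get("dport") != str(public_port):
            continue
        hits.add(orig["src"])
    return sorted(hits)
```

The live table only holds entries that have not yet expired, so a lookup after the fact needs entries that were recorded at the time (for example from `conntrack -E` output).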
