[Openstack-operators] Keystone audit logs with haproxy

Jesse Pretorius jesse.pretorius at gmail.com
Fri Nov 27 10:02:25 UTC 2015


On 25 November 2015 at 05:40, Ajay Kalambur (akalambu) <akalambu at cisco.com>
wrote:

> Hi,
> We have a deployment where Keystone sits behind an HAProxy node. Now
> authentication requests are made to a VIP. The problem is that when there is
> an authentication failure we cannot track the remote IP that failed login, as
> all authentication failures show the VIP IP since HAProxy forwards the request
> to a backend Keystone server.
>
> How do we use a load balancer like HAProxy and also track the remote
> failed IP for authentication failures?
> We get all authentication failures showing up with the remote IP as the VIP IP.
>

It's probably best to enable the forwardfor option [1] and ensure that your
Keystone logs record that information. This is relatively trivial if
Keystone is using Apache/wsgi, but I can't recall whether the eventlet
server logs the info.

[1]
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20forwardfor
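
An added illustration, not part of the original message: once `option forwardfor` is enabled and the backend logs `X-Forwarded-For`, a check like the one below attributes failed Keystone token requests to the real client. The Apache `LogFormat`, the proxy address and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumption: the HAProxy address as seen by the Keystone backend (constructed).
TRUSTED_PROXIES = {"10.0.0.10"}

# Assumed Apache format: LogFormat "%h \"%{X-Forwarded-For}i\" %t \"%r\" %>s" xff
LINE_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<xff>[^"]*)" \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)

def client_ip(peer, xff):
    """Return the address a request should be attributed to."""
    if peer not in TRUSTED_PROXIES:
        # Direct connection: any X-Forwarded-For value is client-supplied.
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip() not in ("", "-")]
    # HAProxy appends its value last; earlier entries may be forged by the client.
    return hops[-1] if hops else peer

def failed_logins(lines):
    """Count 401 responses to Keystone token requests per client address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed format
        is_token_req = m["method"] == "POST" and m["path"].endswith("/tokens")
        if is_token_req and m["status"] == "401":
            counts[client_ip(m["peer"], m["xff"])] += 1
    return counts

# Constructed sample log lines (not from a real deployment).
SAMPLE = [
    '10.0.0.10 "203.0.113.7" [27/Nov/2015:10:00:01 +0000] "POST /v3/auth/tokens HTTP/1.1" 401',
    '10.0.0.10 "203.0.113.7" [27/Nov/2015:10:00:02 +0000] "POST /v3/auth/tokens HTTP/1.1" 401',
    '10.0.0.10 "198.51.100.1, 203.0.113.7" [27/Nov/2015:10:00:03 +0000] "POST /v3/auth/tokens HTTP/1.1" 401',
    '10.0.0.10 "192.0.2.44" [27/Nov/2015:10:00:04 +0000] "POST /v3/auth/tokens HTTP/1.1" 201',
    '192.0.2.99 "10.1.1.1" [27/Nov/2015:10:00:05 +0000] "POST /v2.0/tokens HTTP/1.1" 401',
    '10.0.0.10 "-" [27/Nov/2015:10:00:06 +0000] "POST /v3/auth/tokens HTTP/1.1" 401',
]

if __name__ == "__main__":
    for ip, n in failed_logins(SAMPLE).most_common():
        print(ip, n)
```

Only the last `X-Forwarded-For` entry is used, and only when the connection comes from the load balancer, because earlier entries and headers on direct connections are supplied by the client.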