Open Stack

I’m afraid you’d probably have to start digging in the code to find out how the map file is interpreted.  My assumption was that the one provided in pycadf source was reasonable.  For what it’s worth, I did get it working.  I’m not sure what exactly got the data flowing, but I’m getting audit data such as this now:


{
"_index": "events_2015-07-18",
"_type": "audit.http.response",
"_id": "7b11e3ee-c09f-4dae-a399-7497bc20c5fb",
"_version": 1,
"_score": null,
"_source": {
"raw": { },
"timestamp": "2015-07-18T20:19:04.463039",
"traits": {
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event" <http://schemas.dmtf.org/cloud/audit/1.0/event>,
"eventTime": "2015-07-18T20:19:04.413835+0000",
"initiator_host_address": "172.24.4.100",
"initiator_typeURI": "service/security/account/user",
"service": "neutron-server",
"target_name": "neutron",
"eventType": "activity",
"reason_code": "200",
"target_id": "openstack:neutron",
"observer_id": "target",
"initiator_id": "openstack:e70fcebd828349ca8f1393e62ac87756",
"target_typeURI": "service/network/security-groups",
"initiator_name": "admin",
"request_id": "req-76a9887a-dea2-4823-afaa-002154968667",
"action": "read/list",
"outcome": "success",
"id": "openstack:6e110ffe-2632-4c1d-8377-73c6aac1e3fc",
"requestPath": "/v2.0/security-groups.json?id=d050564f-c452-40dd-8592-3df111bc3a5d"
}
}
}

Regards,
John	


John Stanford										
VP of Development
Solinea, Inc.
 +1 (415) 685-3967



> On Jul 18, 2015, at 0:56:30, Kevin Benton <blak111 at gmail.com> wrote:
> 
> I'm not familiar with that keystone middleware audit filter. How is that map file supposed to work? The entries don't seem to make sense to me, some are just plural mappings while others are completely different or map to None.
> 
> On Fri, Jul 17, 2015 at 5:29 PM, John Stanford <john at solinea.com> wrote:
> Hi,
> 
> Sorry about the resend, but subjects are good...
> 
> I’ve been trying to get the API audit data flowing based on this document:
> 
> http://docs.openstack.org/developer/keystonemiddleware/audit.html
> 
> So far, I’ve been able to get nova, cinder, and glance to do the right thing,
> but neutron doesn’t seem to want to play. I am getting some events through
> to ceilometer.  For example, when I create a port, I get a start and end
> event similar to this:
> 
> {
>    "_index": "events_2015-07-17",
>    "_type": "port.create.end",
>    "_id": "e1dbf819-3e77-4357-b8db-83a359ef7cd9",
>    "raw": { },
>    "timestamp": "2015-07-17T23:10:37.846477",
>    "traits": {
>         "user_id": "e70fcebd828349ca8f1393e62ac87756",
>         "service": "network.myhost.com",
>         "resource_id": "09c1388a-59fe-49e9-bb17-fb353fd8dd3a",
>         "tenant_id": "970f2364df174040862210c9185c80ce",
>         "request_id": "req-3e2722e6-1903-477c-9523-2e4926caa6fb",
>         "project_id": "970f2364df174040862210c9185c80ce"
> }
> 
> For other services, I’ll see a CADF formatted http.request.audit event.
> 
> Here are the edits I’ve made to /etc/neutron/api-paste.ini file:
> 
> # added the audit filter to the keystone pipeline after authtoken
> [composite:neutronapi_v2_0]
> use = call:neutron.auth:pipeline_factory
> noauth = request_id catch_errors extensions neutronapiapp_v2_0
> keystone = request_id catch_errors authtoken keystonecontext audit extensions neutronapiapp_v2_0
> 
> 
> # added the audit filter
> [filter:audit]
> paste.filter_factory = keystonemiddleware.audit:filter_factory
> audit_map_file = /etc/neutron/neutron_api_audit_map.conf
> 
> The map file is snagged from here:
> 
> https://github.com/openstack/pycadf/blob/master/etc/pycadf/neutron_api_audit_map.conf
> 
> Any suggestions, war stories, requests for more detail, etc. are greatly appreciated.
> 
> 
> Thanks,
> John
> @jxstanford
> 
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
> 
> -- 
> Kevin Benton