Neutron Packet Logging (by quqi99)

作者：张华 发表于：2026-01-05
版权声明：可以任意转载，转载时请务必以超链接形式标明文章原始出处和作者信息及本版权声明

问题

客户想要集中存储下列日志:

• User activity on the cloud/infra servers (SSH login/out etc.) - /var/log/auth.log
• Security group firewall logs (any drop would need to emit a log) - ovn-controller.log

rsyslog test

rsyslog server side:

sudo apt install -y rsyslog sudo cp /etc/rsyslog.conf /etc/rsyslog.conf.bak sudo sed -i '/^#module(load="imudp")/s/^#//' /etc/rsyslog.conf sudo sed -i '/^#input(type="imudp" port="514")/s/^#//' /etc/rsyslog.conf sudo sed -i '/^#module(load="imtcp")/s/^#//' /etc/rsyslog.conf sudo sed -i '/^#input(type="imtcp" port="514")/s/^#//' /etc/rsyslog.conf cat <<EOF | sudo tee -a /etc/rsyslog.conf \$template RemoteLogs,"/var/log/remote/%fromhost-ip%/%\$YEAR%-%\$MONTH%-%\$DAY%.log" *.* ?RemoteLogs #& ~ EOF sudo mkdir -p /var/log/remote sudo chown -R syslog:syslog /var/log/remote sudo ufw allow 514/tcp sudo ufw allow 514/udp sudo systemctl restart rsyslog sudo netstat -tulnp | grep rsyslog #tell rsyslog how to store the log, add them before the 'GLOBAL DIRECTIVE' section $template IPLog, "/var/log/network/%fromhost-ip%.log" *.* ?IPLog #$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" #*.* ?remote-incoming-logs #$template RouterAuditLogs, "/var/log/router/%fromhost-ip%.log" #:fromhost-ip, !isequal, "127.0.0.1" ?RouterAuditLogs

rsyslog client side:

sudo apt install rsyslog -y #can also add log type in the file /etc/rsyslog.d/50-default.conf echo "*.* @192.168.99.220:514" | sudo tee -a /etc/rsyslog.conf sudo systemctl restart rsyslog #test it logger -t TEST "This is a test message from client" logger -t kern -p err "addddddddddd" #sudo tail -f /var/log/remote/192.168.99.213/2026-01-05.log

logrotate

logrotate -f /etc/logrotate.d/ovn
logrotate -d /etc/logrotate.d/ovn

#other - log rotate - eg: /etc/logrotate.d/ovn /var/log/remote/*/*.log { daily missingok rotate 30 compress delaycompress notifempty sharedscripts postrotate systemctl reload rsyslog > /dev/null 2>&1 || true endscript }

如何设置将 /var/log/auth.log 和 ovn-controller.log及它的logrotate文件设置为通过rsync上传到日志服务器呢? 例如(未测试):

# /etc/rsyslog.d/50-remote-logs.conf module(load="imfile" PollingInterval="10") input(type="imfile" File="/var/log/auth.log" Tag="auth:" Severity="info" Facility="authpriv" StateFile="state-auth" PersistStateInterval="100") input(type="imfile" File="/var/log/ovn/ovn-controller.log" Tag="ovn-controller:" Severity="info" Facility="local0" StateFile="state-ovn-controller" PersistStateInterval="100") authpriv.* @@192.168.10.100:514 local0.* @@192.168.10.100:514

openstack rsyslog

openstack各工程支持rsyslog - https://docs.openstack.org/ocata/admin-guide/compute-manage-logs.html
rsyslog server side, 日志中hostname等于COMPUTE_01写到/mnt/rsyslog/logs/compute-01.log:

$ModLoad imtcp $InputTCPServerRun 1024 :hostname, isequal, "COMPUTE_01" /mnt/rsyslog/logs/compute-01.log

rsyslog client side:

local0.error @@172.20.1.43:1024

ovn-controller rsyslog

ovn-controller也是支持rsyslog的 - https://www.ovn.org/support/dist-docs/ovn-controller.8.pdf
但是显然ovn-controller charm是不支持的, 所以无法用这种ovn native rsyslog

−−syslog−target=host:port Send syslog messages to UDP port on host, in addition to the system syslog. The host must be a numerical IP address, not a hostname. −−syslog−method=method Specify method as how syslog messages should be sent to syslog daemon. The following forms are supported: • libc, to use the libc syslog() function. Downside of using this options is that libc adds fixed prefix to every message before it is actually sent to the syslog daemon over /dev/log UNIX domain socket. • unix:file, to use a UNIX domain socket directly. It is possible to specify arbitrary message format with this option. However, rsyslogd 8.9 and older versions use hard coded parser function anyway that limits UNIX domain socket use. If you want to use arbitrary message format with older rsyslogd versions, then use UDP socket to localhost IP address instead. • udp:ip:port, to use a UDP socket. With this method it is possible to use arbitrary message format also with older rsyslogd. When sending syslog messages over UDP socket extra precaution needs to be taken into account, for example, syslog daemon needs to be configured to listen on the specified UDP port, accidental iptables rules could be interfering with local syslog traffic and there are some security considerations that apply to UDP sockets, but do not apply to UNIX domain sockets. • null, to discard all messages logged to syslog. The default is taken from the OVS_SYSLOG_METHOD environment variable; if it is unset, the default is libc.

Neutron Packet Logging

neutron支持SG log - https://docs.openstack.org/neutron/latest/admin/config-logging.html


ovs的配置:

1, neutron-api /etc/neutron/neutron.conf service_plugins = router,metering,log 2, ovn没有agent故无须配置这个, 但对于ovs需配置, 在neutron-api /etc/neutron/plugins/ml2/ml2_conf.ini与nova-compute /etc/neutron/plugins/ml2/openvswitch_agent.ini中配置: [agent] extensions = log 3, ovn没有agent故无须配置这个, 但对于ovs且需enable logging for FWaaS需配置, 在neutron-api /etc/neutron/plugins/ml2/ml2_conf.ini与nova-compute /etc/neutron/plugins/ml2/openvswitch_agent.ini中配置: [AGENT] extensions = fwaas_v2,fwaas_v2_log 4, ovn没有agent故无须配置这个, 但对于ovn需配置, 在nova-compute /etc/neutron/plugins/ml2/openvswitch_agent.ini中配置: [network_log] rate_limit = 100 burst_limit = 25 #local_output_log_base = <None>

ovn的配置:

1, neutron-api /etc/neutron/neutron.conf service_plugins = router,metering,log 2, neutron-api /etc/neutron/plugins/ml2/ml2_conf.ini [network_log] rate_limit = 150 burst_limit = 50 #ovn-nbctl list meter-band

policy的配置:

neutrona-api /etc/neutron/policy.json "get_loggable_resources": "rule:regular_user", "create_log": "rule:regular_user", "get_log": "rule:regular_user", "get_logs": "rule:regular_user", "update_log": "rule:regular_user", "delete_log": "rule:regular_user",

CLI demo

juju config neutron-api config-flags="service_plugins=metering,segments,ovn-router,log" openstack network loggable resources list openstack network log create --resource-type security_group --description "Collecting all security events" --event ALL Log_Created #openstack network log create --resource-type security_group --resource sg1 --event ALL log1 #OVN SG drops can't be enabled per security group but they can only be enabled for all security groups in once: openstack network log create --resource-type security_group --event DROP drop-logging #openstack network log create --resource-type security_group --resource sg1 --event DROP drop-logging openstack network log set --disable Log_Created openstack network log show Log_Created #In the case of --resource and --target are not specified from the request, these arguments will be assigned to ALL by default. #and ovn doesn't support --target openstack network log create my-log --resource-type security_group --resource sg1 openstack network log create my-log --resource-type firewall_group --resource fwg1 openstack network log create my-log --resource-type security_group --target portA

注意, 由于下列ovn driver的限制, OVN the security groups drops can’t be enabled per security group but they can only be enabled for all security groups in once:
Due to the internal design of the ML2/OVN driver, there is one ACL that aggregates all dropped traffic, instead of having one drop ACL per security group. Since the smallest logging unit in OVN is the ACL, that means that if we choose to log DROP traffic, we will get traffic logged from all security groups.

openstack network log create --resource-type security_group --event DROP drop-logging #openstack network log create --resource-type security_group --resource sg1 --event DROP drop-logging

日志的格式如下:

2025-06-20T08:10:32.737Z|168460|acl_log(ovn_pinctrl0)|INFO|name="neutron-e9550bd3-b246-4e3f-af93-3f21cd7289ac", verdict=drop, severity=info, direction=to-lport: ip,vlan_tci=0x0000,dl_src=00:50:56:ae:de:7f,dl_dst=01:00:5e:00:00:12,nw_src=51.148.81.194,nw_dst=224.0.0.18,nw_proto=112,nw_tos=192,nw_ecn=0,nw_ttl=255,nw_frag=no

目前遇到的2个问题

octavia units运行在lxd containers中, ovs会检测下列不正确的东西(2025-07-29T04:13:08.058Z|00036|dpif_netlink|INFO|The kernel module has a broken meter implementation.), 从而造成lxd的octavia units打开rsync后cause octavia to be unable to communicate with loadbalancers.

另外, ovn-controller.log is owned by root but service runs as syslog, 所以也会报下列错:
error accessing file ‘/var/log/ovn/ovn-controller.log’: Permission denied [v8.2112.0]

一个workaround是用下列配置create 0640 root syslog, 然后运行’sudo logrotate -f /etc/logrotate.d/ovn-common’ (debug it: sudo logrotate -d /etc/logrotate.d/ovn-common ), but after a reboot the file is recreate with root:root permission.

#vim /etc/logrotate.d/ovn-common var/log/ovn/*.log { su root root create 0640 root syslog # I added this line here daily compress sharedscripts missingok postrotate # Tell OVN daemons to reopen their log files if [ -d /var/run/ovn ]; then for ctl in /var/run/ovn/*.ctl; do ovs-appctl -t "$ctl" vlog/reopen 2>/dev/null || : done fi endscript }

Reference

[1] Linux系统基于rsyslog搭建中央日志服务器全攻略 - https://comate.baidu.com/zh/page/qoe6ga2iu69