Security Logging Object (SLO)
Requirement
1. Security events including traffic session ACCEPTs and DROPs due to enforcement of policy and security groups have to be logged to Analytics. Configuration control is required to selectively enable logging for sessions matching specified policy rules or security groups.
2. Currently, flows are logged independently. To reduce the amount of data sent from vRouter Agent to Analytics, the logging will henceforth be done on a session basis combining the data for both the forward and reverse flows in a single message.
3. Even with less information flowing into Analytics, flows should remain debuggable at all entry and exit points (no information loss).
Each session record will have three parts:
1. Record key
2. Forward and Reverse Flow logging data
3. Forward and Reverse Flow sampling data
The flow sampling algorithm continues as is, with the change that session records are sent to Analytics when a flow is selected by the sampling algorithm. The flow sampling rate can be configured as is done currently (in R3.x releases) to control the export of flow data from vRouter Agent to Analytics.
Based on provisioned configuration, the flow log records either go to local files on the compute node or are sent to Analytics. Local log files created for this are managed by regular rotation.
In the analytics node, changes will be needed to handle the new session log data. Additionally, session log data will be indexed only against the source and destination index tables to reduce writes (currently each flow record is indexed against 5 tables). The schema of the Source and Destination index tables has to change so that they can be queried for all possible cases without any information loss. The query and write processes have to change to accommodate the new index tables and the removal of the other index tables, viz., flowtableprotdp
Configuration impact
A new Security-logging object (SLO) will be introduced.
- SLO can be created at global level or at tenant level
- Tenant quota for SLO
- SLO can be attached to:
  - Network (log hits that have a matching rule in the SLO, for all interfaces in this network)
  - Interface (log all hits that have a matching rule in the SLO, for this interface)
  - Enabled globally at tenant level or global level, depending on where the object was created
- Fields of SLO:
  - List of {(security-group, rule-uuid, rate)}
  - List of {(network-policy, rule-uuid, rate)}
  - Rule-uuid can be *, which implies all rules from the policy or security group
  - Rate controls how many flows are logged. The first session in every R (rate) sessions matching the SLO will be logged. When the rate is set to 1, all sessions are logged.
  - Enable/disable this SLO
  - SLO rate, which is the logging rate used when no rate is specified in the rule list
- Knob to enable/disable security logging at global level
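To make the rate semantics concrete, here is an added Python model of the SLO decision logic described above (an illustration written for this page, not Contrail's vRouter Agent code or its schema). It assumes the "first of every R sessions" counter is kept per matching SLO rule entry, and that a rule-level rate overrides the SLO-level rate; the global knob and the per-SLO enable flag are checked before anything is counted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of one (security-group | network-policy, rule-uuid, rate) entry.
@dataclass
class SloRule:
    kind: str                    # "security-group" or "network-policy"
    owner: str                   # the SG or policy this entry refers to
    rule_uuid: str               # a specific rule uuid, or "*" for every rule
    rate: Optional[int] = None   # None -> fall back to the SLO-level rate


@dataclass
class SecurityLoggingObject:
    rules: List[SloRule]
    slo_rate: int = 1            # logging rate used when the rule list gives none
    enabled: bool = True         # per-SLO enable/disable knob
    # Assumption: sessions are counted per matching SLO rule entry.
    _seen: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def _match(self, kind: str, owner: str, rule_uuid: str) -> Optional[SloRule]:
        """Return the first SLO entry matching this rule hit, honouring the '*' wildcard."""
        for r in self.rules:
            if r.kind == kind and r.owner == owner and r.rule_uuid in ("*", rule_uuid):
                return r
        return None

    def should_log(self, kind: str, owner: str, rule_uuid: str,
                   global_enabled: bool = True) -> bool:
        """Decide whether a session that hit (kind, owner, rule_uuid) is exported.

        The first session of every R matching sessions is logged; R == 1 logs all.
        A disabled SLO or global knob suppresses logging without consuming the counter.
        """
        if not (global_enabled and self.enabled):
            return False
        rule = self._match(kind, owner, rule_uuid)
        if rule is None:
            return False             # session did not match this SLO at all
        rate = rule.rate if rule.rate is not None else self.slo_rate
        if rate < 1:
            raise ValueError("rate must be a positive integer")
        key = (rule.kind, rule.owner, rule.rule_uuid)
        n = self._seen.get(key, 0)
        self._seen[key] = n + 1
        return n % rate == 0         # sessions 1, R+1, 2R+1, ... are logged
```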
Analytics-api impact:
For querying flows, an option to specify whether sampled session records or logged session records are wanted should be added.
Blueprint information
- Status: Started
- Approver: Hari Prasad Killi
- Priority: High
- Drafter: Hari Prasad Killi
- Direction: Approved
- Assignee: Srinivasan Venkatakrishnan
- Definition: Approved
- Series goal: Accepted for trunk
- Implementation: Beta Available
- Milestone target: r4.1.0.0-fcs
- Started by: Hari Prasad Killi
- Completed by:
Work items:
Schema changes : DONE
vRouter agent impact : DONE
-- Association of client/server sessions : DONE
-- Session End Point Message Components : DONE
Analytics impact : TODO
UI impact : DONE
Feature Test : TODO