I’m afraid you’d probably have to start digging in the code to find out how the
map file is interpreted. My assumption was that the one provided in pycadf
source was reasonable. For what it’s worth, I did get it working. I’m not
sure what exactly got the data flowing, but I’m getting audit data such as this
now:
{
"_index": "events_2015-07-18",
"_type": "audit.http.response",
"_id": "7b11e3ee-c09f-4dae-a399-7497bc20c5fb",
"_version": 1,
"_score": null,
"_source": {
"raw": { },
"timestamp": "2015-07-18T20:19:04.463039",
"traits": {
"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event";
<http://schemas.dmtf.org/cloud/audit/1.0/event>,
"eventTime": "2015-07-18T20:19:04.413835+0000",
"initiator_host_address": "172.24.4.100",
"initiator_typeURI": "service/security/account/user",
"service": "neutron-server",
"target_name": "neutron",
"eventType": "activity",
"reason_code": "200",
"target_id": "openstack:neutron",
"observer_id": "target",
"initiator_id": "openstack:e70fcebd828349ca8f1393e62ac87756",
"target_typeURI": "service/network/security-groups",
"initiator_name": "admin",
"request_id": "req-76a9887a-dea2-4823-afaa-002154968667",
"action": "read/list",
"outcome": "success",
"id": "openstack:6e110ffe-2632-4c1d-8377-73c6aac1e3fc",
"requestPath":
"/v2.0/security-groups.json?id=d050564f-c452-40dd-8592-3df111bc3a5d"
}
}
}
Regards,
John
John Stanford
VP of Development
Solinea, Inc.
+1 (415) 685-3967
> On Jul 18, 2015, at 0:56:30, Kevin Benton <[email protected]> wrote:
>
> I'm not familiar with that keystone middleware audit filter. How is that map
> file supposed to work? The entries don't seem to make sense to me, some are
> just plural mappings while others are completely different or map to None.
>
> On Fri, Jul 17, 2015 at 5:29 PM, John Stanford <[email protected]> wrote:
> Hi,
>
> Sorry about the resend, but subjects are good...
>
> I’ve been trying to get the API audit data flowing based on this document:
>
> http://docs.openstack.org/developer/keystonemiddleware/audit.html
>
> So far, I’ve been able to get nova, cinder, and glance to do the right thing,
> but neutron doesn’t seem to want to play. I am getting some events through
> to ceilometer. For example, when I create a port, I get a start and end
> event similar to this:
>
> {
> "_index": "events_2015-07-17",
> "_type": "port.create.end",
> "_id": "e1dbf819-3e77-4357-b8db-83a359ef7cd9",
> "raw": { },
> "timestamp": "2015-07-17T23:10:37.846477",
> "traits": {
> "user_id": "e70fcebd828349ca8f1393e62ac87756",
> "service": "network.myhost.com",
> "resource_id": "09c1388a-59fe-49e9-bb17-fb353fd8dd3a",
> "tenant_id": "970f2364df174040862210c9185c80ce",
> "request_id": "req-3e2722e6-1903-477c-9523-2e4926caa6fb",
> "project_id": "970f2364df174040862210c9185c80ce"
> }
>
> For other services, I’ll see a CADF formatted http.request.audit event.
>
> Here are the edits I’ve made to /etc/neutron/api-paste.ini file:
>
> # added the audit filter to the keystone pipeline after authtoken
> [composite:neutronapi_v2_0]
> use = call:neutron.auth:pipeline_factory
> noauth = request_id catch_errors extensions neutronapiapp_v2_0
> keystone = request_id catch_errors authtoken keystonecontext audit extensions
> neutronapiapp_v2_0
>
>
> # added the audit filter
> [filter:audit]
> paste.filter_factory = keystonemiddleware.audit:filter_factory
> audit_map_file = /etc/neutron/neutron_api_audit_map.conf
>
> The map file is snagged from here:
>
> https://github.com/openstack/pycadf/blob/master/etc/pycadf/neutron_api_audit_map.conf
>
> Any suggestions, war stories, requests for more detail, etc. are greatly
> appreciated.
>
>
> Thanks,
> John
> @jxstanford
>
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : [email protected]
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>
> --
> Kevin Benton
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
