On Tue, Sep 28, 2021 at 11:17 AM Brendan Doyle <[email protected]> wrote:
>
> Also the ovn-controller proc is running with file log level info, which
> I would have taken to mean that only ovn logs greater than info would have been logged:
>
> ovn-controller unix:/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info
>
> On 28/09/2021 15:04, Brendan Doyle wrote:
> > Folks,
> >
> > I can't find anything in docs on how this is supposed to work, but I would have assumed
> > that if I set the ACL severity to 'alert' then I would only get a log if a pkt were dropped.
> >
> > So for example I have an ACL rule:
> >
> > to-lport 27000 (outport == @pg_vcn3_net1_sl3 && ip4.src == 192.16.1.0/24 && udp.dst == 111) allow-related log(name=fss-14,severity=alert)
> >
> > I don't want to see logs for pkts that match this, but I do:
> >
> > ovn-controller.log:2021-09-28T13:32:25.759Z|00023|acl_log(ovn_pinctrl0)|INFO|name="fss-14", verdict=allow, severity=alert: udp,vlan_tci=0x0000,dl_src=40:44:00:00:00:a0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=825,tp_dst=111
> >
> > Is this the expected behavior?
Yes. This is the expected behavior. Basically if an ACL is matched, then it is logged if the 'log' flag is set.
https://github.com/ovn-org/ovn/blob/master/lib/acl-log.c#L79

Please see https://www.ovn.org/support/dist-docs/ovn-nb.5.html and look for "Logging" in the ACL table section:

-----
Logging:
  These columns control whether and how OVN logs packets that match an ACL.

  log: boolean
    If set to true, packets that match the ACL will trigger a log message on the transport node or nodes that perform ACL processing. Logging may be combined with any action. If set to false, the remaining columns in this group have no significance.

  name: optional string, at most 63 characters long
    This name, if it is provided, is included in log records. It provides the administrator and the cloud management system a way to associate a log record with a particular ACL.

  severity: optional string, one of alert, debug, info, notice, or warning
    The severity of the ACL. The severity levels match those of syslog, in decreasing level of severity: alert, warning, notice, info, or debug. When the column is empty, the default is info.

  meter: optional string
    The name of a meter to rate-limit log messages for the ACL. The string must match the name column of a row in the Meter table. By default, log messages are not rate-limited. In order to ensure that the same Meter rate limits multiple ACL logs separately, set the fair column.
----

And I don't think the log level of the ACL is meant to match the log level set on ovn-controller logging.
Thanks
Numan

> > And if so, is the option to avoid ovn-controller.log filling up to
> > either not log allowed matches or to rate limit them?
> >
> > Thanks
> >
> > Brendan

_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
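Before deciding between clearing the log flag on allow rules and attaching a Meter (the two options discussed above), it helps to know which ACLs are actually producing the volume. The script below is an added example, not code from the thread or from the OVN project: it parses acl_log records in the format quoted above (name, verdict, severity, then the flow as comma-separated key=value fields) and groups them by ACL name, verdict and severity. The sample log lines are constructed for the example, modelled on the one Brendan posted; the `<unnamed>` label for ACLs logged without a name is an assumption of this script, not OVN output.

```python
"""Aggregate OVN acl_log records from ovn-controller.log (added example).

Groups records by ACL name / verdict / severity so an operator can see which
rules fill the log before choosing to drop the 'log' flag on allow rules or
attach a Meter to rate-limit them.
"""
import re
from collections import Counter
from datetime import datetime

# Record layout as seen in ovn-controller.log:
#   <ts>|<seq>|acl_log(<module>)|<level>|name="<n>", verdict=<v>, severity=<s>: <flow>
# The name= part is optional: an ACL may be logged without a name.
# An optional "<file>.log:" prefix is accepted so grep output can be fed in.
ACL_LOG_RE = re.compile(
    r'^(?:\S+\.log:)?'
    r'(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\|\d+\|acl_log\([^)]*\)\|\w+\|'
    r'(?:name="(?P<name>[^"]*)", )?'
    r'verdict=(?P<verdict>\w+), severity=(?P<severity>\w+): '
    r'(?P<flow>.*)$'
)

# Constructed sample lines (the first is the record quoted in the thread).
SAMPLE_LOG = """\
ovn-controller.log:2021-09-28T13:32:25.759Z|00023|acl_log(ovn_pinctrl0)|INFO|name="fss-14", verdict=allow, severity=alert: udp,vlan_tci=0x0000,dl_src=40:44:00:00:00:a0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=825,tp_dst=111
2021-09-28T13:32:26.102Z|00024|acl_log(ovn_pinctrl0)|INFO|name="fss-14", verdict=allow, severity=alert: udp,vlan_tci=0x0000,dl_src=40:44:00:00:00:a1,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.7,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=826,tp_dst=111
2021-09-28T13:32:27.411Z|00025|acl_log(ovn_pinctrl0)|INFO|name="ssh-deny", verdict=drop, severity=warning: tcp,vlan_tci=0x0000,dl_src=40:44:00:00:00:b0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,tp_src=51000,tp_dst=22
2021-09-28T13:32:27.500Z|00026|acl_log(ovn_pinctrl0)|INFO|verdict=allow, severity=info: icmp,vlan_tci=0x0000,dl_src=40:44:00:00:00:c0,dl_dst=40:44:00:00:05:00,nw_src=192.16.1.8,nw_dst=192.16.1.106,nw_tos=0,nw_ecn=0,nw_ttl=63,icmp_type=8,icmp_code=0
2021-09-28T13:32:28.000Z|00027|pinctrl(ovn_pinctrl0)|INFO|unrelated ovn-controller message
"""


def parse_flow(flow: str) -> dict:
    """Turn 'udp,nw_src=1.2.3.4,tp_dst=111' into {'proto': 'udp', 'nw_src': ..., ...}."""
    fields = {}
    for i, tok in enumerate(flow.split(',')):
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
        elif i == 0:
            fields['proto'] = tok          # bare leading token is the protocol
    return fields


def parse_acl_log_line(line: str):
    """Return a record dict for an acl_log line, or None for any other line."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        'ts': datetime.strptime(m.group('ts'), "%Y-%m-%dT%H:%M:%S.%fZ"),
        'name': m.group('name') or '<unnamed>',   # assumed label, not OVN output
        'verdict': m.group('verdict'),
        'severity': m.group('severity'),
        'flow': parse_flow(m.group('flow')),
    }


def summarize(log_text: str) -> dict:
    """Count records per (name, verdict, severity) and per source address."""
    records = [r for r in map(parse_acl_log_line, log_text.splitlines()) if r]
    by_acl = Counter((r['name'], r['verdict'], r['severity']) for r in records)
    top_src = Counter(r['flow'].get('nw_src') for r in records)
    span = 0.0
    if records:
        stamps = [r['ts'] for r in records]
        span = (max(stamps) - min(stamps)).total_seconds()
    return {'records': len(records), 'by_acl': by_acl,
            'top_src': top_src, 'span_s': span}


def allow_only_acls(by_acl: Counter) -> list:
    """ACL names whose every logged record has verdict=allow.

    These rules never record a drop, so their log lines are the first
    candidates for clearing the log flag or attaching a Meter.
    """
    verdicts = {}
    for (name, verdict, _severity) in by_acl:
        verdicts.setdefault(name, set()).add(verdict)
    return sorted(name for name, seen in verdicts.items() if seen == {'allow'})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary['records']} acl_log records over {summary['span_s']:.3f}s")
    for (name, verdict, severity), count in summary['by_acl'].most_common():
        print(f"  {count:6d}  name={name} verdict={verdict} severity={severity}")
    print("allow-only ACLs:", ", ".join(allow_only_acls(summary['by_acl'])))
```

Run it against a real file with `summarize(open("ovn-controller.log").read())`; the `top_src` counter shows whether a single source is behind the volume, which would argue for a Meter on that ACL rather than silencing its logging entirely.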
