Security Logging Object

Starting with Contrail Networking Release 2011.L1, you can define a security logging object (SLO) to log sessions that match a specific policy rule or security group. An SLO also enables selective session logging, which reduces the amount of data sent from the vRouter agent to Contrail analytics.

An SLO can be attached at three levels:

  • Globally

  • Virtual network

  • Virtual machine interface

These topics provide information on how you can define an SLO, attach an SLO to a virtual network and virtual machine interface, associate a policy rule or security group to SLO, and edit the name of an existing SLO.

Defining an SLO

Follow these steps to define an SLO by using the Contrail Command user interface (UI).

These steps also describe how you can associate a network policy rule or security group to an SLO.

  1. Navigate to Security > Security Logging Object.

    The Security Logging Object page is displayed.

  2. Click Create to define a new security logging object.

    The Create Security Logging Object page is displayed.

    Figure 1: Create Security Logging Object
  3. Enter the following information in the Create Security Logging Object page.

    Table 1: Create Security Logging Object Fields

    Field: Description

    Name: Enter a name for the SLO.

    Rate: Enter the logging rate, R. The first session in every R sessions matching the SLO is logged. When the rate is set to 1, all sessions are logged.

    Admin State: Select Up from the list to indicate the admin state of the security logging object.

    Network Policies: Select the network policy you want to attach to the SLO from the list. This enables logging of sessions for all virtual network interfaces that the selected network policy is attached to.

    Security Groups: Select the security groups you want to attach to the SLO from the Security Group list. This enables logging of sessions for all virtual machine interfaces that the selected security group is attached to.

    Rules

      +Add: To add a rule, click +Add.

      Type:

        • Security Group—Select to define an SLO rule for a security group.

        • Network Policy—Select to define an SLO rule for a network policy.

      Security Groups: Select the security group you want this SLO rule to be applied to.

      Network Policy: Select the network policy you want this SLO rule to be applied to.

  4. Click the Tags tab to edit tags for the SLO.
    Figure 2: Create Security Logging Object > Tags Tab

    Enter the following information in the Tags page.

    Table 2: Create Security Logging Object > Tags Fields

    Field: Description

    Tier: Select a tier from the list that the SLO will monitor.

    Deployment: Select how the SLO is deployed.

    Application: Select from a list of user-created policies that apply per application. There are globally scoped policies, which can be applied to all projects, and project-scoped policies, which are applied to specific projects.

    Site: Select a site to monitor with the SLO.

    Labels: Select from the list of labels or create your own.

    Custom: Define custom tags for a Kubernetes environment.

  5. Click the Permissions tab to edit Owner Permissions and Global Share Permissions for the SLO.
    Figure 3: Create Security Logging Object > Permissions Tab
  6. Click Create to create the SLO.
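
The Rate field in Table 1 trades log volume for coverage. The following added example (not Contrail code) applies the stated rule to a constructed session list and reports which sources leave no record at a given rate; the single per-SLO counter and the `src`/`dport` session fields are assumptions.

```python
from collections import Counter


def logged_sessions(sessions, rate):
    """Return the sessions an SLO with the given rate would log.

    Rule from Table 1: the first session in every `rate` matching
    sessions is logged; rate 1 logs everything.
    Assumption: one counter for the whole SLO (the page does not say
    whether the count is kept per SLO, per interface or per vRouter).
    """
    if not isinstance(rate, int) or rate < 1:
        raise ValueError("rate must be a positive integer")
    return [s for i, s in enumerate(sessions) if i % rate == 0]


def coverage_by_source(sessions, rate):
    """Map each source IP to (logged, total) session counts."""
    total = Counter(s["src"] for s in sessions)
    logged = Counter(s["src"] for s in logged_sessions(sessions, rate))
    return {src: (logged.get(src, 0), n) for src, n in total.items()}


def unlogged_sources(sessions, rate):
    """Sources that matched the SLO but produced no log record."""
    cov = coverage_by_source(sessions, rate)
    return sorted(src for src, (hit, _) in cov.items() if hit == 0)


# Constructed sample: 20 sessions matching one SLO, in arrival order.
# 10.0.0.5 opens 18 of them; 10.0.0.99 opens two (positions 7 and 13).
SAMPLE = [{"id": i, "src": "10.0.0.5", "dport": 443} for i in range(20)]
SAMPLE[7] = {"id": 7, "src": "10.0.0.99", "dport": 22}
SAMPLE[13] = {"id": 13, "src": "10.0.0.99", "dport": 22}

if __name__ == "__main__":
    for rate in (1, 5, 10):
        kept = logged_sessions(SAMPLE, rate)
        print(f"rate={rate}: logged {len(kept)}/{len(SAMPLE)} sessions, "
              f"sources with no record: {unlogged_sources(SAMPLE, rate)}")
```

At rate 1 every source appears in the logs; at rates 5 and 10 the low-volume source in this sample leaves no record, which is the coverage cost to weigh against the reduced analytics load.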

Attaching an SLO to a Virtual Network and Virtual Machine Interface

After you have defined an SLO, you can attach the SLO to a virtual network and a virtual machine interface.

Follow these steps to attach an SLO to a virtual network and a virtual machine interface.

Attaching an SLO to a Virtual Network

You can attach an SLO to a virtual network while creating the virtual network or after you have created the virtual network.

For steps to attach an SLO while creating a virtual network, see Create Virtual Network.

Follow these steps to attach an SLO to an existing virtual network.

  1. Navigate to Overlay > Virtual Networks.

    The All networks page is displayed.

  2. Select the virtual network you want to edit by clicking the Edit icon at the end of the row.

    The Edit Virtual Network page is displayed.

  3. Click the Advanced section.
  4. Select the SLO from the Security Logging Object list.
  5. Click Save to save the configuration.

Attaching an SLO to a Virtual Machine Interface

You can attach an SLO to a virtual machine interface while creating a virtual port or after you have created the virtual port.

Attaching an SLO to a Virtual Machine Interface while Creating a Virtual Port

Follow these steps to attach an SLO to a virtual machine interface while creating a virtual port.

  1. Navigate to Overlay > Virtual Ports.

    The Virtual Ports page is displayed.

  2. Click Create to create a virtual port.

    The Create Virtual Port page is displayed.

    Figure 4: Create Virtual Port
  3. Enter the following information in the Create Virtual Port page.

    Table 3: Create Virtual Port Fields

    Field: Description

    Port Name: Enter a name for the virtual port.

    Network: Select a network that you want to associate with the virtual port.

    Security Group: Select a security group that you want to apply to the virtual port.

    Floating IPs: Select floating IPs that you want to associate with the virtual port.

  4. Click the Tags tab to edit tags for the SLO.

    Table 4: Create Virtual Port > Tags Fields

    Field: Description

    Application: Select from a list of user-created policies that apply per application. There are globally scoped policies, which can be applied to all projects, and project-scoped policies, which are applied to specific projects.

    Deployment: Indicate how the SLO is deployed.

    Site: Select or add a site the SLO will monitor.

    Tier: Select a tier from the list or enter a tier.

    Labels: Select from the list of labels or create your own.

    FWaaS: Select or add a Firewall-as-a-Service to the port for the SLO.

    Custom: Define custom tags for a Kubernetes environment.

  5. Click the Permissions tab to edit Owner Permissions and Global Share Permissions for the SLO.
  6. Click Create to update the configuration and create the virtual port.

Attaching an SLO to an Existing Virtual Machine Interface

Follow these steps to attach an SLO to an existing virtual machine interface.

  1. Navigate to Overlay > Virtual Ports.

    The Virtual Ports page is displayed.

  2. Select the virtual port by selecting the check box next to the name of the virtual port, and click the Edit icon.

    The Edit Virtual Port page is displayed.

  3. To add an SLO, click the Advanced Options section and select an SLO from the Security Logging Object(s) list.
  4. Click Save to save the configuration.

Editing an Existing SLO

Follow these steps to edit an existing SLO.

  1. Navigate to Security > Security Logging Object.

    The Security Logging Object page is displayed.

  2. To select the SLO you want to edit, select the check box next to the name of the SLO. Then click the Edit icon at the end of the row.
    Figure 5: Edit Security Logging Object
  3. Update the necessary information.
  4. Click Save to save the configuration.