Security Logging Object

 

You can define a security logging object (SLO) to log sessions that match a specific policy rule or security group. An SLO also enables selective session logging, which reduces the amount of data sent from the vRouter agent to Contrail Analytics.

You can attach an SLO to a:

  • Virtual network

  • Virtual machine interface

These topics describe how to define an SLO, attach an SLO to a virtual network and virtual machine interface, associate a policy rule or security group with an SLO, and edit the name of an existing SLO.

Defining an SLO

Follow these steps to define an SLO by using the Contrail Command user interface (UI).

These steps also describe how you can associate a network policy rule or security group to an SLO.

  1. Navigate to Security>Security Logging Object.

    The Security Logging Object page is displayed.

  2. Click Create to define a new security logging object.
  3. Enter the following information in the Create Security Logging Object page.

    1. Enter a name for the SLO in the Name field.
    2. Enter the number of sessions logged in the Rate field.

      Rate controls how many matching sessions are logged: the first session in every R (rate) sessions matching the SLO is logged. When the rate is set to 1, all sessions are logged.

    3. Select Up from the Admin State list to indicate the admin state of the security logging object.
    4. Select the network policy you want to attach to the SLO from the Network Policies list.

      This enables logging of sessions for all virtual network interfaces that the selected network policy is attached to.

    5. Select the security groups you want to attach to the SLO from the Security Group list.

      This enables logging of sessions for all virtual machine interfaces that the selected security group is attached to.

    6. You can also define a new SLO rule for a network policy and security group from the Rules section of the Create Security Logging Object page.

      To define an SLO rule for a network policy:

      1. Select Network Policy from the Type list.
      2. Select the network policy you want this SLO rule to be applied to, from the Network Policy list.
      3. Enter the number of sessions you want logged in the Rate field.
      4. To add another rule, click +Add.

      To define an SLO rule for a security group:

      1. Select Security Group from the Type list.
      2. Select the security group you want this SLO rule to be applied to, from the Security Groups list.
      3. Enter the number of sessions you want logged in the Rate field.
      4. To add another rule, click +Add.
  4. Click Create to create the SLO.

    The Security Logging Object page is displayed.
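
The effect of the Rate field on which sessions get logged, as an added Python model that is not Contrail code. It assumes matching sessions are counted per rule; the rule-type labels, policy and security group names, and session records are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class SloRule:
    """One entry from the Rules section: Type, target and Rate."""
    rule_type: str  # "network-policy" or "security-group" (labels made up here)
    target: str     # name of the network policy or security group
    rate: int       # log the first session in every `rate` matching sessions
    seen: int = 0   # assumption: matching sessions are counted per rule

    def __post_init__(self):
        if self.rate < 1:
            raise ValueError("rate must be 1 or greater")

    def should_log(self) -> bool:
        first_in_window = self.seen % self.rate == 0
        self.seen += 1
        return first_in_window


def select_logged(rules, sessions):
    """Return the ids of the sessions these SLO rules would log, in order."""
    by_target = {(r.rule_type, r.target): r for r in rules}
    logged = []
    for s in sessions:
        rule = by_target.get((s["type"], s["name"]))
        if rule is not None and rule.should_log():
            logged.append(s["id"])
    return logged


def sample_sessions():
    """Constructed input: interleaved sessions for one policy and one security
    group, plus two sessions that no SLO rule references."""
    sessions = []
    for i in range(1, 7):
        sessions.append({"id": f"web-{i}", "type": "network-policy", "name": "web-policy"})
        sessions.append({"id": f"db-{i}", "type": "security-group", "name": "db-sg"})
    for i in (1, 2):
        sessions.append({"id": f"other-{i}", "type": "network-policy", "name": "mgmt-policy"})
    return sessions


if __name__ == "__main__":
    rules = [SloRule("network-policy", "web-policy", rate=1),
             SloRule("security-group", "db-sg", rate=3)]
    # Every web-policy session is logged; db-sg is sampled 1 in 3 (db-1, db-4).
    print(select_logged(rules, sample_sessions()))
```

In this model, a rate of 3 on db-sg means db-2, db-3, db-5 and db-6 are never logged, so any rate above 1 trades session visibility for lower log volume.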

Attaching an SLO to a Virtual Network and Virtual Machine Interface

After you have defined an SLO, you can attach the SLO to a virtual network and a virtual machine interface.

Follow these steps to attach an SLO to a virtual network and a virtual machine interface.

Attaching an SLO to a Virtual Network

You can attach an SLO to a virtual network while creating the virtual network or after you have created the virtual network.

For steps to attach an SLO while creating a virtual network, see Create Virtual Network.

Follow these steps to attach an SLO to an existing virtual network.

  1. Navigate to Overlay>Virtual Networks.

    The All networks page is displayed.

  2. Select the virtual network you want to edit by clicking the Edit icon at the end of the row.

    The Edit Virtual Network page is displayed.

  3. Click the Advanced section.
  4. Select the SLO from the Security Logging Object list.
  5. Click Save to save the configuration.

Attaching an SLO to a Virtual Machine Interface

You can attach an SLO to a virtual machine interface while creating a virtual port or after you have created the virtual port.

Attaching an SLO to a Virtual Machine Interface while creating a Virtual Port

Follow these steps to attach an SLO to a virtual machine interface while creating a virtual port.

  1. Navigate to Overlay>Virtual Ports.

    The Virtual Ports page is displayed.

  2. Click Create to create a virtual port.

    The Create Virtual Port page is displayed.

  3. Enter a name for the virtual port in the Port Name field.
  4. Select a network from the Network list that you want to associate with the virtual port.
  5. Select a security group from the Security Group list that you want to apply to the virtual port.
  6. Select floating IPs from the Floating IPs list that you want to associate with the virtual port.
  7. To add an SLO, click the Advanced Options section and select an SLO from the Security Logging Object(s) list.
  8. Click Create to create the virtual port.

Attaching an SLO to an existing Virtual Machine Interface

Follow these steps to attach an SLO to an existing virtual machine interface.

  1. Navigate to Overlay>Virtual Ports.

    The Virtual Ports page is displayed.

  2. Select the virtual port by selecting the check box next to the name of the virtual port, and click the Edit icon.

    The Edit Virtual Port page is displayed.

  3. To add an SLO, click the Advanced Options section and select an SLO from the Security Logging Object(s) list.
  4. Click Save to save the configuration.

Editing an Existing SLO

Follow these steps to edit the name of an existing SLO.

  1. Navigate to Security>Security Logging Object.

    The Security Logging Object page is displayed.

  2. To edit an existing SLO, click the Edit icon at the end of the row.
  3. Update the necessary information.
  4. Click Save to save the configuration.