update audit logs docs

Signed-off-by: chengzw <[email protected]>
antrea-io · Jul 4, 2023 · af901cb · af901cb
1 parent f32f796
commit af901cb
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 26 deletions.
diff --git a/docs/antrea-network-policy.md b/docs/antrea-network-policy.md
@@ -735,19 +735,19 @@ can log more information in its own logs.
 The rules are logged in the following format:
 
 ```text
-    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
+    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <applied-to-reference> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
     Deduplication:
-    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
+    <yyyy/mm/dd> <time> <ovs-table-name> <antrea-native-policy-reference> <rule-name> <action> <openflow-priority> <applied-to-reference> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
 
     Examples:
-    2020/11/02 22:21:21.148395 AntreaPolicyAppTierIngressRule AntreaNetworkPolicy:default/test-annp test-rule Allow 61800 10.10.1.65 35402 10.0.0.5 80 TCP 60 custom-log-label
-    2021/06/24 23:56:41.346165 AntreaPolicyEgressRule AntreaNetworkPolicy:default/test-annp test-rule Drop 44900 10.10.1.65 35402 10.0.0.5 80 TCP 60 custom-log-label [3 packets in 1.011379442s]
-    2023/03/29 02:21:25.879364 AntreaPolicyIngressRule AntreaNetworkPolicy:default/test-annp AllowFromFrontend Allow 44900 10.10.1.14 <nil> 10.10.1.15 <nil> ICMP 84 frontend-allowed
+    2023/07/04 12:45:21.804416 IngressDefaultRule AntreaNetworkPolicy:default/reject-tcp-policy DenyTCPRequest Ingress Reject 16 default/nettoolv3 10.10.1.7 53646 10.10.1.14 80 TCP 60 tcp-log-label
+    2023/07/03 23:24:36.422233 AntreaPolicyEgressRule AntreaNetworkPolicy:default/reject-icmp-policy RejectICMPRequest Egress Reject 14500 default/nettool 10.10.1.7 <nil> 10.10.2.3 <nil> ICMP 84 icmp-log-label
+    2023/07/03 23:24:37.424024 AntreaPolicyEgressRule AntreaNetworkPolicy:default/reject-icmp-policy RejectICMPRequest Egress Reject 14500 default/nettool 10.10.1.7 <nil> 10.10.2.3 <nil> ICMP 84 icmp-log-label [2 packets in 1.000855539s]
 ```
 
 Kubernetes NetworkPolicies can also be audited using Antrea logging to the same file
 (`/var/log/antrea/networkpolicy/np.log`). Add Annotation
-`networkpolicy.antrea.io/enable-logging: "true` on a Namespace to enable logging
+`networkpolicy.antrea.io/enable-logging: "true"` on a Namespace to enable logging
 for all NetworkPolicies in the Namespace. Packets of any connection that match
 a NetworkPolicy rule will be logged with a reference to the NetworkPolicy name,
 but packets dropped by the implicit "default drop" (not allowed by any NetworkPolicy)
@@ -756,13 +756,13 @@ using Antrea logging for Kubernetes NetworkPolicies, the rule name field is not
 set and defaults to `<nil>` value. The rules are logged in the following format:
 
 ```text
-    <yyyy/mm/dd> <time> <ovs-table-name> <k8s-network-policy-reference> <nil> Allow <openflow-priority> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
+    <yyyy/mm/dd> <time> <ovs-table-name> <k8s-network-policy-reference> <nil> Allow <openflow-priority> <applied-to-reference> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label>
     Default dropped traffic:
-    <yyyy/mm/dd> <time> <ovs-table-name> K8sNetworkPolicy <nil> Drop <nil> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
+    <yyyy/mm/dd> <time> <ovs-table-name> K8sNetworkPolicy <nil> Drop <nil> <applied-to-reference> <source-ip> <source-port> <destination-ip> <destination-port> <protocol> <packet-length> <log-label> [<num of packets> packets in <duplicate duration>]
 
     Examples:
-    2022/07/26 06:55:56.170456 IngressRule K8sNetworkPolicy:default/test-np-log <nil> Allow 190 10.10.1.82 49518 10.10.1.84 80 TCP 60 <nil>
-    2022/07/26 06:55:57.142206 IngressDefaultRule K8sNetworkPolicy <nil> Drop <nil> 10.10.1.83 38608 10.10.1.84 80 TCP 60 <nil>
+    2023/07/04 12:31:02.801442 IngressRule K8sNetworkPolicy:default/allow-tcp-80 <nil> Ingress Allow 190 default/nettool 10.10.1.13 57050 10.10.1.7 80 TCP 60 <nil>
+    2023/07/04 12:33:26.221413 IngressDefaultRule K8sNetworkPolicy <nil> Ingress Drop <nil> default/nettool 10.10.1.13 <nil> 10.10.1.7 <nil> ICMP 84 <nil>
 ```
 
 Fluentd can be used to assist with collecting and analyzing the logs. Refer to the

diff --git a/docs/cookbooks/fluentd/README.md b/docs/cookbooks/fluentd/README.md
@@ -101,14 +101,13 @@ kubectl apply -f docs/cookbooks/fluentd/resources/fluentd.yml
 Navigate to `http://[NodeIP]: 30007` and create an index pattern with "fluentd-*".
 Go to `http://[NodeIP]: 30007/app/kibana#/discover` to see the results as below.
 
-<img src="https://downloads.antrea.io/static/10182021/audit-logging-fluentd-kibana.png" width="900" alt="Audit Logging Fluentd Kibana">
+<img src="assets/audit-logging-fluentd-kibana.png" width="900" alt="Audit Logging Fluentd Kibana">
 
 ## Email Alerting
 
 Kibana dashboard supports creating alerts with the logs in this
 [guide](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html).
-This
-[documentation](https://docs.fluentd.org/how-to-guides/splunk-like-grep-and-alert-email)
+This [documentation](https://docs.fluentd.org/how-to-guides/splunk-like-grep-and-alert-email)
 also provides a detailed guide for email alerting when using td-agent
 (the stable version of Fluentd and preconfigured).
 

diff --git a/docs/cookbooks/fluentd/assets/audit-logging-fluentd-kibana.png b/docs/cookbooks/fluentd/assets/audit-logging-fluentd-kibana.png
diff --git a/docs/cookbooks/fluentd/resources/kubernetes.conf b/docs/cookbooks/fluentd/resources/kubernetes.conf
@@ -1,6 +1,8 @@
-<match fluent.**>
-  @type null
-</match>
+<label @FLUENT_LOG>
+  <match **>
+    @type null
+  </match>
+</label>
 
 <source>
   @type tail
@@ -10,15 +12,6 @@
   tag antrea-networkpolicy
   <parse>
     @type regexp
-    expression /^(?<date>[^ ]*) (?<time>[^ ]*) (?<rule>[^ ]*) (?<anp>[^ ]*) (?<disposition>[^ ]*) (?<priority>[^ ]*) (?<srcIP>[^ ]*) (?<destIP>[^ ]*) (?<length>[^ ]*) (?<protocol>[^ ]*) (?:(?<duplication>\[.*\]))?$/
-    time_format %H:%M:%S.%L
+    expression (?<time>\d{4}\/\d{2}\/\d{2}\s\d{2}:\d{2}:\d{2}.\d{6}) (?<tableName>[^ ]*) (?<npRef>[^ ]*) (?<ruleName>[^ ]*) (?<direction>[^ ]*) (?<disposition>[^ ]*) (?<ofPriority>[^ ]*) (?<appliedToRef>[^ ]*) (?<srcIP>[^ ]*) (?<srcPort>[^ ]*) (?<destIP>[^ ]*) (?<destPort>[^ ]*) (?<protocolStr>[^ ]*) (?<pktLength>[^ ]*) (?<logLabel>[^ ]*)
   </parse>
 </source>
-
-<filter kubernetes.**>
-  @type kubernetes_metadata
-  @id filter_kube_metadata
-  kubernetes_url "#{ENV['FLUENT_FILTER_KUBERNETES_URL'] || 'https://' + ENV.fetch('KUBERNETES_SERVICE_HOST') + ':' + ENV.fetch('KUBERNETES_SERVICE_PORT') + '/api'}"
-  verify_ssl "#{ENV['KUBERNETES_VERIFY_SSL'] || true}"
-  ca_file "#{ENV['KUBERNETES_CA_FILE']}"
-</filter>