CN116069746A - Method, device and equipment for recording security group log - Google Patents

Method, device and equipment for recording security group log

Info

Publication number
CN116069746A
Authority
CN (China)
Prior art keywords
ovn
security group
log
flow table
database
Legal status
Pending
Application number
CN202111274129.8A
Other languages
Chinese (zh)
Inventor
张�浩
翟孟冬
王东委
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Suzhou Software Technology Co Ltd
Events
Application filed by China Mobile Communications Group Co Ltd and China Mobile Suzhou Software Technology Co Ltd
Priority to CN202111274129.8A
Publication of CN116069746A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/18 File system types
    • G06F16/1805 Append-only file systems, e.g. using logs or journals to store data
    • G06F16/1815 Journaling file systems

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L49/00 Packet switching elements
    • H04L49/70 Virtual switches

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device and equipment for recording a security group log. The method comprises the following steps: acquiring a security group creation log request; issuing a flow table to an Open Virtual Switch (OVS) through an Open Virtual Network (OVN) component according to the security group creation log request; and receiving and recording the packets fed back by the OVS according to the flow table. In this way, the neutron component uses OVN to record the security group log of a virtual machine port.

Description

Method, device and equipment for recording security group log
Technical Field
The present invention relates to the field of computer technology, and in particular to a method, an apparatus and a device for security group logging.
Background
The security group log function records detailed information about packets, so that system administrators, developers and operations staff can analyse specified traffic. In a network environment without a security group log function, traffic flows are invisible and the relevant packets cannot be recorded in time to assess the current state of the network. The security group log function records packets on virtual machine ports according to the event type (accept, drop or all); the packets are written to a specified log file and include information such as timestamps, lengths, addresses and ports.
The neutron component of OpenStack mainly provides layer-2 and layer-3 network services, and the supported back-end drivers include Open vSwitch, Linux bridge, OVN (Open Virtual Network) and others. Neutron provides a logging function through its log plugin: a network log can be bound to a security group, a firewall, a virtual machine port or a router port, and the network log can be pushed to a virtual switch or virtual router, which records the specified packets and writes them to a log file.
When Open vSwitch is selected as the mechanism driver of the neutron component, the security group log function is implemented through the neutron-openvswitch-agent. This saves some server resources, but a large number of log messages are concentrated on a message queue, which readily creates a performance bottleneck and places heavy resource overhead and performance pressure on a single log server. Moreover, this approach only works on a specific operating system and is poorly portable.
Disclosure of Invention
In view of the foregoing, embodiments of the present invention are directed to a method, apparatus, and device for security group logging that overcome, or at least partially solve, the foregoing problems.
According to an aspect of an embodiment of the present invention, there is provided a method for security group logging, including:
acquiring a security group creation log request;
issuing a flow table to an Open Virtual Switch (OVS) through an open virtual network software system (OVN) component according to the security group creation log request;
and receiving and recording the data message fed back by the OVS according to the flow table.
According to another aspect of the embodiment of the present invention, there is provided an apparatus for security group logging, including:
the acquisition module is used for acquiring a security group creation log request;
the processing module is used for issuing a flow table to the open virtual switch OVS through the open virtual network software system OVN component according to the security group creation log request; and receiving and recording the data message fed back by the OVS according to the flow table.
According to yet another aspect of an embodiment of the present invention, there is provided a computing device including a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the method for recording the security group log.
According to yet another aspect of an embodiment of the present invention, there is provided a computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of security group logging as described above.
According to the scheme provided by the embodiment of the invention, a security group creation log request is acquired; a flow table is issued to an Open Virtual Switch (OVS) through an Open Virtual Network (OVN) component according to the security group creation log request; and the packets fed back by the OVS according to the flow table are received and recorded. This provides a security group log interface and lets the neutron component record the security group log of a virtual machine port using OVN.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and may be implemented according to the content of the specification, so that the technical means of the embodiments of the present invention can be more clearly understood, and the following specific implementation of the embodiments of the present invention will be more apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 is a flow chart of a method for security group logging provided by an embodiment of the present invention;
FIG. 2 illustrates a timing diagram of security group logging based on OVN provided by an embodiment of the present invention;
FIG. 3 shows an overall architecture diagram of security group logging provided by an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus for security group logging according to an embodiment of the present invention;
FIG. 5 illustrates a schematic diagram of a computing device provided by an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 is a flowchart of a method for security group logging according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
step 11, acquiring a security group creation log request;
step 12, issuing a flow table to an Open Virtual Switch (OVS) through an open virtual network software system (OVN) component according to the security group creation log request;
and step 13, receiving and recording the data message fed back by the OVS according to the flow table.
In this embodiment, steps 11, 12 and 13 may be carried out by the virtual network service component, neutron. A user sends a create-log request to it; the neutron component obtains the security group creation log request, issues a flow table to the Open Virtual Switch (OVS) through the Open Virtual Network (OVN) component according to that request, and receives and records the packets fed back by the OVS according to the flow table, so that the neutron component records the security group log of the virtual machine port using OVN.
In an alternative embodiment of the present invention, step 11 may include:
step 111, receiving, through the OVN log plugin, a security group creation log request initiated by a user.
In this embodiment, after the neutron-server of the neutron component, listening on port 9696, detects a request to create a log, the security group creation log request initiated by the user is received through the OVN log plugin, and the request path is mapped to a preset method according to the request type (POST). When a security group log is created, the request path is /v2.0/log/logs and the preset method is create_log(), which creates the log, although the method is not limited to this.
In yet another alternative embodiment of the present invention, step 12 may include:
step 121, calling the OVN driver in neutron through the OVN log plugin to communicate with the OVN northbound database and extend the access control list (ACL);
specifically, the OVN driver in neutron is called through the OVN log plugin to send a request to the OVN northbound database to enable the security group log, so that the OVN northbound database extends the ACL.
step 122, after the OVN northd service in the OVN component detects that the ACL in the OVN northbound database has changed, notifying the OVN southbound database to generate a logical flow table, and sending the logical flow table to the OVN controller in the OVN component;
step 123, issuing a flow table to the OVS according to the logical flow table through the OVN controller in the OVN component.
In this embodiment, the OVN log plugin first creates the log record in the neutron database through the OVN log driver. While creating it, the driver checks whether the OVN Meter table supports the fair attribute and throws an exception if it does not. If it does, then when the security group log is enabled the security group log information is first converted into an OVN port group, and the event type of the security group log is converted into specific OVN actions; secondly, a Meter entry is created from the rate and burst values in the configuration file, named acl_log_meter by default; then, according to all the security group rules in the security group, the ACL entries of the access control list are extended and attributes such as log, meter and severity are set. Meanwhile, the log database converts the log information into a data object, creates the object and stores the created log information. Finally, the OVN driver is called to send a request to the OVN northbound database to enable the security group log; it communicates with the OVN northbound database through the OVSDB protocol of ovsdbapp, which provides the OVN driver layer with interfaces for creating, updating, deleting and querying Meters in the OVN northbound database and extends the ACL interface.
After the OVN northd service in the OVN component detects that the ACL in the OVN northbound database has changed, the OVN southbound database is notified to generate the corresponding logical flow table; the OVN controller (ovn-controller) in the OVN component then issues a specific flow table to the OVS according to that logical flow table, the OVS matches packets according to the flow table rules, and sends the matched packets to the OVN controller for recording.
In yet another alternative embodiment of the present invention, the method may further include:
step 124, when the security group log is enabled in the OVN northbound database, converting the security group log into an OVN port group, and converting the security group log into specific OVN actions according to its event type; where the accepted event type corresponds to the allow and allow-related actions, the rejected event type corresponds to the drop and reject actions, and the all event type corresponds to the drop, reject, allow and allow-related actions.
In this embodiment, when the security group log is enabled in the OVN northbound database, the security group log is first converted into an OVN port group and then handled by the plugin, extension, db (database) and driver layers. The plugin is the concrete implementation of the log plugin and covers driver loading, database calls and driver calls, among other things. The extension mainly defines the interface parameters related to the log: in the OVN L3 extension the log plugin must be loaded, which ensures that the neutron interface layer supports configuring a security group log; in the OVN log driver the security group log is converted into an OVN port group, whose data table includes the name, the port list and the ACL list, among other fields, where the OVN port group corresponds to the security group and an ACL corresponds to a security group rule. The db layer is mainly responsible for writing the log into the database, and the driver is mainly responsible for the underlying implementation of the security group log. Finally, the event type of the security group log is converted into specific OVN actions.
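To make the conversion concrete, here is an added Python example; it is not code from the patent, from neutron or from OVN. It models a security group as an OVN port group whose ACLs correspond to the group's rules, maps the log's event type to the OVN ACL actions listed above, and marks only the selected ACLs with the log, meter and severity attributes. The dictionary layout, the sample security group and the match strings are constructed for this example and are not the OVN driver's actual data structures.

```python
"""Added example: translate a neutron security-group log request into OVN ACL
log settings. Not neutron's or OVN's own code; data shapes are illustrative."""
import copy

# Event type of the security group log -> OVN ACL actions that get logged,
# following the mapping given in the text above.
EVENT_TO_ACTIONS = {
    "accepted": {"allow", "allow-related"},
    "rejected": {"drop", "reject"},
    "all": {"allow", "allow-related", "drop", "reject"},
}


def actions_for_event(event_type):
    """Return the set of OVN ACL actions selected by a log event type."""
    try:
        return EVENT_TO_ACTIONS[event_type.lower()]
    except KeyError:
        raise ValueError("unsupported event type: %r" % event_type)


def port_group_for_security_group(sg):
    """Model an OVN port group for a security group: one ACL per rule.
    The 'match' strings are simplified stand-ins (constructed here) for what
    the OVN driver would derive from each rule."""
    acls = []
    for rule in sg["rules"]:
        acls.append({
            "name": "neutron-%s" % rule["id"],
            "direction": rule["direction"],   # from-lport or to-lport
            "priority": rule["priority"],
            "match": rule["match"],
            "action": rule["action"],
            "log": False, "meter": None, "severity": None,
        })
    return {"name": "pg_%s" % sg["id"], "ports": list(sg["ports"]), "acls": acls}


def enable_acl_logging(pg, event_type, meter="acl_log_meter", severity="info"):
    """Return a copy of the port group with logging enabled on the ACLs whose
    action matches the event type. ACLs outside the selection keep log=False,
    so the OVS flows generated for them never punt packets to ovn-controller."""
    wanted = actions_for_event(event_type)
    new_pg = copy.deepcopy(pg)
    for acl in new_pg["acls"]:
        if acl["action"] in wanted:
            acl.update(log=True, meter=meter, severity=severity)
    return new_pg


def logged_acl_names(pg):
    """Names of the ACLs in a port group that currently have logging on."""
    return sorted(a["name"] for a in pg["acls"] if a["log"])


# Constructed sample security group with four rules (two allow, two deny).
SAMPLE_SG = {
    "id": "sg1",
    "ports": ["vm-port-1", "vm-port-2"],
    "rules": [
        {"id": "r1", "direction": "to-lport", "priority": 1002, "action": "allow-related",
         "match": "outport == @pg_sg1 && ip4 && tcp.dst == 22"},
        {"id": "r2", "direction": "from-lport", "priority": 1002, "action": "allow-related",
         "match": "inport == @pg_sg1 && ip4"},
        {"id": "r3", "direction": "to-lport", "priority": 1001, "action": "drop",
         "match": "outport == @pg_sg1 && ip"},
        {"id": "r4", "direction": "from-lport", "priority": 1001, "action": "reject",
         "match": "inport == @pg_sg1 && ip"},
    ],
}

if __name__ == "__main__":
    pg = port_group_for_security_group(SAMPLE_SG)
    for ev in ("accepted", "rejected", "all"):
        print(ev, logged_acl_names(enable_acl_logging(pg, ev)))
```

Enabling logging returns a modified copy rather than mutating the port group in place, which mirrors the fact that the driver writes a changed ACL row back to the northbound database instead of editing state it holds locally; a "rejected" log therefore touches only the drop and reject ACLs and leaves the allow rules free of log traffic.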
In yet another alternative embodiment of the present invention, the method may further include:
step 125, creating a default meter entry according to the configuration file of the virtual network service neutron.
Specifically, according to the packet logging rate in the neutron configuration file and the number of packets per unit time, a default meter entry acl_log_meter is created when a security group log is created.
In this embodiment, the rate limit mainly limits the speed of log recording, which reduces the memory that logging consumes on the physical device. Implementing the rate limit with an OVN meter is more efficient and more flexible.
In the neutron configuration file the packet logging rate defaults to 25 and the burst value to 100, the unit being packets per second (pktps). When the default security group log meter entry acl_log_meter is created, a specific meter rule is also issued. This meter rule is distinguished from the QoS rate-limit rules of ports, floating IPs and router external gateways by adding the fair attribute by default to the meter entry used for logging, and several ACL rules can share one meter rule. The specific meter rule is as follows:
when the rate-limit configuration is complete, the recording function of the security group log is enabled in the driver: the log function is enabled one by one for all ACL rules associated with the port group, acl_log_meter is associated with them, and a log severity is assigned;
when the OVN northbound database receives the request to enable the security group log, the ACL entries are updated in the database;
when the OVN northd service detects the change in the OVN northbound database, it notifies the OVN southbound database to generate the corresponding logical flow table;
for outgoing ACL rules, the specific priorities, match rules, actions and so on are generated in the ls_out_acl (table=5) logical flow table;
for incoming ACL rules, the specific priorities, match rules, actions and so on are generated in the ls_in_acl (table=7) logical flow table.
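The following added Python example (not code from the patent, from neutron or from OVN) walks through the procedure just described: it checks that the northbound Meter table carries the fair column before creating the default acl_log_meter from the rate and burst values in the text, and then renders simplified logical flows for logged ACLs into the ls_in_acl (table=7) and ls_out_acl (table=5) stages. The schema dictionaries, the configuration keys rate_limit and burst_limit, the band layout and the flow text format are assumptions made for this example; real ovn-northd output carries additional register and conntrack handling that is omitted here.

```python
"""Added example (not neutron's or OVN's own code): default log meter creation
and a simplified rendering of the logical flows produced for logged ACLs."""

METER_NAME = "acl_log_meter"
DEFAULT_RATE = 25     # packets per second, the default given in the text
DEFAULT_BURST = 100   # burst value, the default given in the text

# Constructed stand-ins for the part of the OVN northbound schema the driver
# inspects; a real driver reads the schema from its NB database connection.
NB_SCHEMA_WITH_FAIR = {"Meter": ["name", "unit", "bands", "fair", "external_ids"]}
NB_SCHEMA_OLD = {"Meter": ["name", "unit", "bands", "external_ids"]}


class MeterNotSupported(Exception):
    """Raised when the Meter table lacks the fair column the log driver needs."""


def check_fair_meter_support(schema):
    """Mirror the driver's pre-check: without 'fair' the log meter cannot be built."""
    if "fair" not in schema.get("Meter", []):
        raise MeterNotSupported("OVN Meter table has no 'fair' column")


def build_log_meter(config, schema):
    """Create the default log meter row from the neutron configuration values.
    'rate_limit' and 'burst_limit' are assumed key names; the unit is pktps."""
    check_fair_meter_support(schema)
    rate = int(config.get("rate_limit", DEFAULT_RATE))
    burst = int(config.get("burst_limit", DEFAULT_BURST))
    if rate <= 0 or burst <= 0:
        raise ValueError("rate and burst must be positive")
    return {
        "name": METER_NAME,
        "unit": "pktps",
        # fair=True marks this as a log meter, distinct from the port, floating-IP
        # and router-gateway QoS meters; all logged ACLs share this single row.
        "fair": True,
        "bands": [{"action": "drop", "rate": rate, "burst_size": burst}],
    }


# Direction of an ACL -> (logical flow stage, table number) as given in the text.
ACL_TABLES = {"from-lport": ("ls_in_acl", 7), "to-lport": ("ls_out_acl", 5)}


def render_logical_flow(acl):
    """Render one ACL as a simplified ovn-northd style logical flow line.
    Only the log() action and the allow/drop outcome are modelled."""
    stage, table = ACL_TABLES[acl["direction"]]
    actions = ""
    if acl.get("log"):
        actions += 'log(name="%s", severity=%s, verdict=%s, meter="%s"); ' % (
            acl["name"], acl["severity"], acl["action"], acl["meter"])
    actions += "next;" if acl["action"] in ("allow", "allow-related") else "/* drop */"
    return "table=%d(%s), priority=%d, match=(%s), action=(%s)" % (
        table, stage, acl["priority"], acl["match"], actions)


def logical_flows_for(acls):
    """Group rendered flows by stage so the ls_in_acl / ls_out_acl split is visible."""
    out = {"ls_in_acl": [], "ls_out_acl": []}
    for acl in acls:
        out[ACL_TABLES[acl["direction"]][0]].append(render_logical_flow(acl))
    return out


# Constructed ACLs as the log driver would leave them after enabling logging for
# the "rejected" event type: the drop and reject rules log, the allow rule does not.
SAMPLE_ACLS = [
    {"name": "neutron-r1", "direction": "to-lport", "priority": 1002,
     "match": "outport == @pg_sg1 && ip4 && tcp.dst == 22", "action": "allow-related",
     "log": False, "meter": None, "severity": None},
    {"name": "neutron-r3", "direction": "to-lport", "priority": 1001,
     "match": "outport == @pg_sg1 && ip", "action": "drop",
     "log": True, "meter": METER_NAME, "severity": "info"},
    {"name": "neutron-r4", "direction": "from-lport", "priority": 1001,
     "match": "inport == @pg_sg1 && ip", "action": "reject",
     "log": True, "meter": METER_NAME, "severity": "info"},
]

if __name__ == "__main__":
    print(build_log_meter({}, NB_SCHEMA_WITH_FAIR))
    for flows in logical_flows_for(SAMPLE_ACLS).values():
        for line in flows:
            print(line)
```

The schema check runs before anything is written, which is the order the text describes: a deployment whose Meter table predates the fair column fails the request up front instead of leaving half-configured ACLs behind, and a non-positive rate or burst is rejected rather than silently producing a meter that drops every logged packet.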
In yet another alternative embodiment of the present invention, step 13 may further include:
step 14, issuing the logical flow table to the OVS to generate specific flow table information, which is then sent to the OVN controller to control the details of the output packets; the flow table information includes table 15 and table 45, but is not limited to these.
As shown in fig. 2, the main flow of security group logging for a virtual machine port implemented by neutron using OVN includes the following parts:
a user or an administrator requests the creation of a log for a security group;
after the neutron-server listening on port 9696 detects the create-log request, it maps the request path to a preset method according to the request type; the preset methods include create_log();
the OVN log plugin then begins processing the creation of the security group log: it creates the log record in the neutron database, calls the OVN driver to preprocess the created log, calls the driver to enable the security group log once preprocessing is complete, and finally returns the security group log information to the user or administrator.
The log DB converts the requested log information into a DB object and creates it, i.e. it stores the security group log information.
When the OVN log driver preprocesses the created log, it checks whether the OVN Meter table supports the fair attribute and throws an exception if it does not. When the security group log is enabled, the security group log information is first converted into an OVN port group, then the event type of the security group log is converted into specific OVN actions, then the default Meter entry acl_log_meter is created from the rate and burst values in the configuration file, and finally the ACL entries are updated according to all the security group rules in the security group, setting the log, meter, severity and other attributes.
ovsdbapp communicates with the OVN northbound database via the OVSDB protocol, provides the OVN driver layer with interfaces for Meter creation, update, deletion and query, and extends the ACL interfaces.
After the OVN northd service detects that the ACL in the northbound database has changed, the corresponding logical flow table is generated in the southbound database; the OVN controller issues a specific flow table to the OVS according to the logical flow table, the OVS matches packets according to the flow table rules, and then sends the matched packets to the OVN controller for recording.
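As an added example of this last step, not code from the patent or from OVN, the following Python parses the lines ovn-controller writes for packets that the OVS flows punt to it and aggregates them by verdict, source address and destination port, which is the view an operator wants when reviewing a security group log. The sample lines are constructed for this example; they follow the general shape of ovn-controller's acl_log messages (a name, verdict, severity and direction prefix followed by the packet's flow fields), and the regular expression is tied to that shape as an assumption rather than to an OVN format specification.

```python
"""Added example (not OVN's or neutron's own code): parse and summarise
ovn-controller acl_log lines produced for logged security group ACLs."""
import re
from collections import Counter

# Prefix written by ovn-controller for a logged packet, followed by the flow
# fields of the packet itself. Constructed from the general shape of these
# messages; adjust the pattern if a given build formats them differently.
ACL_LOG_RE = re.compile(
    r'^(?P<ts>[^|]+)\|\d+\|acl_log\([^)]*\)\|(?P<level>[A-Z]+)\|'
    r'name="(?P<name>[^"]*)", verdict=(?P<verdict>[\w-]+), severity=(?P<severity>\w+)'
    r'(?:, direction=(?P<direction>[\w-]+))?: (?P<flow>.+)$'
)
WANTED_FIELDS = ("dl_src", "dl_dst", "nw_src", "nw_dst", "tp_src", "tp_dst")


def parse_acl_log_line(line):
    """Return a dict of the record's fields, or None if the line is not an
    acl_log record (other ovn-controller messages share the same log file)."""
    m = ACL_LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    flow = rec.pop("flow").split(",")
    rec["proto"] = flow[0]            # first token is the protocol, e.g. tcp
    kv = dict(part.split("=", 1) for part in flow[1:] if "=" in part)
    for key in WANTED_FIELDS:
        rec[key] = kv.get(key)
    return rec


def summarise(lines):
    """Count logged packets per (verdict, source IP, destination port).
    Because acl_log_meter rate-limits the packets punted to ovn-controller,
    these counts are a lower bound on the traffic that matched the ACL."""
    counts = Counter()
    for line in lines:
        rec = parse_acl_log_line(line)
        if rec is not None:
            counts[(rec["verdict"], rec["nw_src"], rec["tp_dst"])] += 1
    return counts


# Constructed sample lines: two dropped SSH connection attempts from one host,
# one allowed flow, and an unrelated ovn-controller message that must be ignored.
SAMPLE_LINES = [
    '2021-10-28T07:12:31.512Z|00012|acl_log(ovn_pinctrl0)|INFO|name="neutron-r3", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:aa:bb:01,dl_dst=fa:16:3e:aa:bb:02,nw_src=10.0.0.5,nw_dst=10.0.0.7,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=41234,tp_dst=22,tcp_flags=syn',
    '2021-10-28T07:12:32.031Z|00013|acl_log(ovn_pinctrl0)|INFO|name="neutron-r3", verdict=drop, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:aa:bb:01,dl_dst=fa:16:3e:aa:bb:02,nw_src=10.0.0.5,nw_dst=10.0.0.7,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=41235,tp_dst=22,tcp_flags=syn',
    '2021-10-28T07:12:33.700Z|00014|acl_log(ovn_pinctrl0)|INFO|name="neutron-r1", verdict=allow, severity=info, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=fa:16:3e:aa:bb:03,dl_dst=fa:16:3e:aa:bb:02,nw_src=10.0.0.9,nw_dst=10.0.0.7,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=50111,tp_dst=22,tcp_flags=syn',
    '2021-10-28T07:12:34.000Z|00015|binding|INFO|Claiming lport vm-port-2 for this chassis.',
]

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE_LINES).items()):
        print(key, n)
```

The ACL name in each record is the neutron-assigned name of the rule, so a summary can be joined back to the security group rule that produced it; the meter's rate limit is the reason the summary is labelled a lower bound, since the log entries exist to show which rules are firing, not to count every packet.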
Fig. 3 shows a security group logging overall architecture diagram provided by an embodiment of the present invention, and as shown in fig. 3, the security group logging overall architecture components and functions are as follows:
OVN mechanism driver: the mechanism driver loaded in the neutron component, responsible for implementing the layer-2 network; here OVN is selected as the underlying driver.
OVN northbound database (OVN Northbound DB): accepts and stores the logical network representation passed down by the neutron plugin, including logical switches, logical routers, ACLs (access control lists), meters and so on.
OVN northd service (OVN Northd Service): watches the OVN northbound database for changes, converts the logical network in the northbound database into its concrete network form, and writes it into the OVN southbound database.
OVN southbound database (OVN Southbound DB): holds three kinds of data, namely the physical network, the logical network, and the bindings, which map the logical network onto the physical network. The physical network data determines how packets are forwarded in the physical network, the logical network data determines how packets are forwarded in the logical network, and the bindings determine the mapping from the logical network to the physical network.
OVN controller (ovn-controller): the OVN agent running on the compute node, similar to the OVS agent in neutron. On the one hand it writes the state of the compute node into the physical network and binding tables; on the other hand, acting as an OpenFlow controller, it issues flow tables to the Open Virtual Switch (OVS).
According to the security group logging method provided by the embodiment of the invention, with these components the Open Virtual Network (OVN) is selected as the underlying mechanism driver of neutron, and the original OVN plugin is modified using OVN Meters and access control lists so that it can load the log plugin, with the creation, update and deletion of security group logs implemented in the OVN driver; this realises the security group logging function for virtual machine ports. The security group log ultimately produces the corresponding Meter table and access control flow table on the br-int bridge of the Open Virtual Switch (OVS). A security group log is created by calling the neutronclient interface or the RESTful interface (a design style and development model for web application interfaces), with the resource type set to security group, the resource set to the name or ID of the security group, and the event type set to accepted, dropped or all. The virtual machine port is optional; if it is not specified, all virtual machine ports associated with the security group are included.
In the embodiment of the invention described above, a security group creation log request is acquired; a flow table is issued to an Open Virtual Switch (OVS) through an Open Virtual Network (OVN) component according to the security group creation log request; and the packets fed back by the OVS according to the flow table are received and recorded. This provides a security group log interface and effectively improves the efficiency of packet logging; it also has the beneficial effect that the security group log function can be operated in other scenarios. The Meter table in the OVN log driver rate-limits the packets, which improves the accuracy of the rate limit; the ACL table records the packets, which improves the efficiency of logging; and the flow table can also be offloaded to hardware devices, improving network performance.
Fig. 4 is a schematic structural diagram of an apparatus 40 for security group logging according to an embodiment of the present invention. As shown in fig. 4, the apparatus includes:
an acquisition module 41, configured to acquire a security group creation log request;
a processing module 42, configured to issue a flow table to the Open Virtual Switch (OVS) through the Open Virtual Network (OVN) component according to the security group creation log request, and to receive and record the packets fed back by the OVS according to the flow table.
Optionally, the acquisition module 41 is further configured to receive, through the OVN log plugin, a security group creation log request initiated by a user.
Optionally, the processing module 42 is further configured to communicate with the OVN northbound database by calling the OVN driver in neutron through the OVN log plugin, and to extend the access control list (ACL);
after the OVN northd service in the OVN component detects that the ACL in the OVN northbound database has changed, to notify the OVN southbound database to generate a logical flow table and send the logical flow table to the OVN controller in the OVN component;
and to issue a flow table to the OVS according to the logical flow table through the OVN controller in the OVN component.
Optionally, the processing module 42 is further configured to call the OVN driver in the OVN component through the OVN log plugin to send a request to the OVN northbound database to enable a security group log, so that the OVN northbound database extends the ACL.
Optionally, the processing module 42 is further configured to convert the security group log into an OVN port group when the security group log is enabled in the OVN northbound database, and to convert the security group log into specific OVN actions according to its event type; where the accepted event type corresponds to the allow and allow-related actions, the rejected event type corresponds to the drop and reject actions, and the all event type corresponds to the drop, reject, allow and allow-related actions.
Optionally, the processing module 42 is further configured to create a default meter entry according to the configuration file of the virtual network service neutron.
Optionally, the processing module 42 is further configured to create the default meter entry acl_log_meter when creating a security group log, according to the packet logging rate in the neutron configuration file and the number of packets per unit time.
It should be noted that this embodiment is an embodiment of the apparatus corresponding to the above embodiment of the method, and all the implementation manners in the above embodiment of the method are applicable to the embodiment of the apparatus, so that the same technical effects can be achieved.
Embodiments of the present invention provide a non-volatile computer storage medium having stored thereon at least one executable instruction for performing the method of security group logging in any of the method embodiments described above.
FIG. 5 illustrates a schematic diagram of a computing device according to an embodiment of the present invention, and the embodiment of the present invention is not limited to a specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor (processor), a communication interface (Communications Interface), a memory (memory), and a communication bus.
The processor, the communication interface and the memory communicate with each other via the communication bus. The communication interface is used to communicate with network elements of other devices, such as clients or other servers. The processor is used to execute a program and, in particular, may perform the relevant steps of the security group logging method embodiment described above on the computing device.
In particular, the program may include program code including computer-operating instructions.
The processor may be a central processing unit, CPU, or specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included by the computing device may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
And the memory is used for storing programs. The memory may comprise high-speed RAM memory or may further comprise non-volatile memory, such as at least one disk memory.
The program may be specifically adapted to cause a processor to perform the method of security group logging in any of the method embodiments described above. The specific implementation of each step in the program may refer to corresponding steps and corresponding descriptions in units in the above embodiment of the method for logging a security group, which are not described herein. It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and modules described above may refer to corresponding procedure descriptions in the foregoing method embodiments, which are not repeated herein.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general-purpose systems may also be used with the teachings herein. The required structure for a construction of such a system is apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It will be appreciated that the teachings of embodiments of the present invention described herein may be implemented in a variety of programming languages, and the above description of specific languages is provided for disclosure of enablement and best mode of the embodiments of the present invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding the understanding of one or more of the various inventive aspects. However, this manner of disclosure should not be construed as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features but not others included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
Various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that some or all of the functionality of some or all of the components according to embodiments of the present invention may be implemented in practice using a microprocessor or Digital Signal Processor (DSP). Embodiments of the present invention may also be implemented as a device or apparatus program (e.g., a computer program and a computer program product) for performing a portion or all of the methods described herein. Such a program embodying the embodiments of the present invention may be stored on a computer readable medium, or may have the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. Embodiments of the invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.

Claims (10)

1. A method of security group logging, the method comprising:
acquiring a security group creation log request;
issuing a flow table to an Open Virtual Switch (OVS) through an Open Virtual Network software system (OVN) component according to the security group creation log request;
and receiving and recording the data messages fed back by the OVS according to the flow table.
2. The method of security group logging of claim 1, wherein acquiring a security group creation log request comprises:
receiving a user-initiated security group creation log request through an OVN log plug-in.
3. The method of security group logging of claim 1, wherein issuing a flow table to the Open Virtual Switch (OVS) through the Open Virtual Network software system (OVN) component according to the security group creation log request comprises:
calling an OVN driver in neutron through the OVN log plug-in to communicate with the OVN northbound database, and extending an Access Control List (ACL);
after an OVN northbound service in the OVN component detects that the ACL in the OVN northbound database has changed, notifying the OVN southbound database to generate a logical flow table, and sending the logical flow table to an OVN controller in the OVN component;
and issuing a flow table to the OVS according to the logical flow table through the OVN controller in the OVN component.
4. The method of security group logging of claim 3, wherein calling the OVN driver in the OVN component through the OVN log plug-in to communicate with the OVN northbound database and extending the Access Control List (ACL) comprises:
calling the OVN driver in the OVN component through the OVN log plug-in to send a request to the OVN northbound database to open a security group log, causing the OVN northbound database to extend an ACL.
5. The method of security group logging of claim 3, further comprising:
when the OVN northbound database opens the security group log, converting the security group log into an OVN port group, and converting the security group log into specific actions in OVN according to the event type of the security group log; wherein the accepted event type corresponds to the allow and allow-related actions, the rejected event type corresponds to the drop and reject actions, and the event type covering all traffic corresponds to the drop, reject, allow and allow-related actions.
6. The method of security group logging of claim 3, further comprising:
creating a default meter item from the configuration file of the virtual network service (neutron).
7. The method of security group logging of claim 6, wherein creating a default meter item from the configuration file of the virtual network service (neutron) comprises:
creating a default meter item, acl_log_meter, when creating a security group log, according to the rate at which data messages are recorded and the number of messages per unit time given in the neutron configuration file.
8. An apparatus for security group logging, comprising:
the acquisition module is used for acquiring a security group creation log request;
the processing module is used for issuing a flow table to the Open Virtual Switch (OVS) through the Open Virtual Network software system (OVN) component according to the security group creation log request, and for receiving and recording the data messages fed back by the OVS according to the flow table.
9. A computing device, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform operations corresponding to the method of security group logging according to any one of claims 1 to 7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of security group logging of any of claims 1-7.
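The northbound side of claims 3 to 7, as an added example in Python (not code from the patent, from neutron or from OVN): it derives the acl_log_meter row from assumed neutron rate_limit/burst_limit settings and flags the port group's ACL rows per event type so that ovn-northd can emit logging flows. The row field names follow the OVN northbound schema; the ACL naming scheme and the sample rows are constructed.

```python
"""Added example, not the patent's code: model the OVN northbound changes of
claims 3 to 7. A security-group log request becomes the default acl_log_meter
plus ACL rows of the group's port group flagged with log/meter/severity/name."""

# Claim 5: OVN ACL actions covered by each security-group-log event type.
EVENT_ACTIONS = {
    "ACCEPT": ("allow", "allow-related"),
    "DROP": ("drop", "reject"),
    "ALL": ("drop", "reject", "allow", "allow-related"),
}
DEFAULT_METER = "acl_log_meter"  # meter name used on the page (claim 7)

def build_default_meter(neutron_cfg: dict) -> dict:
    """Claim 7: derive the acl_log_meter row from the neutron configuration.
    Assumed keys: rate_limit (packets per second) and burst_limit (packets)."""
    rate = int(neutron_cfg.get("rate_limit", 100))
    burst = int(neutron_cfg.get("burst_limit", 25))
    if rate <= 0 or burst < 0:
        raise ValueError("rate must be positive and burst non-negative")
    return {"name": DEFAULT_METER, "unit": "pktps", "fair": True,
            "bands": [{"action": "drop", "rate": rate, "burst_size": burst}]}

def extend_acls(port_group: str, event: str, acls: list) -> list:
    """Claims 3 to 5: mark the port group's ACLs whose action matches the event
    type as logged and rate-limited by acl_log_meter; returns the changed rows."""
    wanted = EVENT_ACTIONS[event.upper()]          # KeyError on unknown event
    changed = []
    for acl in acls:
        if acl["port_group"] != port_group or acl["action"] not in wanted:
            continue                                 # other groups stay untouched
        acl.update(log=True, meter=DEFAULT_METER, severity="info",
                   name=f"neutron-log-{port_group}")  # assumed naming scheme
        changed.append(acl)
    return changed

def sample_acls() -> list:
    """Constructed NB ACL rows for two port groups (sample data, not real)."""
    return [
        {"port_group": "pg_sg_web", "direction": "to-lport", "priority": 1002,
         "match": "outport == @pg_sg_web && ip4 && tcp.dst == 443",
         "action": "allow-related", "log": False},
        {"port_group": "pg_sg_web", "direction": "to-lport", "priority": 1001,
         "match": "outport == @pg_sg_web && ip", "action": "drop", "log": False},
        {"port_group": "pg_sg_db", "direction": "to-lport", "priority": 1002,
         "match": "outport == @pg_sg_db && ip4 && tcp.dst == 3306",
         "action": "allow-related", "log": False},
    ]
```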

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111274129.8A CN116069746A (en) 2021-10-29 2021-10-29 Method, device and equipment for recording security group log

Publications (1)

Publication Number Publication Date
CN116069746A true CN116069746A (en) 2023-05-05


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination