This guide describes how to set up OpenStack Auditing with Hermes.
Hermes depends on an existing OpenStack installation that is responsible for generating audit events from OpenStack using Keystone Middleware. Each OpenStack component you wish to use will require configuration via Keystone Middleware with the correct CADF mappings file.
This sends CADF-formatted audit events to the oslo.messaging bus, which is hosted on RabbitMQ. From there the Hermes infrastructure takes over, consisting of:
- Logstash for transforming events by adding metadata concerning ProjectID and DomainID
- ElasticSearch for holding the data as the main datastore
- Hermes as the Audit API for accessing these events from your OpenStack Dashboard.
Optionally, this can also include:
- Kibana for ease of viewing data.
Via Makefile:
- `make` to just compile and run the binaries from the `build/` directory
- `make && make install` to install to `/usr`
- `make && make install PREFIX=/some/path` to install to `/some/path`
- `make docker` to build the Docker image (set image name and tag with the `DOCKER_IMAGE` and `DOCKER_TAG` variables)
Hermes can be used via our Converged Cloud Dashboard Elektra under "Auditing", or directly with the HTTP API.
The Hermes binary is server only. For a client CLI tool please refer to the hermesctl project.
The easiest way to deploy Hermes is as a service in Kubernetes.
Feel free to use our Hermes Helm chart, which contains a Hermes deployment and an ELK deployment that transforms the CADF events generated by Keystone Middleware and moves them from the RabbitMQ deployments OpenStack currently uses to the ElasticSearch storage that Hermes uses.
Please refer to the configuration guide for details.
Running the hermes binary will start the server listening on http://localhost:8788
Documentation for Keystone Middleware's Audit describes how to enable the audit capabilities in CADF Format for various OpenStack services.
Using the oslo.messaging bus, we configure the middleware to send audit events to an audit-specific RabbitMQ. This keeps the load on the main oslo.messaging bus to a minimum so that auditing doesn't impact other core OpenStack services.
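A configuration sketch of the setup described above, added here as an example and not taken from the Hermes project: it enables the Keystone Middleware audit filter for one service and points its notifications at a dedicated audit RabbitMQ. Nova, the file paths, the host name and the credentials are assumptions and placeholders.

```ini
# --- api-paste.ini of the audited service (Nova used as an assumed example) ---
# Define the audit filter, then add "audit" to the service's API pipeline
# after the auth_token filter so it can use the identity data set by it.
[filter:audit]
paste.filter_factory = keystonemiddleware.audit:filter_factory
# CADF mappings file for this service (path is an assumption)
audit_map_file = /etc/nova/api_audit_map.conf

# --- service configuration file of the same service, e.g. nova.conf ---
[audit_middleware_notifications]
# Emit audit events as oslo.messaging notifications
driver = messagingv2
# Send audit traffic to the audit-specific RabbitMQ instead of the main
# oslo.messaging bus. Host, user and password below are placeholders.
transport_url = rabbit://audit_user:AUDIT_PASSWORD@audit-rabbitmq.example.internal:5672/
```

Because `transport_url` embeds broker credentials, keep the file readable only by the service account and give the audit RabbitMQ its own user rather than reusing the main bus credentials.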
We then implement a Logstash instance to act as a transformation step between RabbitMQ and loading into ElasticSearch.
Common transforms are dropping events that don't provide value as auditing events, and adding CADF mappings to events that do not currently have an audit map in Keystone Middleware due to their lack of consistent event details (for example, Designate events).
From there the data is loaded into ElasticSearch, where a rolling index created from a template holds the audit details in daily indices.
Hermes is used as the API to query this ElasticSearch to provide API events to the OpenStack Dashboard.
SAP Converged Cloud Dashboard Elektra
Hermes has Prometheus integration located at the /metrics endpoint. The custom metrics included are:
Name | Description |
---|---|
hermes_request_duration_seconds | Duration of a Hermes request |
hermes_requests_inflight | Number of inflight HTTP requests served by Hermes |
hermes_response_size_bytes | Size of the Hermes response (e.g. to retrieve events) |
hermes_storage_errors_count | Number of technical errors that occurred when accessing the underlying storage |