After patching the setup with fix for bug 1797317, during session logging test below points observed:
1. Looks like old flag “log_flow” is still used/referenced to log the sessions because when I set “log_flow=1”(apart from slo_destination=file)extra logs(see 2nd log below) are seen as below:
INFO - [SYS_INFO]: SessionData: [ vmi = default-domain:ctest-SecurityLogging-77901689:287ea704-75b9-4e56-bcad-210a6a11531d vn = default-domain:ctest-SecurityLogging-77901689:ctest-vn-06809291 ] security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:ctest-SecurityLogging-77901689:ctest-vn-23556997 is_client_session = 1 is_si = 0 vrouter_ip = 10.10.10.8 local_ip = 138.7.139.3 service_port = 0 protocol = 1 logged_forward_bytes = 98 logged_forward_pkts = 1 logged_reverse_bytes = 84 ip = 45.159.187.3 port = 8068 forward_flow_info= [ logged_bytes = 98 logged_pkts = 1 flow_uuid = f161a6d4-2c95-427a-aaae-d3724c706e1b tcp_flags = 0 setup_time = 1539689679214767 action = pass sg_rule_uuid = 8da6cbcd-91e1-4585-893b-9b1a13cc5257 nw_ace_uuid = 1b924ca7-0ca1-4886-89c1-8af60b15b67a underlay_source_port = 53414 ] reverse_flow_info= [ logged_bytes = 84 logged_pkts = 1 flow_uuid = 865627a2-084a-4f8e-9067-0aaf4b8c6a42 tcp_flags = 0 setup_time = 1539689679214767 action = pass sg_rule_uuid = 8da6cbcd-91e1-4585-893b-9b1a13cc5257 nw_ace_uuid = 1b924ca7-0ca1-4886-89c1-8af60b15b67a underlay_source_port = 65224 ] vm = 9932613e-cbd9-4fa1-9bea-2fe1a94cf1ac other_vrouter_ip = 10.10.10.9 underlay_proto = 2 ]
2018-10-16 Tue 17:04:39:995.849 IST nodem8 [Thread 140123954079488, Pid 16060]: [SYS_INFO]: SessionEndpointObject: session_data= [ [ [ vmi = default-domain:ctest-SecurityLogging-77901689:287ea704-75b9-4e56-bcad-210a6a11531d vn = default-domain:ctest-SecurityLogging-77901689:ctest-vn-06809291 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:ctest-SecurityLogging-77901689:ctest-vn-23556997 is_client_session = 1 is_si = 0 vrouter_ip = 10.10.10.8 sess_agg_info= [ [ [ local_ip = 138.7.139.3 service_port = 0 protocol = 1 ] [ sessionMap= [ [ ] ] ], ] ] ], ] ]
2. The Format of the message is changed and there is no sess_agg_info now.
Old format of the log was same as 2nd log above.
3. logged_reverse_pkts field is missing in log. Earlier same issue was seen for syslog.
https://bugs.launchpad.net/juniperopenstack/+bug/1753381
Expected session log(ignore the format):
[ vmi = default-domain:ctest-SecurityLogging-62453854:4b97fc45-dd8e-437f-9f84-967a1e6388d3 vn = default-domain:ctest-SecurityLogging-62453854:ctest-vn-23374218 security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:ctest-SecurityLogging-62453854:ctest-vn-72151247 is_client_session = 1 is_si = 0 vrouter_ip = 10.10.10.8 sess_agg_info= \[ \[ \[ local_ip = 194.124.216.3 service_port = 0 protocol = 1 ] \[ logged_forward_bytes = \d+ logged_forward_pkts = \d+ logged_reverse_bytes = \d+ logged_reverse_pkts = \d+ sessionMap= \[ \[ \[ ip = 76.27.77.3 port = \d+ ] \[ forward_flow_info= \[ logged_bytes = \d+ logged_pkts = \d+ flow_uuid = [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} tcp_flags = 0 setup_time = \d+ action = pass sg_rule_uuid = 62452913-c895-4f02-a152-e4887090e3b4 nw_ace_uuid = c8717e49-fb90-436d-8fe8-d7d9e24d39b5 underlay_source_port = \d+ ] reverse_flow_info= \[ logged_bytes = \d+ logged_pkts = \d+ flow_uuid = [0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} tcp_flags = 0 setup_time = \d+ action = pass sg_rule_uuid = 62452913-c895-4f02-a152-e4887090e3b4 nw_ace_uuid = c8717e49-fb90-436d-8fe8-d7d9e24d39b5 underlay_source_port = \d+ ] vm = 576abcb9-087a-45da-bcbb-2dd960c80bca other_vrouter_ip = 10.10.10.9 underlay_proto = 2 ], ] ] ], ] ] ]"
session log seen in agent file:
[ vmi = default-domain:ctest-SecurityLogging-62453854:4b97fc45-dd8e-437f-9f84-967a1e6388d3 vn = default-domain:ctest-SecurityLogging-62453854:ctest-vn-23374218 ] security_policy_rule = 00000000-0000-0000-0000-000000000001 remote_vn = default-domain:ctest-SecurityLogging-62453854:ctest-vn-72151247 is_client_session = 1 is_si = 0 vrouter_ip = 10.10.10.8 local_ip = 194.124.216.3 service_port = 0 protocol = 1 logged_forward_bytes = 98 logged_forward_pkts = 1 logged_reverse_bytes = 84 ip = 76.27.77.3 port = 1672 forward_flow_info= [ logged_bytes = 98 logged_pkts = 1 flow_uuid = b232e21f-88a5-40f2-a7dc-aedb198c2b87 tcp_flags = 0 setup_time = 1539693126283710 action = pass sg_rule_uuid = 62452913-c895-4f02-a152-e4887090e3b4 nw_ace_uuid = c8717e49-fb90-436d-8fe8-d7d9e24d39b5 underlay_source_port = 59521 ] reverse_flow_info= [ logged_bytes = 84 logged_pkts = 1 flow_uuid = ab21ef37-89f8-4db0-a664-a3a6fc378daa tcp_flags = 0 setup_time = 1539693126283710 action = pass sg_rule_uuid = 62452913-c895-4f02-a152-e4887090e3b4 nw_ace_uuid = c8717e49-fb90-436d-8fe8-d7d9e24d39b5 underlay_source_port = 57159 ] vm = 576abcb9-087a-45da-bcbb-2dd960c80bca other_vrouter_ip = 10.10.10.9 underlay_proto = 2 ]
As per Arvind:
log_flow - deprecated
use_syslog - deprecated
log_local- log_local was meant to see all sandesh msgs locally not just flow msgs. I think we have to retain the flag, however the sandesh library has to be changed
To ignore it for flow messages (as it can result in session messages appearing twice otherwise).