AKS -Action Log

I’m working on some network policies in AKS. I noticed that we currently can’t do a default deny using a global network policy because the name selector doesn’t work until you are version v3.11 and AKS currently installs v3.8.9. Another thing we are doing is trying to log all hits to the rules using “-Action Log” and unable to retrieve the logs. Its really a simple question I’m curious if I’m running into another version issue of when the action for log was added to calico or if its always been there? This would save me a bunch of time trying to get the logs. I’ve been using this deployment but the pods never appear to grab the logs from the host.

I hope I’m not taking crazy pills and v3.8.9 just doesn’t have the log function. I’m all for diving through release notes just wondering if someone knows off the top of their head? Also is there a location for historical release notes ?

Thanks!

definitely shows Log as a valid action.

In the following example, incoming TCP traffic to an application is denied, and each connection attempt is logged to syslog.

Are you looking in syslog for the logs? They won’t appear in the pod logs…

I’m not sure what you mean by “name selector”; do you mean “namespaceSelector”? I’m not 100% sure, but I thought that global network policies matches all namespaces before the namespaceSelector was added.

Log has always been there, but the log is issued from iptables itself so it goes to syslog/kernel log/dmnsg/etc depending on your distro and kernel.

If you’re looking for a solid way to figure out which rules are being hit, you may want to check our Calico Enterprise; it has a GUI that does exactly that.

Thanks for the reply. Yes I was referring to namespaceSelector, and this was the discussion about AKS using an old version.

I was able to gain ssh access to the node and discovered that it was writing to /var/log/syslog.1 so I modified the deployment and see the calico-packet logs. Does anyone know of any documentation for the syslog fields? It doesn’t appear to have a field for allow or deny in the log. I can guess most of the fields, it just my security team is going to care more about if it was an allow or a deny. These will eventually make it to a log analytics workspace then to splunk for searching.

Dec 22 18:26:49 nodename kernel: [686879.577344] calico-packet: IN=eth0 OUT=azv204d22f3118 MAC=00:22:48:44:62:15:c0:d6:82:94:e6:49:08:00 SRC=172.16.208.33 DST=172.16.208.28 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=25858 DF PROTO=TCP SPT=33374 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0

Thanks for any help

The log action only tells you one thing “the packet hit the log rule”. It doesn’t tell you whether the packet was dropped or allowed in the end. Calico Enterprise is the way to go if you have a security team who need flow logs of denied/allowed packets; its one of its core features.