To enable the CADF format notifications in the Identity service:

1. Set the notification_format option to cadf in the [DEFAULT] section of keystone.conf:

   [DEFAULT]
   notification_format = cadf
2. Set a notification driver by specifying one of the possible values (messaging, messagingv2, routing, log, test, noop) for the driver option in the [oslo_messaging_notifications] section:

   [oslo_messaging_notifications]
   driver = messagingv2
   Note: You can also use the deprecated notification_driver parameter in the [DEFAULT] section to specify a destination for notifications.
   Note: You can specify multiple notification drivers, for example messagingv2 and log, to send a notification to RabbitMQ as well as to print it to a local Keystone log.
3. (Optional) Set an AMQP topic and a custom transport URL.

   Note: By default, notifications are sent to the notifications.info queue in RabbitMQ; you do not need to specify transport_url and topics in this case.

   For example:

   [oslo_messaging_notifications]
   transport_url = rabbit://{{ rabbitmq.user }}:{{ rabbitmq.password }}@{{ address('rabbitmq', rabbitmq.port) }}
   topics = keystone_notifications
4. (Optional) You can unsubscribe from specific types of notifications by using the notification_opt_out option in the [DEFAULT] section. For example, to opt out of the noisy notifications for successful authentication, specify:

   [DEFAULT]
   notification_opt_out = identity.authenticate.success
5. Restart the Apache service for the changes to take effect:

   service apache2 restart
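The five configuration steps above can be checked mechanically before the restart. The following script is an added example, not Keystone's own code: it reads a keystone.conf with a small INI reader that keeps repeated keys as lists (oslo.config accepts driver and notification_opt_out several times, one value per line, which the standard configparser rejects), then reports whether CADF is enabled, which drivers are set, and whether an opt-out would also silence failed-authentication events, which an auditor normally wants kept. The sample configurations are constructed from the values on this page; the "basic" default for notification_format is Keystone's documented default.

```python
"""Audit the CADF notification settings in a keystone.conf (added example)."""

# Constructed sample that follows the steps on this page.
SAMPLE_CONF = """
[DEFAULT]
notification_format = cadf
notification_opt_out = identity.authenticate.success

[oslo_messaging_notifications]
driver = messagingv2
driver = log
topics = keystone_notifications
"""

# Constructed sample with the mistakes the audit is meant to catch.
BAD_CONF = """
[DEFAULT]
notification_format = basic
notification_opt_out = identity.authenticate.failure

[oslo_messaging_notifications]
driver = noop
"""

CADF_EVENT_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"
KNOWN_DRIVERS = {"messaging", "messagingv2", "routing", "log", "test", "noop"}


def parse_ini(text):
    """Minimal INI reader returning {section: {key: [value, ...]}}.

    Repeated keys are collected in order because oslo.config multi-valued
    options (driver, notification_opt_out) are written as repeated lines.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section].setdefault(key.strip(), []).append(value.strip())
    return conf


def audit_notification_config(text):
    """Return a list of findings; an empty list means the config matches
    the steps above and still records failed authentications."""
    conf = parse_ini(text)
    default = conf.get("DEFAULT", {})
    notif = conf.get("oslo_messaging_notifications", {})
    findings = []

    # For single-valued options the last occurrence wins; "basic" is
    # Keystone's default when notification_format is not set at all.
    fmt = default.get("notification_format", ["basic"])[-1]
    if fmt != "cadf":
        findings.append("notification_format is %r, expected 'cadf'" % fmt)

    # The deprecated notification_driver in [DEFAULT] is also honoured.
    drivers = notif.get("driver", []) + default.get("notification_driver", [])
    if not drivers:
        findings.append("no notification driver configured")
    for driver in drivers:
        if driver not in KNOWN_DRIVERS:
            findings.append("unknown notification driver %r" % driver)
    if drivers and set(drivers) <= {"noop", "test"}:
        findings.append("only noop/test drivers: notifications go nowhere")

    # Opting out of '*.success' is fine for noise; opting out of failures
    # removes exactly the events an audit trail exists to keep.
    for pattern in default.get("notification_opt_out", []):
        if pattern.endswith(".failure"):
            findings.append("opt-out %r drops failure events" % pattern)

    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        print(name, audit_notification_config(text) or "OK")
```

Run it against the real file with `audit_notification_config(open("/etc/keystone/keystone.conf").read())`; the Jinja placeholders in the transport_url example above are left as opaque strings by this reader, so a templated file can be checked before rendering.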
6. Verify that the Identity service sends notifications in the CADF format.

   If the notification driver is set to log, see the Keystone log /var/log/keystone/keystone-public.log. For example:
2017-01-26 09:19:01.307 27791 INFO
oslo.messaging.notification.identity.authenticate
[req-bf5a6c59-7f0f-4436-84c1-6dde1699f9cc - - - - -] {"event_type": "identity.authenticate",
"timestamp": "2017-01-26 09:19:01.241364", "payload": {"typeURI":
"http://schemas.dmtf.org/cloud/audit/1.0/event",
"initiator": {"typeURI": "service/security/account/user",
"host": {"agent": "keystoneauth1/2.3.0 python-requests/2.9.1
CPython/2.7.6", "address": "192.168.0.2"}, "user_id":
"42ca947ab83c4b86b843fccd36826a21",
"id": "42ca947ab83c4b86b843fccd36826a21"}, "target":
{"typeURI": "service/security/account/user", "id":
"17b4cc7f-0ddb-51c7-8a55-aba8304f943c"}, "observer":
{"typeURI": "service/security", "id":
"e14fa14a-fb58-55e3-b38a-0cff3f9bd6f1"},
"eventType": "activity", "eventTime": "2017-01-26T09:19:01.139486+0000",
"action": "authenticate", "outcome": "failure", "id":
"d286943b-ce61-5e98-80b4-24aa5c92980a"},
"priority": "INFO", "publisher_id": "identity.node-6.domain.tld",
"message_id": "4879d940-505d-4dbf-9005-bafafd150f0c"}
   If the notification driver is set to messaging or messagingv2, see the RabbitMQ messages in the notifications.info queue (the default) or in the queue with the name specified in the topics option. For example:
{"oslo.message": "{\"priority\": \"INFO\", \"_unique_id\": \
"950c821344064574bb401fb7bb58457f\", \"event_type\":
\"identity.authenticate\", \"timestamp\": \"2017-01-25 15:29:37.003472\",
\"publisher_id\": \"identity.node-6.domain.tld\", \"payload\":
{\"typeURI\": \"http://schemas.dmtf.org/cloud/audit/1.0/event\",
\"initiator\": {\"typeURI\": \"service/security/account/user\",
\"host\": {\"agent\": \"keystoneauth1/2.3.0 python-requests/2.9.1
CPython/2.7.6\", \"address\": \"192.168.0.2\"}, \"user_id\":
\"42ca947ab83c4b86b843fccd36826a21\", \"id\":
\"42ca947ab83c4b86b843fccd36826a21\"},
\"target\": {\"typeURI\": \"service/security/account/user\",
\"id\": \"d82204a0-d2a9-5034-affa-591d15a9391b\"}, \"observer\":
{\"typeURI\": \"service/security\", \"id\":
\"da9440a8-71ed-5a61-b747-9fc06164c2ee\"},
\"eventType\": \"activity\", \"eventTime\":
\"2017-01-25T15:29:36.316527+0000\",
\"action\": \"authenticate\", \"outcome\": \"failure\", \"id\":
\"c5cf0d09-d7e4-5526-bf22-fd20868ed7fd\"}, \"message_id\":
\"3540d458-b03b-4c92-80bb-477e449112e5\"}", "oslo.version": "2.0"}
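The two outputs above carry the same CADF event in different wrappers: the log driver writes an oslo.log prefix followed by one JSON object, while the messaging drivers deliver an oslo.messaging envelope in which the notification is a JSON document stored as a string under "oslo.message". The script below is an added example, not Keystone or oslo.messaging code; it unwraps both forms, reduces each event to the fields a reviewer looks at first, and counts failed identity.authenticate events per initiator address, which is the starting point for alerting on repeated failures. Both sample inputs are constructed from the events shown on this page.

```python
"""Read CADF Keystone notifications from log lines and oslo envelopes (added example)."""
import json
from collections import Counter

CADF_EVENT_URI = "http://schemas.dmtf.org/cloud/audit/1.0/event"

# Constructed log line in the shape written by the 'log' driver.
LOG_LINE = (
    '2017-01-26 09:19:01.307 27791 INFO '
    'oslo.messaging.notification.identity.authenticate '
    '[req-bf5a6c59-7f0f-4436-84c1-6dde1699f9cc - - - - -] '
    '{"event_type": "identity.authenticate", "timestamp": "2017-01-26 09:19:01.241364", '
    '"payload": {"typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event", '
    '"initiator": {"typeURI": "service/security/account/user", "host": {"agent": '
    '"keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6", "address": "192.168.0.2"}, '
    '"user_id": "42ca947ab83c4b86b843fccd36826a21", "id": "42ca947ab83c4b86b843fccd36826a21"}, '
    '"target": {"typeURI": "service/security/account/user", '
    '"id": "17b4cc7f-0ddb-51c7-8a55-aba8304f943c"}, '
    '"observer": {"typeURI": "service/security", "id": "e14fa14a-fb58-55e3-b38a-0cff3f9bd6f1"}, '
    '"eventType": "activity", "eventTime": "2017-01-26T09:19:01.139486+0000", '
    '"action": "authenticate", "outcome": "failure", "id": "d286943b-ce61-5e98-80b4-24aa5c92980a"}, '
    '"priority": "INFO", "publisher_id": "identity.node-6.domain.tld", '
    '"message_id": "4879d940-505d-4dbf-9005-bafafd150f0c"}'
)

# Constructed oslo.messaging v2 envelope as read from the RabbitMQ queue;
# the inner notification is serialised to a string, as on the wire.
_INNER = {
    "priority": "INFO",
    "_unique_id": "950c821344064574bb401fb7bb58457f",
    "event_type": "identity.authenticate",
    "timestamp": "2017-01-25 15:29:37.003472",
    "publisher_id": "identity.node-6.domain.tld",
    "payload": {
        "typeURI": CADF_EVENT_URI,
        "initiator": {
            "typeURI": "service/security/account/user",
            "host": {"agent": "keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6",
                     "address": "192.168.0.2"},
            "user_id": "42ca947ab83c4b86b843fccd36826a21",
            "id": "42ca947ab83c4b86b843fccd36826a21",
        },
        "target": {"typeURI": "service/security/account/user",
                   "id": "d82204a0-d2a9-5034-affa-591d15a9391b"},
        "observer": {"typeURI": "service/security",
                     "id": "da9440a8-71ed-5a61-b747-9fc06164c2ee"},
        "eventType": "activity",
        "eventTime": "2017-01-25T15:29:36.316527+0000",
        "action": "authenticate",
        "outcome": "failure",
        "id": "c5cf0d09-d7e4-5526-bf22-fd20868ed7fd",
    },
    "message_id": "3540d458-b03b-4c92-80bb-477e449112e5",
}
ENVELOPE = json.dumps({"oslo.message": json.dumps(_INNER), "oslo.version": "2.0"})


def notification_from_log_line(line):
    """Return the notification dict from a 'log' driver line, or None when
    the line carries no JSON object (an ordinary Keystone log line)."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except ValueError:
        return None


def notification_from_envelope(raw):
    """Unwrap an oslo.messaging envelope: JSON inside JSON."""
    outer = json.loads(raw)
    return json.loads(outer["oslo.message"])


def summarize(notification):
    """Reduce a CADF notification to the fields reviewed first."""
    payload = notification["payload"]
    if payload.get("typeURI") != CADF_EVENT_URI:
        raise ValueError("payload is not a CADF event")
    initiator = payload.get("initiator", {})
    return {
        "event_type": notification["event_type"],
        "action": payload.get("action"),
        "outcome": payload.get("outcome"),
        "initiator_id": initiator.get("id"),
        "initiator_address": initiator.get("host", {}).get("address"),
        "target_id": payload.get("target", {}).get("id"),
        "event_time": payload.get("eventTime"),
    }


def failed_auth_by_address(notifications):
    """Count failed identity.authenticate events per initiator address."""
    counts = Counter()
    for notification in notifications:
        s = summarize(notification)
        if s["event_type"] == "identity.authenticate" and s["outcome"] == "failure":
            counts[s["initiator_address"]] += 1
    return counts


if __name__ == "__main__":
    events = [notification_from_log_line(LOG_LINE), notification_from_envelope(ENVELOPE)]
    print(dict(failed_auth_by_address(events)))
```

The same two functions feed a queue consumer or a log tailer; summarize() refuses payloads whose typeURI is not the CADF event URI, so a Keystone still running with notification_format = basic is noticed rather than silently producing empty counts.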
   Use the Ceilometer CLI to show events of a certain type:

   ceilometer event-list --query event_type=<EVENT_TYPE>

   The same CADF Keystone notification, formatted as an indented JSON document:
   {
     "_unique_id": "950c821344064574bb401fb7bb58457f",
     "event_type": "identity.authenticate",
     "message_id": "3540d458-b03b-4c92-80bb-477e449112e5",
     "payload": {
       "action": "authenticate",
       "eventTime": "2017-01-25T15:29:36.316527+0000",
       "eventType": "activity",
       "id": "c5cf0d09-d7e4-5526-bf22-fd20868ed7fd",
       "initiator": {
         "host": {
           "address": "192.168.0.2",
           "agent": "keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6"
         },
         "id": "42ca947ab83c4b86b843fccd36826a21",
         "typeURI": "service/security/account/user",
         "user_id": "42ca947ab83c4b86b843fccd36826a21"
       },
       "observer": {
         "id": "da9440a8-71ed-5a61-b747-9fc06164c2ee",
         "typeURI": "service/security"
       },
       "outcome": "failure",
       "target": {
         "id": "d82204a0-d2a9-5034-affa-591d15a9391b",
         "typeURI": "service/security/account/user"
       },
       "typeURI": "http://schemas.dmtf.org/cloud/audit/1.0/event"
     },
     "priority": "INFO",
     "publisher_id": "identity.node-6.domain.tld",
     "timestamp": "2017-01-25 15:29:37.003472"
   }