Enable CADF notifications in other OpenStack services

Enable CADF notifications in other OpenStack services

To enable notification in the CADF format for other OpenStack services, define the audit filter in the api-paste.ini configuration file of an OpenStack service and include the audit filter into WSGI pipeline.

For example, to enable CADF notifications in the Compute service, follow the steps below:

  1. Add the definition of the audit filter to /etc/nova/api-paste.ini:

    paste.filter_factory = keystonemiddleware.audit:filter_factory
    audit_map_file = /etc/nova/api_audit_map.conf
  2. Download api_audit_map.conf for Nova from the PyCADF repository:

    cd /etc/nova/
    wget https://raw.githubusercontent.com/openstack/pycadf/master/etc/pycadf/nova_api_audit_map.conf -O api_audit_map.conf
  3. Add the audit filter into the Compute WSGI pipeline. For example:

    use = call:nova.api.auth:pipeline_factory_v21
    noauth2 = cors compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
    keystone = cors compute_req_id faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v21
  4. (Optional) Specify the service name and requests to be ignored by the filter:

    service_name = test # opt to set HTTP_X_SERVICE_NAME environ variable
    ignore_req_list = GET,POST # opt to ignore specific requests
  5. Add the notification condition into the default section of nova.conf:

  6. Set a notification driver in nova.conf by specifying one of the possible values: messaging, messagingv2, routing, log, test, noop for the driver option in the oslo_messaging_notifications section:

    driver = messagingv2


    You can specify multiple notification drivers, for example, messagingv2 and log to send a notification to both: RabbitMQ and a local service log.

  7. (Optional) Set an AMQP topic and custom transport URL. For example:


    By default, notifications are sent to the notifications.info queue in RabbitMQ. You do not need to specify transport_url and topics in this case.

    transport_url = rabbit://{{ rabbitmq.user }}:{{ rabbitmq.password }}@{{ address('rabbitmq', rabbitmq.port) }}
    topics = nova_notifications
  8. Restart the Compute WSGI server:

    service nova-api restart
  9. Verify if the Compute service sends notifications in the CADF format.

    • If the notification driver is set to log, examine /var/log/nova/nova-api.log.

    • If the notification driver is set to messaging or messagingv2, see the RabbitMQ messages in the notifications.info queue set by default or in the queue with the name specified in the topic option.

    • Use Ceilometer CLI to show the event of certain type:

      ceilometer event-list --query event_type=<EVENT_TYPE>

Example of a JSON-formatted CADF notification:

 "_context_auth_token": "gAAAAABYifp1XvXY0S8yD8yav7hmqWRmFgy4gUwx1ryyEKxrrD7mIGpTOIItG71sOlhbUM9yzhDDSGe4ZBBQk554SU0qrhvINdAP1Jv6hEBwf1J27VWLIWLU5FVnBN1lv0vL26z2Vt3LKac_oYbvwpFByP_4lveza-cHk9fr2fnN0FPFvgPumiqqC0tyQG_ylYtdhSW5aepN",
  "_context_domain": null,
  "_context_instance_lock_checked": false,
  "_context_is_admin": true,
  "_context_project_domain": null,
  "_context_project_id": "298ace13a3bf4674a8af28286569f2d7",
  "_context_project_name": "admin",
  "_context_quota_class": null,
  "_context_read_deleted": "no",
  "_context_read_only": false,
  "_context_remote_address": "",
  "_context_request_id": "req-f6b96abc-89ed-4a5c-afec-eacc05070568",
  "_context_resource_uuid": null,
  "_context_roles": [
  "_context_service_catalog": [
     "endpoints": [
        "adminURL": "",
        "internalURL": "",
        "publicURL": "https://public.fuel.local:8776/v2/298ace13a3bf4674a8af28286569f2d7",
        "region": "RegionOne"
    "name": "cinderv2",
    "type": "volumev2"
    "endpoints": [
        "adminURL": "",
        "internalURL": "",
        "publicURL": "https://public.fuel.local:8776/v1/298ace13a3bf4674a8af28286569f2d7",
        "region": "RegionOne"
    "name": "cinder",
    "type": "volume"
  "_context_show_deleted": false,
  "_context_tenant": "298ace13a3bf4674a8af28286569f2d7",
  "_context_timestamp": "2017-01-26T14:11:10.768205",
  "_context_user": "42ca947ab83c4b86b843fccd36826a21",
  "_context_user_domain": null,
  "_context_user_id": "42ca947ab83c4b86b843fccd36826a21",
  "_context_user_identity": "42ca947ab83c4b86b843fccd36826a21
  298ace13a3bf4674a8af28286569f2d7 - - -",
  "_context_user_name": "admin",
  "_unique_id": "8d688a79bf7b418380d2ad7b8f133b89",
  "event_type": "compute.instance.update",
  "message_id": "805ad852-1807-469b-a06e-b428b6916e87",
  "payload": {
    "access_ip_v4": null,
    "access_ip_v6": null,
    "architecture": null,
    "audit_period_beginning": "2017-01-01T00:00:00.000000",
    "audit_period_ending": "2017-01-26T14:11:11.078799",
    "availability_zone": "nova",
    "bandwidth": {},
    "cell_name": "",
    "created_at": "2017-01-26 13:26:53+00:00",
    "deleted_at": "",
    "disk_gb": 0,
    "display_name": "111",
    "ephemeral_gb": 0,
    "host": "node-7.domain.tld",
    "hostname": "111",
    "image_meta": {
    "base_image_ref": "22cf0b00-c01a-4158-b5f6-d5ee67f9db0f",
    "container_format": "bare",
    "disk_format": "qcow2",
    "min_disk": "0",
    "min_ram": "64"
    "image_ref_url": "",
    "instance_flavor_id": "f786e6cf-3af9-4169-a95f-1478cfedcc8d",
    "instance_id": "40ab92ca-1c69-445e-b592-fe0b46d0ad9d",
    "instance_type": "m1.micro",
    "instance_type_id": 16,
    "kernel_id": "",
    "launched_at": "2017-01-26T13:30:40.000000",
    "memory_mb": 64,
    "metadata": {},
    "new_task_state": "deleting",
    "node": "node-7.domain.tld",
    "old_state": "active",
    "old_task_state": "deleting",
    "os_type": null,
    "progress": "",
    "ramdisk_id": "",
    "reservation_id": "r-f9fg0oxe",
    "root_gb": 0,
    "state": "active",
    "state_description": "deleting",
    "tenant_id": "298ace13a3bf4674a8af28286569f2d7",
    "terminated_at": "",
    "user_id": "42ca947ab83c4b86b843fccd36826a21",
    "vcpus": 1
  "priority": "INFO",
  "publisher_id": "compute.node-6.domain.tld",
  "timestamp": "2017-01-26 14:11:11.106855"