Export CNS (Cilium) Logs via Syslog
Problem to solve
CNS users need visibility into the traffic passing through Cilium and the resulting decision (allow, log, block). Without it, tuning Cilium rules is difficult because there is no easy way to verify that a rule behaves as designed. The current alternative, shelling into each container to read the logs, is inefficient for customers with many environments or containers, and presents the information in a format that is hard to interpret quickly. Ultimately, customers need an easy way to determine whether their Cilium rules are functioning as designed and which attacks are being made against their applications.
Intended users
Proposal
Note: some customers may choose to send the logs to a central logging solution before forwarding them on to a SIEM. The solution needs to work for this use case as well.
Assumption: Nearly all GitLab Ultimate users are running a SIEM
Assumption: The customer will be responsible for ensuring a networking route exists between the SIEM and the deployed environment
- Users will be able to configure and save global settings to have Cilium logs exported to a SIEM or Central Logging Solution
- Global settings will be configured on the Settings -> Integration page and will include the following:
- IP address or hostname
- Port
- Protocol (UDP or TCP). Both are plaintext syslog transports with no encryption or sender authentication, so the path between the cluster and the SIEM must be a trusted network (see the networking assumption above); UDP additionally drops messages silently under load, so TCP is the safer choice where the SIEM needs a complete record
- The format will be JSON, sent via the Syslog protocol, and will not be customizable
- Each syslog message will carry exactly one JSON object on a single line
- Global settings will be applied for all environments where Cilium is deployed
- Changes to global settings will be pushed to any environments where Cilium is already running
- Syslog messages will be sent directly from the Kubernetes cluster to the configured host and port
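To make the wire contract above concrete, here is an added example (not GitLab or Cilium code): one single-line JSON event per RFC 5424 syslog message, the LF framing a TCP receiver needs to recover message boundaries, and the per-destination verdict count a SIEM query would run to confirm a rule is working. The event field names (`verdict`, `source`, `destination`, `l4`) and the verdict-to-severity mapping are assumptions made for this example, not Cilium's actual schema; the sample events are constructed.

```python
"""Added example (not GitLab or Cilium code): the wire format this proposal
describes, namely one single-line JSON event per syslog message (RFC 5424
header, plaintext UDP or TCP), plus the receiver side a SIEM or central
logger needs. The event fields are a constructed sample, NOT Cilium's schema."""
import json
import socket

# Constructed sample events. Field names are an assumption for this example,
# loosely modelled on flow-style output; Cilium's own JSON may differ.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T10:00:00Z", "verdict": "FORWARDED",
     "source": {"namespace": "prod", "pod": "web-1"},
     "destination": {"namespace": "prod", "pod": "api-2", "port": 8080}, "l4": "TCP"},
    {"time": "2021-03-01T10:00:01Z", "verdict": "DROPPED",
     "source": {"namespace": "prod", "pod": "web-1"},
     "destination": {"namespace": "prod", "pod": "db-0", "port": 5432}, "l4": "TCP"},
]

FACILITY_LOCAL0 = 16
# This example's own mapping of verdicts onto syslog severities, so a SIEM can
# alert on drops from the PRI field alone (4=warning, 5=notice, 6=informational).
SEVERITY_BY_VERDICT = {"DROPPED": 4, "AUDIT": 5, "FORWARDED": 6}


def to_syslog(event, hostname="cilium-node-1", appname="cilium"):
    """Render one event as RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_BY_VERDICT.get(event["verdict"], 5)
    msg = json.dumps(event, separators=(",", ":"))  # compact, one object per line
    if "\n" in msg or "\r" in msg:
        raise ValueError("one JSON object per line: no embedded newlines allowed")
    return f"<{pri}>1 {event['time']} {hostname} {appname} - - - {msg}"


def parse_syslog(line):
    """Inverse of to_syslog: split the seven header fields, decode the JSON body."""
    parts = line.split(" ", 7)
    if len(parts) != 8 or not parts[0].startswith("<") or ">" not in parts[0]:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(parts[0][1:parts[0].index(">")])
    return {"facility": pri // 8, "severity": pri % 8,
            "hostname": parts[2], "appname": parts[3], "event": json.loads(parts[7])}


def frame_tcp(events):
    """TCP is a byte stream with no message boundaries: RFC 6587 LF framing."""
    return b"".join(to_syslog(e).encode("utf-8") + b"\n" for e in events)


class LineFramer:
    """Receiver-side reassembly: one recv() may return half a line or several lines."""
    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        self._buf += chunk
        *lines, self._buf = self._buf.split(b"\n")  # keep the unterminated tail
        return [l.decode("utf-8") for l in lines if l]


def verdict_counts(parsed):
    """The tuning check the proposal motivates: verdicts per destination."""
    counts = {}
    for p in parsed:
        d, v = p["event"]["destination"], p["event"]["verdict"]
        key = f"{d['namespace']}/{d['pod']}:{d['port']}"
        counts.setdefault(key, {})[v] = counts.get(key, {}).get(v, 0) + 1
    return counts


def main():
    # Loopback round trip over both transports the proposal offers.
    udp_rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_rx.bind(("127.0.0.1", 0))
    udp_tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for e in SAMPLE_EVENTS:  # UDP: one datagram per message, no framing needed
        udp_tx.sendto(to_syslog(e).encode("utf-8"), udp_rx.getsockname())
    udp_got = [parse_syslog(udp_rx.recv(65535).decode("utf-8")) for _ in SAMPLE_EVENTS]

    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    tcp_tx = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    tcp_tx.sendall(frame_tcp(SAMPLE_EVENTS))
    tcp_tx.close()
    framer, tcp_got = LineFramer(), []
    while chunk := conn.recv(4096):
        tcp_got += [parse_syslog(l) for l in framer.feed(chunk)]
    for s in (udp_tx, udp_rx, conn, srv):
        s.close()
    print("udp:", verdict_counts(udp_got))
    print("tcp:", verdict_counts(tcp_got))


if __name__ == "__main__":
    main()
```

Two points the code makes that the bullets do not: a TCP receiver cannot rely on one `recv()` returning one message, so "one line per message" only holds if the sender terminates every message with LF (or uses RFC 6587 octet counting) and the receiver buffers; and a central logging solution sitting in front of the SIEM only needs to preserve that line boundary to pass the JSON through untouched.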
Designs
Not Required Functionality
Functionality that is planned for the future but is not required to meet the requirements of this issue includes the following:
- The ability to view the logs directly in GitLab will not be considered at this point
Permissions and Security
Permissions should be consistent with the GitLab permission model
Documentation
Documentation for Container Network Security needs to be updated to describe how to configure the CNS SIEM settings.
Availability & Testing
The following tests will be performed as appropriate:
- Unit tests
- End-to-end tests
- Test with at least one SIEM (Note: nearly every SIEM accepts Syslog input, so testing against one to confirm connectivity and parsing is adequate)
What does success look like, and how can we measure that?
Success Criteria:
- Users are able to view their Cilium logs in a SIEM
Acceptance Criteria:
- Latency from the time a log is generated to when it is sent to the SIEM is not greater than one minute