R: Re: Log connections from security groups - bosh lite

Michael Grifalconi <michael.grifalconi@...>

Hello, I post some more info:

Kernel logging is enabled because inside the DEA, I can see:

cat /etc/rsyslog.conf
$IncludeConfig /etc/rsyslog.d/*.conf

cat /etc/rsyslog.d/enable-kernel-logging.conf

$ModLoad imklog

After pushing an app, I see on the DEA the correct rules:

-A warden-i-18nvgifiemi -p tcp -m tcp --dport 80 -g warden-i-18nvgifiemi-log
-A warden-i-18nvgifiemi-log -p tcp -m conntrack --ctstate INVALID,NEW,UNTRACKED -j LOG --log-prefix "warden-i-18nvgifiemi "

but on /var/log/messages I only get:

Jun 8 07:03:26 localhost kernel: [ 3256.433021] IPv6: ADDRCONF(NETDEV_CHANGE): w-18nvgifiemg-0: link becomes ready

the php application pushed:

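xx@boshClient:~/myPhpApp$ cat index.php
<title>PHP Test</title>
<?php
echo '<p>Hello PHP from the server at:</p>';
echo '<p>hi from hostname:</p>';
// CURLOPT_RETURNTRANSFER is not set, so curl_exec() writes the fetched page
// straight into the response instead of returning it.
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, 'http://xxxxxxx');
$result = curl_exec($curl);
echo gethostname();
?>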


When I browse this application page, I see the page from the webserver on xxxx called from curl, but I don't get any log.

bosh stemcells

| Name | Version | CID |
| bosh-warden-boshlite-ubuntu-trusty-go_agent | 2776* | c5ac6590-13ec-4ba2-6fa9-e78cf553c4e6 |

xx@boshClient:~$ cf security-groups

Getting security groups as admin

Name Organization Space
#0 public_networks
#1 dns
#2 logging myOrg myDevSpace

xx@boshClient:~$ cf security-group logging

Getting info for security group logging as admin

Name logging
"destination": "",
"log": true,
"ports": "80",
"protocol": "tcp"

Organization Space
#0 myOrg myDevSpace

Tried with protocol: all and :tcp and the port where my local apache server on LAN is listening.

Any suggestion is appreciated!
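
The check described in the message above (LOG rules are installed, but do any matching kernel lines reach the log file?) as an added example that is not part of the original post. The two rules and the first kernel line are the ones quoted above; the second kernel line, with its addresses and ports, is constructed, and the function names are hypothetical.

```python
import re
import shlex

# The two rules and the first kernel line are quoted from the message above.
RULES = """\
-A warden-i-18nvgifiemi -p tcp -m tcp --dport 80 -g warden-i-18nvgifiemi-log
-A warden-i-18nvgifiemi-log -p tcp -m conntrack --ctstate INVALID,NEW,UNTRACKED -j LOG --log-prefix "warden-i-18nvgifiemi "
"""
PAGE_SYSLOG = ("Jun 8 07:03:26 localhost kernel: [ 3256.433021] IPv6: "
               "ADDRCONF(NETDEV_CHANGE): w-18nvgifiemg-0: link becomes ready\n")
# Constructed line (addresses, ports and timestamp are made up) in the shape
# the kernel's LOG target writes: the prefix followed by KEY=VALUE fields.
CONSTRUCTED_HIT = ("Jun 8 07:05:10 localhost kernel: [ 3360.120000] "
                   "warden-i-18nvgifiemi IN=w-18nvgifiemg-0 OUT=eth0 MAC= "
                   "SRC=10.244.0.2 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=80 SYN\n")

KERNEL = re.compile(r"kernel: \[\s*[\d.]+\] (?P<msg>.*)$")

def log_rules(rules_text):
    """Return {log prefix: {"chain", "states"}} for every '-j LOG' rule."""
    found = {}
    for line in rules_text.splitlines():
        tok = shlex.split(line)  # keeps the quoted prefix, trailing space included
        if "-j" not in tok or tok[tok.index("-j") + 1] != "LOG":
            continue
        prefix = tok[tok.index("--log-prefix") + 1] if "--log-prefix" in tok else ""
        states = tok[tok.index("--ctstate") + 1].split(",") if "--ctstate" in tok else []
        found[prefix] = {"chain": tok[tok.index("-A") + 1], "states": states}
    return found

def hits(syslog_text, prefix):
    """Parse kernel lines that start with `prefix` into dicts of their fields."""
    events = []
    for line in syslog_text.splitlines():
        m = KERNEL.search(line)
        if m and prefix and m.group("msg").startswith(prefix):
            events.append(dict(re.findall(r"(\w+)=(\S*)", m.group("msg"))))
    return events

def report(rules_text, syslog_text):
    """Map each LOG prefix to its events; [] means rule installed, nothing logged.
    Packets of an already established connection do not match the --ctstate
    list above, so expect entries for new connections, not for every packet."""
    return {p: hits(syslog_text, p) for p in log_rules(rules_text)}

if __name__ == "__main__":
    for name, text in (("page", PAGE_SYSLOG), ("page + constructed", PAGE_SYSLOG + CONSTRUCTED_HIT)):
        for prefix, events in report(RULES, text).items():
            print(name, repr(prefix), len(events), "event(s)", events)
```

On a live DEA the inputs would be the output of `iptables -S` and the contents of /var/log/messages in place of the embedded strings.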


On 06/06/15 09:25, Dieu Cao <dcao(a)pivotal.io> wrote:

Yes, I do recall that the feature did not work on bosh-lite but that was when kernel logging was disabled on the trusty stemcell.

Michael, could you send the json for the application security group you've applied to the space you're looking at?

CF Runtime PM

On Fri, Jun 5, 2015 at 5:48 PM, James Bayer <jbayer(a)pivotal.io> wrote:

i seem to remember something about app security group logging having an issue with bosh-lite that isn't present when you have a DEA in a VM. i remember something about that. i'll see if dieu remembers.

On Fri, Jun 5, 2015 at 1:06 PM, Michael <michael.grifalconi(a)studenti.unimi.it> wrote:


as you suggested, I looked deeper in this matter, and I can see that on the DEA VM:

I get the right iptables rules, but I still can not see the logs on /var/log/messages

[I'm using bosh-lite, latest stemcell, CF version 207]

Do you know what I should do to allow this information to be logged?


Thank you!

Best regards,




cf-dev mailing list


Thank you,

James Bayer
