Re: I: R: Re: Log connections from security groups - bosh lite

CF Runtime

We had similar problems on Bosh Lite. Because of the way containers are
made, this feature won't work on a Bosh Lite environment.

Zak & Joseph
CF Runtime Team

On Sun, Jun 14, 2015 at 11:25 PM, Michael Grifalconi <
michael.grifalconi(a)> wrote:

Hello all,

as I had no response, and I wasn't able to progress, I'm bumping this
email from last week

Thank you!

Best regards,

-------- Messaggio originale --------
Da: *"Michael Grifalconi" *<michael.grifalconi(a)>
Data: 08/giu/15 9:31:55 m.
Oggetto: R: Re: [cf-dev] Log connections from security groups - bosh lite
A: Discussions about Cloud Foundry projects and the system overall. <

Hello, I post some more info:

- Kernel logging is enabled because inside the DEA, i can see:

*cat /etc/rsyslog.conf*
*$IncludeConfig /etc/rsyslog.d/*.conf*

*cat /etc/rsyslog.d/enable-kernel-logging.conf*

*$ModLoad imklog*

- after pushing an app, I see on the DEA the correct rules:

-A warden-i-18nvgifiemi -p tcp -m tcp --dport 80 -g
-A warden-i-18nvgifiemi-log -p tcp -m conntrack --ctstate
INVALID,NEW,UNTRACKED -j LOG --log-prefix "warden-i-18nvgifiemi "

- but on */var/log/messages* I only get:

*Jun 8 07:03:26 localhost kernel: [ 3256.433021] IPv6:
ADDRCONF(NETDEV_CHANGE): w-18nvgifiemg-0: link becomes ready*

- the php application pushed:

*xx(a)boshClient:~/myPhpApp$ cat index.php*
* <head>*
* <title>PHP Test</title>*
* </head>*

* <body>*
* <?php*
* echo '<p>Hello PHP from the server
* echo $_SERVER['SERVER_ADDR'];*
* echo '<p>hi from hostname:</p>';*
* $curl = curl_init();*
*curl_setopt($curl, CURLOPT_URL, 'http://xxxxxxx <http://xxxxxxx>');*
*$result = curl_exec($curl);*
* echo gethostname();*
* ?>*
* </body>*


- When I browse this application page, I see the page from the
webserver on xxxx called from curl, but I don't get ant log.

- *bosh stemcells*

*| Name | Version | CID

*| bosh-warden-boshlite-ubuntu-trusty-go_agent | 2776* |
c5ac6590-13ec-4ba2-6fa9-e78cf553c4e6 |*


- *xx(a)boshClient:~$ cf security-groups*

*Getting security groups as admin*

* Name Organization Space*
*#0 public_networks*
*#1 dns*
*#2 logging myOrg myDevSpace*

- *xx(a)boshClient:~$ cf security-group logging*

*Getting info for security group logging as admin*

*Name logging*
* [*
* {*
* "destination": " <>",*
* "log": true,*
* "ports": "80",*
* "protocol": "tcp"*
* }*
* ]*

* Organization Space*
*#0 myOrg myDevSpace*

- *tried with protocol: all and :tcp and the port where my local
apache server on LAN is listening.*

Any suggestion is appreciated!


Il 06/06/15 09:25, *Dieu Cao * <dcao(a)> ha scritto:

Yes, I do recall that the feature did not work on bosh-lite but that was
when kernel logging was disabled on the trusty stemcell.

Michael, could you send the json for the application security group you've
applied to the space you're looking at?

CF Runtime PM

On Fri, Jun 5, 2015 at 5:48 PM, James Bayer <jbayer(a)> wrote:

i seem to remember something about app security group logging having an
issue with bosh-lite that isn't present when you have a DEA in a VM. i
remember something about that. i'll see if dieu remembers.

On Fri, Jun 5, 2015 at 1:06 PM, Michael <
michael.grifalconi(a)> wrote:


as you suggested, I looked deeper in this matter, and I can see that on
the DEA VM:

I get the right iptables rules, but I still can not see the logs on

[Im using bosh-lite, latest stemcell, CF version 207]

Do you know what should I do to allow this information to be logged?


Thank you!

Best regards,


Per destinare il 5x1000 all'Universita' degli Studi di Milano: indicare
nella dichiarazione dei redditi il codice fiscale 80012650158.

cf-dev mailing list

Thank you,

James Bayer

cf-dev mailing list

cf-dev mailing list

Join { to automatically receive all group messages.