About iptables logs
iptables logs are produced by policy audit mode, or by using the Log action in either a Network Policy or a Global Network Policy. These logs are written to syslog (specifically the /dev/log socket) on the nodes where the events are generated. Collection, rotation and other management of these logs is provided by your syslog agent, for example journald or rsyslogd.
Policy audit mode
Calico Cloud adds a Felix option, DropActionOverride, that configures how the Deny action in a Rule is interpreted. It can add logs for denied packets, or even allow the traffic through. See the Felix configuration reference for information on how to configure this option.
DropActionOverride controls what happens to each packet that is denied by the current Calico Cloud policy, i.e., by the ordered combination of all the configured policies and profiles that apply to that packet. It may be set to one of the following values: Drop, Accept, LogAndDrop or LogAndAccept.
Normally the Drop or LogAndDrop value should be used, as dropping a packet is the obvious implication of that packet being denied. However, when experimenting, or debugging a scenario that is not behaving as you expect, the Accept and LogAndAccept values can be useful: the packet will then still be allowed through. Remember to revert to Drop or LogAndDrop afterwards, since an Accept value makes every Deny rule on the node ineffective.
When one of the LogAnd* values is set, each denied packet is logged to syslog with an entry like this:
May 18 18:42:44 ubuntu kernel: [ 1156.246182] calico-drop: IN=tunl0 OUT=cali76be879f658 MAC= SRC=192.168.128.30 DST=192.168.157.26 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=56743 DF PROTO=TCP SPT=56248 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xa000000
Because every denied packet produces an entry, the LogAnd* values can generate a large log volume on a busy node; plan for that before enabling them fleet-wide.
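The log entry above is a standard netfilter LOG line with the calico-drop prefix, so it is easy to turn into structured events for triage. The following is an added example, not code from the Calico Cloud project or its documentation: it parses calico-drop entries out of a syslog excerpt, skips unrelated kernel lines, classifies each drop by whether it was heading into or out of a local workload (Calico names workload veth interfaces cali*), and counts denied flows by source, destination, protocol and port. The first sample line is the one quoted above; the remaining lines are constructed for illustration.

```python
"""Parse Calico `calico-drop:` kernel log entries from syslog and summarize them."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input. The first entry is the one quoted in the text; the
# other entries (a second SYN to the same pod, a DNS query leaving a pod, and an
# unrelated kernel message that must be ignored) are invented for illustration.
SAMPLE_LOG = """\
May 18 18:42:44 ubuntu kernel: [ 1156.246182] calico-drop: IN=tunl0 OUT=cali76be879f658 MAC= SRC=192.168.128.30 DST=192.168.157.26 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=56743 DF PROTO=TCP SPT=56248 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xa000000
May 18 18:42:45 ubuntu kernel: [ 1157.101933] calico-drop: IN=tunl0 OUT=cali76be879f658 MAC= SRC=192.168.128.30 DST=192.168.157.26 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=56744 DF PROTO=TCP SPT=56250 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0xa000000
May 18 18:42:46 ubuntu kernel: [ 1158.334107] calico-drop: IN=cali1a2b3c4d5e6 OUT= MAC=ee:ee:ee:ee:ee:ee:2a:4f:91:c3:7d:0e:08:00 SRC=192.168.157.26 DST=10.96.0.10 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=41823 DPT=53 LEN=53 MARK=0x10000
May 18 18:42:47 ubuntu kernel: [ 1159.000000] eth0: link becomes ready
"""

# Syslog timestamp, host, "kernel:" tag, bracketed uptime, then the calico-drop prefix.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[ *[\d.]+\] calico-drop: (?P<rest>.*)$"
)


@dataclass
class DropEvent:
    ts: str
    host: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    flags: Tuple[str, ...]


def _split_fields(rest: str) -> Tuple[Dict[str, str], List[str]]:
    """Separate KEY=value tokens from bare flag tokens such as DF and SYN.

    Empty values ('MAC=', 'OUT=') are kept as empty strings. When a key repeats
    (UDP entries carry the IP LEN and then the UDP LEN) the first value wins.
    """
    kv: Dict[str, str] = {}
    flags: List[str] = []
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv.setdefault(key, value)
        else:
            flags.append(tok)
    return kv, flags


def _port(value: Optional[str]) -> Optional[int]:
    # ICMP entries have no SPT/DPT; report None rather than a fake port.
    return int(value) if value is not None and value.isdigit() else None


def parse_drop_line(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a calico-drop entry, or None for any other line."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    kv, flags = _split_fields(m.group("rest"))
    return DropEvent(
        ts=m.group("ts"),
        host=m.group("host"),
        in_if=kv.get("IN", ""),
        out_if=kv.get("OUT", ""),
        src=kv.get("SRC", ""),
        dst=kv.get("DST", ""),
        proto=kv.get("PROTO", ""),
        spt=_port(kv.get("SPT")),
        dpt=_port(kv.get("DPT")),
        flags=tuple(flags),
    )


def parse_log(text: str) -> List[DropEvent]:
    events = [parse_drop_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def direction(ev: DropEvent) -> str:
    """Classify by interface name: Calico's workload veths are named cali*, so
    OUT=cali* means the packet was headed into a local pod and IN=cali* that it
    came out of one. Anything else (e.g. tunl0 to tunl0) is host or transit traffic."""
    if ev.out_if.startswith("cali"):
        return "to-workload"
    if ev.in_if.startswith("cali"):
        return "from-workload"
    return "other"


def summarize(events: List[DropEvent]) -> Counter:
    """Count denied flows by (src, dst, proto, dpt), the first view you want when
    deciding whether a deny is expected or a policy gap."""
    return Counter((e.src, e.dst, e.proto, e.dpt) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in summarize(evs).most_common():
        print(n, key, direction(next(e for e in evs if (e.src, e.dst, e.proto, e.dpt) == key)))
```

Feed it `journalctl -k` or `/var/log/kern.log` output from a node; the summary shows which flows are being denied repeatedly, and the direction tells you whether the missing rule belongs in an ingress or an egress policy.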
Note that Denied Packet Metrics are independent of the DropActionOverride setting. Specifically, if packets that would normally be denied are being allowed through by a setting of LogAndAccept, those packets still contribute to the denied packet metrics as normal.
For example, to configure a node called myhost to log then drop denied packets, edit the FelixConfiguration object for that node:
kubectl patch felixconfiguration.p node.myhost --type='merge' -p \
  '{"spec":{"dropActionOverride":"LogAndDrop"}}'
Confirm the change with kubectl get felixconfiguration.p node.myhost -o yaml. For a global setting, modify the default FelixConfiguration resource instead; a per-node FelixConfiguration overrides the global value on that node.