we plan an application where user’s could dynamically request access to services.
For this concept we also plan to track usage and do some ‘expiry’ of the requested access. Are there any hints on this?
The ‘closest’ thing i’ve found is
fabric list circuits
ziti@ziti-controller-5db6867b48-gnfvl:/persistent$ ziti fabric list circuits
│ ID │ CLIENT │ SERVICE │ TERMINATOR │ PATH │
│ 0OqhJAzoU │ cle3xd0o210oi01a828fi2bpt │ central.jumpy-guaca.svc │ 1ea7c0c6-c65b-4a30-995e-d4283f6341dd │ r/core-router │
│ 9xlKKkroU │ cleyd9hzf4oym01a82lhrdfo0 │ central.default.svc │ 461bdecc-12fc-4d6e-87ad-70b5ec910ee4 │ r/core-router │
│ DHpoJJrx8 │ cleyd9gsv4oyj01a8zqm9gs9s │ central.jumpy-guaca.svc │ 886bff38-4bf9-4df9-81b1-3256463148c8 │ r/core-router │
From here it seems I could get the details. But (especially for HTTP Browser/Rest requests) it seems to be short-lived - so I have to pull and parse it quite often. Is there a way to get this streamed? Or a way to specify a time frame, i.e. give me all circuits that have been active during the last 5 mins?
I assume i also can get this via API. But it seems the fabric API is currently not published: Fabric APIs | OpenZiti - is there a way to get the OpenAPI schema i.e. directly from the controller?
Maybe there is even a better option
Thanks & Bye,
The logging is quite extensive, including utilization logging that includes the data volume per circuit (Individual data connection) and the information to ascribe this back to an identity. You’ll want to configure the logging options on the controller, then you can post process at will. There is also a Prometheus endpoint available for collection.
Look at the events section of the controller config documentation for more information on the logging configuration.
An example logging config that we use:
- type: metrics
- type: metrics
- type: metrics
- type: metrics
- type: edge.sessions
- type: fabric.circuits
- type: fabric.usage
- type: edge.apiSessions
- type: fabric.routers
- type: services
- type: edge.entityCounts
- type: fabric.terminators
- type: fabric.links
To follow up on what @mike.gorman wrote, the events are generally streamed to disk, where a separate process can do whatever needs to be done. They can also be streamed over websocket, however the websocket endpoint isn’t very useful because there’s no persistence for events so you can’t guarantee that you won’t miss events. It can be helpful for debugging, though. See
ziti fabric stream events for more details.
We do have plans to add a plugin system for events (see Add event plugin system · Issue #561 · openziti/fabric · GitHub), which will hopefully allow for more flexibility in the future.
Hi. Thanks for the feedback - That is what I need!
Also the websocket endpoint sounds quite interesting. We could implement a small process connecting to it and forwarding the events to a message queue like kafka. So the event plugin’s would be a great thing
Is there any docu on the websocket interface? Or maybe just a quick pointer to the implementation in ziti console, I could extract it from there
Thanks a lot!
The CLI client code is here: ziti/stream_events.go at release-next · openziti/ziti · GitHub
I think it would be safer to have a process reading the events file and forwarding to Kafka, just because there are fewer opportunities for race conditions. Longer term, we’re hoping the event plugins system will let us do things like feed data to Kafka directly.
Is there a way for Ziti to perform a resolution before logging?
Similar to auditd’s
log_format=enriched, I am looking for a way to be able to get human readable information in the logs.
This would be especially useful for the fields
The specific usecase for us is to log to our SIEM and detect e.g. possible violations for service use abuse and also create proof to log access to services.
There isn’t a current way to enrich the logging within OpenZiti. The information is all available via API, so an enrichment pipeline could be written. What SIEM are you using? Does it have enrichment pipelines or a processor of some sort that could add data gathered via the API to add to the stream?
Thanks, yes, that would work. I didn’t know the API was this thorough. Which API should I use here?
A fetch from the SIEM to the controller every e.g. 1 hour would be totally sufficient by using the Edge Router’s tunneler.
### Edit: ###
Found it, sorry about that: Session Types | OpenZiti
API Sessions are represented by opaque strings and are provided in the HTTP header zt-session and in Edge Router connection requests initiated by Ziti SDKs. API Sessions remain valid as long they have not timed out.
I’m just right now trying this out. How do I state the established session while making requests to the client API?
I was able to successfully authenticate to the API like here: Authentication | OpenZiti but I couldn’t find where I’ll have put the token in the upcoming requests. I assume it’s going to be an HTTP header?
You put the token in a ‘zt-session’ header. That;'s what that blurb is saying, perhaps just not clearly enough.
BTW, I posted some Grafana work at Using Grafana to view OpenZiti API's | OpenZiti It may move, so if that link doesn’t work, just search for Grafana.