Hermes is an audit trail service for OpenStack, originally designed for SAP's internal Openstack Cloud.
It is named after the Futurama character, not the Greek god.
OpenStack has an audit log through OpenStack Audit Middleware, but no way for customers to view these audit events. Hermes enables easy access to audit events on a tenant basis, relying on the ELK stack for storage. Now cloud customers can view their project level audit events through an API, or as a module in Elektra, an OpenStack Dashboard.
The Audit log can be used by information auditors or cloud based audit APIs to track events for a resource in a domain or project. Support teams can validate when customers communicate problems with cloud services, verify what occurred, and view additional detail about the customer issue.
Hermes enables customer access for audit relevant events that occur from OpenStack in an Open Standards CADF Format.
- OpenStack
- OpenStack Audit Middleware - To Generate audit events in a WSGI Pipeline
- RabbitMQ - To queue audit events from Openstack
- Logstash - To transform and route audit events
- Elasticsearch or Opensearch - To store audit events for the API to query
To install Hermes, you can use the Helm charts available at SAPCC Helm Charts. These charts provide a simple and efficient way to deploy Hermes in a Kubernetes cluster.
In addition to the Helm charts, you can also use the following related repositories and projects to further customize and integrate Hermes into your OpenStack environment:
Related Repositories:
- OpenStack Audit Middleware
- Hermes CLI Command Line Client
- Hermes Audit Tools for Creation of Events
- GopherCloud Extension for Hermes Audit
- SAPCC Go Api Declarations
Related Projects:
- A managed service for Auditing in OpenStack: A service that provides a central repository for all audit events in OpenStack, making it easy to access and analyze these events for compliance, security and troubleshooting purposes.
- OpenStack Identity v3 authentication and authorization: Allows for the use of OpenStack's built-in identity service for authenticating and authorizing users and groups to access audit events, ensuring that only authorized users have access to sensitive audit information and to comply with regulatory requirements for data access control.
- Project and domain-level access control (scoping): Allows you to specify which events a user or group of users can view based on the project and domain they belong to, useful for multi-tenant environments where different projects and domains have different levels of access and visibility to audit events. Ensures that only authorized users have access to sensitive audit information and to comply with regulatory requirements for data access control.
- Compatible with other cloud based audit APIs: Hermes allows for integration with other cloud-based audit APIs, which enables customers to use their existing audit tools and processes with OpenStack.
- Exposed Prometheus metrics: Allows for monitoring and alerting of key metrics and events, enabling customers to quickly identify and troubleshoot issues with their OpenStack environment.
- HermesCLI for querying events: A command line interface that enables customers to easily query and filter audit events, allowing them to quickly find and analyze relevant events.
- Keystone Identity Service
- Nova Compute Service
- Neutron Network Service
- Designate DNS Service
- Cinder Block Storage Service
- Manila Shared Filesystem Service
- Glance Image Service
- Barbican Key Manager Service
- Ironic Baremetal Service
- Octavia Load Balancer Service
- Limes Quota/Usage Tracking Service
- Castellum Vertical Autoscaling Service
- Keppel Container Image Registry Service
- Archer End Point Service
- Cronus Email Service
For detailed usage, refer to the documentation provided in doc.go within the audittools package. This includes examples on how to generate audit events and publish them to a RabbitMQ server.