Hermes is an audit trail service for OpenStack, originally designed for SAP's internal OpenStack Cloud.
Hermes is named after the Futurama character, not the Greek god.
- 📜 Central repository for OpenStack audit events
- 🔐 Identity v3 authentication & project/domain scoping
- ⚙️ Integration with cloud-based audit APIs
- 📈 Exposes Prometheus metrics
- 🧾 CLI support via HermesCLI
OpenStack produces an audit log through OpenStack Audit Middleware, but offers customers no way to view those audit events. Hermes gives tenants access to their own audit events, relying on the ELK stack for storage. Cloud customers can view their project-level audit events through an API, or as a module in Elektra, an OpenStack dashboard.
The audit log can be used by information auditors or cloud-based audit APIs to track events for a resource in a domain or project. Support teams can use it to check what a customer reports about a problem with a cloud service, verify what actually occurred, and view additional detail about the customer's issue.
Hermes gives customers access to the audit-relevant events that OpenStack emits, in the open-standard CADF (Cloud Auditing Data Federation) format.
Dependencies
- OpenStack
- OpenStack Audit Middleware - To generate audit events in a WSGI pipeline
- RabbitMQ - To queue audit events from OpenStack
- Logstash - To transform and route audit events
- Elasticsearch or OpenSearch - To store audit events for the API to query
Installation
To install Hermes, you can use the Helm charts available at SAPCC Helm Charts. These charts provide a simple and efficient way to deploy Hermes in a Kubernetes cluster.
In addition to the Helm charts, the following related repositories and projects can help you customize Hermes and integrate it into your OpenStack environment:
Related Repositories:
- OpenStack Audit Middleware
- Hermes CLI Command Line Client
- Hermes Audit Tools for creating events
- Gophercloud Extension for Hermes Audit
- SAPCC Go API Declarations
Related Projects:
Supported Services
- Keystone Identity Service
- Nova Compute Service
- Neutron Network Service
- Designate DNS Service
- Cinder Block Storage Service
- Manila Shared Filesystem Service
- Glance Image Service
- Barbican Key Manager Service
- Ironic Baremetal Service
- Octavia Load Balancer Service
- Limes Quota/Usage Tracking Service
- Castellum Vertical Autoscaling Service
- Keppel Container Image Registry Service
- Archer End Point Service
- Cronus Email Service
For detailed usage, refer to doc.go in the audittools package, which includes examples of how to generate audit events and publish them to a RabbitMQ server.
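To make the CADF format mentioned above and the per-project scoping concrete, here is an added Go example that is not Hermes's or audittools' own code. It assumes a reduced CADF event struct (only the fields the spec requires, plus the `project_id`/`domain_id` initiator extensions the OpenStack audit middleware adds), is stricter than the spec by requiring RFC 3339 timestamps, and uses a `FilterByProject` function to show the shape of the tenant-scoping check an API has to apply from the caller's token scope; it is not Hermes's actual query. The sample events and resource IDs are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Resource is the CADF resource used for initiator, target and observer.
// project_id and domain_id are the OpenStack extensions the audit middleware
// attaches to the initiator (assumption for this example); they carry tenant scope.
type Resource struct {
	TypeURI   string `json:"typeURI"`
	ID        string `json:"id"`
	Name      string `json:"name,omitempty"`
	ProjectID string `json:"project_id,omitempty"`
	DomainID  string `json:"domain_id,omitempty"`
}

// Event is a reduced CADF event: the required fields plus the initiator
// extensions. Real events carry more (reason, attachments, ...).
type Event struct {
	TypeURI   string   `json:"typeURI"`
	ID        string   `json:"id"`
	EventTime string   `json:"eventTime"`
	EventType string   `json:"eventType"`
	Action    string   `json:"action"`
	Outcome   string   `json:"outcome"`
	Initiator Resource `json:"initiator"`
	Target    Resource `json:"target"`
	Observer  Resource `json:"observer"`
}

const eventTypeURI = "http://schemas.dmtf.org/cloud/audit/1.0/event"

// CADF restricts outcome to this set.
var validOutcomes = map[string]bool{"success": true, "failure": true, "pending": true, "unknown": true}

// newID returns a random RFC 4122 version-4 UUID for the event id.
func newID() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// NewEvent builds an "activity" event for action with the given outcome.
func NewEvent(action, outcome string, initiator, target, observer Resource) Event {
	return Event{TypeURI: eventTypeURI, ID: newID(), EventTime: time.Now().UTC().Format(time.RFC3339Nano),
		EventType: "activity", Action: action, Outcome: outcome, Initiator: initiator, Target: target, Observer: observer}
}

// Validate enforces the CADF required fields before an event is published or
// indexed; a record that fails here would be unqueryable by any audit consumer.
func (e Event) Validate() error {
	required := []struct{ name, value string }{
		{"typeURI", e.TypeURI}, {"id", e.ID}, {"eventTime", e.EventTime},
		{"eventType", e.EventType}, {"action", e.Action}, {"outcome", e.Outcome},
		{"initiator.typeURI", e.Initiator.TypeURI}, {"initiator.id", e.Initiator.ID},
		{"target.typeURI", e.Target.TypeURI}, {"target.id", e.Target.ID},
		{"observer.typeURI", e.Observer.TypeURI}, {"observer.id", e.Observer.ID},
	}
	for _, r := range required {
		if r.value == "" {
			return fmt.Errorf("cadf: missing required field %s", r.name)
		}
	}
	if !validOutcomes[e.Outcome] {
		return fmt.Errorf("cadf: invalid outcome %q", e.Outcome)
	}
	// The spec asks for ISO 8601; this example is stricter and requires RFC 3339.
	if _, err := time.Parse(time.RFC3339Nano, e.EventTime); err != nil {
		return fmt.Errorf("cadf: eventTime: %w", err)
	}
	return nil
}

// ParseEvent decodes one JSON event (e.g. one search hit) and validates it.
func ParseEvent(data []byte) (Event, error) {
	var e Event
	if err := json.Unmarshal(data, &e); err != nil {
		return Event{}, err
	}
	return e, e.Validate()
}

// FilterByProject keeps only events whose initiator acted inside projectID.
// projectID must come from the caller's token scope, never from a client
// parameter, and an empty scope fails closed (matches nothing).
func FilterByProject(events []Event, projectID string) []Event {
	var out []Event
	for _, e := range events {
		if projectID != "" && e.Initiator.ProjectID == projectID {
			out = append(out, e)
		}
	}
	return out
}

// SampleEvents returns two constructed events from two different projects.
func SampleEvents() []Event {
	alice := Resource{TypeURI: "service/security/account/user", ID: "u-alice", Name: "alice", ProjectID: "p-1", DomainID: "d-1"}
	bob := Resource{TypeURI: "service/security/account/user", ID: "u-bob", Name: "bob", ProjectID: "p-2", DomainID: "d-1"}
	return []Event{
		NewEvent("delete", "success", alice, Resource{TypeURI: "service/compute/servers", ID: "srv-42", ProjectID: "p-1"}, Resource{TypeURI: "service/compute", ID: "nova"}),
		NewEvent("update/role_assignment", "failure", bob, Resource{TypeURI: "service/security/role", ID: "role-admin"}, Resource{TypeURI: "service/security", ID: "keystone"}),
	}
}

func main() {
	events := SampleEvents()
	for _, e := range events {
		if err := e.Validate(); err != nil {
			panic(err)
		}
	}
	b, _ := json.MarshalIndent(FilterByProject(events, "p-1"), "", "  ")
	fmt.Println(string(b)) // only alice's delete event, bob's role change is out of scope
}
```

The point of `FilterByProject` is where the project ID comes from: the scope of the validated Keystone token, not a query parameter the client chooses. Letting a caller name any project is how a tenant reads another tenant's audit trail.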