This article describes how to use application security group (ASG) logging in Cloud Foundry.
After application security group logging is enabled, the Diego cell logs all security group traffic locally to /var/log/kern.log. ASG logs do not flow through any application log drain, and you will not see them when running the "cf logs" command. The only way to export ASG logs out of the platform is to enable syslog forwarding in Operations Manager -> TPCF Tile -> System Logging Tab.
In this example, we are adding a sample ASG with logging enabled to allow traffic from a container to the Gorouter IP address. The ASG is bound to org o and space s, which has one app, proxy, running.
The proxy app is used here purely for demonstration. It forwards HTTP requests to the URL or IP provided in the curl URI. For example:
curl proxy.<cf-domain>/proxy/foo.com will forward requests to foo.com
Follow the instructions here to set up application security groups. The ASG configured in this example is:
[ { "protocol": "tcp", "destination": "1.2.3.4", "ports":"80", "log": true, "description": "Allow apps to reach gorouter" } ]
In the above example, all requests to IP 1.2.3.4 (the Gorouter IP) will be logged to syslog. To generate a log entry, we use the proxy application to forward a request to the Gorouter. For example:
curl proxy.cfapps-14.haas-##.###.#####.##/proxy/10.10.10.30:80
This will generate a Syslog entry as follows:
Note the IPs in this example are
2025/05/07 03:00:14 map[client:10.10.10.12:33056 content:<14>1 2025-05-07T03:00:14.230935Z 10.10.10.12 iptables-logger rs2 - [instance@47450 director="" deployment="cf-7fd3e58e1b8ead43f163" group="diego_cell" az="az1" id="193fe9cf-7d23-4962-a772-e1535f912d28"] {"timestamp":"2025-05-07T03:00:13.635688948Z","level":"info","source":"cfnetworking.iptables","message":"cfnetworking.iptables.egress-allowed","data":{"packet":{"direction":"egress","allowed":true,"src_ip":"10.255.7.24","dst_ip":"1.2.3.4","src_port":34500,"dst_port":80,"protocol":"TCP","mark":"","icmp_type":0,"icmp_code":0},"source":{"container_id":"b4874ffd-7af9-4a1c-4ca0-134c","app_guid":"4ccbb24c-268e-421a-9d1b-3678b6eb40d0","space_guid":"8d3a60cf-c9bb-465e-9f8e-71d4a37b45bf","organization_guid":"8230be6e-c821-4ccd-86e2-be350fae562c","host_ip":"10.10.10.12","host_guid":"193fe9cf-7d23-4962-a772-e1535f912d28"}}} tls_peer:]
Note the src_ip and dst_ip fields in the entry: src_ip is the IP of the container that is trying to reach the Gorouter, and dst_ip is the Gorouter IP.
In the second example, we add an ASG with logging enabled to log traffic egressing from a container inside Cloud Foundry.
[ { "description": "Allow apps to reach router", "destination": "0.0.0.0-0.0.0.255", "log": true, "ports": "80", "protocol": "tcp" } ]
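To check offline which of the two rule sets above would cover (and log) a given egress packet, here is an added Python model of ASG rule matching. It is example code written for this article, not part of Cloud Foundry or the iptables-logger; the destination forms it accepts (a single IP, an inclusive "a-b" range, or a CIDR block) and the port forms ("80", "80,443", "8080-8090") are my reading of the documented ASG rule syntax, and real enforcement happens in iptables on the Diego cell, not in this function. The sample packet is the one from the log entry shown earlier (destination 1.2.3.4, port 80, TCP); it is covered by the first rule set but not by the second, whose destination range is 0.0.0.0-0.0.0.255.

```python
import ipaddress
import json

# The two ASG rule sets shown in the article, copied verbatim.
ASG_GOROUTER = ('[ { "protocol": "tcp", "destination": "1.2.3.4", "ports":"80", '
                '"log": true, "description": "Allow apps to reach gorouter" } ]')
ASG_RANGE = ('[ { "description": "Allow apps to reach router", "destination": "0.0.0.0-0.0.0.255", '
             '"log": true, "ports": "80", "protocol": "tcp" } ]')


def dest_contains(destination, ip):
    """An ASG destination is a single IP, an inclusive range "a-b", or a CIDR block (assumed syntax)."""
    addr = ipaddress.ip_address(ip)
    if "-" in destination:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return lo <= addr <= hi
    if "/" in destination:
        return addr in ipaddress.ip_network(destination, strict=False)
    return addr == ipaddress.ip_address(destination)


def ports_contain(ports, port):
    """Ports are a comma-separated list of single ports and/or "lo-hi" ranges (assumed syntax)."""
    for part in ports.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def rule_matches(rule, packet):
    """True if an egress packet {"protocol", "dst_ip", "dst_port"} is covered by one ASG rule."""
    proto = rule["protocol"].lower()
    if proto != "all" and proto != packet["protocol"].lower():
        return False
    if not dest_contains(rule["destination"], packet["dst_ip"]):
        return False
    # Port restrictions only apply to tcp/udp rules that carry a "ports" field.
    if proto in ("tcp", "udp") and "ports" in rule:
        return ports_contain(rule["ports"], packet["dst_port"])
    return True


def evaluate(asg_json, packet):
    """Return (allowed, logged): allowed if any rule matches, logged if a matching rule has "log": true."""
    matching = [r for r in json.loads(asg_json) if rule_matches(r, packet)]
    allowed = bool(matching)
    logged = any(r.get("log", False) for r in matching)
    return allowed, logged


# The packet from the article's sample log entry: dst 1.2.3.4, port 80, TCP.
SAMPLE_PACKET = {"protocol": "TCP", "dst_ip": "1.2.3.4", "dst_port": 80}

if __name__ == "__main__":
    print("gorouter rule set:", evaluate(ASG_GOROUTER, SAMPLE_PACKET))
    print("range rule set:   ", evaluate(ASG_RANGE, SAMPLE_PACKET))
```

Running the script prints (True, True) for the Gorouter rule set and (False, False) for the range rule set against the sample packet, which is a quick way to sanity-check a rule set before binding it to a space.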
Note: For this procedure to work, syslog messages must be aggregated to a syslog server. See the instructions to set up syslog forwarding here.
Here we will illustrate an example of how a Syslog entry from an ASG can be mapped back to the app container that is generating the log.
1. Run the curl command to the proxy app from the example above to generate a log entry.
2. On the log aggregation server, grep or search for the string DST=<gorouter_ip> to find log entries to the Gorouter IP and obtain a sample entry from ASG logging. In your case, it could be any search string of interest to you, based on the sample ASG log entry.
$ grep "DST=1.2.3.4" *
2025/05/07 03:00:14 map[client:10.10.10.12:33056 content:<14>1 2025-05-07T03:00:14.230935Z 10.10.10.12 iptables-logger rs2 - [instance@47450 director="" deployment="cf-7fd3e58e1b8ead43f163" group="diego_cell" az="az1" id="193fe9cf-7d23-4962-a772-e1535f912d28"] {"timestamp":"2025-05-07T03:00:13.635688948Z","level":"info","source":"cfnetworking.iptables","message":"cfnetworking.iptables.egress-allowed","data":{"packet":{"direction":"egress","allowed":true,"src_ip":"10.255.7.24","dst_ip":"1.2.3.4","src_port":34500,"dst_port":80,"protocol":"TCP","mark":"","icmp_type":0,"icmp_code":0},"source":{"container_id":"b4874ffd-7af9-4a1c-4ca0-134c","app_guid":"4ccbb24c-268e-421a-9d1b-3678b6eb40d0","space_guid":"8d3a60cf-c9bb-465e-9f8e-71d4a37b45bf","organization_guid":"8230be6e-c821-4ccd-86e2-be350fae562c","host_ip":"10.10.10.12","host_guid":"193fe9cf-7d23-4962-a772-e1535f912d28"}}} tls_peer:]
3. In the syslog entry you will find the app GUID:
"app_guid":"4ccbb24c-268e-421a-9d1b-3678b6eb40d0"
4. Find the application name by calling the Cloud Controller (CC) API, if the application is still running:
$ cf curl /v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0
{ "metadata": { "guid": "4ccbb24c-268e-421a-9d1b-3678b6eb40d0", "url": "/v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0", "created_at": "2017-06-16T23:13:55Z", "updated_at": "2017-06-20T22:56:40Z" }, "entity": { "name": "proxy", "production": false, "space_guid": "c65add41-d85b-4823-9e2a-545a5e0e5812", "stack_guid": "9dad41b8-3043-48da-acf4-e1d4a700ea88", "ports": [ 8080 --- snip --- ], "space_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812", "stack_url": "/v2/stacks/9dad41b8-3043-48da-acf4-e1d4a700ea88", "routes_url": "/v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0/routes", "events_url": "/v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0/events", "service_bindings_url": "/v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0/service_bindings", "route_mappings_url": "/v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0/route_mappings" } }
5. Find the space name by calling the Cloud Controller API with the space_guid from the previous response:
$ cf curl /v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812
{ "metadata": { "guid": "c65add41-d85b-4823-9e2a-545a5e0e5812", "url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812", "created_at": "2017-06-16T18:14:40Z", "updated_at": null }, "entity": { "name": "s", "organization_guid": "2c279d6c-6f15-4cc0-99ed-72ef76ec50eb", "space_quota_definition_guid": null, "allow_ssh": true, "organization_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb", "developers_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/developers", "managers_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/managers", "auditors_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/auditors", "apps_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/apps", "routes_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/routes", "domains_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/domains", "service_instances_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/service_instances", "app_events_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/app_events", "events_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/events", "security_groups_url": "/v2/spaces/c65add41-d85b-4823-9e2a-545a5e0e5812/security_groups" } }
6. Find the org name by calling the Cloud Controller API with the organization_guid from the space response:
$ cf curl /v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb
{ "metadata": { "guid": "2c279d6c-6f15-4cc0-99ed-72ef76ec50eb", "url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb", "created_at": "2017-06-16T18:14:19Z", "updated_at": null }, "entity": { "name": "o", "billing_enabled": false, "quota_definition_guid": "6002a805-f285-4e7b-8ff6-cd4ac607d26e", "status": "active", "quota_definition_url": "/v2/quota_definitions/6002a805-f285-4e7b-8ff6-cd4ac607d26e", "spaces_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/spaces", "domains_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/domains", "private_domains_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/private_domains", "users_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/users", "managers_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/managers", "billing_managers_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/billing_managers", "auditors_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/auditors", "app_events_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/app_events", "space_quota_definitions_url": "/v2/organizations/2c279d6c-6f15-4cc0-99ed-72ef76ec50eb/space_quota_definitions" } }
If the application has been deleted, cf curl will return an "App not found" message:
$ cf curl /v2/apps/4ccbb24c-268e-421a-9d1b-3678b6eb40d0
{ "description": "The app could not be found: 4ccbb24c-268e-421a-9d1b-3678b6eb40d0", "error_code": "CF-AppNotFound", "code": 100004 }
In that case, call the events endpoint with the app GUID as the actee to find the app information (the actee_name, space_guid, and organization_guid of the audit events), then follow the steps above to get the space and org names.
$ cf curl /v2/events?q=actee:4ccbb24c-268e-421a-9d1b-3678b6eb40d0
{ "total_results": 6, "total_pages": 1, "prev_url": null, "next_url": null, "resources": [ { "metadata": { "guid": "d343a7dc-8882-4529-b3b9-83677ee2017e", "url": "/v2/events/d343a7dc-8882-4529-b3b9-83677ee2017e", "created_at": "2017-06-16T23:13:55Z", "updated_at": null }, "entity": { "type": "audit.app.create", "actor": "7b2d6421-db00-4a1d-86d3-dc07edbe8afd", "actor_type": "user", "actor_name": "admin", "actee": "4ccbb24c-268e-421a-9d1b-3678b6eb40d0", "actee_type": "app", "actee_name": "proxy", "timestamp": "2017-06-16T23:13:55Z", "metadata": { "request": { "name": "proxy", "space_guid": "c65add41-d85b-4823-9e2a-545a5e0e5812", "memory": 32, "disk_quota": 32, "buildpack": "go_buildpack", "environment_json": "PRIVATE DATA HIDDEN", "console": false, "docker_credentials_json": "PRIVATE DATA HIDDEN", "health_check_type": "port", "instances": 1, "production": false, "state": "STOPPED" } }, "space_guid": "c65add41-d85b-4823-9e2a-545a5e0e5812", "organization_guid": "2c279d6c-6f15-4cc0-99ed-72ef76ec50eb" } --snip--
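The following Python script automates the mapping described in steps 2 to 6 plus the deleted-app fallback: it extracts the JSON payload from an ASG syslog entry, filters entries by destination IP, and then resolves the app GUID to app, space, and org names through the Cloud Controller API. It is an added example written for this article, not code shipped with Cloud Foundry or the iptables-logger. It parses the JSON iptables-logger format shown above (where the destination is the dst_ip field; the DST=<ip> string from step 2 belongs to the older kernel-log line format, which this parser does not handle). The cf_curl function shells out to the real cf CLI, which must already be logged in with a user that can read the org; fake_cf_curl is a constructed stand-in built from the v2 responses shown on this page so the script runs offline. The v2 paths are the ones this article uses; on a foundation that only serves the v3 API the paths and response shapes differ.

```python
import json
import subprocess

# Sample ASG syslog entry, copied from the article (iptables-logger JSON format).
SAMPLE_LINE = (
    '2025/05/07 03:00:14 map[client:10.10.10.12:33056 content:<14>1 2025-05-07T03:00:14.230935Z '
    '10.10.10.12 iptables-logger rs2 - [instance@47450 director="" deployment="cf-7fd3e58e1b8ead43f163" '
    'group="diego_cell" az="az1" id="193fe9cf-7d23-4962-a772-e1535f912d28"] '
    '{"timestamp":"2025-05-07T03:00:13.635688948Z","level":"info","source":"cfnetworking.iptables",'
    '"message":"cfnetworking.iptables.egress-allowed","data":{"packet":{"direction":"egress","allowed":true,'
    '"src_ip":"10.255.7.24","dst_ip":"1.2.3.4","src_port":34500,"dst_port":80,"protocol":"TCP","mark":"",'
    '"icmp_type":0,"icmp_code":0},"source":{"container_id":"b4874ffd-7af9-4a1c-4ca0-134c",'
    '"app_guid":"4ccbb24c-268e-421a-9d1b-3678b6eb40d0","space_guid":"8d3a60cf-c9bb-465e-9f8e-71d4a37b45bf",'
    '"organization_guid":"8230be6e-c821-4ccd-86e2-be350fae562c","host_ip":"10.10.10.12",'
    '"host_guid":"193fe9cf-7d23-4962-a772-e1535f912d28"}}} tls_peer:]'
)


def parse_asg_entry(line):
    """Pull the JSON object the iptables-logger embeds in a syslog line; None if the line is not an ASG entry."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the object, so trailing text such as " tls_peer:]" is ignored.
        payload, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict) or payload.get("source") != "cfnetworking.iptables":
        return None
    return payload


def entries_to(lines, dst_ip):
    """Step 2 in code: keep only ASG entries whose packet was sent to dst_ip."""
    out = []
    for line in lines:
        p = parse_asg_entry(line)
        if p and p.get("data", {}).get("packet", {}).get("dst_ip") == dst_ip:
            out.append(p)
    return out


def cf_curl(path):
    """Real fetch: runs `cf curl <path>` with the already-logged-in cf CLI and returns the parsed JSON."""
    r = subprocess.run(["cf", "curl", path], capture_output=True, text=True, check=True)
    return json.loads(r.stdout)


def resolve_app(app_guid, fetch=cf_curl):
    """Steps 4-6: map an app GUID to app/space/org names; use audit events if the app was deleted."""
    app = fetch(f"/v2/apps/{app_guid}")
    deleted = app.get("error_code") == "CF-AppNotFound"
    if deleted:
        events = fetch(f"/v2/events?q=actee:{app_guid}").get("resources", [])
        if not events:
            return None  # no audit trail left for this GUID
        ent = events[0]["entity"]
        name, space_guid = ent["actee_name"], ent["space_guid"]
    else:
        name, space_guid = app["entity"]["name"], app["entity"]["space_guid"]
    space = fetch(f"/v2/spaces/{space_guid}")["entity"]
    org = fetch(f"/v2/organizations/{space['organization_guid']}")["entity"]
    return {"app": name, "space": space["name"], "org": org["name"], "deleted": deleted}


# Constructed stand-in for cf curl, reduced to the fields used above from the responses shown in the article.
_APP = "4ccbb24c-268e-421a-9d1b-3678b6eb40d0"
_SPACE = "c65add41-d85b-4823-9e2a-545a5e0e5812"
_ORG = "2c279d6c-6f15-4cc0-99ed-72ef76ec50eb"
FAKE_CC = {
    f"/v2/apps/{_APP}": {"entity": {"name": "proxy", "space_guid": _SPACE}},
    f"/v2/spaces/{_SPACE}": {"entity": {"name": "s", "organization_guid": _ORG}},
    f"/v2/organizations/{_ORG}": {"entity": {"name": "o"}},
    f"/v2/events?q=actee:{_APP}": {"resources": [{"entity": {
        "type": "audit.app.create", "actee_name": "proxy", "space_guid": _SPACE, "organization_guid": _ORG}}]},
}


def fake_cf_curl(path, app_deleted=False):
    """Offline fetch; with app_deleted=True the app lookup returns the CF-AppNotFound error from the article."""
    if app_deleted and path.startswith("/v2/apps/"):
        return {"description": f"The app could not be found: {_APP}", "error_code": "CF-AppNotFound", "code": 100004}
    return FAKE_CC[path]


if __name__ == "__main__":
    for entry in entries_to([SAMPLE_LINE], "1.2.3.4"):
        src = entry["data"]["source"]
        print(entry["data"]["packet"]["src_ip"], "->", entry["data"]["packet"]["dst_ip"], src["app_guid"])
        print(resolve_app(src["app_guid"], fake_cf_curl))  # swap in cf_curl for a real foundation
```

Note that the JSON entry already carries space_guid and organization_guid alongside app_guid, so when the app still exists you can resolve the space and org directly from those fields instead of walking app -> space -> org as in the steps above; the walk is still what you need when you only have an app GUID from an older kernel-format line.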