Hermes is an audit trail service for OpenStack, originally designed for SAP's internal OpenStack Cloud.
Hermes is named after the Futurama character, not the Greek god.
- 📜 Central repository for OpenStack audit events
- 🔐 Identity v3 authentication & project/domain scoping
- ⚙️ Integration with cloud-based audit APIs
- 📈 Exposes Prometheus metrics
- 🧾 CLI support via HermesCLI
OpenStack has an audit log through OpenStack Audit Middleware, but no way for customers to view these audit events. Hermes enables easy access to audit events on a tenant basis, relying on the ELK stack for storage. Now cloud customers can view their project-level audit events through an API, or as a module in Elektra, an OpenStack Dashboard.
The audit log can be used by information auditors or cloud-based audit APIs to track events for a resource in a domain or project. Support teams can validate when customers communicate problems with cloud services, verify what occurred, and view additional detail about the customer issue.
Hermes gives customers access to audit-relevant events from OpenStack in the open-standard CADF format.
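The tenant scoping described above can be illustrated with a short Go sketch. This is an added example, not code from Hermes: the `VisibleTo` function, the sample events, the `project_id` field placement, and the rule that an event is visible to the initiator's or the target's project are all assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Resource and Event keep only the CADF fields this example needs.
// Assumption: the owning project is carried as "project_id" on initiator and target.
type Resource struct {
	TypeURI   string `json:"typeURI"`
	ID        string `json:"id"`
	ProjectID string `json:"project_id"`
}
type Event struct {
	ID        string   `json:"id"`
	Action    string   `json:"action"`
	Outcome   string   `json:"outcome"`
	Initiator Resource `json:"initiator"`
	Target    Resource `json:"target"`
}

// Constructed sample events (not real Hermes output); e4 carries no project at all.
const sampleEvents = `[
{"id":"e1","action":"create","outcome":"success","initiator":{"typeURI":"service/security/account/user","id":"u1","project_id":"proj-a"},"target":{"typeURI":"compute/server","id":"s1","project_id":"proj-a"}},
{"id":"e2","action":"create","outcome":"success","initiator":{"typeURI":"service/security/account/user","id":"u2","project_id":"proj-b"},"target":{"typeURI":"compute/server","id":"s2","project_id":"proj-b"}},
{"id":"e3","action":"delete","outcome":"failure","initiator":{"typeURI":"service/security/account/user","id":"u2","project_id":"proj-b"},"target":{"typeURI":"compute/server","id":"s1","project_id":"proj-a"}},
{"id":"e4","action":"authenticate","outcome":"failure","initiator":{"typeURI":"service/security/account/user","id":"u3"},"target":{"typeURI":"service/security","id":"k1"}}
]`

// VisibleTo returns the events a caller scoped to projectID may read.
// It fails closed: an empty scope is rejected, and events without a project never match.
func VisibleTo(raw []byte, projectID string) ([]Event, error) {
	if projectID == "" {
		return nil, fmt.Errorf("refusing unscoped audit query")
	}
	var all, out []Event
	if err := json.Unmarshal(raw, &all); err != nil {
		return nil, fmt.Errorf("decode CADF events: %w", err)
	}
	for _, e := range all {
		if e.Initiator.ProjectID == projectID || e.Target.ProjectID == projectID {
			out = append(out, e)
		}
	}
	return out, nil
}

func main() { fmt.Println(VisibleTo([]byte(sampleEvents), "proj-a")) }
```

Rejecting the empty scope matters because a plain equality check would otherwise match every event that lacks a project, such as e4, and hand unscoped events to any caller.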
Dependencies
- OpenStack
- OpenStack Audit Middleware - To generate audit events in a WSGI pipeline
- RabbitMQ - To queue audit events from OpenStack
- Logstash - To transform and route audit events
- Elasticsearch or OpenSearch - To store audit events for the API to query
Installation
To install Hermes, you can use the Helm charts available at SAPCC Helm Charts. These charts provide a simple and efficient way to deploy Hermes in a Kubernetes cluster.
In addition to the Helm charts, you can also use the following related repositories and projects to further customize and integrate Hermes into your OpenStack environment:
Related Repositories:
- OpenStack Audit Middleware
- Hermes CLI Command Line Client
- Hermes Audit Tools for Creation of Events
- GopherCloud Extension for Hermes Audit
- SAPCC Go Api Declarations
Related Projects:
Supported Services
- Keystone Identity Service
- Nova Compute Service
- Neutron Network Service
- Designate DNS Service
- Cinder Block Storage Service
- Manila Shared Filesystem Service
- Glance Image Service
- Barbican Key Manager Service
- Ironic Baremetal Service
- Octavia Load Balancer Service
- Limes Quota/Usage Tracking Service
- Castellum Vertical Autoscaling Service
- Keppel Container Image Registry Service
- Archer End Point Service
- Cronus Email Service
For detailed usage, refer to the documentation provided in doc.go within the audittools package. This includes examples on how to generate audit events and publish them to a RabbitMQ server.
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
If you find any bug that may be a security problem, please follow the instructions in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright 2017-2025 SAP SE or an SAP affiliate company and hermes contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.