https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161476#M36882 <P>Hi all,&nbsp;</P> <P>&nbsp;</P> <P>in short - how can I change the formatting on the event logs going to a syslog server?<BR /><BR />in detail -&nbsp;<BR />&nbsp;I have configured my cluster to to send event logs to Splunk.</P> <LI-CODE lang="markup">mucfs01::&gt; event notification destination show -name fluentd_sierra Destination Name: fluentd_sierra Type of Destination: syslog Destination: fluentd.sierra.local Server CA Certificates Present?: - Client Certificate Issuing CA: - Client Certificate Serial Number: - Client Certificate Valid?: - mucfs01::&gt; event filter show -filter-name forSplunk Filter Name Rule Rule Message Name SNMP Trap Type Severity Position Type ----------- -------- --------- ---------------------- --------------- -------- forSplunk 1 include * * EMERGENCY, ALERT, ERROR 2 exclude * * * 2 entries were displayed.</LI-CODE> <P>&nbsp;</P> <P>Splunk sees the hostname as cluster nodename + event message name</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="keremcumhur_0-1606211984051.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/10441iA64F0986A35163EB/image-size/medium?v=v2&amp;px=400" role="button" title="keremcumhur_0-1606211984051.png" alt="keremcumhur_0-1606211984051.png" /></span></P> <P>&nbsp;</P> <P>And if you look at how packages are being sent from NetApp, the syslog package is created this way.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="keremcumhur_1-1606212082490.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/10442iE5C3DECB0DC46E20/image-size/medium?v=v2&amp;px=400" role="button" title="keremcumhur_1-1606212082490.png" alt="keremcumhur_1-1606212082490.png" /></span></P> <P>&nbsp;</P> <P>I don't know the reason for this, but I could not change it. And this way it is creating for each event on each node a new 'host' entry on Splunk, which ends up with 100x new non-existing nodes.</P> <P>I want to be able to modify the syslog event like</P> <P>hostname = name of the node</P> <P>ident = message name</P> <P>message = message text</P> Wed, 04 Jun 2025 10:44:15 GMT keremcumhur 2025-06-04T10:44:15Z https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161476#M36882 <P>Hi all,&nbsp;</P> <P>&nbsp;</P> <P>in short - how can I change the formatting on the event logs going to a syslog server?<BR /><BR />in detail -&nbsp;<BR />&nbsp;I have configured my cluster to to send event logs to Splunk.</P> <LI-CODE lang="markup">mucfs01::&gt; event notification destination show -name fluentd_sierra Destination Name: fluentd_sierra Type of Destination: syslog Destination: fluentd.sierra.local Server CA Certificates Present?: - Client Certificate Issuing CA: - Client Certificate Serial Number: - Client Certificate Valid?: - mucfs01::&gt; event filter show -filter-name forSplunk Filter Name Rule Rule Message Name SNMP Trap Type Severity Position Type ----------- -------- --------- ---------------------- --------------- -------- forSplunk 1 include * * EMERGENCY, ALERT, ERROR 2 exclude * * * 2 entries were displayed.</LI-CODE> <P>&nbsp;</P> <P>Splunk sees the hostname as cluster nodename + event message name</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="keremcumhur_0-1606211984051.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/10441iA64F0986A35163EB/image-size/medium?v=v2&amp;px=400" role="button" title="keremcumhur_0-1606211984051.png" alt="keremcumhur_0-1606211984051.png" /></span></P> <P>&nbsp;</P> <P>And if you look at how packages are being sent from NetApp, the syslog package is created this way.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="keremcumhur_1-1606212082490.png" style="width: 400px;"><img src="https://community.netapp.com/t5/image/serverpage/image-id/10442iE5C3DECB0DC46E20/image-size/medium?v=v2&amp;px=400" role="button" title="keremcumhur_1-1606212082490.png" alt="keremcumhur_1-1606212082490.png" /></span></P> <P>&nbsp;</P> <P>I don't know the reason for this, but I could not change it. And this way it is creating for each event on each node a new 'host' entry on Splunk, which ends up with 100x new non-existing nodes.</P> <P>I want to be able to modify the syslog event like</P> <P>hostname = name of the node</P> <P>ident = message name</P> <P>message = message text</P> Wed, 04 Jun 2025 10:44:15 GMT https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161476#M36882 keremcumhur 2025-06-04T10:44:15Z https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161488#M36885 <P>Curious....ONTAP version and Splunk Version?</P> <P>Maybe there is a bug on either side?</P> <P>Have you updated one or both?</P> Tue, 24 Nov 2020 13:04:46 GMT https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161488#M36885 TMACMD 2020-11-24T13:04:46Z https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161578#M36908 <P>we are using&nbsp;NetApp Release 9.6P8.</P><P>Splunk Ent. is using version&nbsp;<SPAN>7.2.10</SPAN></P><P>&nbsp;</P><P>The problem is Splunk is a central service and I don't have permissions to update it.</P><P>&nbsp;</P><P>I found a tutorial.&nbsp;<A href="http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html" target="_blank" rel="noopener">http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html</A></P><P>If you look at the 3rd picture, you will see that his logs are also being formatted with hostname + error type.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.</P><P>But I am still curious, why Ontap does not allow me to modify how I want to send my syslog messages.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 27 Nov 2020 11:41:40 GMT https://community.netapp.com/t5/ONTAP-Discussions/problem-with-event-logging/m-p/161578#M36908 keremcumhur 2020-11-27T11:41:40Z