https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437747#M41103 <P>Hi&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/49015">@DavidDAVE</a>&nbsp;</P><P>&nbsp;</P><P>So a couple of things to keep in mind.&nbsp;</P><P>&nbsp;</P><UL><LI>"<SPAN>cluster log-forwarding" commands are used for enabling AUDIT LOGS to be sent to a Syslog&nbsp;</SPAN>destination</LI><LI><SPAN>"event notification" commands is for enabling EMS LOGS to be sent to a Syslog&nbsp;</SPAN>destination.</LI></UL><P>&nbsp;</P><P><SPAN>Now, you can control to an extent what is included in the AUDIT LOGs (and in turn passed along to the Syslog server). See -&nbsp;<A href="https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html" target="_blank">https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html</A></SPAN></P><P>&nbsp;</P><P><SPAN>In terms of the EMS logs, you can absolutely manage what EMS events are passed along to the Syslog server when configuring it using the event notification commands.</SPAN></P><P>&nbsp;</P><P><SPAN>Some helpful articles that might point you in the right direction,<BR /><BR /></SPAN></P><UL><LI><SPAN><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs</A></SPAN></LI><LI><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server</A>&nbsp;</LI><LI><A href="https://www.netapp.com/pdf.html?item=/media/16880-tr-4303pdf.pdf" target="_blank">https://www.netapp.com/pdf.html?item=/media/16880-tr-4303pdf.pdf</A>&nbsp;</LI></UL><P>&nbsp;</P><P>&nbsp;</P> Mon, 29 Aug 2022 07:16:02 GMT RossC 2022-08-29T07:16:02Z https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437685#M41089 <P><SPAN>Dear all,</SPAN></P><P>&nbsp;</P><P>First of all, thank you for your time reading this. We have configured splunk as our syslog server, and configuring everything to forward over there. We are working with a non-standard port for this, so no 514.</P><P>&nbsp;</P><P>Googling this a bit, I founded this new command, “cluster log-forwarding”, which allows you to specify a port, so that’s cool. Our worries here are that this command doesnt seem to filter which events are sent to the syslog server, and we are worried about the level of logging, we don’t want our splunk server to be overwhelmed.</P><P>&nbsp;</P><P>Is possible to combine cluster log-forwarding with even destination filtering somehow?</P><P>&nbsp;</P><P><A href="https://docs.netapp.com/us-en/ontap-cli-93/cluster-log-forwarding-create.html#description" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap-cli-93/cluster-log-forwarding-create.html#description</A></P><P><A href="https://docs.netapp.com/us-en/ontap/error-messages/configure-ems-events-notifications-syslog-task.html" target="_blank" rel="noopener">https://docs.netapp.com/us-en/ontap/error-messages/configure-ems-events-notifications-syslog-task.html</A></P><P>&nbsp;</P><P>Thanks in advance!<BR /><BR />Kind regards,</P><P>&nbsp;</P><P>David</P> Wed, 04 Jun 2025 09:57:37 GMT https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437685#M41089 DavidDAVE 2025-06-04T09:57:37Z https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437747#M41103 <P>Hi&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/49015">@DavidDAVE</a>&nbsp;</P><P>&nbsp;</P><P>So a couple of things to keep in mind.&nbsp;</P><P>&nbsp;</P><UL><LI>"<SPAN>cluster log-forwarding" commands are used for enabling AUDIT LOGS to be sent to a Syslog&nbsp;</SPAN>destination</LI><LI><SPAN>"event notification" commands is for enabling EMS LOGS to be sent to a Syslog&nbsp;</SPAN>destination.</LI></UL><P>&nbsp;</P><P><SPAN>Now, you can control to an extent what is included in the AUDIT LOGs (and in turn passed along to the Syslog server). See -&nbsp;<A href="https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html" target="_blank">https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html</A></SPAN></P><P>&nbsp;</P><P><SPAN>In terms of the EMS logs, you can absolutely manage what EMS events are passed along to the Syslog server when configuring it using the event notification commands.</SPAN></P><P>&nbsp;</P><P><SPAN>Some helpful articles that might point you in the right direction,<BR /><BR /></SPAN></P><UL><LI><SPAN><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs</A></SPAN></LI><LI><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server</A>&nbsp;</LI><LI><A href="https://www.netapp.com/pdf.html?item=/media/16880-tr-4303pdf.pdf" target="_blank">https://www.netapp.com/pdf.html?item=/media/16880-tr-4303pdf.pdf</A>&nbsp;</LI></UL><P>&nbsp;</P><P>&nbsp;</P> Mon, 29 Aug 2022 07:16:02 GMT https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437747#M41103 RossC 2022-08-29T07:16:02Z https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437789#M41117 <P>Ey mate, really good answer!!</P><P>&nbsp;</P><P>Just something to clarify here, is there anyway to choose port for event notification? 514 forbidden here!</P><P>&nbsp;</P> Mon, 29 Aug 2022 19:40:11 GMT https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437789#M41117 DavidDAVE 2022-08-29T19:40:11Z https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437817#M41122 <P>Hi&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/49015">@DavidDAVE</a>&nbsp;</P><P>&nbsp;</P><P>From the looks of our documentations it looks like we do not support a custom port at this point in time for the "Event notification" commands. You can see a similar conversation unfold over at this thread, where another customer had to use NAT rules to reroute the traffic.</P><P>&nbsp;</P><P><A href="https://community.netapp.com/t5/ONTAP-Discussions/Syslog-custom-port/m-p/430889/highlight/true#M39809" target="_blank" rel="noopener">https://community.netapp.com/t5/ONTAP-Discussions/Syslog-custom-port/m-p/430889/highlight/true#M39809</A></P><P>&nbsp;</P><P>Alternatively (and I think it's also discussed in the same above thread) we have customers whom deploy ActiveIQ Unified Manager to monitor and manage their ONTAP based NetApp systems, then use SNMP traps to gather certain log events from Unified Manger (instead of each separate ONTAP system).&nbsp;</P> Tue, 30 Aug 2022 03:26:49 GMT https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437817#M41122 RossC 2022-08-30T03:26:49Z https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437823#M41125 <P>Understood, thanks for your time and your answers Ross <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Tue, 30 Aug 2022 10:09:17 GMT https://community.netapp.com/t5/ONTAP-Discussions/Syslogging-Cluster-log-forwarding-vs-event-destination/m-p/437823#M41125 DavidDAVE 2022-08-30T10:09:17Z