https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437941#M41142 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/111036">@nfantinato</a>&nbsp;</P><P>&nbsp;</P><P>Sorry i missed read your original post. You referring to audit logging which you would use cluster log-forwarding as the event notification if for ems logs that was generated by the system.</P><P>So regarding the issue receiving logs only from one node, is most likely since the cluster-mgmt lif live on the working node. Try moving the cluster-mgmt lif to node 2 and see if you are getting logs forwarded to the syslog server.</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Fri, 02 Sep 2022 04:14:49 GMT hmoubara 2022-09-02T04:14:49Z https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437870#M41133 <P>Hello,</P><P>&nbsp;</P><P>we have configured audit logs to be sent via syslog to a Splunk server using command:</P><P><FONT face="courier new,courier">cluster log-forwarding create -destination xx.xx.xx.xx -port 514 -protocol tcp-unencrypted -verify-server false -facility user</FONT></P><P>but it seems that logs are sent only from node 1 of the Netapp storage array. So node 2 always results as it is not sending anything to Splunk.</P><P>It is normal? I mean, are all logs normally sent only from node 1?</P><P>The storage is a FAS8200, Ontap version is&nbsp;<SPAN class="">9.7P17</SPAN></P><P>&nbsp;</P><P><SPAN class="">Thanks in advance for any information.</SPAN></P><P>&nbsp;</P><P><SPAN class="">Regards.</SPAN></P> Wed, 04 Jun 2025 09:57:01 GMT https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437870#M41133 nfantinato 2025-06-04T09:57:01Z https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437906#M41137 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/111036">@nfantinato</a>&nbsp;</P><P>&nbsp;</P><P>Can you run the below command and check if there is connection between the node the syslog server and also review history of events that were set to be forwarded to the server.</P><P>&nbsp;</P><P>cluster::&gt; event notification destination check -node &lt;node-name&gt; -destination-name &lt;&gt;</P><P>cluster::&gt; event notification history show -node&nbsp; &lt;node-name&gt; -destination-name &lt;&gt;</P><P>&nbsp;</P><P><A href="https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server" target="_blank">https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server</A></P><P>&nbsp;</P><P>Thanks&nbsp;</P> Thu, 01 Sep 2022 03:43:49 GMT https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437906#M41137 hmoubara 2022-09-01T03:43:49Z https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437913#M41138 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/14855">@hmoubara</a>,</P><P>&nbsp;</P><P>thank you for your reply. Because we found a bit complex to set correct filters in event notification, instead of those commands you indicated we've run the following one for both nodes:<BR /><FONT face="courier new,courier">cluster log-forwarding statistics show -node &lt;node_name&gt; -destination 161.27.170.14 -port 514</FONT></P><P>and those statistics show no errors and all messages correctly sent. So everything on Netapp side seems to work well, but on Spunk side no logs arrive from node 2. And this beahaviour happens only for some storages, not all.</P><P>Is it better to use <FONT face="courier new,courier">event notification</FONT> command instead of <FONT face="courier new,courier">cluster log-forwarding</FONT>?</P><P>&nbsp;</P><P>Thank you.</P> Thu, 01 Sep 2022 09:55:12 GMT https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437913#M41138 nfantinato 2022-09-01T09:55:12Z https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437941#M41142 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/111036">@nfantinato</a>&nbsp;</P><P>&nbsp;</P><P>Sorry i missed read your original post. You referring to audit logging which you would use cluster log-forwarding as the event notification if for ems logs that was generated by the system.</P><P>So regarding the issue receiving logs only from one node, is most likely since the cluster-mgmt lif live on the working node. Try moving the cluster-mgmt lif to node 2 and see if you are getting logs forwarded to the syslog server.</P><P>&nbsp;</P><P>Thanks&nbsp;</P> Fri, 02 Sep 2022 04:14:49 GMT https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437941#M41142 hmoubara 2022-09-02T04:14:49Z https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437962#M41146 <P>Hello&nbsp;<a href="https://community.netapp.com/t5/user/viewprofilepage/user-id/14855">@hmoubara</a>,</P><P>&nbsp;</P><P>thank you for your reply.</P><P>Unfortunately we are can't move LIFs or our monitoring tools get crazy. We tried to compare settings of two different storages, one sending logs from both nodes and the other sending logs only from node 1 and they seem the same.<BR /><BR />Maybe with <FONT face="courier new,courier">event notification</FONT> commands, as you suggested initially, we can reach a deeper level of customization.</P> Fri, 02 Sep 2022 15:19:57 GMT https://community.netapp.com/t5/ONTAP-Discussions/Events-sent-to-Splunk-only-from-one-node/m-p/437962#M41146 nfantinato 2022-09-02T15:19:57Z