topic Re: FAS8200 configure External SYSLOG Server in ONTAP Hardware

FAS8200 configure External SYSLOG Server

Ops_Darren — Wed, 04 Jun 2025 11:02:50 GMT

I searched about the syslog configuration in the NetApp documentation center and found that the two commands involve syslog. What is the difference between these two commands?

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

cluster1::> cluster log-forwarding create -destination <syslog server IP>

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.exp-ems%2Fhome.html

cluster1::> event destination create -name support.bucket01 -syslog <syslog server IP>

Re: FAS8200 configure External SYSLOG Server

Ontapforrum — Thu, 02 Jul 2020 11:46:21 GMT

Audit logs: (It's up to you)
Audit logs (Since 9.x) only contains management related activities from the three shells for CLI commands—the clustershell, the nodeshell, and the non-interactive systemshell (interactive systemshell commands are not logged)—as well as API commands. The audit.log file is sent by the AutoSupport tool to the specified recipients. However, you can also forward the content securely to external destinations that you specify; for example, a Splunk or a syslog server.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

EMS Events: (More important)
To log notifications of the most severe (Important) events on a syslog server, you must configure the EMS to forward notifications for events that signal important activity.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-ssg%2FGUID-2C98AC64-51D7-44F9-8D29-75BAC122D5E6.html

If you want to know what those important events are, then run this command:
::> event catalog show -filter-name important-events

Re: FAS8200 configure External SYSLOG Server

Ops_Darren — Fri, 03 Jul 2020 06:23:54 GMT

Thank you for your explanation, but I still don't understand it. And I found that the second link in my topic is wrong, it should be https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/event__destination__create.html.

The description of this commands shows: The event destination create command creates a new event destination. An event destination is a list of addresses that receive event notifications. These addresses can be e-mail addresses, SNMP trap hosts, and syslog servers.

So suppose I have a Splunk server, and I want to send my FAS8200 syslog to my Splunk server. Which command should I choose to use?

cluster1::> cluster log-forwarding create -destination <Splunk IP>

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Re: FAS8200 configure External SYSLOG Server

Ontapforrum — Fri, 03 Jul 2020 09:49:37 GMT

Hi,

Please use this one:

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Confirm to see if it's added :

::> event destination show

Thanks!

Re: FAS8200 configure External SYSLOG Server

Ops_Darren — Fri, 03 Jul 2020 14:46:03 GMT

Thank you very much! 👍

Re: FAS8200 configure External SYSLOG Server

Ops_Darren — Fri, 03 Jul 2020 14:55:14 GMT

cluster1::> cluster log-forwarding create -destination <Splunk IP>

By the way, I re-read the description of this command: You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

Can I think: NetApp's existing logs can be exported to a SIEM system like Splunk for log analysis or archiving using this command?

Re: FAS8200 configure External SYSLOG Server

keremcumhur — Fri, 20 Nov 2020 10:15:53 GMT

this is a great answer, thanks a lot!

I have 3 questions

- is it possible to use a specific port for the event logging?

::*> event notification destination create -syslog server01:1234 -name test

- is a good practise to forwarding audit logs (cluster log-forwarding create) & event logs (event notification destination create) to same server?

- what is the best practise for the setting the facility level?

*> cluster log-forwarding create -destination bla -port 514 -protocol udp-unencrypted -verify-server false -facility kern user local0 local1 local2 local3 local4 local5 local6 local7

Re: FAS8200 configure External SYSLOG Server

Mjizzini — Thu, 11 Mar 2021 07:45:18 GMT

Cluster syslog forwarding: what does each facility represent?