FAS and V-Series Storage Systems Discussions

FAS8200 configure External SYSLOG Server

I searched about the syslog configuration in the NetApp documentation center and found that the two commands involve syslog. What is the difference between these two commands?



cluster1::> cluster log-forwarding create -destination <syslog server IP>



cluster1::> event destination create -name support.bucket01 -syslog <syslog server IP>



Re: FAS8200 configure External SYSLOG Server

Audit logs: (It's up to you)
Audit logs (Since 9.x) only contains management related activities from the three shells for CLI commands—the clustershell, the nodeshell, and the non-interactive systemshell (interactive systemshell commands are not logged)—as well as API commands. The audit.log file is sent by the AutoSupport tool to the specified recipients. However, you can also forward the content securely to external destinations that you specify; for example, a Splunk or a syslog server.

EMS Events: (More important)
To log notifications of the most severe (Important) events on a syslog server, you must configure the EMS to forward notifications for events that signal important activity.


If you want to know what those important events are, then run this command:
::> event catalog show -filter-name important-events

Re: FAS8200 configure External SYSLOG Server

Thank you for your explanation, but I still don't understand it. And I found that the second link in my topic is wrong; it should be https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/event__destination__create.html.


The description of this command shows: The event destination create command creates a new event destination. An event destination is a list of addresses that receive event notifications. These addresses can be e-mail addresses, SNMP trap hosts, and syslog servers.


So suppose I have a Splunk server, and I want to send my FAS8200 syslog to my Splunk server. Which command should I choose to use?


cluster1::> cluster log-forwarding create -destination <Splunk IP>


cluster1::> event destination create -name syslog01 -syslog <Splunk IP>


Re: FAS8200 configure External SYSLOG Server



Please use this one:

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Confirm to see if it's added:

::> event destination show




Re: FAS8200 configure External SYSLOG Server

Thank you very much! 👍

Re: FAS8200 configure External SYSLOG Server

cluster1::> cluster log-forwarding create -destination <Splunk IP>


By the way, I re-read the description of this command: You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.


Can I take it that NetApp's existing logs can be exported to a SIEM system like Splunk for log analysis or archiving using this command?

Re: FAS8200 configure External SYSLOG Server

This is a great answer, thanks a lot!

I have 3 questions:

- Is it possible to use a specific port for the event logging?



::*> event notification destination create -syslog server01:1234 -name test




- Is it good practice to forward audit logs (cluster log-forwarding create) and event logs (event notification destination create) to the same server?

- What is the best practice for setting the facility level?



*> cluster log-forwarding create -destination bla -port 514 -protocol udp-unencrypted -verify-server false -facility
    kern   user   local0 local1 local2 local3 local4 local5 local6 local7
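A complete configuration sequence covering both streams discussed in this thread (EMS event forwarding, as in the accepted answer, and audit-log forwarding via cluster log-forwarding), with the port and facility questions from the last post worked in. This is an added example, not a command transcript from any of the posters: `splunk01.example.com`, the destination names, port 1514 and the facility choice are placeholders; the `-syslog-port` and `-syslog-transport` parameters of `event notification destination create` are assumed to exist on your ONTAP 9 release (confirm with `event notification destination create ?`); the `#` lines are annotations, not clustershell input.

```console
# --- 1. EMS events -------------------------------------------------------
# Create the syslog destination. Port/transport parameters assumed present
# on your release; the "host:port" form shown in the thread is the alternative.
cluster1::> event notification destination create -name syslog01 -syslog splunk01.example.com -syslog-port 1514 -syslog-transport udp-unencrypted

# A destination receives nothing until a filter is bound to it.
# "important-events" is the built-in filter referenced in the first answer.
cluster1::> event notification create -filter-name important-events -destinations syslog01

# Review what that filter actually matches before relying on it.
cluster1::> event filter show -filter-name important-events

# --- 2. Audit log (clustershell / nodeshell / API management activity) ---
# Give the audit stream its own facility (local1 here, a placeholder) so the
# SIEM can separate audit records from EMS events when both reach the same
# collector. Check the EMS destination's facility first with
#   event notification destination show -instance
# -verify-server only has an effect with -protocol tcp-encrypted.
cluster1::> cluster log-forwarding create -destination splunk01.example.com -port 1514 -protocol udp-unencrypted -verify-server false -facility local1

# --- 3. Verify both paths are configured -----------------------------------
cluster1::> event notification destination show
cluster1::> event notification show
cluster1::> cluster log-forwarding show
```

The `udp-unencrypted` value is used above because it is the one shown in the thread; where the collector supports it, `-protocol tcp-encrypted` with `-verify-server true` on the audit path gives the SIEM an authenticated, tamper-resistant copy of the management audit trail, which is the record an investigator will rely on.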


