ONTAP Discussions
I have set up event notification for security events like 'security.invalid.login' to be emailed to an ALERT list. This is an attempt at basic attack detection.
The first event tested perfectly, then it stopped!
Investigation revealed 'event config show' suppression = ON.
Now here is where I want to have my cake and eat it!!
Is it possible to exclude certain events such as security from event suppression? This is important for 2 reasons:
1) We actually receive event notifications as expected without suppression of security.*
2) Our logs show an accurate picture of security events, for example a brute force attack
My alternative would be to turn off suppression; however, it would be nice to tailor suppression if it was possible.
Rgds AndyP
Interesting use cases.
Can you try to create a filter just for security and add that to the filter on the suppression?
Filter Exempt from Suppression: no-info-debug-events
Ok I have done this:
event filter> show
Filter Name          Rule      Rule      Message Name             SNMP Trap Type      Severity
                     Position  Type
-------------------- --------- --------- ------------------------ ------------------- --------------------------------
default-trap-events
                     1         include   *                        *                   EMERGENCY, ALERT
                     2         include   callhome.*               *                   ERROR
                     3         include   *                        Standard, Built-in  *
                     4         exclude   *                        *                   *
failedlogin-events
                     1         include   security.invalid.login   *                   ALERT
                     2         exclude   *                        *                   *
important-events
                     1         include   *                        *                   EMERGENCY, ALERT
                     2         include   callhome.*               *                   ERROR
                     3         exclude   *                        *                   *
no-info-debug-events
                     1         include   *                        *                   EMERGENCY, ALERT, ERROR, NOTICE
                     2         exclude   *                        *                   *
event config*> show
Mail From: XXXXXX@XXXXXXX
Mail Server: HHHH.DDDD.COM
Proxy URL: -
Proxy User: -
Suppression: on
Console: on
Max Target Log Size: 36700160
Max Filter Count: 50
Max Filter Rule Count: 128
Max Destination Count: 20
Max Notification Count: 20
Filter Exempt from Suppression: failedlogin-events
Duplicate Suppression Duration (secs): 120
Log Rotation Size (bytes): 40MB
REST API Delivery Timeout (secs): 60
I then generated a failed logon, but the event was not logged! i.e. it was suppressed.
If I turn off suppression, all works OK and the failed login is recorded and shown in:
event log > show
3/28/2017 13:31:37 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: XXXXXX\YYYYYYY, application: ssh.
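The post above shows why duplicate suppression is a problem for brute-force detection: a burst of identical 'security.invalid.login' events is exactly the kind of repetition EMS collapses. The script below is an added example, not code from the original thread or from NetApp. It parses lines in the layout of the quoted `event log show` output, applies a deliberately simplified model of duplicate suppression (an assumption for illustration; ONTAP's real algorithm may differ), and runs a sliding-window failed-login counter over the result. The sample lines are constructed, and the node, Vserver and account names, the 120-second duration taken from the `event config show` output above, and the threshold values are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the `event log show` output quoted in the
# thread: a burst of eight failed ssh logins for one account ten seconds apart,
# two isolated failures for another account, and one unrelated NOTICE event.
# Node, Vserver and account names are made up for the example.
SAMPLE_LOG = """\
3/28/2017 13:31:00 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:31:10 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:31:20 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:31:30 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:31:40 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:31:50 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:32:00 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:32:10 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\admin, application: ssh.
3/28/2017 13:35:00 hncl1-01 NOTICE some.other.event: Unrelated message on the same node.
3/28/2017 13:40:00 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: http.
3/28/2017 15:05:12 hncl1-01 ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: hncl1, username: CORP\\alice, application: http.
"""

# "<m/d/yyyy hh:mm:ss> <node> <SEVERITY> <message.name>: <message text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<node>\S+)\s+"
    r"(?P<severity>[A-Z]+)\s+(?P<name>[\w.]+):\s+(?P<msg>.*)$"
)
# Fields inside the security.invalid.login message text.
LOGIN_RE = re.compile(
    r"Vserver: (?P<vserver>[^,]+), username: (?P<user>[^,]+), application: (?P<app>[^.]+)\."
)


def parse_events(text, message_name="security.invalid.login"):
    """Parse event log lines, keeping only the named EMS message."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["name"] != message_name:
            continue
        ev = {
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "node": m["node"],
            "severity": m["severity"],
            "name": m["name"],
            "msg": m["msg"],
        }
        f = LOGIN_RE.search(m["msg"])
        if f:
            ev.update(vserver=f["vserver"], user=f["user"], app=f["app"])
        events.append(ev)
    return events


def apply_duplicate_suppression(events, duration_secs=120):
    """Simplified model (an assumption, not ONTAP's exact algorithm) of EMS
    duplicate suppression: an event whose node, message name and message text
    match one already logged within `duration_secs` is dropped."""
    window = timedelta(seconds=duration_secs)
    last_logged = {}
    kept = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["node"], ev["name"], ev["msg"])
        prev = last_logged.get(key)
        if prev is not None and ev["ts"] - prev <= window:
            continue  # suppressed: identical text within the duration
        last_logged[key] = ev["ts"]
        kept.append(ev)
    return kept


def detect_bruteforce(events, threshold=5, window_secs=600):
    """Flag (vserver, user, app) tuples with >= threshold failures inside any
    sliding window of window_secs. Returns {key: max failures in one window}."""
    window = timedelta(seconds=window_secs)
    by_key = defaultdict(list)
    for ev in events:
        if "user" in ev:
            by_key[(ev["vserver"], ev["user"], ev["app"])].append(ev["ts"])
    hits = {}
    for key, times in by_key.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    raw = parse_events(SAMPLE_LOG)
    print("unsuppressed:", detect_bruteforce(raw))
    print("after 120 s duplicate suppression:",
          detect_bruteforce(apply_duplicate_suppression(raw)))
```

With suppression off, the eight-attempt burst against the admin account is flagged; with the 120-second duplicate suppression modelled, the burst collapses to a single logged event and the detector sees nothing, which is the loss of fidelity the post describes. A detector that counts from EMS output therefore needs either suppression disabled for the security message names or an independent source such as the audit log.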
It doesn't seem to work in ONTAP 9.1P9. Creating an 'include' filter for a single event ONLY shows that event.
Filter Name             Rule      Rule      Message Name             SNMP Trap Type   Severity
                        Position  Type
----------------------- --------- --------- ------------------------ ---------------- --------
security_invalid_login
                        1         include   security.invalid.login   *                ALERT
                        2         exclude   *                        *                *
xxxxxxxx::> event log show -filter-name security_invalid_login
Time Node Severity Event
------------------- ---------------- ------------- ---------------------------
3/20/2018 11:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 10:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 09:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 08:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 07:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 06:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 05:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
3/20/2018 04:24:28 xxxxxxxx ALERT security.invalid.login: Failed to authenticate login attempt to Vserver: xxxxxxxx, username: admin, application: ontapi.
Changing this to an 'exclude' rule type allows viewing all except these messages.