I have a requirement to use a custom syslog port and can't find any way of doing this using the Event Notification command set?
It is an option with the "cluster log-forward" command set but my understanding is that this is for audit log forwarding, not EMS, so isn't what I'm after (although I'm happy to be wrong)?
I did find this RFE bug from a couple of years ago but doesn't give any recent info (last updated Dec 2019) on whether this is still open and progressing:
The solution in this post references a possible internal "hack", so thought I'd chuck this out to see if anyone has that relevant info/workaround to hand? Or if not, an alternative method to achieve what I need?
Have you at least tried cluster log-forwarding command?
KBs said: "Creating a syslog forwarding destination with TCP or UDP and custom port". It uses the above command.
I saw that the example in the docs states audit log, but there's no other information mentioning it (audit) or anything else.
Regarding the event notification command, did you try to create a destination specifying the port? (event notification destination create -name XYZ -syslog 10.0.0.1:1234)
Yes, it's been tested and cluster log-forwarding only forwards audit logs, not EMS.
"Creating a syslog forwarding destination with TCP or UDP and custom port" - I'm guessing this is just referring to the mechanism/standard being used.
I did try appending the port number (with event notification cmd) and it doesn't like it (& yes, this is a previously tested and working config using default port 514):
"Error: command failed: The value for the field "syslog" is invalid: Unknown host x.x.x.x:5140"
I'd create a case and ask for an update on the RFE bug. You can also go through the account team to help push if this is a major requirement of your business.
You can try these commands, but it's not guaranteed. I found them internally:
event notification destination create -name <name> -syslog host.company.com
event notification create -filter-name no-info-debug-events -destinations <name>
cluster log-forwarding create -destination host.company.com -port 5148 -facility local1
I have logged a case and the response on the RFE status is that it's open but doesn't look like it's going to be implemented.
Do you know what the different syslog facilities are for?
kern, user, local0, local1, local2, local3, local4, local5, local6, local7
After getting the runaround in a support ticket about this, and blowing a bunch of time trying to figure out how to ship EMS events into our logging concentrator (Graylog), I found this thread.
All I can say is yikes - it sounds like we can't use our enterprise toolset to monitor events on NetApp because EMS events have to be handled completely within the NetApp ecosystem (eg AIQUM) - this SUCKS.
How could something as simple as syslog forwarding (beyond audit logs...) not work? I understand that NetApp are something of a lumbering giant at this point, but syslog isn't a new concept, and central logging isn't either.
What is your case number? I don't remember but AIQUM may be able to forward to SNMP servers, and maybe SNMP traps could be used.
Thanks Paul - I'll probably be taking on SNMP next, but I'm frustrated that I'll have to do that.
We're really trying to standardize as much as possible on using modern logging SIEMs (eg Graylog) for operational monitoring. So far, NetApp EMS appears to be the only thing that can't be managed that way.
For the ungodly sums of money being forked over to NetApp, the amount of trouble I encounter trying to do simple things is just unreal. I love that FAS hardware is so rock-solid, but working in ONTAP just makes me want to jump out of a window, frequently.
Our latest foray into trying to make sense of logging was 2009035646.
This forum post makes it seem like you can at least forward EMS events hard-coded into the important-events filter (not great, we like flexibility): Solved: Re: FAS8200 configure External SYSLOG Server - NetApp Community
...but I think we're back to the whole "can't use a custom port" problem, which is wonky because udp/514 is usually reserved for really old, really stupid devices, so if your SIEM expects to use dedicated ports for input separation, you have to lump ONTAP in with the really old, really stupid device class (eg really old network appliances) - but we don't even offer that at our site currently because it's difficult to run a modern SIEM syslog listener on a privileged port, and ONTAP would be the only device that actually needs it.
I feel for you. That case looks like it was opened but never got a response so it got closed in L1. If you respond to it, make sure to include this thread. The case will require a response in a timely manner to move it forward.
Also, with a bug, the account team can help with prioritizing a fix. A PVR may even help here.
Thanks. Yep we have a hard time replying back within the timeout period for tickets.
I'm playing stupid games with iptables ipsets now and will be doing a bunch of NATing on our SIEM to forward udp/514 to various inputs based on ipset membership to pull EMS events out of the general udp/514 bucket.
This is overly complicated but it'll probably work.
That'll leave the final remaining thing to work around simply being monkeying with the important-events filter, if that's even possible.
Final piece of advice until NetApp figure out how to support custom ports for syslog: Use 'ipset' + iptables to create a NAT rule for all NetApp devices that are too bone-headed to use a custom port.
-A PREROUTING -p udp --dport 514 -m set --match-set netapp-systems src -j REDIRECT --to-port 1517
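The following script is an added example, not code from the thread or from NetApp: it builds the ipset and the nat-table PREROUTING rule described in the last two posts, so that syslog from set members is redirected from udp/514 onto a dedicated SIEM input while everything else stays on 514. The set name netapp-systems and target port 1517 come from the rule above; the sample addresses 10.0.0.11 and 10.0.0.12 are constructed placeholders. It prints the commands for review by default and only executes them when APPLY=1 (which needs root).

```shell
#!/bin/sh
# Added example (not from the thread): assemble the ipset + iptables NAT redirect
# that moves syslog from NetApp sources off udp/514 onto a dedicated SIEM input.
# Assumed values: set name "netapp-systems", SIEM input port 1517 (both from the
# rule in the thread); the addresses passed at the bottom are constructed samples.
SET_NAME="${SET_NAME:-netapp-systems}"
SIEM_PORT="${SIEM_PORT:-1517}"

# Emit the ipset commands that create the set (idempotently) and populate it.
# Usage: ipset_cmds 10.0.0.11 10.0.0.12
ipset_cmds() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    for ip in "$@"; do
        printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"
    done
}

# Emit the nat-table PREROUTING rule: only UDP/514 whose source is in the set is
# redirected; the -t nat table must be named explicitly when typed at the CLI.
# REDIRECT's option is spelled --to-ports; the thread's --to-port is the accepted
# unambiguous abbreviation of it.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p udp --dport 514 -m set --match-set %s src -j REDIRECT --to-ports %s\n' \
        "$SET_NAME" "$SIEM_PORT"
}

# Run the commands when APPLY=1 (needs root); otherwise print them for review.
apply_or_show() {
    if [ "${APPLY:-0}" = "1" ]; then
        ipset_cmds "$@" | sh -e
        redirect_rule | sh -e
    else
        ipset_cmds "$@"
        redirect_rule
    fi
}

# Constructed sample sources; replace with the management/node LIF addresses
# that actually send EMS syslog.
apply_or_show 10.0.0.11 10.0.0.12
```

After applying, confirm the SIEM input on port 1517 is bound on the interface that receives the traffic (REDIRECT rewrites the destination to that interface's primary address), then watch the rule's packet counter with `iptables -t nat -L PREROUTING -n -v` while a NetApp node emits an event; a rule whose counter never moves usually means the source address is not in the set, which `ipset list netapp-systems` will show.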