ONTAP Discussions

Syslogging: Cluster log-forwarding vs event destination

DavidDAVE
4,969 Views

Dear all,

 

First of all, thank you for your time reading this. We have configured splunk as our syslog server, and configuring everything to forward over there. We are working with a non-standard port for this, so no 514.

 

Googling this a bit, I founded this new command, “cluster log-forwarding”, which allows you to specify a port, so that’s cool. Our worries here are that this command doesnt seem to filter which events are sent to the syslog server, and we are worried about the level of logging, we don’t want our splunk server to be overwhelmed.

 

Is possible to combine cluster log-forwarding with even destination filtering somehow?

 

https://docs.netapp.com/us-en/ontap-cli-93/cluster-log-forwarding-create.html#description

https://docs.netapp.com/us-en/ontap/error-messages/configure-ems-events-notifications-syslog-task.html

 

Thanks in advance!

Kind regards,

 

David

1 ACCEPTED SOLUTION
DavidDAVE has accepted the solution

RossC
4,868 Views

Hi @DavidDAVE 

 

So a couple of things to keep in mind. 

 

  • "cluster log-forwarding" commands are used for enabling AUDIT LOGS to be sent to a Syslog destination
  • "event notification" commands is for enabling EMS LOGS to be sent to a Syslog destination.

 

Now, you can control to an extent what is included in the AUDIT LOGs (and in turn passed along to the Syslog server). See - https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html

 

In terms of the EMS logs, you can absolutely manage what EMS events are passed along to the Syslog server when configuring it using the event notification commands.

 

Some helpful articles that might point you in the right direction,

 

 

View solution in original post

4 REPLIES 4
DavidDAVE has accepted the solution

RossC
4,869 Views

Hi @DavidDAVE 

 

So a couple of things to keep in mind. 

 

  • "cluster log-forwarding" commands are used for enabling AUDIT LOGS to be sent to a Syslog destination
  • "event notification" commands is for enabling EMS LOGS to be sent to a Syslog destination.

 

Now, you can control to an extent what is included in the AUDIT LOGs (and in turn passed along to the Syslog server). See - https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html

 

In terms of the EMS logs, you can absolutely manage what EMS events are passed along to the Syslog server when configuring it using the event notification commands.

 

Some helpful articles that might point you in the right direction,

 

 

DavidDAVE
4,833 Views

Ey mate, really good answer!!

 

Just something to clarify here, is there anyway to choose port for event notification? 514 forbidden here!

 

RossC
4,821 Views

Hi @DavidDAVE 

 

From the looks of our documentations it looks like we do not support a custom port at this point in time for the "Event notification" commands. You can see a similar conversation unfold over at this thread, where another customer had to use NAT rules to reroute the traffic.

 

https://community.netapp.com/t5/ONTAP-Discussions/Syslog-custom-port/m-p/430889/highlight/true#M39809

 

Alternatively (and I think it's also discussed in the same above thread) we have customers whom deploy ActiveIQ Unified Manager to monitor and manage their ONTAP based NetApp systems, then use SNMP traps to gather certain log events from Unified Manger (instead of each separate ONTAP system). 

DavidDAVE
4,810 Views

Understood, thanks for your time and your answers Ross 🙂

 

Public