Dear all,
First of all, thank you for your time reading this. We have configured Splunk as our syslog server, and are configuring everything to forward over there. We are working with a non-standard port for this, so not 514.
Googling this a bit, I found this new command, "cluster log-forwarding", which allows you to specify a port, so that's cool. Our worry here is that this command doesn't seem to filter which events are sent to the syslog server, and we are worried about the level of logging; we don't want our Splunk server to be overwhelmed.
Is it possible to combine cluster log-forwarding with event destination filtering somehow?
https://docs.netapp.com/us-en/ontap-cli-93/cluster-log-forwarding-create.html#description
Thanks in advance!
Kind regards,
David
1 ACCEPTED SOLUTION
DavidDAVE has accepted the solution
Hi @DavidDAVE
So, a couple of things to keep in mind:
- "cluster log-forwarding" commands are used for enabling AUDIT LOGS to be sent to a syslog destination.
- "event notification" commands are used for enabling EMS LOGS to be sent to a syslog destination.
Now, you can control to an extent what is included in the AUDIT LOGS (and in turn passed along to the syslog server). See https://docs.netapp.com/us-en/ontap/system-admin/commands-manage-audit-settings-reference.html
In terms of the EMS logs, you can absolutely manage what EMS events are passed along to the syslog server when configuring it using the event notification commands.
Some helpful articles that might point you in the right direction:
- https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs
- https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Event_forwarding_to_a_Syslog_server
- https://www.netapp.com/pdf.html?item=/media/16880-tr-4303pdf.pdf
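The two forwarding paths described in the answer above, written out as an added ONTAP CLI example (not part of the original post or of NetApp's documentation). The destination address 192.0.2.10, the port 1514, the filter name splunk-critical and the destination name splunk are placeholders; the audit path takes a custom port via cluster log-forwarding, while the EMS path is filtered with an event filter so that only the selected severities leave the cluster:

```console
# --- 1. Audit log (command/API activity) -> syslog on a non-standard port ---
# cluster log-forwarding accepts a -port; the protocol and facility values are the
# standard ONTAP ones (udp-unencrypted | tcp-unencrypted | tcp-encrypted).
cluster1::> cluster log-forwarding create -destination 192.0.2.10 -port 1514 -protocol udp-unencrypted -facility user

# Volume is controlled on the audit side, not the forwarder: read-only (get)
# requests are the bulk of audit traffic, so leave them off unless required.
cluster1::> security audit modify -cliget off -httpget off -ontapiget off
cluster1::> security audit show

# --- 2. EMS events -> syslog, filtered by severity ---
# A filter ends with an implicit exclude-all rule, so at least one include rule
# is required. This one passes only EMERGENCY/ALERT/ERROR events of any name.
cluster1::> event filter create -filter-name splunk-critical
cluster1::> event filter rule add -filter-name splunk-critical -type include -message-name * -severity EMERGENCY,ALERT,ERROR

# Preview which EMS messages the filter would actually forward before enabling it.
cluster1::> event filter test -filter-name splunk-critical

# Syslog destination and the notification that ties filter and destination together.
cluster1::> event notification destination create -name splunk -syslog 192.0.2.10
cluster1::> event notification create -filter-name splunk-critical -destinations splunk
cluster1::> event notification show
```

The filter is where the "overwhelmed Splunk" concern is addressed: tighten or loosen the -severity list (or add -type exclude rules for noisy message names) and re-run `event filter test` to see the effect before changing the notification. As the follow-up in this thread notes, the event notification syslog destination on the release being discussed has no port parameter, so only the audit path above lands on 1514; the EMS path still goes to 514 unless something in front of the collector redirects it.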
Hey mate, really good answer!!
Just something to clarify here: is there any way to choose a port for event notification? 514 is forbidden here!
Hi @DavidDAVE
From the looks of our documentation, it looks like we do not support a custom port at this point in time for the "event notification" commands. You can see a similar conversation unfold over at this thread, where another customer had to use NAT rules to reroute the traffic.
Alternatively (and I think it's also discussed in the same thread above), we have customers who deploy ActiveIQ Unified Manager to monitor and manage their ONTAP-based NetApp systems, then use SNMP traps to gather certain log events from Unified Manager (instead of from each separate ONTAP system).
Understood, thanks for your time and your answers Ross 🙂