ONTAP Discussions

problem with event logging

keremcumhur

Hi all, 

 

in short - how can I change the formatting on the event logs going to a syslog server?

in detail - 
I have configured my cluster to send event logs to Splunk.

mucfs01::> event notification destination show -name fluentd_sierra
 
                Destination Name: fluentd_sierra
             Type of Destination: syslog
                     Destination: fluentd.sierra.local
 Server CA Certificates Present?: -
   Client Certificate Issuing CA: -
Client Certificate Serial Number: -
       Client Certificate Valid?: -
 
mucfs01::> event filter show -filter-name forSplunk
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
forSplunk
            1        include   *                      *               EMERGENCY, ALERT, ERROR
            2        exclude   *                      *               *
2 entries were displayed.

 

Splunk sees the hostname as cluster nodename + event message name

[screenshot: keremcumhur_0-1606211984051.png]

 

And if you look at how packets are being sent from NetApp, the syslog packet is created this way.

[screenshot: keremcumhur_1-1606212082490.png]

 

I don't know the reason for this, but I could not change it. This way it creates a new 'host' entry in Splunk for each event on each node, which ends up with 100x new non-existent nodes.

I want to be able to modify the syslog event like this:

hostname = name of the node

ident = message name

message = message text

2 replies

TMAC_CTG

Curious... ONTAP version and Splunk version?

Maybe there is a bug on either side?

Have you updated one or both?

keremcumhur

We are using NetApp Release 9.6P8.

Splunk Enterprise is version 7.2.10.

 

The problem is that Splunk is a central service and I don't have permission to update it.

 

I found a tutorial. http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html

If you look at the third picture, you will see that his logs are also being formatted with hostname + error type.

 

 

As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.

But I am still curious why ONTAP does not allow me to modify how I want to send my syslog messages.
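For readers who need the same workaround on their own aggregator, below is an added illustration of the re-parsing step the thread describes: it is not the fluentd plugin the poster installed, not NetApp code, and not Splunk code. It assumes the layout the first post describes, where a stock RFC 3164 parser treats the whole "[node:event_name:severity]:" token as the hostname, and splits that token back into the three fields the poster wants (hostname = node, ident = message name, message = text). The sample lines are constructed to match that layout, not captures from mucfs01, and the node and event names in them are illustrative.

```python
"""Re-parse ONTAP-style EMS syslog lines so the host field is the node name,
not the whole "[node:event:severity]" token a stock RFC 3164 parser sees.

Added illustration for this thread; not the poster's fluentd plugin and not
NetApp or Splunk code. Sample lines below are constructed, not real captures.
"""
import re

# Constructed samples (assumed layout, as described in the first post).
# Three lines use the bracketed ONTAP shape; the last is a plain RFC 3164
# line so the fallback path is exercised as well.
SAMPLE_LINES = [
    "<3>Nov 24 10:25:30 [mucfs01-01:wafl.vol.full:error]: Volume vol1 is full.",
    "<1>Nov 24 10:25:31 [mucfs01-02:callhome.hm.alert.major:alert]: Call home for MAJOR alert.",
    "<3>Nov 24 10:25:32 [mucfs01-01:raid.disk.offline:error]: Disk 0a.12 is offline.",
    "<6>Nov 24 10:25:33 mucfs01-01 sshd[4242]: Accepted publickey for admin",
]

# "<PRI>Mmm dd hh:mm:ss " prefix shared by both shapes.
SYSLOG_HEAD = r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "

# ONTAP shape: the HOSTNAME slot holds "[node:event_name:severity]:".
ONTAP_RE = re.compile(
    SYSLOG_HEAD
    + r"\[(?P<node>[^:\]\s]+):\s*(?P<ident>[^:\]\s]+):\s*(?P<sev>[^\]\s]+)\]:\s*(?P<msg>.*)$"
)

# Plain RFC 3164 shape: "host tag[pid]: message".
RFC3164_RE = re.compile(
    SYSLOG_HEAD + r"(?P<host>\S+) (?P<ident>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)


def naive_host(line):
    """What a stock RFC 3164 parser puts in the host field: the first token
    after the timestamp, brackets and all. This is what yields one bogus
    Splunk host per (node, event name) pair."""
    m = re.match(SYSLOG_HEAD + r"(?P<host>\S+)", line)
    return m["host"] if m else None


def parse_line(line):
    """Return a dict with host/ident/message (plus facility and severity
    decoded from PRI), or None when neither pattern matches so the caller can
    route the line to a dead-letter index instead of mis-attributing it."""
    m = ONTAP_RE.match(line)
    if m:
        pri = int(m["pri"])
        return {
            "host": m["node"],
            "ident": m["ident"],
            "ontap_severity": m["sev"],
            "facility": pri >> 3,
            "severity": pri & 7,
            "time": m["ts"],
            "message": m["msg"],
        }
    m = RFC3164_RE.match(line)
    if m:
        pri = int(m["pri"])
        return {
            "host": m["host"],
            "ident": m["ident"],
            "ontap_severity": None,
            "facility": pri >> 3,
            "severity": pri & 7,
            "time": m["ts"],
            "message": m["msg"],
        }
    return None


def host_sets(lines):
    """Distinct host values before and after re-parsing, to confirm that the
    explosion of bogus hosts collapses to the real node names."""
    before = {naive_host(line) for line in lines} - {None}
    after = {rec["host"] for rec in map(parse_line, lines) if rec}
    return before, after


if __name__ == "__main__":
    before, after = host_sets(SAMPLE_LINES)
    print("hosts as a stock parser sees them:", sorted(before))
    print("hosts after re-parsing:           ", sorted(after))
    for line in SAMPLE_LINES:
        print(parse_line(line))
```

Two caveats worth keeping in mind when deploying something like this. The bracketed token layout is an assumption taken from the thread's description; check it against a packet capture from your own cluster (as the poster did) before trusting the regex, and keep the None path wired to a dead-letter index so a format change after an ONTAP upgrade shows up as a pile of unparsed lines rather than as silently wrong host attribution. Second, the destination shown in the first post has no server CA or client certificate configured, so the transport is plain syslog; the host value recovered here comes from the message body, which any sender on the path could forge, so treat it as a grouping label for Splunk, not as authentication of the source node.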

 

 
