ONTAP Discussions

problem with event logging


Hi all, 


in short - how can I change the formatting on the event logs going to a syslog server?

in detail - 
 I have configured my cluster to send event logs to Splunk.

mucfs01::> event notification destination show -name fluentd_sierra
                Destination Name: fluentd_sierra
             Type of Destination: syslog
                     Destination: fluentd.sierra.local
 Server CA Certificates Present?: -
   Client Certificate Issuing CA: -
Client Certificate Serial Number: -
       Client Certificate Valid?: -
mucfs01::> event filter show -filter-name forSplunk
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
            1        include   *                      *               EMERGENCY, ALERT, ERROR
            2        exclude   *                      *               *
2 entries were displayed.


Splunk sees the hostname as cluster nodename + event message name



And if you look at how packets are being sent from NetApp, the syslog packet is created this way.



I don't know the reason for this, but I could not change it. This way, it creates a new 'host' entry in Splunk for each event on each node, which ends up with 100x new non-existent nodes.

I want to be able to modify the syslog event like

hostname = name of the node

ident = message name

message = message text


Re: problem with event logging


Curious....ONTAP version and Splunk Version?

Maybe there is a bug on either side?

Have you updated one or both?

Re: problem with event logging


We are using NetApp Release 9.6P8.

Splunk Enterprise is on version 7.2.10.


The problem is Splunk is a central service and I don't have permissions to update it.


I found a tutorial. http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html

If you look at the 3rd picture, you will see that his logs are also being formatted with hostname + error type. 



As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.

But I am still curious why ONTAP does not allow me to modify how I want to send my syslog messages.
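The re-parsing step the workaround above performs on the aggregator, written out as an added Python example. This is not the poster's fluentd plugin, nor ONTAP or Splunk code. It assumes an RFC 3164-shaped line in which the HOSTNAME slot carries "node:message.name" (the glued-together value the thread says Splunk uses as host); the sample lines, node names and message names are constructed for the example, and the regex must be adjusted to the raw lines your own aggregator receives. It splits each line into host = node name, ident = message name, message = message text, shows how many distinct "hosts" Splunk would create before and after the split, and builds the JSON body for the Splunk HTTP Event Collector.

```python
"""Re-parse ONTAP-style syslog lines so the Splunk host field holds only the node name."""
import json
import re
from collections import Counter

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "info", "debug"]

# RFC 3164-shaped line: <PRI>TIMESTAMP HOSTNAME MSG. The HOSTNAME slot is ASSUMED to carry
# "<node>:<EMS message name>", which is the value the thread describes Splunk seeing as host.
# Adjust this pattern to the raw lines your aggregator actually receives.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed sample input (not captured from a real cluster): two nodes, five events.
SAMPLE_LINES = [
    "<11>Jan 14 10:02:17 mucfs01-01:wafl.vol.full Volume vol1 is full.",
    "<10>Jan 14 10:02:19 mucfs01-02:disk.outOfService Disk 0b.10.3 taken out of service.",
    "<11>Jan 14 10:05:40 mucfs01-01:raid.disk.offline Disk 0a.00.5 is offline.",
    "<8>Jan 14 10:06:01 mucfs01-02:callhome.battery.low Battery capacity is low.",
    "<11>Jan 14 10:07:12 mucfs01-02:wafl.vol.full Volume vol7 is full.",
]


def host_as_received(line):
    """The host value a plain syslog parser keeps: node and message name glued together."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("host")


def parse_ontap_line(line):
    """Split one line into node name, ident (EMS message name), severity and message text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    node, sep, ident = m.group("host").partition(":")
    return {
        "timestamp": m.group("ts"),
        "host": node,
        "ident": ident if sep else None,  # plain hostname: nothing to split off
        "facility": pri >> 3,
        "severity": SEVERITY_NAMES[pri & 7],
        "message": m.group("msg"),
    }


def to_hec_event(parsed, sourcetype="netapp:ems"):
    """JSON body for a Splunk HTTP Event Collector request: host is the node, the rest is event data."""
    return json.dumps({
        "host": parsed["host"],
        "sourcetype": sourcetype,
        "event": {
            "ident": parsed["ident"],
            "severity": parsed["severity"],
            "message": parsed["message"],
        },
    }, sort_keys=True)


def distinct_hosts(lines, extractor):
    """Count how many separate 'host' entries Splunk would create under a given extraction."""
    return Counter(extractor(line) for line in lines)


if __name__ == "__main__":
    before = distinct_hosts(SAMPLE_LINES, host_as_received)
    after = distinct_hosts(SAMPLE_LINES, lambda l: parse_ontap_line(l)["host"])
    print("hosts as received:   ", sorted(before))   # one per node+message pair
    print("hosts after re-parse:", sorted(after))    # one per real node
    for line in SAMPLE_LINES:
        print(to_hec_event(parse_ontap_line(line)))
```

Note that a colon is not a legal character in an RFC 3164 hostname, so a strict syslog parser in front of this step may already have rejected or mangled the field; run the split on the raw line, before any hostname validation, and keep the fallback for lines whose host field carries no message name.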


