NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

ONTAP Discussions

problem with event logging

keremcumhur
3,421 Views

Hi all, 

 

in short - how can I change the formatting on the event logs going to a syslog server?

in detail - 
 I have configured my cluster to to send event logs to Splunk.

mucfs01::> event notification destination show -name fluentd_sierra
 
                Destination Name: fluentd_sierra
             Type of Destination: syslog
                     Destination: fluentd.sierra.local
 Server CA Certificates Present?: -
   Client Certificate Issuing CA: -
Client Certificate Serial Number: -
       Client Certificate Valid?: -
 
mucfs01::> event filter show -filter-name forSplunk
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
forSplunk
            1        include   *                      *               EMERGENCY, ALERT, ERROR
            2        exclude   *                      *               *
2 entries were displayed.

 

Splunk sees the hostname as cluster nodename + event message name

keremcumhur_0-1606211984051.png

 

And if you look at how packages are being sent from NetApp, the syslog package is created this way.

keremcumhur_1-1606212082490.png

 

I don't know the reason for this, but I could not change it. And this way it is creating for each event on each node a new 'host' entry on Splunk, which ends up with 100x new non-existing nodes.

I want to be able to modify the syslog event like

hostname = name of the node

ident = message name

message = message text

2 REPLIES 2

TMACMD
3,393 Views

Curious....ONTAP version and Splunk Version?

Maybe there is a bug on either side?

Have you updated one or both?

keremcumhur
3,329 Views

we are using NetApp Release 9.6P8.

Splunk Ent. is using version 7.2.10

 

The problem is Splunk is a central service and I don't have permissions to update it.

 

I found a tutorial. http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html

If you look at the 3rd picture, you will see that his logs are also being formatted with hostname + error type. 

 

 

As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.

But I am still curious, why Ontap does not allow me to modify how I want to send my syslog messages. 

 

 

Public