In short - how can I change the formatting of the event logs going to a syslog server? In detail - I have configured my cluster to send event logs to Splunk.
mucfs01::> event notification destination show -name fluentd_sierra
Destination Name: fluentd_sierra
Type of Destination: syslog
Server CA Certificates Present?: -
Client Certificate Issuing CA: -
Client Certificate Serial Number: -
Client Certificate Valid?: -
mucfs01::> event filter show -filter-name forSplunk
Filter Name  Rule Position  Rule Type  Message Name  SNMP Trap Type  Severity
-----------  -------------  ---------  ------------  --------------  --------
forSplunk    1              include    *             *               EMERGENCY, ALERT, ERROR
             2              exclude    *             *               *
2 entries were displayed.
Splunk sees the hostname as cluster node name + event message name.
And if you look at how packets are being sent from NetApp, the syslog packet is created this way.
I don't know the reason for this, but I could not change it. And this way it is creating, for each event on each node, a new 'host' entry on Splunk, which ends up with 100x new non-existing nodes.
I want to be able to modify the syslog event like this:
hostname = name of the node
ident = message name
message = message text
Curious.... ONTAP version and Splunk version?
Maybe there is a bug on either side?
Have you updated one or both?
We are using NetApp Release 9.6P8.
Splunk Ent. is on version 7.2.10.
The problem is Splunk is a central service and I don't have permissions to update it.
I found a tutorial: http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html
If you look at the 3rd picture, you will see that his logs are also being formatted with hostname + error type.
As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.
But I am still curious why ONTAP does not allow me to modify how I want to send my syslog messages.
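The reshaping the poster's fluentd workaround performs, shown here as a standalone Ruby example added to this thread; it is not the poster's plugin, cosonok's tutorial code, or anything shipped by NetApp or fluentd. It assumes RFC 3164 framing (`<PRI>Mmm dd hh:mm:ss HOST MSG`) and that the joined HOST token uses a colon between node name and EMS message name (the thread only says the two are concatenated, so the separator is an assumption). The sample syslog lines, node names and message names are constructed for the example. Severity and facility are decoded from PRI as the syslog RFCs define them, and a host token that does not start with a known cluster node is left untouched so unrelated senders are not rewritten.

```ruby
# Reshape ONTAP EMS syslog lines whose HOST field arrived as "node:messagename"
# into hostname / ident / message, the way a fluentd filter plugin would.
# Added example for this thread; not the poster's plugin or vendor code.

# RFC 3164 framing. HOST is assumed to be "node:messagename" (colon assumed).
SYSLOG_RE = /\A<(?<pri>\d{1,3})>(?<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?<host>\S+) (?<msg>.*)\z/m

# Syslog severity names by numeric code 0..7 (PRI & 7).
SEVERITY = %w[emerg alert crit err warning notice info debug].freeze

# Constructed sample input; node and message names are hypothetical.
KNOWN_NODES = %w[mucfs01-01 mucfs01-02].freeze
SAMPLE_LINES = [
  "<11>Mar 10 12:34:56 mucfs01-01:wafl.vol.full Volume vol1 is full.",
  "<10>Mar 10 12:35:01 mucfs01-02:monitor.globalStatus.critical Global status: critical.",
  "<13>Mar 10 12:36:00 otherhost Unrelated message from a non-ONTAP sender"
].freeze

# Split a joined HOST token into [node, ident]. Returns nil when the token
# has no separator or the node part is not one of the cluster's nodes, so
# an unrelated sender with a colon in its hostname is not rewritten.
def split_host(host_token, known_nodes)
  node, ident = host_token.split(":", 2)
  return nil if ident.nil? || ident.empty?
  return nil unless known_nodes.include?(node)
  [node, ident]
end

# Parse one syslog line into a flat record. Returns nil for unparseable input.
def reshape(line, known_nodes)
  m = SYSLOG_RE.match(line)
  return nil unless m
  pri = m[:pri].to_i
  record = {
    "time"     => m[:ts],
    "host"     => m[:host],     # raw token; replaced below if it was joined
    "ident"    => nil,          # EMS message name once split out
    "message"  => m[:msg],
    "severity" => SEVERITY[pri & 7],
    "facility" => pri >> 3
  }
  if (parts = split_host(m[:host], known_nodes))
    record["host"], record["ident"] = parts
  end
  record
end

# Process a batch; drops lines that did not parse.
def reshape_all(lines = SAMPLE_LINES, nodes = KNOWN_NODES)
  lines.map { |l| reshape(l, nodes) }.compact
end

if $PROGRAM_NAME == __FILE__
  reshape_all.each { |r| puts r.inspect }
end
```

In a real fluentd filter plugin the `filter(tag, time, record)` method would call `reshape` on the raw line and return the resulting hash, so the Splunk output plugin then sends `host` as the node name and `ident` as a separate field instead of minting a new Splunk host per event type. Keeping the known-node list explicit is what prevents the filter from mangling other syslog sources that share the aggregator.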