ONTAP Discussions

problem with event logging

keremcumhur
2,229 Views

Hi all, 

 

in short - how can I change the formatting on the event logs going to a syslog server?

in detail - 
 I have configured my cluster to to send event logs to Splunk.

mucfs01::> event notification destination show -name fluentd_sierra
 
                Destination Name: fluentd_sierra
             Type of Destination: syslog
                     Destination: fluentd.sierra.local
 Server CA Certificates Present?: -
   Client Certificate Issuing CA: -
Client Certificate Serial Number: -
       Client Certificate Valid?: -
 
mucfs01::> event filter show -filter-name forSplunk
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
forSplunk
            1        include   *                      *               EMERGENCY, ALERT, ERROR
            2        exclude   *                      *               *
2 entries were displayed.

 

Splunk sees the hostname as cluster nodename + event message name

keremcumhur_0-1606211984051.png

 

And if you look at how packages are being sent from NetApp, the syslog package is created this way.

keremcumhur_1-1606212082490.png

 

I don't know the reason for this, but I could not change it. And this way it is creating for each event on each node a new 'host' entry on Splunk, which ends up with 100x new non-existing nodes.

I want to be able to modify the syslog event like

hostname = name of the node

ident = message name

message = message text

2 REPLIES 2

TMACMD
2,201 Views

Curious....ONTAP version and Splunk Version?

Maybe there is a bug on either side?

Have you updated one or both?

keremcumhur
2,137 Views

we are using NetApp Release 9.6P8.

Splunk Ent. is using version 7.2.10

 

The problem is Splunk is a central service and I don't have permissions to update it.

 

I found a tutorial. http://www.cosonok.com/2017/09/how-to-setup-syslog-from-netapp-in.html

If you look at the 3rd picture, you will see that his logs are also being formatted with hostname + error type. 

 

 

As a workaround, we have installed a plugin on the fluentd aggregator, which parses the input coming from the cluster and pushes it properly to Splunk.

But I am still curious, why Ontap does not allow me to modify how I want to send my syslog messages. 

 

 

Public