FAS8200 configure External SYSLOG Server

Ops_Darren

I searched the NetApp documentation center for syslog configuration and found two commands that involve syslog. What is the difference between these two commands?

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

cluster1::> cluster log-forwarding create -destination <syslog server IP>

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.exp-ems%2Fhome.html

cluster1::> event destination create -name support.bucket01 -syslog <syslog server IP>

1 ACCEPTED SOLUTION

Ontapforrum
Hi,

Please use this one:

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Confirm that it was added:

::> event destination show

Thanks! 

7 REPLIES

Ontapforrum
Audit logs: (It's up to you)
Audit logs (since 9.x) only contain management-related activities from the three shells for CLI commands (the clustershell, the nodeshell, and the non-interactive systemshell; interactive systemshell commands are not logged) as well as API commands. The audit.log file is sent by the AutoSupport tool to the specified recipients. However, you can also forward the content securely to external destinations that you specify, for example a Splunk or a syslog server.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html


EMS Events: (More important)
To log notifications of the most severe (Important) events on a syslog server, you must configure the EMS to forward notifications for events that signal important activity.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-ssg%2FGUID-2C98AC64-51D7-44F9-8D29-75BAC122D5E6.html

If you want to know what those important events are, then run this command:
::> event catalog show -filter-name important-events

Ops_Darren
Thank you for your explanation, but I still don't understand it. And I found that the second link in my topic is wrong, it should be https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/event__destination__create.html.

The description of this command says: The event destination create command creates a new event destination. An event destination is a list of addresses that receive event notifications. These addresses can be e-mail addresses, SNMP trap hosts, and syslog servers.

So suppose I have a Splunk server, and I want to send my FAS8200 syslog to my Splunk server. Which command should I choose to use?

cluster1::> cluster log-forwarding create -destination <Splunk IP>

 or

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Ops_Darren
Thank you very much! 👍

Ops_Darren
cluster1::> cluster log-forwarding create -destination <Splunk IP>

By the way, I re-read the description of this command: You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

So can I assume that NetApp's existing logs can be exported to a SIEM system like Splunk for log analysis or archiving using this command?

keremcumhur
this is a great answer, thanks a lot!

I have 3 questions

- is it possible to use a specific port for the event logging?

::*> event notification destination create -syslog server01:1234 -name test

- is it good practice to forward audit logs (cluster log-forwarding create) and event logs (event notification destination create) to the same server?

- what is the best practice for setting the facility level?

*> cluster log-forwarding create -destination bla -port 514 -protocol udp-unencrypted -verify-server false -facility
    kern   user   local0 local1 local2 local3 local4 local5 local6 local7
