78. NetApp
NetApp storage is capable of sending logs to a remote Syslog destination via UDP as well as saving audit logs directly to a network share.
4/14/2017 15:40:25 p-netapp1 DEBUG repl.engine.error: replStatus="8", replFailureMsg="5898503", replFailureMsgDetail="0", functionName="repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)", lineNumber="738"
For more details about configuring logging on NetApp storage, please refer to the Product Documentation section of the NetApp Support site. Search for your ONTAP version, which can be determined by running version -b from the command line. This example shows the output from ONTAP 8.3.
> version -b
/cfcard/x86_64/freebsd/image1/kernel: OS 8.3.1P2
78.1. Sending Logs in Syslog Format
The NetApp web interface does not provide a way to configure an external Syslog server, but it is possible to configure this on the command line. This is a cluster-level change that only needs to be performed once per cluster, and it will automatically be applied to all members.
Note: The steps below have been tested with ONTAP 8 and should work for earlier versions. Exact commands for newer versions may vary.
- Configure NXLog to receive log entries via UDP and process them as Syslog (see the examples below). Then restart NXLog.
- Make sure the NXLog agent is accessible from each member of the cluster.
- Log in to the cluster address with SSH.
- Run the following command to configure the Syslog destination. Replace NAME and IP_ADDRESS with the required values. The default port for UDP is 514.
> event destination create -name NAME -syslog IP_ADDRESS
- Now select the messages to be sent. Use the same NAME as in the previous step and set MSGS to the required value.
> event route add-destinations -destinations NAME -messagename MSGS
A list of messages can be obtained by running the command with a question mark (?) as the argument.
> event route add-destinations -destinations NAME -messagename ?
It is also possible to specify a severity level in addition to message types. The severity levels are EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, and DEBUG.
> event route add-destinations -destinations NAME -messagename MSGS -severity SEVERITY
Example 349. Sending Messages at Informational Level to 192.168.6.143
The following commands send all messages with Informational severity level (including higher severities) to 192.168.6.143 in Syslog format via UDP port 514.
> event destination create -name nxlog -syslog 192.168.6.143
> event route add-destinations -destinations nxlog -messagename * -severity <=INFORMATIONAL
This example shows NetApp Syslog logs as received and processed by NXLog.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in_syslog_udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    Exec parse_syslog();
</Input>

<Output file>
    Module om_file
    File "/var/log/netapp.log"
    Exec to_json();
</Output>
{
"MessageSourceAddress": "192.168.5.61",
"EventReceivedTime": "2017-04-14 15:38:58",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 0,
"SyslogFacility": "KERN",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.5.61",
"EventTime": "2017-04-14 15:40:25",
"Message": "[p-netapp1:repl.engine.error:debug]: replStatus=\"8\", replFailureMsg=\"5898503\", replFailureMsgDetail=\"0\", functionName=\"repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)\", lineNumber=\"738\""
}
Messages that contain key-value pairs, like the example at the beginning of the section, can be parsed with the xm_kvp module to extract more fields if required.
<Output out>
    Module om_null
</Output>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension kvp>
    Module xm_kvp
    KVPDelimiter ,
    KVDelimiter =
    EscapeChar \\
</Extension>

<Input in_syslog_udp>
    Module im_udp
    Host 0.0.0.0
    Port 514
    <Exec>
        parse_syslog();
        if $Message =~ /(?x)^\[([a-z-A-Z0-9-]*):([a-z-A-Z.]*):([a-z-A-Z]*)\]:
                        \ ([a-zA-Z]+=.+)/
        {
            $NAUnit = $1;
            $NAMsgName = $2;
            $NAMsgSev = $3;
            $NAMessage = $4;
            kvp->parse_kvp($4);
        }
    </Exec>
</Input>
{
"MessageSourceAddress": "192.168.5.63",
"EventReceivedTime": "2017-04-15 23:13:45",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 0,
"SyslogFacility": "KERN",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.5.63",
"EventTime": "2017-04-15 23:15:14",
"Message": "[p-netapp3:repl.engine.error:debug]: replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
"NAUnit": "p-netapp3",
"NAMsgName": "repl.engine.error",
"NAMsgSev": "debug",
"NAMessage": "replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
"replStatus": "5",
"replFailureMsg": "5898500",
"replFailureMsgDetail": "0",
"functionName": "void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)",
"lineNumber": "149"
}
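The same parsing in Python, as an added example that is not part of the NXLog documentation or product: it applies the header regex and the key-value split from the configuration above (including the backslash-escaped quotes that the `EscapeChar \\` setting allows) to the message from the output above and to a constructed sample with escapes; the message name `example.msg` in that sample is made up.

```python
import re
from typing import Dict

# Header regex, equivalent to the one in the NXLog Exec block above:
# [unit:message-name:severity]: key="value", key2="value", ...
HEADER_RE = re.compile(r'^\[([A-Za-z0-9-]*):([A-Za-z.]*):([A-Za-z]*)\]: ([A-Za-z]+=.+)$')

# One key-value pair: key=value, where value is either double-quoted (with
# backslash escapes, as xm_kvp's EscapeChar \\ setting allows) or a bare token
# running up to the next comma.
KVP_RE = re.compile(r'([A-Za-z][A-Za-z0-9_]*)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_netapp_message(message: str) -> Dict[str, str]:
    """Return NAUnit/NAMsgName/NAMsgSev/NAMessage plus one field per key-value
    pair, mirroring the fields the NXLog config produces. Returns an empty
    dict when the header does not match."""
    m = HEADER_RE.match(message)
    if not m:
        return {}
    unit, name, severity, body = m.groups()
    fields = {"NAUnit": unit, "NAMsgName": name, "NAMsgSev": severity, "NAMessage": body}
    for kv in KVP_RE.finditer(body):
        key, quoted, bare = kv.group(1), kv.group(2), kv.group(3)
        if quoted is not None:
            # Drop the escaping backslash: \" -> " and \\ -> \
            fields[key] = re.sub(r'\\(.)', r'\1', quoted)
        else:
            fields[key] = bare.strip()
    return fields


# Message taken from the NXLog JSON output shown above.
SAMPLE_REPL = ('[p-netapp3:repl.engine.error:debug]: replStatus="5", replFailureMsg="5898500", '
               'replFailureMsgDetail="0", functionName="void repl_volume::Query::_queryResponse('
               'repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)", '
               'lineNumber="149"')

# Constructed sample (not a real NetApp message) exercising an escaped
# backslash, escaped quotes and an unquoted value.
SAMPLE_ESCAPED = r'[p-netapp1:example.msg:notice]: user="DOMAIN\\svc", note="said \"hi\"", result=ok'

if __name__ == "__main__":
    for msg in (SAMPLE_REPL, SAMPLE_ESCAPED):
        for k, v in parse_netapp_message(msg).items():
            print(f"{k}={v}")
```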
78.2. Sending Logs to a Remote File Share
NetApp saves its logs in the Windows EventLog (EVTX) format. In the case of a standalone unit, these logs are available over the network in the \etc$ share, and can be parsed by the im_msvistalog module. However, in cluster mode, starting from ONTAP 7, this share is not accessible. Instead, audit logs from each virtual server can be sent to a CIFS share where NXLog can access and read them. This configuration must be performed for each virtual server separately.
To accomplish this, create and enable an audit policy for each virtual server.
> vserver audit create -vserver <VIRTUAL_SERVER> -destination <SHARE>
-rotate-size <SIZE> -rotate-limit <NUMBER>
> vserver audit enable -vserver <VIRTUAL_SERVER>
These commands set up an audit policy that sends logs to the specified share, rotates log files at 100 MB, and retains the last 10 rotated log files.
> vserver audit create -vserver vs_p12_cifs
-destination /p-GRT -rotate-size 100M -rotate-limit 10
> vserver audit enable vs_p12_cifs
This example shows NetApp events as collected and processed by NXLog from an EventLog file.
<Input in_file_evt>
    Module im_msvistalog
    File C:\Temp\NXLog\audit_vs_p12_cifs_last.evtx
</Input>

<Output file_from_eventlog>
    Module om_file
    File "C:\Temp\evt.log"
    Exec to_json();
</Output>
{
"EventTime": "2017-05-10 21:17:12",
"Hostname": "e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757",
"Keywords": -9214364837600035000,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4624,
"SourceName": "NetApp-Security-Auditing",
"ProviderGuid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
"Version": 101,
"OpcodeValue": 0,
"RecordNumber": 0,
"ProcessID": 0,
"ThreadID": 0,
"Channel": "Security",
"ERROR_EVT_UNRESOLVED": true,
"IpAddress' IPVersion='4": "192.168.17.151",
"IpPort": "49421",
"TargetUserSID": "S-1-5-21-4103495029-501085275-2219630704-2697",
"TargetUserName": "App_Service",
"TargetUserIsLocal": "false",
"TargetDomainName": "DOMAIN",
"AuthenticationPackageName": "KRB5",
"LogonType": "3",
"EventReceivedTime": "2017-05-10 22:33:00",
"SourceModuleName": "in_file_evt",
"SourceModuleType": "im_msvistalog"
}