How to Setup Syslog from NetApp in ONTAP 9.1+

Its ages since I did a blog on setting up syslog for ONTAP, last time was back in November 2013 (and with ONTAP 8.2). Things have changed since then, so time to revisit.

Setting up the Syslog Server

For this post I’m using the Kiwi Free Syslog Server from here:

The tool requires .Net Framework 4.0 and installation is a cinch (unpack, double click the EXE and follow the wizard.)
The free version is limited to 5 message sources, so we need to add our node management LIF(s).
To acquire the node management LIF IP(s), use the Clustershell::>

net int show -role node-mgmt -fields address

And to configure Kiwi Free Syslog Server -
File > Setup > Inputs
- and add in the IP addresses.

Image: Adding sources to Kiwi Free Syslog Server

Note: The default setting for Kiwi Syslog Server is to listen on UDP port 514.

Forwarding Command History Log to Syslog

Also see Section 4.1 of TR-4569 which covers ‘Sending Out Syslog’. See: TR-4569: Security Hardening Guide for NetApp ONTAP 9: Guidelines for Secure Deployment of ONTAP 9

If you want to forward the command-history.log, you don’t need to use my ‘Command History to Syslog tool’ since ONTAP 8.3.1 (2014 posts part 1 and part 2.) Instead it’s one simple command::>

cluster log-forwarding create -destination

Note i: is my Kiwi Syslog Server.
Note ii: The man page for ‘cluster log-forwarding create’ is an Appendix to this post.
Note iii: ‘Command-History.log’ was called Audit.log in the 7-Mode world.

Image: Command-History.log events received on syslog server

Other Syslogging

For everything else (not totally sure why anyone needs to syslog more than what is in the command-history.log - which includes every SET API call, and failed/successful logins), the commands are slightly changed from those in my 2013 post.

As an example with 1 messagename of the 6838 configured (I wouldn’t recommend to configure every message to go to syslog, since the notifyd.logs will be very big, and that’s way too much stuff)::>

event filter create -filter-name syslogger
event notification destination create -name syslogger -syslog
event notification create -filter-name syslogger -destinations syslogger
event filter rule add -filter-name syslogger -type include -message-name login.auth.loginDenied
event filter show -filter-name syslogger

Filter    Rule Rule      Message Name           SNMP Trap Severity
Name      Pos. Type                             Type
--------- ---- --------- ---------------------- --------- --------
          1    include   login.auth.loginDenied *         *
          2    exclude   *                      *         *

set d
event generate -message-name login.auth.loginDenied -values "THIS IS A TEST"

Image: Received “THIS IS A TEST”

APPENDIX: Man Page for ‘cluster log-forwarding’

cluster log-forwarding -- Manage the cluster's log forwarding configuration

Manage the cluster's log forwarding configuration

statistics> - The statistics directory

create - Create a log forwarding destination
delete - Delete a log forwarding destination
modify - Modify log forwarding destination settings
show - Display log forwarding destinations

cluster log-forwarding create -- Create a log forwarding destination

This command is available to cluster administrators at the admin privilege level.

The cluster log-forwarding create command creates log forwarding destinations for remote logging.

-destination {Remote InetAddress} - Destination Host
Host name or IPv4 or IPv6 address of the server to forward the logs to.
[-port {integer}] - Destination Port
The port that the destination server listen on (default = 514)
[-protocol {udp-unencrypted|tcp-unencrypted|tcp-encrypted}] - Log Forwarding Protocol
The protocols are used for sending messages to the destination. The protocols can be one of the following values:
 udp-unencrypted - User Datagram Protocol with no security (default)
 tcp-unencrypted - Transmission Control Protocol with no security
 tcp-encrypted  - Transmission Control Protocol with Transport Layer Security (TLS)
[-verify-server {true|false}] - Verify Destination Server Identity
When this parameter is set to true, the identity of the log forwarding destination is verified by validating its certificate. The value can be set to true only when the tcp-encrypted value is selected in the protocol field (default = false with udp-encrypted)
[-facility {Syslog Facility}] - Syslog Facility
The syslog facility to use for the forwarded logs (default = user)
[-force [true]] - Skip the Connectivity Test
Normally, the cluster log-forwarding create command checks that the destination is reachable via an ICMP ping, and fails if it is not reachable. Setting this value to true bypasses the ping check so that the destination can be configured when it is unreachable.