It's ages since I did a blog on setting up syslog for ONTAP; the last time was back in November 2013 (and with ONTAP 8.2). Things have changed since then, so it's time to revisit.
Setting up the Syslog Server
For this post I’m using the Kiwi Free Syslog Server from here:
The tool requires .NET Framework 4.0 and installation is a cinch (unpack, double-click the EXE and follow the wizard.) The free version is limited to 5 message sources, so we need to add our node management LIF(s).
To acquire the node management LIF IP(s), use the clustershell:
::> net int show -role node-mgmt -fields address
And to configure Kiwi Free Syslog Server: File > Setup > Inputs, and add in the IP addresses.
Image: Adding sources to Kiwi Free Syslog Server
Note: The default setting for Kiwi Syslog Server is to listen on UDP port 514.
Forwarding Command History Log to Syslog
Also see Section 4.1 of TR-4569, which covers ‘Sending Out Syslog’. See: TR-4569: Security Hardening Guide for NetApp ONTAP 9: Guidelines for Secure Deployment of ONTAP 9.
If you want to forward the command-history.log, you don’t need to use my ‘Command History to Syslog tool’ any more: since ONTAP 8.3.1 it is built in (see the 2014 posts part 1 and part 2.) Instead it’s one simple command:
::> cluster log-forwarding create -destination 10.0.1.10
Note i: 10.0.1.10 is my Kiwi Syslog Server.
Note ii: The man page for ‘cluster log-forwarding create’ is an Appendix to this post.
Note iii: ‘Command-History.log’ was called Audit.log in the 7-Mode world.
Image: Command-History.log events received on syslog server
Other Syslogging
For everything else (I’m not totally sure why anyone needs to syslog more than what is in the command-history.log, which already includes every SET API call and every failed/successful login), the commands are slightly changed from those in my 2013 post.
As an example, here is 1 message name of the 6838 configured. (I wouldn’t recommend configuring every message to go to syslog, since the notifyd.logs will be very big, and that’s way too much stuff.)
::> event filter create -filter-name syslogger
::> event notification destination create -name syslogger -syslog 10.0.1.10
::> event notification create -filter-name syslogger -destinations syslogger
::> event filter rule add -filter-name syslogger -type include -message-name login.auth.loginDenied
::> event filter show -filter-name syslogger
Filter     Rule Rule      Message Name           SNMP Trap  Severity
Name       Pos. Type                             Type
---------  ---- --------- ---------------------- ---------- --------
syslogger  1    include   login.auth.loginDenied *          *
           2    exclude   *                      *          *
::> set d
::> event generate -message-name login.auth.loginDenied -values "THIS IS A TEST"
Image: Received “THIS IS A TEST”
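As an added example (my own code, not part of the original post and not a NetApp or Kiwi tool), a small Python UDP listener that stands in for the syslog server while testing the setup above: it decodes the syslog PRI header into facility and severity (so you can confirm the default facility of user is arriving) and flags any login.auth.loginDenied event, such as the one produced by the event generate test. The sample datagram is constructed and only illustrates the header shape, not real ONTAP output.

```python
import re
import socket

# RFC 3164 facility / severity names used to decode the <PRI> header.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(datagram: bytes) -> dict:
    """Decode one syslog datagram: split the <PRI> value into facility and
    severity (PRI = facility * 8 + severity) and flag the message name the
    post tests with, login.auth.loginDenied."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    # Missing or out-of-range PRI: RFC 3164 says treat it as user.notice (13).
    pri, body = (int(m.group(1)), m.group(2)) if m else (13, text)
    if pri > 191:
        pri = 13
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": body,
        "login_denied": "login.auth.loginDenied" in body,
    }


def listen(bind_addr="0.0.0.0", port=514):
    """Receive datagrams until interrupted. Binding to 514 needs admin rights,
    so pass e.g. port=5514 when testing as a normal user (and point the ONTAP
    -port parameter at it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    print(f"listening on udp/{port}")
    while True:
        data, (src, _) = sock.recvfrom(65535)
        ev = parse_syslog(data)
        flag = "  <-- failed login" if ev["login_denied"] else ""
        print(f"{src} {ev['facility']}.{ev['severity']}: {ev['message']}{flag}")


# Constructed sample datagram (not real ONTAP output) showing the header shape:
# facility user (1) * 8 + severity notice (5) = PRI 13.
SAMPLE = b"<13>Nov 10 12:00:00 cluster1 login.auth.loginDenied: THIS IS A TEST"

if __name__ == "__main__":
    listen(port=5514)
```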
APPENDIX: Man Page for ‘cluster log-forwarding’

NAME
    cluster log-forwarding -- Manage the cluster's log forwarding configuration

DESCRIPTION
    Manage the cluster's log forwarding configuration

SUBDIRECTORIES
    statistics> - The statistics directory

COMMANDS
    create - Create a log forwarding destination
    delete - Delete a log forwarding destination
    modify - Modify log forwarding destination settings
    show   - Display log forwarding destinations

NAME
    cluster log-forwarding create -- Create a log forwarding destination

AVAILABILITY
    This command is available to cluster administrators at the admin privilege level.

DESCRIPTION
    The cluster log-forwarding create command creates log forwarding destinations for remote logging.

PARAMETERS
    -destination {Remote InetAddress} - Destination Host
        Host name or IPv4 or IPv6 address of the server to forward the logs to.

    [-port {integer}] - Destination Port
        The port that the destination server listens on (default = 514)

    [-protocol {udp-unencrypted|tcp-unencrypted|tcp-encrypted}] - Log Forwarding Protocol
        The protocols are used for sending messages to the destination. The protocols can be one of the following values:
            udp-unencrypted - User Datagram Protocol with no security (default)
            tcp-unencrypted - Transmission Control Protocol with no security
            tcp-encrypted   - Transmission Control Protocol with Transport Layer Security (TLS)

    [-verify-server {true|false}] - Verify Destination Server Identity
        When this parameter is set to true, the identity of the log forwarding destination is verified by validating its certificate. The value can be set to true only when the tcp-encrypted value is selected in the protocol field (default = false with udp-encrypted)

    [-facility {Syslog Facility}] - Syslog Facility
        The syslog facility to use for the forwarded logs (default = user)

    [-force [true]] - Skip the Connectivity Test
        Normally, the cluster log-forwarding create command checks that the destination is reachable via an ICMP ping, and fails if it is not reachable. Setting this value to true bypasses the ping check so that the destination can be configured when it is unreachable.