Netapp Clustered Data ONTAP CIFS auditing to LEM

NetApp Clustered Data ONTAP creates audit log files on a file share (as far as I can tell it is not able to send the log information via syslog, SNMP, etc.). Does anyone know whether, and if so how, it is possible to import these log files into SolarWinds LEM?

Thanks

  • This post is old, but Google makes it look like OnTap has a syslog forwarding capability.

    Syslog - NetApp Community

    Based on the connector config in my lab, that's what the LEM is expecting from OnTap.

  • FormerMember

    Our current NetApp auditing support is based on remotely accessing the .evt formatted audit trail info (once CIFS auditing is enabled on the OnTAP side). You configure the NetApp connector (under "Operating Systems") on an agent that can remotely access the NetApp system by UNC path.

    (There are some service messages that I believe are logged via syslog, but it likely does not include the audit trails...)

  • I don't have a NetApp connector under "Operating Systems". I'm using version 6.0; is this likely to have been added in a newer release?

    Thanks

  • I am no expert on logging for the NetApp Clustered Data ONTAP platform, but this could be an option if you cannot get log files. We develop a software solution called LANGuardian. It uses network packets as a data source and extracts file activity information from this. Typically it is installed on a virtual or physical server and is connected to a SPAN or mirror port. I mention this here as we sold to the US Navy, who needed auditing for some of their NetApp infrastructure. Log files were problematic, so they deployed LANGuardian to get the audit trail.

    The information gathered by LANGuardian can also be integrated with SolarWinds so you retain a single console for monitoring network activity. You can see what it looks like in action at this link.

    http://demo2.netfort.com/Orion/SummaryView.aspx?viewid=35&AccountID=guest

    Hope this helps

    Darragh

  • Will, you should be able to see the NetApp connector on 6.0 if you have a current connector pack.

    http://knowledgebase.solarwinds.com/kb/questions/3196/How+to+apply+a+LEM+connector+update+package

  • Did this get deprecated? I am running 6.1.0 and I don't have a NetApp connector under Operating Systems. I need to know the best way to get NetApp logs into LEM.

  • FormerMember in reply to byrona

    There are two NetApp connectors:

    • the syslog one is under File Transfer & Sharing ("IBM NetApp OnTAP")
    • the event log auditing remotely one is under Operating Systems ("NetApp") - and you will ONLY see it on agents (it needs to run from a Windows agent since it connects to a remote event log, kind of like a remote Windows server except some subtle uniquenesses)


    You might deselect all the categories and just do a search - [image: netapp.PNG]

    We have had a customer report that something changed in NetApp's auditing (or certain firmwares are different?) and this method we're using (remote event log collection) may not work. If you're able to use Computer Management to remotely connect to the NetApp device's event log, our method will work. If all you have access to is a bare evtx on a file share, it may not work. We're still researching what/why/how on that issue and don't know how widespread it is.

  • Ah, I think the syslog one may be more applicable for what I am planning. My NetApp guy is working on sending the syslog data to the LEM appliance, so if I set up that connector on the appliance I am hoping it will work.

  • FormerMember
    0 FormerMember in reply to byrona

    The syslog connector will have all the device availability/service stuff, the other one has all the file auditing stuff. Events included:

    • FileExecute - FileExecute: kern.cli.cmd
    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.op.subOp.unsupported
    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.oplock.break.timeout
    • NamingTrafficAudit - NamingTrafficAudit: ddns_loop
    • ServiceInfo - ServiceInfo: asup.post.sent
    • ServiceInfo - ServiceInfo: asup.smtp.sent
    • ServiceInfo - ServiceInfo: asup_main
    • ServiceInfo - ServiceInfo: kern.log.rotate
    • ServiceInfo - ServiceInfo: kern.uptime.filer
    • ServiceInfo - ServiceInfo: mem_scrub_admin
    • ServiceStart - ServiceStart: raid.rg.scrub.start
    • ServiceInfo - ServiceInfo: raid.rg.scrub.done
    • ServiceInfo - ServiceInfo: raid.rg.scrub.resume
    • ServiceInfo - ServiceInfo: raid.rg.scrub.summary.{cksum,media,pi,lw}, zero error
    • ServiceInfo - ServiceInfo: nbt.nbns.registrationComplete
    • PolicyModify - PolicyModify: wafl.spacemgmnt.policyChg
    • ServiceInfo - ServiceInfo: wafl.vvol.destroyed
    • ServiceInfo - ServiceInfo: wafl.vvol.offline
    • ServiceInfo - ServiceInfo: lun.destroy
    • ServiceInfo - ServiceInfo: callhome.management.log
    • ServiceInfo - ServiceInfo: callhome.performance.data
    • ServiceInfo - ServiceInfo: lun.map
    • ServiceInfo - ServiceInfo: lun.map.unmap
    • ServiceStart - ServiceStart: app.log.info
    • ServiceInfo - ServiceInfo: app.log.info, non-space found
    • ServiceInfo - ServiceInfo: app.log.info
    • ServiceInfo - ServiceInfo: app.log.info 2
    • ServiceInfo - ServiceInfo: wafl.volume.clone.created, info
    • ServiceInfo - ServiceInfo: wafl.scan.start, info
    • ServiceInfo - ServiceInfo: wafl.reallocate.check.under, info
    • ServiceInfo - ServiceInfo: wafl.reallocate.check.highAdvise, info
    • ServiceWarning - ServiceWarning: wafl.vol.autoSize.fail, info
    • SystemStatus - SystemStatus: monitor.chassisTemperature.ok
    • ServiceWarning - ServiceWarning: asup.post.disconnected
    • ServiceWarning - ServiceWarning: asup.smtp.drop
    • ServiceWarning - ServiceWarning: asup.post.drop
    • ServiceWarning - ServiceWarning: ems.engine.inputSuppress
    • ServiceWarning - ServiceWarning: ems.engine.suppressed,{info,debug}
    • ServiceWarning - ServiceWarning: Java_Thread
    • ServiceWarning - ServiceWarning: nbt.nbns.socketError
    • ServiceWarning - ServiceWarning: nbt.WINS.registrationTimeout
    • ServiceWarning - ServiceWarning: raid.rg.scrub.summary.{cksum,media,pi,lw}
    • ServiceWarning - ServiceWarning: raid.rg.scrub.suspended
    • ServiceWarning - ServiceWarning: raid.scrub.suspended
    • ServiceWarning - ServiceWarning: raid.scrub.suspended.timer, notice
    • ServiceWarning - ServiceWarning: time.daemon.targetNotResponding
    • ServiceWarning - ServiceWarning: wafl.snap.delete
    • ServiceWarning - ServiceWarning: sip.op.aborted
    • ServiceWarning - ServiceWarning: sip.op.stopped, error
    • ServiceWarning - ServiceWarning: sip.changelog.full, warning
    • ServiceWarning - ServiceWarning: sis.autoSched.failed, error
    • ServiceWarning - ServiceWarning: wafl.aggr.overcommitted.vsm
    • UserLogonFailure - UserLogonFailure: useradmin.unauthorized.user
    • ServiceWarning - ServiceWarning: replication.dst.err
    • ServiceWarning - ServiceWarning: replication.src.err
    • ServiceWarning - ServiceWarning: callhome.client.app.err
    • ServiceWarning - ServiceWarning: app.log.err
    • MachineLogonFailure - MachineLogonFailure: fci.device.login.failure
    • ServiceWarning - ServiceWarning: tapemc.device.resvConfl, error
    • NetworkConnectionAudit - NetworkConnectionAudit: iscsi.notice, new session
    • ServiceWarning - ServiceWarning: iscsi.warning, unexpected event
    • ServiceWarning - ServiceWarning: lun.newLocation.offline
    • ServiceWarning - ServiceWarning: telnet.socket.timeout, warning
    • ServiceWarning - ServiceWarning: snapmirror.dst.snapDelErr, error
    • ServiceWarning - ServiceWarning: snapmirror.src.noNewData, error
    • ServiceWarning - ServiceWarning: snapmirror.dst.updateDelayed, notice
    • UserLogonFailure - UserLogonFailure: failed password
    • ServiceWarning - ServiceWarning: asup.general.reminder
    • ServiceWarning - ServiceWarning: openssh.invalid.channel.req, warning
    • SystemScanStart - SystemScanStart: disk.ddr.scan.start
    • SystemScanStop - SystemScanStop: disk.ddr.scan.summary
    • ServiceInfo - ServiceInfo: cmds.sysconf.validDebug
    • ServiceInfo - ServiceInfo: cmds.sysconf.wakeDebug
    • ServiceInfo - ServiceInfo: wafl.snap.autoDelete
    • ServiceInfo - ServiceInfo: wafl.snap.autoDelete.deleteStateSnap
    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.op.unsupported
    • ServiceStop - ServiceStop: app.log.info
    • ServiceWarning - ServiceWarning: openssh.dispatch.protocol
    • ServiceInfo - ServiceInfo: raid.aggr.log.CP.count
    • ServiceWarning - ServiceWarning: wafl.fill.disbale, debug
    • ServiceInfo - ServiceInfo: wafl.scan.ownblocks.done
    • ServiceStart - ServiceStart: kern.syslogd.restarted, info
    • ServiceWarning - ServiceWarning: wafl.inode.overwrite.disbale, debug
    • ServiceWarning - ServiceWarning: wafl.snap.autoDelete.createStateSnap
    • ServiceInfo - ServiceInfo: callhome.management.log
    • ServiceInfo - ServiceInfo: callhome.weekly.log
    • ServiceWarning - ServiceWarning: callhome.hm.sas.alert.major
    • ServiceWarning - ServiceWarning: openssh.versionExchange.Fail
    • ServiceWarning - ServiceWarning: net.if.filterDrop
    • ServiceWarning - ServiceWarning: lun.offline
    • ServiceInfo - ServiceInfo: zapi.snapshot.success, notice
    • ServiceWarning - ServiceWarning: cf.hwassist.localMonitor, warning
    • ServiceWarning - ServiceWarning: cf.hwassist.socBindFailed, warning
    • ServiceWarning - ServiceWarning: fmmb.BlobNotFound, warning
    • ServiceWarning - ServiceWarning: repl.src.snaps.check.failed, warning
    • NFSAccess - NFSAccess: Nblade.nfsLongRunningOp, debug
    • ServiceWarning - ServiceWarning: smc.snapmir.schd.trans.overrun, warning
    • ServiceWarning - ServiceWarning: sm.vlt.xfer.no.new.snap, warning
    • ServiceWarning - ServiceWarning: monitor.shelf.fault, CRITICAL
    • ServiceWarning - ServiceWarning: monitor.shelf.configError, CRITICAL
    • ServiceWarning - ServiceWarning: cmds.sysconf.logErr, error
    • ServiceWarning - ServiceWarning: vscan.dropped.connection, warning
    • ServiceWarning - ServiceWarning: vscan.server.connectedNone, warning
    • ServiceWarning - ServiceWarning: vscan.server.requestTimeout, error
    • ServiceWarning - ServiceWarning: vscan.server.completionRequestLost, warning
    • FailedAuthentication - FailedAuthentication: HTTPPool00, warning
    • VirusAttack - VirusAttack: vscan.virus.detected, error
    • ServiceWarning - ServiceWarning: fci.mserr.general, error
    • ServiceInfo - ServiceInfo: debug catchall
    • ServiceInfo - ServiceInfo: info catchall
    • ServiceInfo - ServiceInfo: notice catchall
    • InternalNewToolData - InternalNewToolData: unmatched data
  • Has anyone gotten clustered NetApp auditing working on LEM?