9 Replies Latest reply on Jun 24, 2015 4:54 PM by nicole pauls

    Netapp Clustered Data ONTAP CIFS auditing to LEM

    will burgess

      NetApp Clustered Data ONTAP creates audit log files on a file share (as far as I can tell it is not able to send the log information via syslog or SNMP etc.). Does anyone know whether, and if so how, it is possible to import these log files into SolarWinds LEM?



        • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM

          This post is old, but Google makes it look like OnTap has a syslog forwarding capability.


          Syslog - NetApp Community


          Based on the connector config in my lab, that's what the LEM is expecting from OnTap.

          • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM
            nicole pauls

            Our current NetApp auditing support is based on remotely accessing the .evt formatted audit trail info (once CIFS auditing is enabled on the OnTAP side). You configure the NetApp connector (under "Operating Systems") on an agent that can remotely access the NetApp system by UNC path.


            (There are some service messages that I believe are logged via syslog, but it likely does not include the audit trails...)

              • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM
                will burgess

                I don't have a Netapp connector under "Operating Systems", I'm using version 6.0, is this likely to have been added in a newer release?



                  • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM

                    Will, you should be able to see the NetApp connector on 6.0 if you have a current connector pack.



                      • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM

                        Did this get deprecated, because I am running 6.1.0 and I don't have a NetApp connector under Operating Systems?  I need to know the best way to get NetApp logs into LEM.

                          • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM
                            nicole pauls

                            There are two NetApp connectors:

                            • the syslog one is under File Transfer & Sharing ("IBM NetApp OnTAP")
                            • the event log auditing remotely one is under Operating Systems ("NetApp") - and you will ONLY see it on agents (it needs to run from a Windows agent since it connects to a remote event log, kind of like a remote Windows server except some subtle uniquenesses)

                            You might deselect all the categories and just do a search -




                            We have had a customer report that something changed in NetApp's auditing (or certain firmwares are different?) and this method we're using (remote event log collection) may not work. If you're able to use Computer Management to remotely connect to the NetApp device's event log, our method will work. If all you have access to is a bare evtx on a file share, it may not work. We're still researching what/why/how on that issue and don't know how widespread it is.

                              • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM

                                Ah, I think the syslog one may be more applicable for what I am planning.  My NetApp guy is working on sending the syslog data to the LEM appliance, so if I set up that connector on the appliance I am hoping it will work.

                                  • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM
                                    nicole pauls

                                    The syslog connector will have all the device availability/service stuff, the other one has all the file auditing stuff. Events included:


                                    • FileExecute - FileExecute: kern.cli.cmd
                                    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.op.subOp.unsupported
                                    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.oplock.break.timeout
                                    • NamingTrafficAudit - NamingTrafficAudit: ddns_loop
                                    • ServiceInfo - ServiceInfo: asup.post.sent
                                    • ServiceInfo - ServiceInfo: asup.smtp.sent
                                    • ServiceInfo - ServiceInfo: asup_main
                                    • ServiceInfo - ServiceInfo: kern.log.rotate
                                    • ServiceInfo - ServiceInfo: kern.uptime.filer
                                    • ServiceInfo - ServiceInfo: mem_scrub_admin
                                    • ServiceStart - ServiceStart: raid.rg.scrub.start
                                    • ServiceInfo - ServiceInfo: raid.rg.scrub.done
                                    • ServiceInfo - ServiceInfo: raid.rg.scrub.resume
                                    • ServiceInfo - ServiceInfo: raid.rg.scrub.summary.{cksum,media,pi,lw}, zero error
                                    • ServiceInfo - ServiceInfo: nbt.nbns.registrationComplete
                                    • PolicyModify - PolicyModify: wafl.spacemgmnt.policyChg
                                    • ServiceInfo - ServiceInfo: wafl.vvol.destroyed
                                    • ServiceInfo - ServiceInfo: wafl.vvol.offline
                                    • ServiceInfo - ServiceInfo: lun.destroy
                                    • ServiceInfo - ServiceInfo: callhome.management.log
                                    • ServiceInfo - ServiceInfo: callhome.performance.data
                                    • ServiceInfo - ServiceInfo: lun.map
                                    • ServiceInfo - ServiceInfo: lun.map.unmap
                                    • ServiceStart - ServiceStart: app.log.info
                                    • ServiceInfo - ServiceInfo: app.log.info, non-space found
                                    • ServiceInfo - ServiceInfo: app.log.info
                                    • ServiceInfo - ServiceInfo: app.log.info 2
                                    • ServiceInfo - ServiceInfo: wafl.volume.clone.created, info
                                    • ServiceInfo - ServiceInfo: wafl.scan.start, info
                                    • ServiceInfo - ServiceInfo: wafl.reallocate.check.under, info
                                    • ServiceInfo - ServiceInfo: wafl.reallocate.check.highAdvise, info
                                    • ServiceWarning - ServiceWarning: wafl.vol.autoSize.fail, info
                                    • SystemStatus - SystemStatus: monitor.chassisTemperature.ok
                                    • ServiceWarning - ServiceWarning: asup.post.disconnected
                                    • ServiceWarning - ServiceWarning: asup.smtp.drop
                                    • ServiceWarning - ServiceWarning: asup.post.drop
                                    • ServiceWarning - ServiceWarning: ems.engine.inputSuppress
                                    • ServiceWarning - ServiceWarning: ems.engine.suppressed,{info,debug}
                                    • ServiceWarning - ServiceWarning: Java_Thread
                                    • ServiceWarning - ServiceWarning: nbt.nbns.socketError
                                    • ServiceWarning - ServiceWarning: nbt.WINS.registrationTimeout
                                    • ServiceWarning - ServiceWarning: raid.rg.scrub.summary.{cksum,media,pi,lw}
                                    • ServiceWarning - ServiceWarning: raid.rg.scrub.suspended
                                    • ServiceWarning - ServiceWarning: raid.scrub.suspended
                                    • ServiceWarning - ServiceWarning: raid.scrub.suspended.timer, notice
                                    • ServiceWarning - ServiceWarning: time.daemon.targetNotResponding
                                    • ServiceWarning - ServiceWarning: wafl.snap.delete
                                    • ServiceWarning - ServiceWarning: sip.op.aborted
                                    • ServiceWarning - ServiceWarning: sip.op.stopped, error
                                    • ServiceWarning - ServiceWarning: sip.changelog.full, warning
                                    • ServiceWarning - ServiceWarning: sis.autoSched.failed, error
                                    • ServiceWarning - ServiceWarning: wafl.aggr.overcommitted.vsm
                                    • UserLogonFailure - UserLogonFailure: useradmin.unauthorized.user
                                    • ServiceWarning - ServiceWarning: replication.dst.err
                                    • ServiceWarning - ServiceWarning: replication.src.err
                                    • ServiceWarning - ServiceWarning: callhome.client.app.err
                                    • ServiceWarning - ServiceWarning: app.log.err
                                    • MachineLogonFailure - MachineLogonFailure: fci.device.login.failure
                                    • ServiceWarning - ServiceWarning: tapemc.device.resvConfl, error
                                    • NetworkConnectionAudit - NetworkConnectionAudit: iscsi.notice, new session
                                    • ServiceWarning - ServiceWarning: iscsi.warning, unexpected event
                                    • ServiceWarning - ServiceWarning: lun.newLocation.offline
                                    • ServiceWarning - ServiceWarning: telnet.socket.timeout, warning
                                    • ServiceWarning - ServiceWarning: snapmirror.dst.snapDelErr, error
                                    • ServiceWarning - ServiceWarning: snapmirror.src.noNewData, error
                                    • ServiceWarning - ServiceWarning: snapmirror.dst.updateDelayed, notice
                                    • UserLogonFailure - UserLogonFailure: failed password
                                    • ServiceWarning - ServiceWarning: asup.general.reminder
                                    • ServiceWarning - ServiceWarning: openssh.invalid.channel.req, warning
                                    • SystemScanStart - SystemScanStart: disk.ddr.scan.start
                                    • SystemScanStop - SystemScanStop: disk.ddr.scan.summary
                                    • ServiceInfo - ServiceInfo: cmds.sysconf.validDebug
                                    • ServiceInfo - ServiceInfo: cmds.sysconf.wakeDebug
                                    • ServiceInfo - ServiceInfo: wafl.snap.autoDelete
                                    • ServiceInfo - ServiceInfo: wafl.snap.autoDelete.deleteStateSnap
                                    • FileSystemTrafficAudit - FileSystemTrafficAudit: cifs.op.unsupported
                                    • ServiceStop - ServiceStop: app.log.info
                                    • ServiceWarning - ServiceWarning: openssh.dispatch.protocol
                                    • ServiceInfo - ServiceInfo: raid.aggr.log.CP.count
                                    • ServiceWarning - ServiceWarning: wafl.fill.disbale, debug
                                    • ServiceInfo - ServiceInfo: wafl.scan.ownblocks.done
                                    • ServiceStart - ServiceStart: kern.syslogd.restarted, info
                                    • ServiceWarning - ServiceWarning: wafl.inode.overwrite.disbale, debug
                                    • ServiceWarning - ServiceWarning: wafl.snap.autoDelete.createStateSnap
                                    • ServiceInfo - ServiceInfo: callhome.management.log
                                    • ServiceInfo - ServiceInfo: callhome.weekly.log
                                    • ServiceWarning - ServiceWarning: callhome.hm.sas.alert.major
                                    • ServiceWarning - ServiceWarning: openssh.versionExchange.Fail
                                    • ServiceWarning - ServiceWarning: net.if.filterDrop
                                    • ServiceWarning - ServiceWarning: lun.offline
                                    • ServiceInfo - ServiceInfo: zapi.snapshot.success, notice
                                    • ServiceWarning - ServiceWarning: cf.hwassist.localMonitor, warning
                                    • ServiceWarning - ServiceWarning: cf.hwassist.socBindFailed, warning
                                    • ServiceWarning - ServiceWarning: fmmb.BlobNotFound, warning
                                    • ServiceWarning - ServiceWarning: repl.src.snaps.check.failed, warning
                                    • NFSAccess - NFSAccess: Nblade.nfsLongRunningOp, debug
                                    • ServiceWarning - ServiceWarning: smc.snapmir.schd.trans.overrun, warning
                                    • ServiceWarning - ServiceWarning: sm.vlt.xfer.no.new.snap, warning
                                    • ServiceWarning - ServiceWarning: monitor.shelf.fault, CRITICAL
                                    • ServiceWarning - ServiceWarning: monitor.shelf.configError, CRITICAL
                                    • ServiceWarning - ServiceWarning: cmds.sysconf.logErr, error
                                    • ServiceWarning - ServiceWarning: vscan.dropped.connection, warning
                                    • ServiceWarning - ServiceWarning: vscan.server.connectedNone, warning
                                    • ServiceWarning - ServiceWarning: vscan.server.requestTimeout, error
                                    • ServiceWarning - ServiceWarning: vscan.server.completionRequestLost, warning
                                    • FailedAuthentication - FailedAuthentication: HTTPPool00, warning
                                    • VirusAttack - VirusAttack: vscan.virus.detected, error
                                    • ServiceWarning - ServiceWarning: fci.mserr.general, error
                                    • ServiceInfo - ServiceInfo: debug catchall
                                    • ServiceInfo - ServiceInfo: info catchall
                                    • ServiceInfo - ServiceInfo: notice catchall
                                    • InternalNewToolData - InternalNewToolData: unmatched data
                        • Re: Netapp Clustered Data ONTAP CIFS auditing to LEM

                          I am no expert on logging for the NetApp Clustered Data ONTAP platform, but this could be an option if you cannot get log files. We develop a software solution called LANGuardian. It uses network packets as a data source and extracts file activity information from this. Typically it is installed on a virtual or physical server and is connected to a SPAN or mirror port. I mention this here as we sold to the US Navy, who needed auditing for some of their NetApp infrastructure. Log files were problematic, so they deployed LANGuardian to get the audit trail.


                          The information gathered by LANGuardian can also be integrated with SolarWinds so you retain a single console for monitoring network activity. You can see what it looks like in action at this link.




                          Hope this helps