Skip to main content

NetApp_Insight_2020.png 

NetApp Knowledgebase

What is EMS and what is the difference between the messages in /etc/messages and /etc/log/ems files?

Views:
334
Visibility:
Public
Votes:
0
Category:
data-ontap-8
Specialty:
core
Last Updated:

 

Applies to

Clustered Data ONTAP 8
Data ONTAP 7 and earlier

Answer

The Event Management System (EMS) collects event data from various parts of the Data ONTAP kernel and provides a set of filtering and event forwarding mechanisms. An event producer recognizes the existence of an event and generates an event indication. The EMS definitions typically include text formatting for syslog messages and optional formatting for SNMP traps. EMS events always go to the EMS file. The only "filtering" performed is suppression.

EMS log data:

EMS supports a built-in logging facility that logs all EMS events. The log is maintained in the /etc/log/ems file, and is rotated weekly. Rotated log files are identified by an integer suffix. For example, the first rotated file would normally be /etc/log/ems.0, the second /etc/log/ems.1, and so on. With Data ONTAP 8.1, EMS and other log files are not rotated weekly, but rather rotated through an AutoSupport collection activity at least daily. The naming convention followed is ems.log.XXXXXXXXXX, which increases with each collection. For example, /etc/log/ems, ems.log.0000000001, ems.log.0000000002, ems.log.0000000003, and so on.

Note: In clustered Data ONTAP, the EMS log files are found in /mroot/etc/log.

An EMS event has a name which is always expressed in a dot-notation format and a collection of named attributes. This is how EMS messages are differentiated from the non-EMS messages in syslog. Attribute values are either strings or integers.

For explanations and/ or corrective action for EMS events found in either Data ONTAP operating in 7-Mode or clustered Data ONTAP, use the Syslog Translator Tool on the NetApp Support site. You can also look up all of the AutoSupport messages from the AutoSupport Message Matrix page, which just invokes a wild-carded Syslog Translator Tool query for all callhome.* EMS events. Click here to see an AutoSupport message query for Data ONTAP 8.2. 

In clustered Data ONTAP, you can also view an EMS event's details with the event route show command. For example, to view the complete details of the callhome.battery.failure AutoSupport EMS event:

Cluster1::> event route show -messagename callhome.battery.failure -instance

Example of XML-encoded EMS log description:

<LR
d="19Apr2012 10:45:19"      # Date the event was logged
n="filerB"                             # Node name
pn="partner"                           # Name of the partner node
t="1334832319"                     # Timestamp
id="1334832183/177"            # Generation/sequence number of event
p="5"                                        # Priority 0->7 (0=Emergency, 1=Alert, 2=Critical, 3=Error, 4=Warning, 5=Notice, 6=Info and 7=Debug)
s="NULL"                                # Cluster status
o="emslog_main"                     # Thread name
vf="">                                      # vFiler name
<ems_log_open_1                    # Event name and the number of times the event (that is, ems_log_open) has been suppressed since the last time it was written to this log, followed by any defined parameters
    logName="/etc/log/ems"
    osVersion="NetApp//8.0.1"
    nvramId="987654-32-0"
    tz="GMT"
    partner="partner"/>
</LR>

Run the following commands to obtain the log status:

  • Data ONTAP 7-Mode: filer> ems log status
  • Clustered Data ONTAP: Cluster1::> event log show  

How to view the event status?

  • Data ONTAP 7-Mode: filer> ems event status
  • Clustered Data ONTAP: Cluster1::> event status show  

Example of the event status output (Data ONTAP 7-Mode):

filer> ems event status
Current time: 01May2012 09:39:35 Engine status: total 336 (errs 0), drops 0, suppr (dup 26, timer 0, auto 0)
Event:Priority       Last Time         Indications Drops  DupSuppr TimerSuppr AutoSuppr   
asup.post.host:INFO 01May2012 09:39:35    10         0       26          0         0      

The fields have the following meanings:

  • Event:Priority: The name of the event followed by its priority.
  • Last Time: This field contains timestamp header information associated with the last event received of this type. A value 'local' indicates that the event was received by EMS on behalf of the local node. A value 'partner' indicates that the event was received by EMS on behalf of a HA partner node.
  • Indications: The number of event indications of this type that have been received.
  • Drops: The number of times an event indication of this type was dropped due to resource constraints.
  • DupSuppr: The number of times an event indication of this type was suppressed by duplicate suppression.
  • TimerSuppr: The number of times an event indication of this type was suppressed by timer suppression.
  • AutoSuppr: The number of times an event indication of this type was suppressed by auto suppression.  

What is the EMS event severity, and how does it relate to syslog severity?

Syslog is one of the consumers of EMS events. The severity level of a syslog message is an indication of the severity of the reported issue, and it is also useful as a filtering mechanism for syslog messages. If the <syslog></syslog> section does not specify a severity, it inherits it from the EMS severity level. In 7-Mode, syslog severity level filtering is configured by using syslog.conf.  In clustered Data ONTAP, severity level filtering is configured with the event route command set.

Do EMS messages go to the console directly?

  • Data ONTAP 7-Mode:

EMS does not directly forward messages to the console. Instead, it is sent to syslog (listener/consumer). Whether or not a syslog message goes to the console is completely controlled by /etc/syslog.conf. The /etc/syslog.conf configuration file on the storage system’s root volume determines how system messages are logged, and depending on the severity and origin, messages can be sent to:

The console:  /dev/console

A file: /etc/messages

A remote system: @adminhost  

Note: In the default installation of Data ONTAP 7-Mode, /etc/syslog.conf does not exist. Data ONTAP provides a sample syslog file /etc/syslog.conf.sample, which includes detailed examples of different configuration options. The sample can be a good starting point for further tuning as per your requirements. You can copy the /etc/syslog.conf.sample file to create the /etc/syslog.conf file.

  • Clustered Data ONTAP:

By default, only messages with a NODE_FAULT severity go to the console. Use the advanced-privilege command event config modify -console on to turn them on. Furthermore, what goes to console in in clustered Data ONTAP is controlled by settings from the command event config modify (at the diag privilege level). Use the (privilege: diag) command event config modify –consoleloglevel to change the severity threshold. 

Note: In Clustered Data ONTAP, EMS routing to syslog is configured with event destination and event route commands. Therefore, the /etc/syslog.conf file is not present. 

What is the difference between messages logged in the /etc/messages and /etc/log/ems files?

Both /etc/messages and /etc/log/ems are message logging facilities. However, the event messages in /etc/log/ems are in raw XML encoded format. whereas the /etc/messages file contains event messages were routed to syslog and are decoded in the syslog format, which is easier for a person to read and interpret. 

Note: In clustered Data ONTAP, the /etc/messages file is no longer used as a local syslog file destination.

 

 

Additional Information

Add your text here.