NetApp Knowledge Base

Event forwarding to a Syslog server

Applies to

  • ONTAP 9
  • Clustered Data ONTAP 8
  • Data ONTAP 7-Mode

Answer

Overview

  • Syslogs are event-triggered messages ranging in severity
  • EMS events follow the syslog standard
  • The standard is defined by the IETF in RFC 5424

How to configure Syslog forwarding

In general, configuring Syslog forwarding comprises three steps:
  1. Create a syslog destination server in ONTAP
  2. Create an event filter which identifies the list of EMS events you wish to have forwarded to your destination server of choice
  3. Create an event notification to forward the selected event filter to the syslog server:
    • cluster-1::> event notification create -filter-name important-raid-events -destinations syslog-ems
Additional guides on Syslogging in ONTAP

Differences between 7-Mode and Clustered Data ONTAP

ONTAP 9
  • Changes in ONTAP 9.X to EMS configuration and the Event notification system
  • EMS operations have been redesigned for ONTAP 9.X
  • Notifications are now set up using the 'event notification' commands
  • The ‘event route’ and ‘event destination’ command family has been DEPRECATED in 9.X
  • Upgrading from 8.3.x
    • After upgrading to ONTAP 9.X, use the ONTAP docs page Update EMS event mapping from deprecated ONTAP commands to make changes to your current event notifications
    • To remove any old 8.3.x configuration and start your EMS event mappings over from scratch in ONTAP 9.X, do the following:

::> event route remove-destinations -message-name !callhome.* -destinations *

::> event route modify -message-name callhome.* -destinations asup

Clustered Data ONTAP (8.X)
  • In clustered Data ONTAP, the /etc/syslog.conf file has been deprecated
  • Thus, what goes to the remote syslog host is controlled by the settings
  • Syslog can be set up using the event route and event destination commands
7-Mode
  • In Data ONTAP 7-Mode, the syslogd daemon logs system messages to the console, log files and other remote systems as specified by its configuration file, /etc/syslog.conf
  • The syslogd daemon reads its configuration file when it starts up during the boot procedure, or within 30 seconds after the /etc/syslog.conf file is modified
  • For information about the format of the configuration file, see na_syslog.conf(5).
    • Example of a configuration file in 7-Mode
  # Log all kernel messages, and anything of level err or
  # higher to the console.
  *.err;kern.*                  /dev/console
 
  # Log anything of level info or higher to /etc/messages.
  *.info                        /etc/messages
 
  # Also log the messages that go to the console to a remote
  # loghost system called adminhost.
  *.err;kern.*                  @adminhost
 
  # Also log the messages that go to the console to the local7
  # facility of another remote loghost system called adminhost2
  # at level info.
  *.err;kern.*                  local7.info@adminhost2
 
  # The /etc/secure.message file has restricted access.
  auth.notice                   /etc/secure.message
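
The selectors in the configuration above can be evaluated mechanically to see where a given message ends up. This is an added example, not NetApp code; it assumes the standard syslog.conf semantics (a selector matches its level and anything more severe, and `*` matches every facility), and the function names are hypothetical.

```python
# Added example: evaluate 7-Mode /etc/syslog.conf selectors against a message.
# Assumption: "facility.level" matches that level or any more severe one, and
# "*" matches every facility (standard syslog.conf semantics).

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The configuration file shown above, embedded so the example runs offline.
SYSLOG_CONF = """\
*.err;kern.*                  /dev/console
*.info                        /etc/messages
*.err;kern.*                  @adminhost
*.err;kern.*                  local7.info@adminhost2
auth.notice                   /etc/secure.message
"""

def parse_conf(text):
    """Return [(selectors, action)], selectors being (facility, level) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_field, action = line.split(None, 1)
        selectors = [tuple(s.split(".", 1)) for s in selector_field.split(";")]
        rules.append((selectors, action.strip()))
    return rules

def selector_matches(selector, facility, level):
    sel_facility, sel_level = selector
    if sel_facility not in ("*", facility):
        return False
    if sel_level == "*":
        return True
    # Lower index means more severe, so "err" also matches crit/alert/emerg.
    return LEVELS.index(level) <= LEVELS.index(sel_level)

def destinations(rules, facility, level):
    """List every action that receives a message of this facility and level."""
    return [action for selectors, action in rules
            if any(selector_matches(s, facility, level) for s in selectors)]

RULES = parse_conf(SYSLOG_CONF)

if __name__ == "__main__":
    for fac, lvl in [("kern", "debug"), ("daemon", "err"), ("auth", "notice")]:
        print(f"{fac}.{lvl} -> {destinations(RULES, fac, lvl)}")
```

Under these semantics an auth.notice message is written to /etc/secure.message and also to /etc/messages, because the `*.info` rule matches it as well.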
 

What is the Syslog translator?

Troubleshooting

  • When troubleshooting Syslog related problems, the most common issues point to:
    • Configuration issues
      •  Review the setup guides and related Articles linked above for additional assistance
    • Connectivity to the syslog server
      • For connectivity testing:
        • If you are not receiving messages on your Syslog server, you can use a free packet capture program such as Wireshark.
        • This program captures packets as they arrive at your Network Interface Card (NIC). By filtering for and analyzing this traffic, you can determine whether your network devices are actually sending the expected information to your system.
To Test Connectivity (Networking) Issues from the syslog server:
  1. Download and install the program Wireshark
  2. Use the Capture menu to open the Capture Options form
  3. Select your NIC that connects to the ONTAP nodes, and define a capture filter that will look for all packets sent to UDP port 514 (the default syslog port)
  4. Press the Start button and you should see packets being sent
  5. Stop the capture and view the data. It should show packets with the protocol being Syslog
  6. If you are not receiving any messages, use the ping and traceroute commands to check connectivity to your syslog server
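
The same check can be scripted on the syslog server when a GUI capture is not practical. This is an added example, not NetApp code: it reads UDP datagrams from a socket and decodes the PRI field into facility and severity. The function names and the sample message are constructed for illustration.

```python
# Added example: confirm syslog datagrams arrive and decode their PRI field.
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(datagram):
    """Split '<PRI>rest' into (facility, severity, rest); None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 23 * 8 + 7 is the largest valid PRI
        return None
    rest = m.group(2).decode("utf-8", errors="replace").strip()
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest

def receive(sock, count, timeout=5.0):
    """Read up to `count` datagrams; return [(source_ip, decoded_or_None)]."""
    sock.settimeout(timeout)
    seen = []
    try:
        for _ in range(count):
            data, (src, _port) = sock.recvfrom(65535)
            seen.append((src, decode_pri(data)))
    except socket.timeout:
        pass                 # fewer messages than expected is itself a finding
    return seen

def loopback_selftest():
    """Send one constructed message to ourselves on an ephemeral port."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # Constructed sample, not real ONTAP output: PRI 131 = local0 (16*8) + err (3)
    tx.sendto(b"<131>1 2024-01-01T00:00:00Z node-01 ems - - - constructed test",
              rx.getsockname())
    result = receive(rx, 1)
    tx.close()
    rx.close()
    return result

if __name__ == "__main__":
    print(loopback_selftest())
```

To watch real traffic, pass `receive()` a socket bound to UDP port 514 on the interface facing the ONTAP nodes; this needs the privileges to bind a low port and fails if the syslog daemon already holds it.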
ONTAP 9
  • In ONTAP 9 you may run the following commands to verify if the EMS message was created and also verify connectivity to the syslog server

::> set diag

::*> event notification destination check -node {<nodename>|local} -destination-name <dest>

::*> event notification history show

  • The event notification destination check command checks connectivity to a destination by sending a test message to it
    • The destination must be already configured by using the event notification destination command
    • The command displays a result indicating whether or not the message has successfully been sent to the destination
    • In case of a failure, more detailed information can be found in the notifyd.log file
      • Note: Currently this command can only check connectivity to a destination of the rest-api type
  • The event notification history show command displays a list of event messages that have been sent to a notification destination
    • The information displayed by the command for each event is identical to that of the event log show command
    • This command displays events sent to a notification destination while the event log show command displays all events that have been logged

 
