Event forwarding to a Syslog server

In general, configuring Syslog forwarding comprises three steps

1. Create a syslog destination server in ONTAP
   • cluster-1::> event notification destination create -name syslog-ems -syslog syslog-server-address
     • event notification destination create
2. Create an event filter which identifies the list of EMS events you wish to have forwarded to your destination server of choice
   • cluster-1::> event filter create -filter-name important_raid_event
     • event filter create
   • cluster-1::> event filter rule add -filter-name important_raid_events -type include -message-name raid.aggr.*
     • event filter rule add
   • cluster-1::> event filter show
     • event filter show
3. Create an event notification to forward the selected event filter to the syslog server:
   • cluster-1::> event notification create -filter-name important-raid-events -destinations syslog-ems
     • event notification create

Additional guides on Syslogging in ONTAP

• Syslog Express / Management Guides
  • ONTAP 9
  • 8.3 Express Guide
  • 8.3 System Admin Guide
  • 8.2 7-Mode
• For additional in-depth configuration details, refer to Technical Guide - Logging in Clustered Data ONTAP
  • Currently, only EMS events can be forwarded to a syslog server

ONTAP 9

• Changes in ONTAP 9.X to EMS configuration and the Event notification system
• EMS operations have been redesigned for ONTAP 9.X
• Notifications are now setup using the 'event notification'  commands
• The ‘event route’ and ‘event destination’ command family has been DEPRECATED in 9.X
  • Update EMS event mapping from deprecated ONTAP commands
• Upgrading from 8.3.x
  • After upgrading to ONTAP 9.X, use the ONTAP docs page Update EMS event mapping from deprecated ONTAP commands to make changes to your current event notifications
  • To remove any old 8.3.x configuration and start your EMS event mappings over from scratch in ONTAP 9.X, do the following:

::> event route remove-destinations -message-name !callhome.* -destinations *

::> event route modify -message-name callhome.* -destinations asup

Clustered Data ONTAP (8.X)

•  In clustered Data ONTAP, the /etc/syslog.conf file has been deprecated
• Thus, what goes to the remote syslog host is controlled by the settings
• Syslog can setup using the event route and event destination commands

7-Mode

• In Data ONTAP 7-Mode, The syslogd daemon logs system messages to the console, log files and other remote systems as specified by its configuration file, /etc/syslog.conf
• The syslogd daemon reads its configuration file when it starts up during the boot procedure, or within 30 seconds after the /etc/syslog.conf file is modified
• For information about the format of the configuration file, see na_syslog.conf(5).
  • Example of a configuration file in 7-Mode

  # Log all kernel messages, and anything of level err or
  # higher to the console.
  *.err;kern.*                  /dev/console
 
  # Log anything of level info or higher to /etc/messages.
  *.info                        /etc/messages
 
  # Also log the messages that go to the console to a remote
  # loghost system called adminhost.
  *.err;kern.*                  @adminhost
 
  # Also log the messages that go to the console to the local7
  # facility of another remote loghost system called adminhost2
  # at level info.
  *.err;kern.*                  local7.info@adminhost2
 
  # The /etc/secure.message file has restricted access.
  auth.notice                   /etc/secure.message

To Test Connectivity (Networking) Issues from the syslog server:

1. Download and install the program Wireshark
2. Use the Capture menu to open the Capture Options form
3. Select your NIC that connects to the ONTAP nodes, and define a capture filter that will look for all packets sent to UDP port 514 (the default syslog port)
4. Press the Start button and you should see packets being sent
5. Stop the capture and view the data. It should show packets with the protocol being Syslog
6. If you are not receiving any messages use the ping and traceroute commands to check connectivity to your syslog server

ONTAP 9

• In ONTAP 9 you may run the following commands to verify if the EMS message was created and also verify connectivity to the syslog server

::> set diag

::*> event notification destination check -node {nodename>|local} -destination-name <dest>    

::*> event notification history show

• event notification destination check command checks connectivity to a destination by sending a test message to it
  • The destination must be already configured by using the event notification destination command
  • The command displays a result indicating whether or not the message has successfully been sent to the destination
  • In case of a failure, more detailed information can be found in the notifyd.log file
    • Note: Currently this command can only check connectivity to a destination of the rest-api type
• event notification history show command displays a list of event messages that have been sent to a notification destination
  • The information displayed by the command for each event is identical to that of the event log show command
  • This command displays events sent to a notification destination while the event log show command displays all events that have been logged