
Question about the NetApp log format compatible with StorageGRID App.

jmla69
New Member

Hello, I'm having trouble reading the NetApp CIFS audit logs with the NetApp StorageGRID App for Splunk.

I'm using the standard CIFS audit log configuration settings recommended by NetApp in the Filer:

FAS2020-F1> options cifs.audit
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 20
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable off
cifs.audit.logsize 5000000
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /vol/vol0/Share/CIFS_Audit/CIFS_Audit_log.evt

I also have a shared folder on the filer to access the logs from the Splunk server side.

But the log files generated by the NetApp Filer are in "Windows Event" format, and it seems that the StorageGRID App can't process them.

I have also seen in the StorageGRID App folder an example log that is in a text format that I can't match as a CSV file.

What are the log format types supported by the StorageGRID App?
If they are not in the native format used by the NetApp Filer, what is your preferred method to convert them to be compatible with the StorageGRID App?

Thanks,

Joseph Lopez


kapanig
Explorer

I believe NetApp supports XML format for CIFS logging... have you tried that? That would make it much easier for Splunk if you set props.conf KV_MODE = xml for your NetApp sourcetype.


jmla69
New Member

The article only applies to cluster and Vserver storage.

It doesn't apply to single storage like FAS2050.

But thanks for your help.


kapanig
Explorer

The StorageGRID app doesn't seem like it will work for CIFS auditing. Can you check the following article to turn on XML formatting via command line on the NetApp?
https://library.netapp.com/ecmdocs/ECMP1610202/html/vserver/audit/modify.html


jmla69
New Member

Hi Kapanig,

After reading your answer, I reviewed the NetApp documentation for the umpteenth time to see if something had passed me by.

Neither in the documents nor in the knowledge base have I found any information specifying that we can export CIFS audit logs in XML format.

All manuals specify that CIFS audit logs are always created in EVT (Windows Event Viewer) format.

Perhaps the information you've seen refers to other NetApp logs.

Anyway, thank you very much for your help.

Joseph
