
Netapp syslog.conf and is it working

skippsterr
Engager

I am not sure how to edit the syslog.conf file on my NetApp filer. I replaced adminhost with the IP address of the Splunk server, but when I do a search, nothing comes up. I tried to search filername and same; nothing. How do I know if the syslog is actually going to send data over? I rebooted to try to send some sort of trap. Nothing shows up.


sshres5
Communicator

Can the syslog forward the NetApp filer CIFS logs to a centralized syslog server?

0 Karma

sudovicic_splun
Splunk Employee

We have an amazing brand new release of Splunk App for NetApp Data ONTAP. Download it here: http://apps.splunk.com/app/1293/
Key new capabilities include:

  • Centralized visibility into the health of NetApp Data ONTAP Cluster-Mode and 7-Mode storage systems, including performance metrics, logs and events for improved MTTR
  • Flexible operational analytics with a report pack of 30 sample reports for proactive capacity planning, customizable SLA tracking and more
  • Real-time correlation using NetApp data with other data for cross-tier operational visibility and simplified troubleshooting (including built-in links to data collected by the Splunk App for VMware)
  • Enhanced scalability to allow the monitoring of many NetApp Data ONTAP storage systems
0 Karma

Drainy
Champion

Do you know exactly what version of syslog it uses?

Generally speaking (massive generalisation there 😄 ) the following command at the top of the syslog.conf file (which I am assuming may work due to the name of the file) will forward all data out of the default port of 514 (assuming this is the default).

*.*     @splunk.server.ip.address

Most syslog servers support adding the :PORT to the end, but hopefully it will just use port 514. Then on Splunk you need to configure it to listen on UDP port 514, à la:

http://docs.splunk.com/Documentation/Splunk/4.2.3/Data/Configureyourinputs

The syslog server will probably need a restart after a conf change. If that's no good then let us know what exact version it is and we can change things up slightly 🙂

Drainy
Champion

So if you add the line I had in my answer it should forward it out correctly.
Make sure that after the blah.blah and the @IP you use a tab as it appears it won't be happy without, and if the text above isn't commented out then just delete it to be safe.
Also ensure that the port is open on the indexer side and nothing in between is going to potentially block the traffic 🙂

0 Karma

skippsterr
Engager

This is the syslog conf file; I am using the IP so name resolution shouldn't be an issue. Port 514 is open on the storage device.

$Id: //depot/prod/DOT/R8.0.2x/ontap/files/syslog.conf.sample#1 $

Copyright (c) 1994-1996 Network Appliance.

All rights reserved.

Sample syslog.conf file. Copy to /etc/syslog.conf to use.

You must use TABS for separators between fields.

cmdsaudit.auditlog @10.11.85.237

0 Karma
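As an added example (not code from any poster, NetApp or Splunk): a small Python check for the two points raised in this thread, TAB separators between fields and `@host` forwarding lines. It assumes classic BSD-style `facility.level<TAB>action` syntax; the function name `lint_syslog_conf`, the sample lines and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Assumption: classic BSD-style selectors, facility[,facility].level joined by ';'
SELECTOR = re.compile(r"^[A-Za-z0-9*]+(,[A-Za-z0-9*]+)*\.[A-Za-z0-9*=!]+$")

def lint_syslog_conf(text):
    """Return (forward_targets, problems) for the body of a syslog.conf file."""
    targets, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if "\t" not in line:
            # Fields separated by spaces only: the rule the sample file warns about
            problems.append((n, "no TAB between selector and action"))
            continue
        selector, action = re.split(r"\t+", line, maxsplit=1)
        if selector != selector.strip() or action != action.strip():
            problems.append((n, "spaces next to the TAB separator"))
            continue
        bad = [s for s in selector.split(";") if not SELECTOR.match(s)]
        if bad:
            problems.append((n, "malformed selector: " + ";".join(bad)))
        elif action.startswith("@"):
            host = action[1:]
            if host:
                targets.append((n, selector, host))  # forwarded to a remote host
            else:
                problems.append((n, "'@' with no host"))
    return targets, problems

# Constructed sample input (not the poster's file)
SAMPLE = (
    "# constructed sample\n"
    "*.*\t@192.0.2.10\n"            # TAB-separated forward: accepted
    "*.err     @192.0.2.10\n"       # spaces instead of a TAB: flagged
    "*.err;kern.*\t/dev/console\n"  # local action, not a forward
    "auth.notice\t@\n"              # forward with no destination: flagged
)

if __name__ == "__main__":
    fwd, probs = lint_syslog_conf(SAMPLE)
    for n, sel, host in fwd:
        print(f"line {n}: {sel} -> {host}")
    for n, msg in probs:
        print(f"line {n}: PROBLEM: {msg}")
```

An empty target list for a file that is supposed to forward to the indexer means the filer has nothing valid to send, which is worth ruling out before looking at ports and inputs on the Splunk side.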