Netapp syslog.conf and is it working


I am not sure how to edit the syslog.conf file on my netapp filer. I repalced adminhost with the IP address of the splunk server, but when I do a search, nothing comes up. I tried to search filername and same; nothing. How do I know if the syslog is actually going to send data over? I rebooted to try to send some sort of trap.. NOthing shows up

Tags (1)

Path Finder

Can the syslog forward the Netapp filer cifs logs to centralized syslog server?

0 Karma

Splunk Employee
Splunk Employee

We have an amazing brand new release of Splunk App for NetApp Data ONTAP. Download it here:
Key new capabilities include:

  • Centralized visibility into the health of NetApp Data ONTAP Cluster-Mode and 7-Mode storage systems, including performance metrics, logs and events for improved MTTR
  • Flexible operational analytics with a report pack of 30 sample reports for proactive capacity planning, customizable SLA tracking and more
  • Real-time correlation using NetApp data with other data for cross-tier operational visibility and simplified troubleshooting (including built-in links to data collected by the Splunk App for VMware)
  • Enhanced scalability to allow the monitoring of many NetApp Data ONTAP storage systems
0 Karma


Do you know exactly what version of syslog it uses?

Generally speaking (massive generalisation there 😄 ) the following command at the top of the syslog.conf file (which I am assuming may work due to the name of the file) will forward all data out of the default port of 514 (assuming this is the default).

*.*     @splunk.server.ip.adddress

Most syslog servers support adding the :PORT to the end, but hopefully it will just use port 514. Then on splunk you need to configure it to listen on UDP port 514 ala;

The syslog server will probably need a restart after a conf change, if thats no good then let us know what exact version it is and we can change things up slightly 🙂


So if you add the line I had in my answer it should forward it out correctly.
Make sure that after the blah.blah and the @IP you use a tab as it appears it won't be happy without, and if the text above isn't commented out then just delete it to be safe.
Also ensure that the port is open on the indexer side and nothing inbetween is going to potentially block the traffic 🙂

0 Karma


this is the syslog conf file; I am using the IP so name resolution shouldn't be an issue. Port 514 is open on the storage device.

$Id: //depot/prod/DOT/R8.0.2x/ontap/files/syslog.conf.sample#1 $

Copyright (c) 1994-1996 Network Appliance.

All rights reserved.

Sample syslog.conf file. Copy to /etc/syslog.conf to use.

You must use TABS for separators between fields.

cmdsaudit.auditlog @

0 Karma