NetApp ONTAP

NetApp is a provider of data services and management solutions. NetApp’s proprietary operating system, ONTAP, is capable of sending logs from its Event Management System (EMS) to a remote syslog destination via UDP as well as saving audit logs to a network share in EVTX or XML format. NXLog Agent can be configured to receive logs from ONTAP using the im_udp input module. It can also process ONTAP audit log files using the im_msvistalog and im_file input modules.

ONTAP version

The commands and steps in this guide have been tested with ONTAP 8.3. Commands for different versions may vary. For more information about configuring logging, please refer to the Product Documentation for your version on the NetApp Support site.

Your ONTAP version can be determined by running version -b from the command line. This example shows the output from ONTAP 8.3:

> version -b
/cfcard/x86_64/freebsd/image1/kernel: OS 8.3.1P2

Sending logs in syslog format

The NetApp web interface does not provide a way to configure an external syslog server, but it is possible to configure this from the command line. This is a cluster-level change that only needs to be performed once per cluster; it is automatically applied to all members.

The event destination and event route commands used here have been replaced by the event notification command set in ONTAP 9.

  1. Configure NXLog Agent to receive log entries via UDP and process them as syslog (see the examples below). Then restart NXLog Agent.

  2. Make sure NXLog Agent is accessible from each member of the cluster.

  3. Log in to the cluster address with SSH.

  4. Run the following command to configure the syslog destination. Replace NAME and IP_ADDRESS with the required values. The default port for UDP is 514.

    > event destination create -name NAME -syslog IP_ADDRESS

  5. Now select the messages to be sent. Use the same NAME as in the previous step and set MSGS to the required value.

    > event route add-destinations -destinations NAME -messagename MSGS

    A list of messages can be obtained by running the command with a question mark (?) as the argument.

    > event route add-destinations -destinations NAME -messagename ?

    It is also possible to specify a severity level in addition to message types. The severity levels are EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, and DEBUG.

    > event route add-destinations -destinations NAME -messagename MSGS
      -severity SEVERITY

    The following commands send all messages with Informational severity and higher to 192.168.6.143 in syslog format via UDP port 514.

    > event destination create -name nxlog -syslog 192.168.6.143
    > event route add-destinations -destinations nxlog -messagename *
      -severity <=INFORMATIONAL

The following is a debug event logged by the NetApp replication engine. This example depicts the kind of data NXLog Agent will receive.

2/2/2021 15:40:25  p-netapp1        DEBUG         repl.engine.error: replStatus="8", replFailureMsg="5898503", replFailureMsgDetail="0", functionName="repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)", lineNumber="738"
Example 1. Receiving syslog from NetApp

This configuration listens for UDP datagrams on port 514 on all available IPv4 addresses. It uses the xm_syslog module to parse NetApp logs in syslog format and converts them to JSON using the xm_json module.

nxlog.conf
<Extension _syslog>
    Module        xm_syslog
</Extension>

<Extension _json>
    Module        xm_json
</Extension>

<Input in_syslog_udp>
    Module        im_udp
    ListenAddr    0.0.0.0:514
    Exec          parse_syslog();
</Input>

<Output output_file>
    Module        om_file
    File          "/var/log/netapp.log"
    Exec          to_json();
</Output>
Output sample
{
  "MessageSourceAddress": "192.168.5.61",
  "EventReceivedTime": "2021-02-14 15:38:58",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 0,
  "SyslogFacility": "KERN",
  "SyslogSeverityValue": 7,
  "SyslogSeverity": "DEBUG",
  "SeverityValue": 1,
  "Severity": "DEBUG",
  "Hostname": "192.168.5.61",
  "EventTime": "2021-02-14 14:40:25",
  "Message": "[p-netapp1:repl.engine.error:debug]: replStatus=\"8\", replFailureMsg=\"5898503\", replFailureMsgDetail=\"0\", functionName=\"repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)\", lineNumber=\"738\""
}
Example 2. Extracting additional fields from syslog messages

Messages that contain key-value pairs, like the example event above, can be parsed with the xm_kvp module to extract additional fields if required.

nxlog.conf
<Extension _syslog>
    Module          xm_syslog
</Extension>

<Extension kvp>
    Module          xm_kvp
    KVPDelimiter    ,
    KVDelimiter     =
    EscapeChar      \\
</Extension>

<Input in_syslog_udp>
    Module          im_udp
    ListenAddr      0.0.0.0:514
    <Exec>
        parse_syslog();
        if $Message =~ /(?x)^\[([a-z-A-Z0-9-]*):([a-z-A-Z.]*):([a-z-A-Z]*)\]:
                        \ ([a-zA-Z]+=.+)/
        {
            $NAUnit = $1;
            $NAMsgName = $2;
            $NAMsgSev = $3;
            $NAMessage = $4;
            kvp->parse_kvp($4);
        }
    </Exec>
</Input>
Output sample
{
  "MessageSourceAddress": "192.168.5.63",
  "EventReceivedTime": "2021-02-15 23:13:45",
  "SourceModuleName": "in_syslog_udp",
  "SourceModuleType": "im_udp",
  "SyslogFacilityValue": 0,
  "SyslogFacility": "KERN",
  "SyslogSeverityValue": 7,
  "SyslogSeverity": "DEBUG",
  "SeverityValue": 1,
  "Severity": "DEBUG",
  "Hostname": "192.168.5.63",
  "EventTime": "2021-02-15 23:13:14",
  "Message": "[p-netapp3:repl.engine.error:debug]: replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
  "NAUnit": "p-netapp3",
  "NAMsgName": "repl.engine.error",
  "NAMsgSev": "debug",
  "NAMessage": "replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
  "replStatus": "5",
  "replFailureMsg": "5898500",
  "replFailureMsgDetail": "0",
  "functionName": "void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)",
  "lineNumber": "149"
}
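
The following Python function is an added example, not NXLog or NetApp code. It applies the same header pattern as the configuration above to the Message value from the output sample and splits the key-value pairs with quote awareness, so the commas inside functionName stay in one value. The names parse_ems_message, SAMPLE, RESERVED and _unparsed are assumptions of this example.

```python
import re

# Message value copied from the Example 2 output sample on this page.
SAMPLE = (
    '[p-netapp3:repl.engine.error:debug]: replStatus="5", '
    'replFailureMsg="5898500", replFailureMsgDetail="0", '
    'functionName="void repl_volume::Query::_queryResponse('
    'repl_spinnp::Request&, const spinnp_repl_result_t&, '
    'repl_spinnp::Response*)", lineNumber="149"'
)

# [<unit>:<message name>:<severity>]: key="value", key="value", ...
HEADER = re.compile(
    r'^\[([A-Za-z0-9-]*):([A-Za-z.-]*):([A-Za-z-]*)\]: ([A-Za-z]+=.+)$', re.S)
# One key="value" pair; the value may contain commas and backslash escapes.
PAIR = re.compile(r'\s*([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"\s*(?:,|$)', re.S)
# Header-derived fields that a payload key must not overwrite (example policy).
RESERVED = ("NAUnit", "NAMsgName", "NAMsgSev", "NAMessage")


def parse_ems_message(message):
    """Return a dict of fields, or None if the header pattern does not match."""
    m = HEADER.match(message.strip())
    if m is None:
        return None
    fields = dict(zip(RESERVED, m.groups()))
    body, pos = m.group(4), 0
    while pos < len(body):
        pair = PAIR.match(body, pos)
        if pair is None:
            # Malformed or free-text tail: keep it verbatim instead of guessing.
            fields["_unparsed"] = body[pos:]
            break
        key, raw = pair.group(1), pair.group(2)
        if key not in RESERVED:
            # Undo backslash escapes such as \" inside the quoted value.
            fields[key] = re.sub(r'\\(.)', r'\1', raw)
        pos = pair.end()
    return fields


if __name__ == "__main__":
    for name, value in parse_ems_message(SAMPLE).items():
        print(name, "=", value)
```
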

Sending logs to a remote file share

NetApp audit logs are saved in the Windows Event Log (EVTX) format by default and can be parsed by NXLog Agent using the im_msvistalog module. ONTAP can also be configured to output audit logs in an ONTAP-specific XML format. XML files can be parsed using a combination of the im_file input module and the xm_xml extension module.

In the case of a standalone unit, these logs are available over the network in the \etc$ share. However, in cluster mode, starting from ONTAP 7 this share is not accessible. Instead, audit logs from each virtual server can be sent to a CIFS share where NXLog Agent can access and read them. This configuration must be performed for each virtual server separately.

To configure NetApp to send logs to a file share, create and enable an audit policy for each virtual server.

> vserver audit create -vserver <VIRTUAL_SERVER> -destination <SHARE>
  -format <LOG_FORMAT> -rotate-size <SIZE> -rotate-limit <NUMBER>
> vserver audit enable -vserver <VIRTUAL_SERVER>

The following commands set up an audit policy that sends logs to the specified share, rotates log files at 100 MB, and retains the last 10 rotated log files. Logs will be saved in EVTX format.

> vserver audit create -vserver vs_p12_cifs
  -destination /p-GRT -rotate-size 100M -rotate-limit 10
> vserver audit enable vs_p12_cifs

The following commands set up the same audit policy as above, but save the logs in XML format.

> vserver audit create -vserver vs_p12_cifs -destination /p-GRT
  -format xml -rotate-size 100M -rotate-limit 10
> vserver audit enable vs_p12_cifs
Example 3. Reading logs from a NetApp Windows Event Log file

This example shows an NXLog Agent configuration using the im_msvistalog input module to process NetApp audit events in EVTX format. Log records are converted to JSON using the xm_json module and saved to a file.

nxlog.conf
<Extension _json>
    Module  xm_json
</Extension>

<Input in_file_evt>
    Module  im_msvistalog
    File    C:\Temp\NXLog\audit_vs_p12_cifs_last.evtx
</Input>

<Output output_file>
    Module  om_file
    File    "C:\Temp\evt.log"
    Exec    to_json();
</Output>
Output sample
{
  "EventTime": "2021-02-10 21:17:12",
  "Hostname": "e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757",
  "Keywords": -9214364837600035000,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4624,
  "SourceName": "NetApp-Security-Auditing",
  "ProviderGuid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
  "Version": 101,
  "OpcodeValue": 0,
  "RecordNumber": 0,
  "ProcessID": 0,
  "ThreadID": 0,
  "Channel": "Security",
  "ERROR_EVT_UNRESOLVED": true,
  "IpAddress' IPVersion='4": "192.168.17.151",
  "IpPort": "49421",
  "TargetUserSID": "S-1-5-21-4103495029-501085275-2219630704-2697",
  "TargetUserName": "App_Service",
  "TargetUserIsLocal": "false",
  "TargetDomainName": "DOMAIN",
  "AuthenticationPackageName": "KRB5",
  "LogonType": "3",
  "EventReceivedTime": "2021-02-10 22:33:00",
  "SourceModuleName": "in_file_evt",
  "SourceModuleType": "im_msvistalog"
}
Example 4. Reading logs from a NetApp XML file

This example shows an NXLog Agent configuration that processes NetApp audit events in XML format. Since the ONTAP XML format is similar to the Windows Event Log XML format, the parse_windows_eventlog_xml() procedure of the xm_xml module is used to parse the data into fields. Log records are then converted to JSON using the xm_json module.

nxlog.conf
<Extension _xml>
    Module  xm_xml
</Extension>

<Extension _json>
    Module  xm_json
</Extension>

<Input in_netapp_xml>
    Module  im_file
    File    "/path/to/netapp/audit.xml"
    <Exec>
        # Drop lines that do not start with <Event> tag
        if $raw_event !~ /^<Event>/ drop();

        # Parse the XML into fields
        parse_windows_eventlog_xml();

        # Convert to JSON
        to_json();
    </Exec>
</Input>
Input sample
<Events
    xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">
    <Event>
        <System>
            <Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
            <EventID>4656</EventID>
            <EventName>Open Object</EventName>
            <Version>101.3</Version>
            <Source>CIFS</Source>
            <Level>0</Level>
            <Opcode>0</Opcode>
            <Keywords>0x8020000000000000</Keywords>
            <Result>Audit Success</Result>
            <TimeCreated SystemTime="2021-02-10T22:34:04.113197000Z"/>
            <Correlation/>
            <Channel>Security</Channel>
            <Computer>e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757</Computer>
            <ComputerUUID>06d47d29-7e8c-11e6-904b-00a0989380d9/969da028-8ce6-11e6-9724-00a09893803b</ComputerUUID>
            <Security/>
        </System>
        <EventData>
            <Data Name="SubjectIP" IPVersion="4">192.168.17.151</Data>
            <Data Name="SubjectUnix" Uid="224867" Gid="1086" Local="false"></Data>
            <Data Name="SubjectUserSid">S-1-5-21-379614923-3435630508-3781305282-624513</Data>
            <Data Name="SubjectUserIsLocal">false</Data>
            <Data Name="SubjectDomainName">AM</Data>
            <Data Name="SubjectUserName">App_Service</Data>
            <Data Name="ObjectServer">Security</Data>
            <Data Name="ObjectType">Directory</Data>
            <Data Name="HandleID">0000000000042e;00;00000040;5c785a2e</Data>
            <Data Name="ObjectName">(oci_backup_temp);/</Data>
            <Data Name="AccessList">%%4416 %%4423 </Data>
            <Data Name="AccessMask">81</Data>
            <Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data>
            <Data Name="Attributes"></Data>
        </EventData>
    </Event>
</Events>
Output sample
{
  "EventReceivedTime": "2021-02-10T14:56:13.329604+01:00",
  "SourceModuleName": "in_netapp_xml",
  "SourceModuleType": "im_file",
  "SourceName": "NetApp-Security-Auditing",
  "ProviderGuid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
  "EventID": 4656,
  "System.EventName": "Open Object",
  "System.Source": "CIFS",
  "LevelValue": 0,
  "OpcodeValue": 0,
  "Keywords": "0x8020000000000000",
  "System.Result": "Audit Success",
  "EventTime": "2021-02-10T12:34:04.354197+02:00",
  "Channel": "Security",
  "Hostname": "e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757",
  "System.ComputerUUID": "06d47d29-7e8c-11e6-904b-00a0989380d9/969da028-8ce6-11e6-9724-00a09893803b",
  "SubjectIP.IPVersion": "4",
  "SubjectIP": "192.168.17.151",
  "SubjectUnix.Uid": "224867",
  "SubjectUnix.Gid": "1086",
  "SubjectUnix.Local": "false",
  "SubjectUserSid": "S-1-5-21-379614923-3435630508-3781305282-624513",
  "SubjectUserIsLocal": "false",
  "SubjectDomainName": "AM",
  "SubjectUserName": "App_Service",
  "ObjectServer": "Security",
  "ObjectType": "Directory",
  "HandleID": "0000000000042e;00;00000040;5c785a2e",
  "ObjectName": "(oci_backup_temp);/",
  "AccessList": "%%4416 %%4423 ",
  "AccessMask": "81",
  "DesiredAccess": "Read Data; List Directory; Read Attributes; ",
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO"
}
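
To check an ONTAP XML audit file outside NXLog Agent, the following Python function (an added example, not NXLog or NetApp code) applies the same line filter as the drop() condition above and flattens one event into fields. It assumes each event occupies a single line starting with <Event>, as that condition implies. The System.<tag> and <Name>.<attribute> field names are this example's own scheme, and SAMPLE_LINE is built from a subset of the input sample.

```python
import xml.etree.ElementTree as ET

# Constructed: elements from the input sample above, collapsed onto one line.
SAMPLE_LINE = (
    '<Event><System>'
    '<Provider Name="NetApp-Security-Auditing" '
    'Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>'
    '<EventID>4656</EventID><EventName>Open Object</EventName>'
    '<TimeCreated SystemTime="2021-02-10T22:34:04.113197000Z"/>'
    '</System><EventData>'
    '<Data Name="SubjectIP" IPVersion="4">192.168.17.151</Data>'
    '<Data Name="SubjectUnix" Uid="224867" Gid="1086" Local="false"></Data>'
    '<Data Name="SubjectUserName">App_Service</Data>'
    '<Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data>'
    '</EventData></Event>'
)


def flatten_event(line):
    """Flatten one '<Event>...</Event>' line into a dict, or return None."""
    # Same filter as the config: skip the <Events> wrapper and anything else.
    if not line.startswith("<Event>"):
        return None
    try:
        event = ET.fromstring(line)
    except ET.ParseError:
        return None  # truncated or malformed record
    fields = {}
    for node in event.findall("./System/*"):
        if node.text and node.text.strip():
            fields["System." + node.tag] = node.text.strip()
        for attr, value in node.attrib.items():
            fields["System.%s.%s" % (node.tag, attr)] = value
    for data in event.findall("./EventData/Data"):
        name = data.get("Name")
        if not name:
            continue
        # Attribute-only elements such as SubjectUnix have no text.
        fields[name] = data.text or ""
        for attr, value in data.attrib.items():
            if attr != "Name":
                fields["%s.%s" % (name, attr)] = value
    return fields


if __name__ == "__main__":
    for name, value in flatten_event(SAMPLE_LINE).items():
        print(name, "=", value)
```
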
Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The content was tested and confirmed to work in our lab environment at the time of the last revision with the following software versions:

NetApp ONTAP version 8.3

Last revision: 17 September 2018