NetApp ONTAP
NetApp is a provider of data services and management solutions. NetApp’s proprietary operating system, ONTAP, is capable of sending logs from its Event Management System (EMS) to a remote syslog destination via UDP as well as saving audit logs to a network share in EVTX or XML format. NXLog Agent can be configured to receive logs from ONTAP using the im_udp input module. It can also process ONTAP audit log files using the im_msvistalog and im_file input modules.
ONTAP version
The commands and steps in this guide have been tested with ONTAP 8.3. Commands for different versions may vary. For more information about configuring logging, please refer to the Product Documentation for your version on the NetApp Support site.
Your ONTAP version can be determined by running version -b from the command line. This example shows the output from ONTAP 8.3:
> version -b
/cfcard/x86_64/freebsd/image1/kernel: OS 8.3.1P2
Sending logs in syslog format
The NetApp web interface does not provide a way to configure an external syslog server, but it is possible to configure this from the command line. This is a cluster-level change that only needs to be performed once per cluster and is applied automatically to all members.
The event destination and event route commands used here have been replaced by the event notification command set in version 9.
- Configure NXLog Agent to receive log entries via UDP and process them as syslog (see the examples below). Then restart NXLog Agent.
- Make sure NXLog Agent is accessible from each member of the cluster.
- Log in to the cluster address with SSH.
- Run the following command to configure the syslog destination. Replace NAME and IP_ADDRESS with the required values. The default port for UDP is 514.
  > event destination create -name NAME -syslog IP_ADDRESS
- Now select the messages to be sent. Use the same NAME as in the previous step and set MSGS to the required value.
  > event route add-destinations -destinations NAME -messagename MSGS
  A list of messages can be obtained by running the command with a question mark (?) as the argument.
  > event route add-destinations -destinations NAME -messagename ?
  It is also possible to specify a severity level in addition to message types. The severity levels are EMERGENCY, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFORMATIONAL, and DEBUG.
  > event route add-destinations -destinations NAME -messagename MSGS -severity SEVERITY
The following commands send all messages with Informational severity and higher to 192.168.6.143 in syslog format via UDP port 514.
> event destination create -name nxlog -syslog 192.168.6.143
> event route add-destinations -destinations nxlog -messagename * -severity <=INFORMATIONAL
The following is a debug event logged by the NetApp replication engine. This example depicts the kind of data NXLog Agent will receive.
2/2/2021 15:40:25 p-netapp1 DEBUG repl.engine.error: replStatus="8", replFailureMsg="5898503", replFailureMsgDetail="0", functionName="repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)", lineNumber="738"
This configuration listens on UDP port 514 on all available IPv4 addresses. It uses the xm_syslog module to parse the NetApp logs in syslog format and converts them to JSON using the xm_json module.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in_syslog_udp>
    Module      im_udp
    ListenAddr  0.0.0.0:514
    Exec        parse_syslog();
</Input>

<Output output_file>
    Module  om_file
    File    "/var/log/netapp.log"
    Exec    to_json();
</Output>
{
"MessageSourceAddress": "192.168.5.61",
"EventReceivedTime": "2021-02-14 15:38:58",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 0,
"SyslogFacility": "KERN",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.5.61",
"EventTime": "2021-02-14 14:40:25",
"Message": "[p-netapp1:repl.engine.error:debug]: replStatus=\"8\", replFailureMsg=\"5898503\", replFailureMsgDetail=\"0\", functionName=\"repl_util::Result repl_core::Instance::endTransfer(spinnp_uuid_t*)\", lineNumber=\"738\""
}
Messages that contain key-value pairs, like the example event above, can be parsed with the xm_kvp module to extract additional fields if required.
<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension kvp>
    Module        xm_kvp
    KVPDelimiter  ,
    KVDelimiter   =
    EscapeChar    \\
</Extension>

<Input in_syslog_udp>
    Module      im_udp
    ListenAddr  0.0.0.0:514
    <Exec>
        parse_syslog();
        if $Message =~ /(?x)^\[([a-z-A-Z0-9-]*):([a-z-A-Z.]*):([a-z-A-Z]*)\]:
                        \ ([a-zA-Z]+=.+)/
        {
            $NAUnit = $1;
            $NAMsgName = $2;
            $NAMsgSev = $3;
            $NAMessage = $4;
            kvp->parse_kvp($4);
        }
    </Exec>
</Input>
{
"MessageSourceAddress": "192.168.5.63",
"EventReceivedTime": "2021-02-15 23:13:45",
"SourceModuleName": "in_syslog_udp",
"SourceModuleType": "im_udp",
"SyslogFacilityValue": 0,
"SyslogFacility": "KERN",
"SyslogSeverityValue": 7,
"SyslogSeverity": "DEBUG",
"SeverityValue": 1,
"Severity": "DEBUG",
"Hostname": "192.168.5.63",
"EventTime": "2021-02-15 23:13:14",
"Message": "[p-netapp3:repl.engine.error:debug]: replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
"NAUnit": "p-netapp3",
"NAMsgName": "repl.engine.error",
"NAMsgSev": "debug",
"NAMessage": "replStatus=\"5\", replFailureMsg=\"5898500\", replFailureMsgDetail=\"0\", functionName=\"void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)\", lineNumber=\"149\"",
"replStatus": "5",
"replFailureMsg": "5898500",
"replFailureMsgDetail": "0",
"functionName": "void repl_volume::Query::_queryResponse(repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)",
"lineNumber": "149"
}
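To show what the Exec block above actually does to an EMS message, here is an added Python example (not part of the NXLog documentation or of NXLog itself) that applies the same header pattern and then splits the key-value part. The sample message is constructed from the DEBUG event shown on this page; the field names NAUnit, NAMsgName, NAMsgSev and NAMessage mirror the configuration. The kvp splitter is a stand-in for xm_kvp with the same delimiter settings (KVPDelimiter ",", KVDelimiter "=", EscapeChar "\"), and the point worth seeing is that the commas inside the quoted functionName value must not be treated as pair separators.

```python
import json
import re
from typing import Dict, List

# Constructed sample message, taken from the shape of the DEBUG event shown
# on this page (the text after the syslog header).
SAMPLE_MESSAGE = (
    '[p-netapp3:repl.engine.error:debug]: replStatus="5", replFailureMsg="5898500", '
    'replFailureMsgDetail="0", functionName="void repl_volume::Query::_queryResponse('
    'repl_spinnp::Request&, const spinnp_repl_result_t&, repl_spinnp::Response*)", '
    'lineNumber="149"'
)

# Same shape as the regular expression in the NXLog Exec block:
# "[<unit>:<message name>:<severity>]: <key="value", ...>"
HEADER_RE = re.compile(r'^\[([A-Za-z0-9-]*):([A-Za-z.]*):([A-Za-z]*)\]: ([A-Za-z]+=.+)$')


def parse_kvp(text: str, kvp_delim: str = ",", kv_delim: str = "=",
              escape: str = "\\") -> Dict[str, str]:
    """Split key="value" pairs with the delimiters used in the xm_kvp block.

    Double quotes group a value, so the commas inside functionName are part
    of the value rather than pair separators; the escape character makes the
    following character literal.
    """
    fields: Dict[str, str] = {}
    key = None
    buf: List[str] = []
    in_quotes = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == escape and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == kv_delim and key is None and not in_quotes:
            key = "".join(buf).strip()
            buf = []
        elif ch == kvp_delim and not in_quotes:
            if key is not None:
                fields[key] = "".join(buf).strip()
            key = None
            buf = []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        fields[key] = "".join(buf).strip()
    return fields


def parse_ontap_message(message: str) -> Dict[str, str]:
    """Produce the fields the NXLog configuration adds (NAUnit, NAMsgName,
    NAMsgSev, NAMessage) plus one field per key-value pair. Messages that do
    not match the ONTAP EMS layout yield an empty dict."""
    match = HEADER_RE.match(message)
    if not match:
        return {}
    unit, msg_name, msg_sev, kvp_text = match.groups()
    fields = {"NAUnit": unit, "NAMsgName": msg_name,
              "NAMsgSev": msg_sev, "NAMessage": kvp_text}
    fields.update(parse_kvp(kvp_text))
    return fields


if __name__ == "__main__":
    print(json.dumps(parse_ontap_message(SAMPLE_MESSAGE), indent=2))
```

Running the script prints the same NAUnit, NAMsgName, NAMsgSev, replStatus, functionName and lineNumber values that appear in the JSON output sample above; a naive split on "," would instead break functionName into three fragments.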
Sending logs to a remote file share
NetApp audit logs are saved in the Windows Event Log (EVTX) format by default and can be parsed by NXLog Agent using the im_msvistalog module. ONTAP can also be configured to write audit logs in its own XML format; these XML files can be parsed using a combination of the im_file input module and the xm_xml extension module.
In the case of a standalone unit, these logs are available over the network in the \etc$ share. However, in cluster mode, starting from ONTAP 7 this share is not accessible. Instead, audit logs from each virtual server can be sent to a CIFS share where NXLog Agent can access and read them. This configuration must be performed for each virtual server separately.
To configure NetApp to send logs to a file share, create and enable an audit policy for each virtual server.
> vserver audit create -vserver <VIRTUAL_SERVER> -destination <SHARE> -format <LOG_FORMAT> -rotate-size <SIZE> -rotate-limit <NUMBER>
> vserver audit enable -vserver <VIRTUAL_SERVER>
These commands set up an audit policy that sends logs to the specified share, rotates log files at 100 MB, and retains the last 10 rotated log files. Logs will be saved in EVTX format.
> vserver audit create -vserver vs_p12_cifs -destination /p-GRT -rotate-size 100M -rotate-limit 10
> vserver audit enable vs_p12_cifs
The following commands set up the same audit policy as above, but save the logs in XML format.
> vserver audit create -vserver vs_p12_cifs -destination /p-GRT -format xml -rotate-size 100M -rotate-limit 10
> vserver audit enable vs_p12_cifs
This example shows an NXLog Agent configuration using the im_msvistalog input module to process NetApp audit events in EVTX format. Log records are converted to JSON using the xm_json module and saved to a file.
<Extension _json>
    Module xm_json
</Extension>

<Input in_file_evt>
    Module  im_msvistalog
    File    C:\Temp\NXLog\audit_vs_p12_cifs_last.evtx
</Input>

<Output output_file>
    Module  om_file
    File    "C:\Temp\evt.log"
    Exec    to_json();
</Output>
{
"EventTime": "2021-02-10 21:17:12",
"Hostname": "e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757",
"Keywords": -9214364837600035000,
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 4624,
"SourceName": "NetApp-Security-Auditing",
"ProviderGuid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
"Version": 101,
"OpcodeValue": 0,
"RecordNumber": 0,
"ProcessID": 0,
"ThreadID": 0,
"Channel": "Security",
"ERROR_EVT_UNRESOLVED": true,
"IpAddress' IPVersion='4": "192.168.17.151",
"IpPort": "49421",
"TargetUserSID": "S-1-5-21-4103495029-501085275-2219630704-2697",
"TargetUserName": "App_Service",
"TargetUserIsLocal": "false",
"TargetDomainName": "DOMAIN",
"AuthenticationPackageName": "KRB5",
"LogonType": "3",
"EventReceivedTime": "2021-02-10 22:33:00",
"SourceModuleName": "in_file_evt",
"SourceModuleType": "im_msvistalog"
}
This example shows an NXLog Agent configuration that processes NetApp audit events in XML format. Since the ONTAP XML format is similar to the Windows Event Log XML format, the parse_windows_eventlog_xml() procedure of the xm_xml module is used to parse the data into fields. Log records are then converted to JSON using the xm_json module.
<Extension _xml>
    Module xm_xml
</Extension>

<Extension _json>
    Module xm_json
</Extension>

<Input in_netapp_xml>
    Module  im_file
    File    "/path/to/netapp/audit.xml"
    <Exec>
        # Drop lines that do not start with the <Event> tag
        if $raw_event !~ /^<Event>/ drop();
        # Parse the XML into fields
        parse_windows_eventlog_xml();
        # Convert to JSON
        to_json();
    </Exec>
</Input>
<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">
<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
<EventID>4656</EventID>
<EventName>Open Object</EventName>
<Version>101.3</Version>
<Source>CIFS</Source>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2021-02-10T22:34:04.113197000Z"/>
<Correlation/>
<Channel>Security</Channel>
<Computer>e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757</Computer>
<ComputerUUID>06d47d29-7e8c-11e6-904b-00a0989380d9/969da028-8ce6-11e6-9724-00a09893803b</ComputerUUID>
<Security/>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">192.168.17.151</Data>
<Data Name="SubjectUnix" Uid="224867" Gid="1086" Local="false"></Data>
<Data Name="SubjectUserSid">S-1-5-21-379614923-3435630508-3781305282-624513</Data>
<Data Name="SubjectUserIsLocal">false</Data>
<Data Name="SubjectDomainName">AM</Data>
<Data Name="SubjectUserName">App_Service</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="HandleID">0000000000042e;00;00000040;5c785a2e</Data>
<Data Name="ObjectName">(oci_backup_temp);/</Data>
<Data Name="AccessList">%%4416 %%4423 </Data>
<Data Name="AccessMask">81</Data>
<Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data>
<Data Name="Attributes"></Data>
</EventData>
</Event>
</Events>
{
"EventReceivedTime": "2021-02-10T14:56:13.329604+01:00",
"SourceModuleName": "in_netapp_xml",
"SourceModuleType": "im_file",
"SourceName": "NetApp-Security-Auditing",
"ProviderGuid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
"EventID": 4656,
"System.EventName": "Open Object",
"System.Source": "CIFS",
"LevelValue": 0,
"OpcodeValue": 0,
"Keywords": "0x8020000000000000",
"System.Result": "Audit Success",
"EventTime": "2021-02-10T12:34:04.354197+02:00",
"Channel": "Security",
"Hostname": "e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757",
"System.ComputerUUID": "06d47d29-7e8c-11e6-904b-00a0989380d9/969da028-8ce6-11e6-9724-00a09893803b",
"SubjectIP.IPVersion": "4",
"SubjectIP": "192.168.17.151",
"SubjectUnix.Uid": "224867",
"SubjectUnix.Gid": "1086",
"SubjectUnix.Local": "false",
"SubjectUserSid": "S-1-5-21-379614923-3435630508-3781305282-624513",
"SubjectUserIsLocal": "false",
"SubjectDomainName": "AM",
"SubjectUserName": "App_Service",
"ObjectServer": "Security",
"ObjectType": "Directory",
"HandleID": "0000000000042e;00;00000040;5c785a2e",
"ObjectName": "(oci_backup_temp);/",
"AccessList": "%%4416 %%4423 ",
"AccessMask": "81",
"DesiredAccess": "Read Data; List Directory; Read Attributes; ",
"EventType": "AUDIT_SUCCESS",
"SeverityValue": 2,
"Severity": "INFO"
}
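To make the field naming in the output sample above traceable to the XML, here is an added Python example (not part of the NXLog documentation or of NXLog's xm_xml module) that parses a constructed ONTAP audit document with the standard library and flattens each <Event> the way the output sample does: <Data Name="X"> elements become field X, extra attributes on a <Data> element become X.<Attr> (SubjectIP.IPVersion, SubjectUnix.Uid), and <System> children either map onto the standard names visible in the output (EventID, Hostname, SourceName, ProviderGuid, EventTime, Channel, Keywords, LevelValue, OpcodeValue) or become System.<Tag>. The mapping tables are assumptions derived from that output sample; the whole file is parsed as XML here rather than line by line as im_file does, and EventTime is kept as written in the file instead of being converted to local time.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = "{http://www.netapp.com/schemas/ONTAP/2007/AuditLog}"

# Constructed sample: one <Event> in the layout of the XML sample above,
# reduced to the elements this example needs.
SAMPLE_XML = """<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">
<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>
<EventID>4656</EventID>
<EventName>Open Object</EventName>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2021-02-10T22:34:04.113197000Z"/>
<Channel>Security</Channel>
<Computer>e3864b4d-8937-11e5-b812-00a098831757/bf4a40a5-9216-11e5-8d9a-00a098831757</Computer>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">192.168.17.151</Data>
<Data Name="SubjectUnix" Uid="224867" Gid="1086" Local="false"></Data>
<Data Name="SubjectUserName">App_Service</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="ObjectName">(oci_backup_temp);/</Data>
<Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data>
</EventData>
</Event>
</Events>
"""

# Assumed mapping of <System> elements and attributes onto the standard field
# names seen in the output sample; anything else in <System> becomes System.<Tag>.
SYSTEM_ELEMENT_MAP = {
    "EventID": "EventID", "Channel": "Channel", "Computer": "Hostname",
    "Keywords": "Keywords", "Level": "LevelValue", "Opcode": "OpcodeValue",
}
SYSTEM_ATTR_MAP = {
    ("Provider", "Name"): "SourceName",
    ("Provider", "Guid"): "ProviderGuid",
    ("TimeCreated", "SystemTime"): "EventTime",
}
INT_FIELDS = {"EventID", "LevelValue", "OpcodeValue"}

Value = Union[str, int]


def flatten_event(event: ET.Element) -> Dict[str, Value]:
    """Flatten one <Event> into a single-level dict of fields."""
    fields: Dict[str, Value] = {}
    system = event.find(NS + "System")
    if system is not None:
        for child in system:
            tag = child.tag.replace(NS, "")
            text = (child.text or "").strip()
            if text:
                name = SYSTEM_ELEMENT_MAP.get(tag, "System." + tag)
                fields[name] = int(text) if name in INT_FIELDS else text
            for attr, val in child.attrib.items():
                fields[SYSTEM_ATTR_MAP.get((tag, attr), "System.%s.%s" % (tag, attr))] = val
    data = event.find(NS + "EventData")
    if data is not None:
        for item in data.findall(NS + "Data"):
            name = item.get("Name")
            if name is None:
                continue
            if item.text:  # an empty <Data ...></Data> yields no value field
                fields[name] = item.text
            for attr, val in item.attrib.items():
                if attr != "Name":
                    fields["%s.%s" % (name, attr)] = val
    return fields


def parse_audit_xml(xml_text: str) -> List[Dict[str, Value]]:
    """Parse a whole ONTAP audit XML document; one flat dict per <Event>."""
    root = ET.fromstring(xml_text)
    return [flatten_event(ev) for ev in root.findall(NS + "Event")]


if __name__ == "__main__":
    for ev in parse_audit_xml(SAMPLE_XML):
        print(json.dumps(ev, indent=2))
```

Note that SubjectUnix produces only the SubjectUnix.Uid, SubjectUnix.Gid and SubjectUnix.Local fields and no SubjectUnix value, matching the output sample, because the element carries its data in attributes and has empty content.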