Splunk® App for NetApp Data ONTAP (Legacy)

Deploy and Use the Splunk App for NetApp Data ONTAP

This documentation does not apply to the most recent version of Splunk® App for NetApp Data ONTAP (Legacy). For documentation on the most recent version, go to the latest release.

Configure ONTAP log collection

Forward syslog events from NetApp

This topic talks about how to configure System log forwarding for your NetApp ONTAP storage systems to forward to a Splunk forwarder.

Configure timezones in syslog data

Syslog data from NetApp by default carries a UTC timestamp. If the timestamp is of a different format, then to parse the data in the correct format in Splunk, add timezone information to the props.conf file on all of the indexers receiving syslog data from your NetApp environment.

Note: On your Linux or Unix systems, the props.conf file is located in the following directory on your indexer(s): $SPLUNK_HOME/etc/apps/Splunk_TA_ontap/default/props.conf

On all indexers:

  1. Create a $SPLUNK_HOME/etc/apps/Splunk_TA_ontap/local/props.conf file and copy the [ontap:syslog] stanza from /Splunk_TA_ontap/default/props.conf to it.
  2. Edit the TIME_FORMAT and the TZ fields in the [ontap:syslog] stanza to match the timestamp format and the time zone being used by the filers.
    [ontap:syslog]
    TZ = UTC
    TRANSFORMS-ontapsyslogfields = ontap_generic_syslog_fields
    MAX_TIMESTAMP_LOOKAHEAD = 1
    TIME_FORMAT = %b %d %H:%M:%S
  3. After making the change to the props.conf file, restart your Splunk indexers for the change to take effect.

Read "Edit timestamp properties in props.conf" in the Splunk Enterprise Getting Data in manual for more information.

Configure Splunk to receive syslog data

We recommend that you use a data collection node as the collection point for syslog data as it has Splunk_TA_ontap installed and the data input is set up. When you have installed the Splunk App for NetApp Data ONTAP on the selected data collection node, enable the ontap:syslog data input. In Splunk Web, click Settings, then Data Inputs, then UDP, then click Enable to enable the port.

In very large environments, if you see a degradation in performance of your data collection node you can manually split the collection of your syslog data across multiple data collection nodes.

You can also use a dedicated forwarder or use the indexer that is connected to the data collection node as the collection point. In all cases, follow standard Splunk practices to configure Splunk to receive syslog data. Check that:

  • Splunk is listening on UDP port 514.
  • The sourcetype is set to ontap:syslog in the inputs.conf file.
  • Splunk_TA_ontap is installed on the machine receiving syslog.

If you currently collect syslog data from the NetApp filers using a Splunk forwarder, you can continue to use the setup you have in your environment. Check that the forwarder receiving syslog is configured to send the data to the same indexers as the data collection node.

System log (syslog) management is important for troubleshooting performance problems across your network. Configure system log forwarding from NetApp to Splunk separately for your 7-mode and cluster mode filers. Log forwarding is done on the command line in your NetApp environment to forward to a Splunk forwarder. The forwarder must have network access to the storage device and be configured to listen on UDP port 514. Read the topic "Get data from TCP and UDP ports" in the Getting Data In manual for more information.

Configure your NetApp environment to send syslog data to Splunk

In both 7-mode and in cluster mode, syslog is forwarded from your NetApp storage systems to Splunk by default on UDP port 514.

Configure syslog on 7-mode filers

  1. Log in to the NetApp filer with the correct permissions.
  2. To configure forwarding, on the command line enter the following, where forwarder is the IP address or DNS name of the receiving host:
    wrfile -a /etc/syslog.conf *.* @<forwarder>

Configure syslog on Cluster mode

In cluster mode there are many types of events, one of which is a syslog event. You can use specific Data ONTAP commands in the event family for managing these events. See the complete list of "Commands for managing events" in the NetApp online support documentation.

Configuring syslog in cluster mode is a two step process. First create a destination to where you will send the event. Once this is done you can forward the syslog event. You can forward to multiple forwarders, but you must specify a name for each one.

  1. Log in to the NetApp filer with the correct permissions.
  2. On the command line, set up the destination for the event as follows, where <machine_name> is the IP address or DNS name of the receiving host:
    event destination create -name int_fwd -syslog <machine_name>
  3. Specify exactly what you want to forward. You can forward all of the data from the cluster or you can forward a select set of data. In this command you add the destination(s) established in the previous step to the event route. In this example we forward all of the data.
  4. Filter the data you want to forward, and forward the data using this command:
    event route add-destinations -destinations int_fwd -messagename all

See the NetApp documentation, on "Managing event messages" for more detailed information.

Last modified on 09 April, 2015
Configure ONTAP credentials   Configure data collection intervals

This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters