
Question about the NetApp log format compatible with StorageGRID App.

jmla69
New Member

Hello, I'm having trouble reading the NetApp CIFS Audit logs with the NetApp StorageGRID App for Splunk.

I'm using the standard CIFS audit log configuration settings recommended by NetApp in the Filer:

FAS2020-F1> options cifs.audit
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 20
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable off
cifs.audit.logsize 5000000
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /vol/vol0/Share/CIFS_Audit/CIFS_Audit_log.evt

I also have a shared folder on the filer to access the logs from the Splunk Server side.

But the log files generated by the NetApp Filer are in "Windows Event" format and it seems that the StorageGRID App can't process them.

I have also seen in the StorageGRID App folder an example log that is in a text format that I can't match, like a CSV file.

What are the log format types supported by the StorageGRID App?
If they are not in the native format used by the NetApp Filer, what is your preferred method to convert them to be compatible with the StorageGRID App?

Thanks,

Joseph Lopez

0 Karma

kapanig
Explorer

I believe NetApp supports XML format for CIFS logging... have you tried that? That would make it much easier for Splunk if you set props.conf KV_MODE = xml for your NetApp sourcetype.

0 Karma

jmla69
New Member

The article only applies to cluster and Vserver storage.

It doesn't apply to single storage like FAS2050.

But thanks for your help.

0 Karma

kapanig
Explorer

The StorageGRID app doesn't seem like it will work for CIFS auditing. Can you check the following article to turn on XML formatting via command line on the NetApp?
https://library.netapp.com/ecmdocs/ECMP1610202/html/vserver/audit/modify.html

0 Karma

jmla69
New Member

Hi Kapanig,

After reading your answer, I reviewed the NetApp documentation for the umpteenth time to see if something had passed me by.

Neither in the documents nor in the knowledge base have I found any information specifying that we can export CIFS audit logs in XML format.

All manuals specify that CIFS audit logs are always created in EVT (Windows Event Viewer) format.

Perhaps the information you've seen refers to other NetApp logs.

Anyway, thank you very much for your help.

Joseph

0 Karma
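
Since the thread ends with the filer writing its CIFS audit log only as EVT files, here is one way to turn such a file into key=value text that Splunk can index. This is an added example, not code from any poster, NetApp or Splunk. It assumes the saved file follows the classic Windows EVENTLOGRECORD layout that Event Viewer reads; the function names are hypothetical and the sample record is constructed.

```python
import struct
from datetime import datetime, timezone

SIG = b"LfLe"                               # in the file header and in every record
FIXED = struct.Struct("<IIIIIIHHHHIIIIII")  # 56-byte fixed part of EVENTLOGRECORD
def _utf16z(buf, pos):  # NUL-terminated UTF-16LE string -> (text, offset after it)
    end = pos
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le", "replace"), end + 2

def parse_evt(data):
    """Yield a dict for each well-formed record in the bytes of an .evt file."""
    pos = 4  # a record starts 4 bytes (its length field) before the signature
    while (sig := data.find(SIG, pos)) != -1 and sig - 4 + FIXED.size <= len(data):
        start, pos = sig - 4, sig + 4
        f = FIXED.unpack_from(data, start)
        length, recno, t_gen, event_id, ev_type, n_str, str_off = (f[i] for i in (0, 2, 3, 5, 6, 7, 11))
        end = start + length
        # Skip the 0x30-byte file header and torn records (trailing length copy mismatch).
        if length < FIXED.size + 4 or end > len(data) or data[end - 4:end] != data[start:sig]:
            continue
        rec = data[start:end]
        source, nxt = _utf16z(rec, FIXED.size)
        computer, _ = _utf16z(rec, nxt)
        strings, off = [], str_off
        for _ in range(n_str):
            text, off = _utf16z(rec, off)
            strings.append(text)
        yield {"record": recno, "time": t_gen, "event_id": event_id & 0xFFFF, "type": ev_type,
               "source": source, "computer": computer, "strings": strings}
        pos = end

def to_kv(rec):
    """Render one record as a timestamped key=value line that Splunk can index as text."""
    ts = datetime.fromtimestamp(rec["time"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    msg = "|".join(rec["strings"]).replace('"', "'")
    return (f'{ts} record={rec["record"]} event_id={rec["event_id"]} type={rec["type"]} '
            f'source="{rec["source"]}" computer="{rec["computer"]}" strings="{msg}"')

def build_sample():
    """Constructed input: file header plus one audit-style record (all values invented)."""
    enc = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    body = enc("Security") + enc("FILER1") + enc("alice") + enc("\\vol\\share\\a.txt")
    body += bytes(-(FIXED.size + len(body)) % 4)          # pad to a DWORD boundary
    length = FIXED.size + len(body) + 4
    fixed = FIXED.pack(length, 0x654C664C, 7, 1262304000, 1262304000, 560, 8, 2,
                       0, 0, 0, FIXED.size + 32, 0, 0, 0, 0)  # strings start after 32 name bytes
    return struct.pack("<I4s36xI", 0x30, SIG, 0x30) + fixed + body + struct.pack("<I", length)
```

Writing the `to_kv` lines to a text file lets an ordinary file monitor input pick them up, with the leading timestamp used as the event time.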