
NetApp syslog truncated

jwhughes58
Contributor

I'm working with the Splunk TA ONTAP 2.1.7 and the NetApp A400 AFF. The syslog-ng farm we have is receiving the syslog events being sent from the NetApp. Two problems. The first is that the messages don't look like what is in the sample files.

Mar 3 19:44:28 10.16.48.250 NetApp: NetApp: hex_digits_1.hex_digits_2 hex_digits_3 Wed Mar 03 2021 11:44:27 -08:00 [kern_audit:info:9521] hex_digits4 :: NetApp:http :: aa.bb.cc.dd:port :: NetApp:CS\script :: GET /spi/NetApp/etc/log/stats/ccma/kernel/opm/078029_000300_1614800101000_0239077.ccma.gz HTTP/1.1 :: Success: 200 OK
 
7-mode samples
Dec 9 09:48:53 10.0.1.40 Dec 9 09:44:45 [cluster07:kern.syslogd.restarted:info]: syslogd: Restarted. ","10.0.1.40",ontap,"udp:514","ontap:syslog","2016-12-09 09:48:53"
Dec 9 09:53:06 10.0.1.40 Dec 9 09:48:58 [cluster07:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1991-05.com.microsoft:cdslwin07 at IP addr 10.0.1.1
","10.0.1.40",ontap,"udp:514","ontap:syslog","2016-12-09 09:53:06"
 
C-mode samples
Dec 9 11:21:35 10.0.1.39 Dec 9 11:22:01 [crest-cluster01-01:raid.rg.media_scrub.done:notice]: /aggr1/plex0/rg0: media scrub completed in 23:57.00 ","10.0.1.39",ontap,"udp:514","ontap:syslog","2016-12-09 11:21:35"
Dec 9 11:23:39 10.0.1.56 Dec 9 11:21:04 [crest-cluster01-01:raid.rg.media_scrub.start:notice]: /aggr1/plex0/rg0: start media scrub ","10.0.1.56",ontap,"udp:514","ontap:syslog","2016-12-09 11:23:39"
 
The 7-mode and C-mode samples don't look anything like the syslog events that are in the syslog-ng. The second issue is that the messages are being truncated.
 
Mar 3 20:11:04 NetApp NetApp: NetApp: hex_digits_1.hex_digits_2 hex_digits_3 Wed Mar 03 2021 12:11:04 -08:00 [kern_audit:info:1817] hex_digits_4 :: NetApp:ontapi :: aa.bb.cc.dd:port :: NetApp:DC\script :: <netapp version='1.0' xmlns='http://www.netapp.com/filer/admin' nmsdk_version='9.5' nmsdk_platform='Windows Server 2016' nmsdk_language='Java'><diagnosis-alert-get-iter><query><diagnosis-alert-info><monitor>system-connect|node-connect</monitor><subsystem>FHM-Switch|metrocluster_node|metrocluster|fhm-bridge|sas_connect</subsystem><alert-id>InterclusterBrokenConnectionAlert|InterconnectAdapterOfflineAlert|RaidDegradedMirrorAggrAlert|RaidLeftBehindAggrAlert|RaidLeftBehindSpareAlert|StorageFCAdapterFault_Alert|ClusterSeveredAllLinksAlert|NoISLPresentAlert|FabricSwitchFanFail_Alert|FabricSwitchPowerFail_Alert|FabricSwitchTempCritical_Alert|FabricSwitchUnreachable_Alert|StorageBridgePortDown_Alert|StorageBridgeTempAboveCritical_Alert|StorageBridgeTempBelowCritical... :: Pending:
 
The above contains incomplete XML. We have proved to ourselves that the listening port can take longer messages, so the thought is that the message is truncated at the sender.
 
If anyone has any ideas about why the messages don't look similar (I don't control the NetApp, only Splunk) or why the messages get truncated, please let me know.
 
TIA
Joe
 
Splunk : 7.3.6
OS : Red Hat Enterprise Linux release 8.3 (Ootpa)
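As an added example (not from the post, the TA or NetApp), a small Python checker that splits kern_audit lines like the ones above into their " :: "-separated fields and flags the two truncation signals the post describes: an XML request whose elements never close, and a request that ends in "..." yet still has the status field appended after it. The sample lines are constructed, shortened versions of the redacted events in the post; the field names are assumptions.

```python
import re

# Constructed, shortened versions of the post's redacted kern_audit events (not real data).
SAMPLE_LINES = [
    "Mar 3 19:44:28 10.16.48.250 NetApp: NetApp: hex_digits_1.hex_digits_2 hex_digits_3 "
    "Wed Mar 03 2021 11:44:27 -08:00 [kern_audit:info:9521] hex_digits4 :: NetApp:http :: "
    "aa.bb.cc.dd:port :: NetApp:CS\\script :: GET /spi/NetApp/etc/log/x.ccma.gz HTTP/1.1 :: Success: 200 OK",
    "Mar 3 20:11:04 NetApp NetApp: NetApp: hex_digits_1.hex_digits_2 hex_digits_3 "
    "Wed Mar 03 2021 12:11:04 -08:00 [kern_audit:info:1817] hex_digits_4 :: NetApp:ontapi :: "
    "aa.bb.cc.dd:port :: NetApp:DC\\script :: <netapp version='1.0'><diagnosis-alert-get-iter>"
    "<query><diagnosis-alert-info><monitor>system-connect</monitor><alert-id>"
    "InterclusterBrokenConnectionAlert|StorageBridgeTempBelowCritical... :: Pending:",
]

# After the [kern_audit:sev:seq] tag the fields are " :: "-separated:
# sequence, interface, client, user, request, then "Status: detail" (field names assumed).
AUDIT_RE = re.compile(
    r"\[kern_audit:(?P<sev>\w+):(?P<seq>\d+)\]\s+\S+\s+::\s+"
    r"(?P<iface>[^:\s]+:\S+)\s+::\s+(?P<client>\S+)\s+::\s+(?P<user>.+?)\s+::\s+"
    r"(?P<request>.*?)\s+::\s+(?P<status>[^:]+):\s*(?P<detail>.*)$"
)
TAG_RE = re.compile(r"<(/?)([A-Za-z][\w.-]*)[^>]*?(/?)>")

def xml_balanced(fragment):
    """True if every element opened in the fragment is closed (cheap well-formedness check)."""
    stack = []
    for closing, name, self_closing in TAG_RE.findall(fragment):
        if self_closing:
            continue
        if closing:
            if not stack or stack.pop() != name:
                return False
        else:
            stack.append(name)
    return not stack

def analyze(line):
    """Parse one kern_audit syslog line into fields plus truncation flags; None if no match."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    req = rec["request"]
    rec["bytes"] = len(line.encode())  # compare with the 1024-byte RFC 3164 limit relays may enforce
    rec["is_xml"] = req.startswith("<")
    rec["xml_complete"] = xml_balanced(req) if rec["is_xml"] else None
    # "..." followed by the status field means the sender shortened the request before appending the status.
    rec["truncated_before_status"] = req.endswith("...")
    return rec
```

Run it over the raw lines from the syslog-ng spool: if the flagged messages are well under 1024 bytes and still carry the trailing status, the cut is upstream of syslog-ng, which is what the post concludes.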