Question about the NetApp log format compatible with StorageGRID App.

jmla69
New Member

Hello, I'm having trouble reading the NetApp CIFS audit logs with the NetApp StorageGRID App for Splunk.

I'm using the standard CIFS audit log configuration settings recommended by NetApp on the filer:

FAS2020-F1> options cifs.audit
cifs.audit.account_mgmt_events.enable off
cifs.audit.autosave.file.extension timestamp
cifs.audit.autosave.file.limit 20
cifs.audit.autosave.onsize.enable on
cifs.audit.autosave.onsize.threshold 75%
cifs.audit.autosave.ontime.enable off
cifs.audit.autosave.ontime.interval 1d
cifs.audit.enable on
cifs.audit.file_access_events.enable on
cifs.audit.liveview.allowed_users
cifs.audit.liveview.enable off
cifs.audit.logon_events.enable off
cifs.audit.logsize 5000000
cifs.audit.nfs.enable off
cifs.audit.nfs.filter.filename
cifs.audit.saveas /vol/vol0/Share/CIFS_Audit/CIFS_Audit_log.evt

I also have a shared folder on the filer to access the logs from the Splunk server side.

But the log files generated by the NetApp filer are in "Windows Event" format, and it seems that the StorageGRID App can't process them.

I have also seen in the StorageGRID App folder an example log that is in a text format that I can't match like a CSV file.

What are the log format types supported by the StorageGRID App?
If they are not in the native format used by the NetApp filer, what is your preferred method to convert them to be compatible with the StorageGRID App?

Thanks,

Joseph Lopez

0 Karma

kapanig
Explorer

I believe NetApp supports XML format for CIFS logging... have you tried that? That would make it much easier for Splunk if you set props.conf KV_MODE = xml for your NetApp sourcetype.

0 Karma

jmla69
New Member

The article only applies to cluster and Vserver storage.

It doesn't apply to single storage like FAS2050.

But thanks for your help.

0 Karma

kapanig
Explorer

The StorageGRID app doesn't seem like it will work for CIFS auditing. Can you check the following article to turn on XML formatting via command line on the NetApp?
https://library.netapp.com/ecmdocs/ECMP1610202/html/vserver/audit/modify.html

0 Karma

jmla69
New Member

Hi Kapanig,

After reading your answer I reviewed the NetApp documentation for the umpteenth time, in case something had passed me by.

Neither in the documents nor in the knowledge base have I found any information specifying that we can export CIFS audit logs in XML format.

All manuals specify that CIFS audit logs are always created in EVT (Windows Event Viewer) format.

Perhaps the information you've seen refers to other NetApp logs.

Anyway, thank you very much for your help.

Joseph

0 Karma