ONTAP sends syslog data from two different subsystems, the Event Management System (EMS) and Audit logs.
Reviewing the SC4S config file and tests, it appears to be defined for the ONTAP Audit log format, which is different from the ONTAP EMS format, yet the config file has it titled as “ontap:ems”.
ONTAP EMS log examples

Format set to legacy-netapp (rfc3164 variant):

```
<13>Oct 3 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
```

Format set to rfc-5424:

```
<5>1 2024-10-03T07:54:02-06:00 cluster-2 kernel - wafl.scan.done - Completed Volume Footprint Estimator Scan on volume vm_unix002_0d@vserver:27902083bf98-11e9-87fe-00a098b15eb6.
```
ONTAP Audit log example

Conf file: https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf
Test file: https://github.com/splunk/splunk-connect-for-syslog/blob/main/tests/test_netapp.py

```python
testdata = [
    "{{ mark }}{{ bsd }} {{ host }}: {{ host }}: 0000001e.0794c163 055b6737 {{ device_time }} [kern_audit:info:2385] 8503ea0000ba6b71 :: nodea:ontapi :: 1.1.1.1:41464 :: nodea-esx:usera :: clone-create :: Error: Missing input: source-path; Missing input: volume",
]
```
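To make the mismatch concrete, the following is an added example (not code from the SC4S repository or from the issue author) that classifies the three line shapes quoted above: EMS in the legacy-netapp rfc3164 variant, EMS in RFC 5424, and the Audit format used by the test data. The two EMS samples are the issue's own lines; the audit sample is the test template with its `{{ mark }}`, `{{ bsd }}`, `{{ host }}` and `{{ device_time }}` placeholders filled with constructed values, and the positional names given to the ` :: `-separated audit fields are assumptions made for illustration. It also checks that the severity word inside the ONTAP tag agrees with the syslog PRI value, which is a cheap way to spot lines that landed under the wrong parser.

```python
import re
from collections import Counter
from typing import Optional

# Sample lines quoted from the issue above. The audit line is the test-file template
# with the {{ mark }}, {{ bsd }}, {{ host }} and {{ device_time }} placeholders filled
# with constructed values; the device_time layout in particular is an assumption.
EMS_LEGACY = (
    "<13>Oct 3 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) "
    "could not make a connection over the network to server (ip 2.3.3.3, port 389). "
    "Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery)."
)
EMS_5424 = (
    "<5>1 2024-10-03T07:54:02-06:00 cluster-2 kernel - wafl.scan.done - Completed Volume "
    "Footprint Estimator Scan on volume vm_unix002_0d@vserver:27902083bf98-11e9-87fe-00a098b15eb6."
)
AUDIT = (
    "<134>Oct  3 11:36:10 nodea: nodea: 0000001e.0794c163 055b6737 Thu Oct 03 2024 11:36:10 -06:00 "
    "[kern_audit:info:2385] 8503ea0000ba6b71 :: nodea:ontapi :: 1.1.1.1:41464 :: nodea-esx:usera "
    ":: clone-create :: Error: Missing input: source-path; Missing input: volume"
)
SAMPLES = [EMS_LEGACY, EMS_5424, AUDIT]

BSD_TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"

# EMS over "legacy-netapp": a BSD timestamp followed directly by "[node:event:severity]:".
RE_EMS_LEGACY = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>" + BSD_TS + r") "
    r"\[(?P<node>[^:\]]+):(?P<event>[^:\]]+):(?P<severity>[^\]]+)\]: (?P<msg>.*)$"
)
# EMS over RFC 5424: version "1", ISO timestamp, and the EMS event name in the MSGID slot.
RE_EMS_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<event>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)
# Audit log: BSD timestamp, host name twice, two hex sequence numbers, a device timestamp,
# "[app:severity:pid]" and then a " :: "-separated record.
RE_AUDIT = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>" + BSD_TS + r") (?P<host>\S+): \S+: "
    r"(?P<seq>[0-9a-f]+\.[0-9a-f]+) (?P<seq2>[0-9a-f]+) (?P<device_time>.*?) "
    r"\[(?P<app>[^:\]]+):(?P<severity>[^:\]]+):(?P<pid>\d+)\] (?P<msg>.*)$"
)
# Positional names for the audit record; assumed from the sample, not taken from ONTAP docs.
AUDIT_FIELDS = ("session", "node_interface", "client", "vserver_user", "command", "result")

SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}


def classify(line: str) -> Optional[dict]:
    """Return the parsed record tagged with its format, or None if no format matches."""
    for fmt, rx in (("ontap:ems:legacy", RE_EMS_LEGACY),
                    ("ontap:audit", RE_AUDIT),
                    ("ontap:ems:rfc5424", RE_EMS_5424)):
        m = rx.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["format"] = fmt
        pri = int(rec["pri"])
        rec["facility"], rec["severity_num"] = pri >> 3, pri & 7
        if fmt == "ontap:audit":
            parts = rec["msg"].split(" :: ")
            if len(parts) == len(AUDIT_FIELDS):
                rec.update(zip(AUDIT_FIELDS, parts))
        return rec
    return None


def severity_consistent(rec: dict) -> bool:
    """True when the severity word in the ONTAP tag agrees with the syslog PRI value."""
    name = rec.get("severity")
    return name is None or SEVERITY_NAMES.get(rec["severity_num"]) == name


def count_formats(lines) -> Counter:
    """Tally which format each line matched; 'unknown' for lines no pattern accepts."""
    return Counter((classify(l) or {}).get("format", "unknown") for l in lines)


if __name__ == "__main__":
    for line in SAMPLES:
        rec = classify(line)
        print(rec["format"], rec.get("event") or rec.get("command"),
              "severity_ok=%s" % severity_consistent(rec))
    print(dict(count_formats(SAMPLES)))
```

Running the block classifies the two EMS lines and the audit line under three distinct tags; the audit pattern does not accept either EMS sample, which is the point of the issue: a parser written against the audit layout will not fire on EMS traffic even though it is labelled `ontap:ems`.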