Netapp ontap audit ems support #2639

Open. Wants to merge 12 commits into base: main

Conversation

@cwadhwani-splunk (Collaborator) commented Nov 12, 2024

ONTAP sends syslog data from two different subsystems, Event Management System (EMS) and Audit logs.
Reviewing the SC4S config file and tests, it appears it is defined for the ONTAP Audit log format, which is different from the ONTAP EMS format, yet the config file has it titled as "ontap:ems".

Conf file:
https://github.com/splunk/splunk-connect-for-syslog/blob/main/package/etc/conf.d/conflib/syslog/app-syslog-netapp_ontap.conf
Test file:
https://github.com/splunk/splunk-connect-for-syslog/blob/main/tests/test_netapp.py

```python
testdata = [
    "{{ mark }}{{ bsd }} {{ host }}: {{ host }}: 0000001e.0794c163 055b6737 {{ device_time }} [kern_audit:info:2385] 8503ea0000ba6b71 :: nodea:ontapi :: 1.1.1.1:41464 :: nodea-esx:usera :: clone-create :: Error: Missing input: source-path; Missing input: volume",
]
```

ONTAP Audit log example

  • <14>Oct 3 11:36:46 cluster-01: cluster-01: 00000030.00c8f1e2 11e5347f Thu Oct 03 2024 11:36:44 -06:00 [kern_audit:info:3167] 8003f7000021e73b:8003f7000021e73d :: cluster:ssh :: 1.1.1.1:32910 :: cluster:admin :: qos statistics volume performance show -rows 20 -iter 1 :: Pending

ONTAP EMS log examples

  • Format set to legacy-netapp (rfc3164 variant):
    <13>Oct 3 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) could not make a connection over the network to server (ip 2.3.3.3, port 389). Error: Operation timed out (Service: LDAP (Active Directory), Operation: SiteDiscovery).
  • Format set to rfc-5424:
    <5>1 2024-10-03T07:54:02-06:00 cluster-2 kernel - wafl.scan.done - Completed Volume Footprint Estimator Scan on volume vm_unix002_0d@vserver:27902083bf98-11e9-87fe-00a098b15eb6.
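As an added example (not SC4S's own configuration or the PR's code), the Python routine below tells the three formats quoted above apart and splits the audit message's " :: "-separated fields, so the two subsystems can be routed to different sourcetypes. The regexes, the sample lines (constructed from the formats quoted in this PR) and the sourcetype labels it returns are assumptions for illustration.

```python
import re

# Constructed sample lines following the formats quoted in the PR description
# (hypothetical hosts/IPs; the regexes and sourcetype labels are this example's own).
AUDIT = ("<14>Oct 3 11:36:46 cluster-01: cluster-01: 00000030.00c8f1e2 11e5347f "
         "Thu Oct 03 2024 11:36:44 -06:00 [kern_audit:info:3167] "
         "8003f7000021e73b:8003f7000021e73d :: cluster:ssh :: 1.1.1.1:32910 :: "
         "cluster:admin :: qos statistics volume performance show -rows 20 -iter 1 :: Pending")
EMS_LEGACY = ("<13>Oct 3 11:36:10 [cluster-01:secd.conn.auth.failure:notice]: Vserver (datavserver) "
              "could not make a connection over the network to server (ip 2.3.3.3, port 389).")
EMS_5424 = ("<5>1 2024-10-03T07:54:02-06:00 cluster-2 kernel - wafl.scan.done - "
            "Completed Volume Footprint Estimator Scan on volume vm_unix002_0d@vserver:27902083bf98.")

# Audit: a "[kern_audit:<severity>:<pid>]" tag followed by " :: "-separated fields.
AUDIT_RE = re.compile(r"\[kern_audit:(?P<sev>\w+):\d+\]\s+(?P<body>.*)$")
# EMS legacy-netapp (rfc3164 variant): "[<node>:<event.name>:<severity>]:" right after the BSD timestamp.
EMS_LEGACY_RE = re.compile(
    r"^<\d+>\w{3}\s+\d+\s[\d:]+\s\[(?P<node>[^:\]]+):(?P<event>[\w.]+):(?P<sev>\w+)\]:\s*(?P<msg>.*)$")
# EMS rfc-5424: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID - MSG", where MSGID carries the EMS event name.
EMS_5424_RE = re.compile(r"^<\d+>1\s\S+\s(?P<node>\S+)\s\S+\s\S+\s(?P<event>[\w.]+)\s-\s(?P<msg>.*)$")


def classify(line):
    """Return (sourcetype, fields) for one raw ONTAP syslog line, or (None, {}) if unrecognised."""
    m = AUDIT_RE.search(line)
    if m:
        parts = [p.strip() for p in m.group("body").split(" :: ")]
        fields = {"severity": m.group("sev")}
        if len(parts) >= 6:  # session :: app :: client :: user :: command :: state
            fields.update(session=parts[0], app=parts[1], client=parts[2],
                          user=parts[3], command=parts[4], state=parts[5])
        return "ontap:audit", fields
    m = EMS_LEGACY_RE.match(line)
    if m:
        return "ontap:ems", m.groupdict()
    m = EMS_5424_RE.match(line)
    if m:
        return "ontap:ems", m.groupdict()
    return None, {}
```

The audit branch also fits the `testdata` line from the existing test, which has the same six " :: " fields after the `kern_audit` tag.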

Base automatically changed from develop to main November 14, 2024 14:05