NetApp Syslog Message Changes

To anyone who can help,

After upgrading our NetApp to 9.12.1, we found that we were not seeing syslog from our clusters anymore. It appears they have modified their message structure.

OLD:
"message": "NetApp-ip-address Jan 3 18:04:39 Netapp-NAME kernel - csm.badConnection - ONTAP received a CSM connection with unrecognizable content",

NEW:
"message": "NetApp-ip-address [Netapp-NAME: security.invalid.login:ALERT]: Failed to authenticate login attempt to Vserver: ",

Any assistance with getting the new message structure to report would be appreciated.

Thank you!

Hey @patrickr

Have you tried a different Input?

I have. The new message type appears using the Raw/Plaintext UDP input. Unfortunately this input doesn’t format the messages.
What’s frustrating is that the syslog input worked fine before the upgrade.

Hey @patrickr

I haven't used NetApp, but you could do a workaround with a pipeline and/or extractor to get the fields needed from the Raw/Plaintext input. Just an idea.
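
The field extraction suggested above, as an added example that is not part of the original thread: two regular expressions, one per layout quoted in the first post, so failed-login alerts keep their node, event name and severity as separate fields. The function name `parse_ontap`, the sample IP address, node name and Vserver name are constructed for illustration.

```python
import re

# Layout the poster saw after the 9.12.1 upgrade:
#   <source> [<node>: <event.name>:<SEVERITY>]: <text>
NEW_RE = re.compile(
    r"^(?P<source>\S+) \[(?P<node>[^:\]]+): (?P<event>[\w.]+):"
    r"(?P<severity>[A-Za-z]+)\]: ?(?P<text>.*)$"
)
# Layout before the upgrade:
#   <source> <Mon d hh:mm:ss> <node> <process> - <event.name> - <text>
OLD_RE = re.compile(
    r"^(?P<source>\S+) (?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<node>\S+) (?P<process>\S+) - (?P<event>[\w.]+) - (?P<text>.*)$"
)
FIELDS = ("source", "timestamp", "node", "process", "event", "severity", "text")


def parse_ontap(line):
    """Return a dict of fields for either layout, or None if neither matches."""
    for layout, pattern in (("new", NEW_RE), ("old", OLD_RE)):
        m = pattern.match(line.strip())
        if m:
            found = m.groupdict()
            # Fields a layout does not carry (e.g. severity in the old one,
            # timestamp in the new one) come back as None.
            record = {name: found.get(name) for name in FIELDS}
            record["text"] = record["text"].strip()
            record["layout"] = layout
            return record
    return None


# Constructed sample lines modelled on the two messages quoted in the thread.
SAMPLES = [
    "192.0.2.10 [cluster1-01: security.invalid.login:ALERT]: "
    "Failed to authenticate login attempt to Vserver: vs0",
    "192.0.2.10 Jan 3 18:04:39 cluster1-01 kernel - csm.badConnection - "
    "ONTAP received a CSM connection with unrecognizable content",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_ontap(sample))
```

The same two patterns can be pasted into a regex extractor or pipeline rule on the Raw/Plaintext input; lines that match neither return `None` and are worth counting, since they indicate another layout change.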

I appreciate the suggestion. I haven’t really had time to research pipelines or extractors. That will be my next step.

Thanks!
