After upgrading our NetApp to 9.12.1, we found that we were not seeing syslog from our clusters anymore. It appears they have modified their message structure.
OLD:
"message": "NetApp-ip-address Jan 3 18:04:39 Netapp-NAME kernel - csm.badConnection - ONTAP received a CSM connection with unrecognizable content",
NEW:
"message": "NetApp-ip-address [Netapp-NAME: security.invalid.login:ALERT]: Failed to authenticate login attempt to Vserver: ",
Any assistance with getting the new message structure to report would be appreciated.
I have. The new message type appears using the Raw/Plaintext UDP input. Unfortunately this input doesn’t format the messages.
What’s frustrating is that the syslog input worked fine before the upgrade.
I haven't used NetApp, but you could do a workaround with a pipeline and/or extractor to get the fields needed from the RawplainText input. Just an idea.
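A parsing sketch for the extractor/pipeline idea above, added here as an example and not code from any poster or vendor: it splits both message layouts quoted in the thread into named fields, so the same regular expressions can be carried into an extractor. The field names (`source`, `node`, `event`, `severity`, `text`) are assumptions, and the patterns are derived only from the two sample lines in the first post.

```python
import re

# New layout (sample quoted in the thread):
#   <source> [<node>: <event.name>:<SEVERITY>]: <text>
NEW_FORMAT = re.compile(
    r"^(?P<source>\S+)\s+"
    r"\[(?P<node>[^:\]\s]+):\s*(?P<event>[A-Za-z0-9_.]+):(?P<severity>[A-Za-z]+)\]:\s*"
    r"(?P<text>.*)$"
)

# Old layout (sample quoted in the thread):
#   <source> <Mon D HH:MM:SS> <node> <facility> - <event.name> - <text>
OLD_FORMAT = re.compile(
    r"^(?P<source>\S+)\s+"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<node>\S+)\s+(?P<facility>\S+)\s+-\s+"
    r"(?P<event>[A-Za-z0-9_.]+)\s+-\s+(?P<text>.*)$"
)


def parse_ontap(message):
    """Return a dict of fields, or None so unparsed lines can be flagged upstream."""
    line = message.strip()
    # Try the new layout first: it is what the upgraded clusters now send.
    for layout, pattern in (("new", NEW_FORMAT), ("old", OLD_FORMAT)):
        match = pattern.match(line)
        if match:
            fields = match.groupdict()
            fields["layout"] = layout
            fields["text"] = fields["text"].strip()
            return fields
    return None


if __name__ == "__main__":
    # The two sample messages from the first post, used as test input.
    samples = [
        "NetApp-ip-address Jan 3 18:04:39 Netapp-NAME kernel - csm.badConnection - "
        "ONTAP received a CSM connection with unrecognizable content",
        "NetApp-ip-address [Netapp-NAME: security.invalid.login:ALERT]: "
        "Failed to authenticate login attempt to Vserver: ",
    ]
    for sample in samples:
        print(parse_ontap(sample))
```

Returning `None` for a line that matches neither layout keeps a future format change visible instead of silently dropping events such as `security.invalid.login`.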