A large enterprise customer is asking us how to add a custom header w/ an auth token to the EMS / Audit log forwarding, which does not appear possible directly based on the documentation. In addition, they asked to ingest "all" the logs. We sent this KB for clarification - https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/Overview_of_ONTAP_Logs
Their response is below:
"EMS and Audit logs are a must. We are also looking at enabling debug logs, node-level logs, etc.
We would like to enable and disable almost all logs presented in the page, based on the need and priority internal to the team."
So basically they want the ability to push any of the log files from /mroot/etc/log/*, plus the EMS/Audit logs, to their custom https endpoint with an auth token in the header of the request.
Has anyone ever run into a similar request? Our SAM/PS team is looking for some wisdom before embarking on this journey.
My initial thought was to have them set up a proxy server that takes the EMS/audit forward from ONTAP, adds the header they need, and sends it along to the final https endpoint.
For the wide range of other logs though, we are not sure there's a clean way to accomplish this. Seems like scripting some kind of a pull/polling mechanism to the same proxy server would be the only option, no?
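
The proxy idea raised in the post above, as an added example (not part of the original post and not NetApp code): a small relay that accepts a forwarded event, discards any inbound credentials, attaches the token the final endpoint expects, and sends it on over HTTPS. It assumes the forward reaches the relay as an HTTP POST; the `UPSTREAM_URL` and `UPSTREAM_TOKEN` variables, the listen address and the function names are hypothetical.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed configuration: collector URL and token come from the environment,
# so the secret is never stored in the script or on the storage system.
UPSTREAM_URL = os.environ.get("UPSTREAM_URL", "https://collector.example.invalid/ingest")
MAX_BODY = 1 << 20  # refuse request bodies larger than 1 MiB
# Inbound headers that must not be copied onto the outbound request.
DROP = {"host", "connection", "content-length", "authorization", "transfer-encoding"}

def build_upstream_request(body, inbound_headers, url, token):
    """Build the outbound POST: inbound headers minus DROP, plus the bearer token."""
    if not url.lower().startswith("https://"):
        raise ValueError("upstream must be https so the token is not sent in clear text")
    req = urllib.request.Request(url, data=body, method="POST")
    for name, value in inbound_headers.items():
        if name.lower() not in DROP:
            req.add_header(name, value)
    req.add_header("Authorization", "Bearer " + token)
    return req

class Relay(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            return self.send_error(413)
        body = self.rfile.read(length)
        req = build_upstream_request(body, dict(self.headers), UPSTREAM_URL,
                                     os.environ["UPSTREAM_TOKEN"])
        try:
            # urllib verifies the collector's TLS certificate by default.
            with urllib.request.urlopen(req, timeout=10) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # pass the collector's rejection back to the sender
        except OSError:
            status = 502  # collector unreachable or TLS failure
        self.send_response(status)
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep request details out of stderr; add structured logging as needed

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Relay).serve_forever()
```

The inbound leg here is plain HTTP on loopback; in a deployment, terminate TLS in front of the relay and restrict which source addresses may reach it, since anything that can POST to the relay gets forwarded with the token attached.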