#sending sys logs to EKS
EKS as in ...? Elastic Kubernetes Service?
Also, which ONTAP logs? Management audit logs, or the EMS logs? Or file audit logs from an SVM?
I understood "sys logs" as EMS logs. But still, EKS does not have a lot to do with log collecting; maybe they meant "ELK"?
In order to send EMS via syslog, the process is the same really no matter who you're sending to:
- Create an event notification destination
- Create an event filter, or use an existing one
- Create an event notification, using the destination and filter
Thanks 🙏 a lot
Hi yes
So I need to enter IP address of EKS
What do you mean "IP address of EKS"? EKS is Kubernetes; it has dozens of IP addresses. Also, it is just the "engine"; it doesn't take syslog messages. You need to set up an application ON EKS that can actually handle EMS messages. And when you have that running, you send the logs to that application, not to EKS.
What is that application called?
I'd be reading the ElasticSearch on Kubernetes documentation as a starting point. Help with setting that all up is out of the scope of this channel.
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-quickstart.html
Thanks Chris for the doc. So we need some sort of application on EKS, but what should that application be?
Whatever application you want to be your syslog server. Elastic is the application ... it's an entire suite of applications actually. It has Logstash, which is a syslog server, ElasticSearch to perform the searching of logs, Kibana to visualise and create/display those searches, etc. None of this is NetApp ... it's all 3rd party. There are hundreds of different syslog servers out there.
https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-eck.html
Thanks 🙏
They have given me endpoints. Can we add endpoints while configuring the syslog in NetApp?
There are multiple applications. You can use a simple rsyslog container that collects the logs, or you can use Graylog, Elasticsearch + Logstash + Kibana, Splunk, or any of hundreds of other applications. Kubernetes alone will not help you much. It's basically like asking "How can I send E-Mail to my vCenter cluster?"
Thank you. So I have been given endpoint:port; in place of -destination, do I need to give endpoint:port or just the endpoint?
You'd put the port in the -syslog-port.
Just read the documentation on the CLI command, or just hit ? when entering the command and ONTAP will tell you all the parameters you can supply.
https://docs.netapp.com/us-en/ontap-cli-9121/event-notification-destination-create.html
Hi Chris, thanks, but in the real case I do not see a port flag.
I’m running 9.11
You may need to flip to advanced or diag mode.
I did check and found no such flags; it's the same as admin mode.
Or not. Looks like you can't specify a port until 9.12.
On the docs page, flip the version (upper left) to 9.11.
Thank you, but then how will I specify the endpoint (endpoint:port)?
That's the thing: if you are trying to specify a port for events (syslog), you can't modify the port unless you can upgrade to 9.12 (unless I'm mistaken on what you're trying to do).
What application are you using to collect the logs? Usually all applications listen on the regular syslog port (UDP 514), so you should not have to specify a port...?
We are using Logstash.
The Logstash syslog plugin defaults to port 514, so it's okay if you don't specify the port.
Thank you, but in our case they have given us endpoint:5514 and :5515.