rustic plover
Using the ONTAP: Audit Log how long does it take for data to show up if you edited the custom.yaml? I followed the steps here for NAbox4 - https://github.com/NetApp/harvest/discussions/3478
collector: Rest objects: Volume: custom_volume_flexgroup.yaml AuditLog: audit_log.yaml
tulip cypress
@rustic plover , It should be appear in Harvest next polling cycle. Could you confirm that your cluster would be having appropriate data for this Rest call ?
lean fern
i did the same and even i dont see the data appearing.
tulip cypress
Then first thing first, Could you share Harvest startup logs at ng-harvest-files@netapp.com Or you can only check this kind of Rest:AuditLog line when you run the AuditLog object, which would indicate how many instances detected and exported.
time=2025-10-21T19:01:12.123+05:30 level=INFO source=collector.go:601 msg=Collected Poller=sar collector=Rest:AuditLog apiMs=249 bytesRx=26609 calcMs=0 exportMs=1 instances=1 instancesExported=0 metrics=2 metricsExported=0 numCalls=4 parseMs=0 pluginInstances=0 pluginMs=2492 pollMs=2743 renderedBytes=0 zBegin=1761053469379
If this would not help then second step,I would share curl commands which you could send with us for further troubleshoot.
lean fern
@tulip cypress : Appologies, you mite have to spoon feed me on how to do it. as we are new to harvest. i have added a line on custom.yaml file for audit log. other than that id idnt see anythign on the documentation
sterile granite
@lean fern Are you using NABox4? If yes, then you can SSH into the NABox instance and restart Harvest with the command dc restart. After it is up and running, from the NABox UI, you can download the support bundle as listed here https://netapp.github.io/harvest/25.08/help/log-collection/#nabox-4. You can then upload the support bundle to https://upload.nabox.org/gazo-qifi-pywo
lean fern
logs uploaded
sterile granite
Thanks. As per logs, AuditLog template is working fine. Could you try creating a volume in this cluster and see if that record is captured in dashboard?
Note that this dashboard only captures create,update and delete operations on volume only
The ONTAP: AuditLog dashboard captures operations such as create, update, and delete attempts on volumes via REST or ONTAP CLI commands
lean fern
created 1 volume and deleted the same volume. but the count says 2 in each
sterile granite
Could you share table screenshot as well displaying records?
You can DM screenshot in case if data is sensitive.
sterile granite
Thanks @lean fern for the details via DM. We'll check on how to fix this double counting and get back to you.
sterile granite
@lean fern We’ll be removing these count panels because the changes function used in these count panels behaves differently in VictoriaMetrics than in Prometheus as mentioned https://docs.victoriametrics.com/victoriametrics/metricsql/#changes. If you want to continue using them you can import AuditLog dashboard from json mentioned here
https://gist.githubusercontent.com/rahulguptajss/83dd50a127ea0345d0dd81f752b00787/raw/4901454b7a3d9f1f5117e444a46ec40754eafc4e/gistfile1.txt
This uses changes_prometheus function.
sterile granite
@lean fern Fix for this issue (removal of panels) https://github.com/NetApp/harvest/issues/3972
is now available in nightly build if you want to try
https://github.com/NetApp/harvest/releases/tag/nightly
lean fern
Thanks @sterile granite . will work on the fix and update here
lean fern
@sterile granite :the dashboard looks accurate now
sterile granite
Thanks for the confirmation @lean fern