Prepare NetApp clustered data ONTAP file servers
Collectors for NetApp file servers
Collectors for NetApp file servers are dedicated Windows servers with the collector service running.
We strongly recommend that you use a Collector server within the same network segment as the NetApp file server, otherwise performance and routing problems may occur.
Unlike on Windows file servers, the FS Logga for NetApp file servers does not require a filter driver installation.
Set NetApp file servers findable
NetApp file servers registered in Active Directory typically carry a characteristic value in the LDAP attribute operatingSystem. The collector uses this attribute to detect NetApp file servers and to mark them as the NetApp file server type in the FS Logga configuration.
By default, the collector configuration file expects the operatingSystem value of NetApp file servers to be OnTap or NetApp. If your NetApp file servers use different values for the operatingSystem property, you can adjust the search parameters.
If your NetApp file server is not registered in Active Directory, you must create a computer account for it and set the operatingSystem attribute accordingly.
Configuration file: pnCollector.config.xml
Computer: the collector server which is configured for the NetApp file server.
Path: %ProgramData%\Protected Networks\8MAN\cfg
If the file does not exist, copy the "template" from the following path:
  old: %ProgramFiles%\Protected Networks\8MAN\etc
  new: %ProgramFiles%\solarwinds\ARM\etc
Code:
<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>
Possible Values
Enter all operatingSystem values used by your NetApp file servers, separated by commas.
If none or not all of your NetApp file servers register the operatingSystem property in Active Directory, leave the entry empty in the collector configuration file. With an empty entry, every computer account in Active Directory that is neither EMC nor Windows and is visible to the account in use will be listed.
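The following added example (not SolarWinds ARM code) shows how the NetappOperatingSystems entry in pnCollector.config.xml can be read and applied to Active Directory computer accounts, including the empty-entry fallback described above. The matching rules (case-insensitive substring match, and "Windows"/"EMC" as the values excluded when the entry is empty), the configuration text and the computer accounts are constructed for this illustration and are assumptions about the collector's behaviour, not a description of its actual implementation.

```python
"""Classify AD computer accounts as NetApp file servers using the
NetappOperatingSystems entry of pnCollector.config.xml.

Added example; the matching semantics are assumptions, not ARM's code.
"""
import xml.etree.ElementTree as ET

# Constructed configuration, laid out like the template on this page.
COLLECTOR_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>"""

# Constructed sample of AD computer objects: (name, operatingSystem attribute).
AD_COMPUTERS = [
    ("FS-NETAPP01", "NetApp Release 9.8"),
    ("FS-NETAPP02", "ONTAP"),
    ("FS-WIN01", "Windows Server 2019 Standard"),
    ("NAS-EMC01", "EMC Celerra File Server"),
    ("NAS-OTHER", "Isilon OneFS"),
    ("FS-UNKNOWN", None),  # account without an operatingSystem value
]


def load_os_patterns(config_xml):
    """Return the comma-separated operatingSystem values, or [] if empty."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    node = root.find("./tracer/netapp/NetappOperatingSystems")
    if node is None or not (node.text or "").strip():
        return []
    return [p.strip() for p in node.text.split(",") if p.strip()]


def is_netapp(operating_system, patterns):
    """Assumed rule: case-insensitive substring match against the patterns.
    With no patterns, every account that is neither Windows nor EMC counts,
    which is what the page describes for an empty entry."""
    os_value = (operating_system or "").lower()
    if patterns:
        return any(p.lower() in os_value for p in patterns)
    return not any(excluded in os_value for excluded in ("windows", "emc"))


def detect_netapp_servers(config_xml, computers):
    """Names of the computer accounts the collector would treat as NetApp."""
    patterns = load_os_patterns(config_xml)
    return sorted(name for name, os_value in computers if is_netapp(os_value, patterns))


if __name__ == "__main__":
    print("configured values:", detect_netapp_servers(COLLECTOR_CONFIG, AD_COMPUTERS))
    empty = COLLECTOR_CONFIG.replace("OnTap,NetApp", "")
    print("empty entry:     ", detect_netapp_servers(empty, AD_COMPUTERS))
```

Running the script shows why the empty entry should be used with care: with the default values only the two NetApp accounts are picked up, while the empty entry also returns the Isilon account and the account with no operatingSystem value at all.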
Set up encrypted data transfer on the collector
The following steps are only necessary if the communication between the NetApp and the collector is to be encrypted.
If you have configured encrypted data transfer (see chapter Creating the External Engine Configuration), you also have to adapt the pnTracer.config.xml file on the collector server. For each file server (CIFS server on the NetApp) to be monitored on this collector, the following entry has to be added under <tracer><netapp><ssl><cifsServers>:
<name of cifs server>
  <switchOn type="System.Boolean">true</switchOn>
  <protocol type="System.Int32">5</protocol>
  <serverCertificateName>name of certificate from certificate store to use</serverCertificateName>
</name of cifs server>
The certificate must be installed in the computer's certificate store.
For <protocol> the following values are possible: TLS = 1, TLS1.1 = 2, TLS1.2 = 3, SSL2 = 4, SSL3 = 5. Default is SSL3 (5).
Choose a protocol available on both collector and NetApp.
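The added example below (not SolarWinds ARM code) builds one <cifsServers> child entry for pnTracer.config.xml from the protocol table above. It enforces two checks a practitioner will want before editing the file by hand: the CIFS server name becomes an XML element name, so it must be a valid one, and the SSL2/SSL3 codes (4 and 5) are refused unless explicitly allowed, because SSLv2 and SSLv3 are prohibited by RFC 6176 and RFC 7568 respectively. The element names and codes are taken from the page; the validation rules and the sample server names are this example's own.

```python
"""Generate <cifsServers> entries for pnTracer.config.xml.

Added example; the protocol codes are those listed on the page, the
validation is an assumption about what is sensible, not ARM's own code.
"""
import re
import xml.etree.ElementTree as ET

# Protocol codes exactly as listed on the page (the page's default is SSL3 = 5).
PROTOCOL_CODES = {"TLS": 1, "TLS1.1": 2, "TLS1.2": 3, "SSL2": 4, "SSL3": 5}
# SSLv2 (RFC 6176) and SSLv3 (RFC 7568) are prohibited by the IETF.
DEPRECATED_PROTOCOLS = {"SSL2", "SSL3"}

# The CIFS server name is used as an XML element name; this is a conservative
# subset of what XML allows (no leading digit, no spaces, no slashes).
XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def build_cifs_server_entry(cifs_server, protocol, certificate_name, allow_deprecated=False):
    """Return the <name of cifs server> element described on the page."""
    if not XML_NAME.match(cifs_server):
        raise ValueError(f"{cifs_server!r} cannot be used as an XML element name")
    if protocol not in PROTOCOL_CODES:
        raise ValueError(f"unknown protocol {protocol!r}; choose one of {sorted(PROTOCOL_CODES)}")
    if protocol in DEPRECATED_PROTOCOLS and not allow_deprecated:
        raise ValueError(f"{protocol} is deprecated; prefer TLS1.2 when the NetApp supports it")
    if not certificate_name.strip():
        raise ValueError("serverCertificateName must name a certificate in the computer store")

    entry = ET.Element(cifs_server)
    switch = ET.SubElement(entry, "switchOn", type="System.Boolean")
    switch.text = "true"
    proto = ET.SubElement(entry, "protocol", type="System.Int32")
    proto.text = str(PROTOCOL_CODES[protocol])
    cert = ET.SubElement(entry, "serverCertificateName")
    cert.text = certificate_name
    return entry


def render_cifs_servers(servers, allow_deprecated=False):
    """servers: iterable of (cifs_server, protocol, certificate_name).
    Returns the <cifsServers> fragment as a string."""
    container = ET.Element("cifsServers")
    for name, protocol, cert in servers:
        container.append(build_cifs_server_entry(name, protocol, cert, allow_deprecated))
    return ET.tostring(container, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample: two CIFS servers, both on TLS 1.2 with one collector certificate.
    print(render_cifs_servers([("FS01", "TLS1.2", "fslogga-collector"),
                               ("FS02", "TLS1.2", "fslogga-collector")]))
```

Paste the printed fragment under <tracer><netapp><ssl> in pnTracer.config.xml. If the NetApp only offers SSL3, pass allow_deprecated=True; the protocol then has to match on both sides, as the page notes.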
FPolicy feature
The FS Logga for NetApp file servers uses the NetApp FPolicy feature. Therefore it has to be activated and properly configured via the CLI.
To configure the FPolicy feature you have to use an account of role admin or vsadmin on the NetApp.
In all following CLI commands the parameter “<vserver_name>” has to be replaced by the name of the SVM (Storage Virtual Machine).
Creating the event configuration
The event configuration determines:
- which events will be monitored
- which events will not be monitored
- which protocol is used (only the CIFS protocol is supported by FS Logga)
Change only the parameter “<vserver_name>”. Any other change may lead to missing events in the reports or to a higher load on the collector and the NetApp, because events that are not used have to be processed.
Command
fpolicy policy event create -vserver <vserver_name> -event-name event_8manlogga_cifs -file-operations create, create_dir, delete, delete_dir, read, write, rename, rename_dir, setattr, open -protocol cifs -filters first-read, first-write, open-with-delete-intent
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
With the following command you can check the result:
fpolicy policy event show
Creating the External Engine Configuration
The External Engine Configuration determines to which server (defined by IP address and port) the NetApp has to send the events. The IP address has to be an address of the FS Logga collector that is reachable by the NetApp. The port must be a free and reachable port on the collector.
Command
fpolicy policy external-engine create -vserver <vserver_name> -engine-name engine_8manlogga -primary-servers <collector-ip> -port 2002 -extern-engine-type asynchronous -ssl-option <ssl-option>
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
<collector-ip>
- IP address of the collector
<ssl-option>
- "no-auth" - no encryption
- "server-auth" - use encryption
If you want to use encryption, it must be configured on the collector and on the NetApp.
With the following command you can check the result:
fpolicy policy external-engine show
Creating the FPolicy Configuration
The FPolicy Configuration combines the Event Configuration and the External Engine Configuration.
Command
fpolicy policy create -vserver <vserver_name> -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
With the following command you can check the result:
fpolicy policy show
Creating the scope for the FPolicy
Use the following command to specify the volumes to be monitored, including their shares, directories, and files.
Command
fpolicy policy scope create -vserver <vserver_name> -policy-name 8manlogga -volumes-to-include "*"
Optional: Replace "*"
If only certain volumes are to be monitored, we recommend specifying a comma-separated list of these volumes instead of the wildcard ("*"). This reduces the load on the NetApp file server and on the collector.
Enable FPolicy
If all of the above steps were successful, you need to activate the policy. Even if only one policy is defined, the system requires a sequence number.
Command
fpolicy enable -vserver <vserver_name> -policy-name 8manlogga -sequence-number 1
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
The sequence number must always be specified, even if there is only one FPolicy. It determines the order in which the FPolicies are processed.
With the following command you can check the result:
fpolicy show-enabled
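The five FPolicy steps above are normally typed one by one. The following added example (not NetApp or SolarWinds code) renders the complete command sequence for one SVM from a few inputs and applies the checks an operator wants before pasting anything into the ONTAP CLI: the collector IP must parse, the ssl-option must be one of the two values the page lists, the sequence number must be present, the volume scope must be either the wildcard alone or an explicit list, and when server-auth is chosen the CA certificate install from the certificate configuration section is added so the encrypted path is not left half configured. Event, engine and policy names, the file operations and the filters are copied from the page unchanged; the function and parameter names, the validation rules and the sample SVM name are this example's own.

```python
"""Render the FPolicy setup commands from this page for one SVM.

Added example; it only produces the text of the commands shown on the
page with the placeholders filled in, after validating the inputs.
"""
import ipaddress

EVENT_NAME = "event_8manlogga_cifs"
ENGINE_NAME = "engine_8manlogga"
POLICY_NAME = "8manlogga"
# Do not change these two lists: the page warns that changes lead to missing
# events in the reports or to unnecessary load on collector and NetApp.
FILE_OPERATIONS = ("create, create_dir, delete, delete_dir, read, write, "
                   "rename, rename_dir, setattr, open")
FILTERS = "first-read, first-write, open-with-delete-intent"
SSL_OPTIONS = {"no-auth", "server-auth"}

# Verification commands listed on the page, in the order of the steps.
VERIFY_COMMANDS = [
    "fpolicy policy event show",
    "fpolicy policy external-engine show",
    "fpolicy policy show",
    "fpolicy show-enabled",
]


def fpolicy_commands(vserver, collector_ip, ssl_option="server-auth",
                     volumes=("*",), port=2002, sequence_number=1):
    """Return the ONTAP commands for the event, engine, policy, scope and
    enable steps (plus the CA install when encryption is used)."""
    if not vserver or any(c.isspace() for c in vserver):
        raise ValueError("vserver name must be a single token")
    ip = ipaddress.ip_address(collector_ip)  # raises ValueError on garbage
    if ssl_option not in SSL_OPTIONS:
        raise ValueError(f"ssl-option must be one of {sorted(SSL_OPTIONS)}")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if sequence_number < 1:
        raise ValueError("a sequence number is required even for a single policy")
    volumes = list(volumes)
    if not volumes or ("*" in volumes and len(volumes) > 1):
        raise ValueError("volumes must be '*' alone or an explicit list of volume names")
    # Assumption: an explicit list is passed comma-separated, as the page recommends.
    volume_arg = ",".join(volumes)

    cmds = [
        f"fpolicy policy event create -vserver {vserver} -event-name {EVENT_NAME} "
        f"-file-operations {FILE_OPERATIONS} -protocol cifs -filters {FILTERS}",
        f"fpolicy policy external-engine create -vserver {vserver} -engine-name {ENGINE_NAME} "
        f"-primary-servers {ip} -port {port} -extern-engine-type asynchronous "
        f"-ssl-option {ssl_option}",
        f"fpolicy policy create -vserver {vserver} -policy-name {POLICY_NAME} "
        f"-events {EVENT_NAME} -engine {ENGINE_NAME} -is-mandatory false",
        f'fpolicy policy scope create -vserver {vserver} -policy-name {POLICY_NAME} '
        f'-volumes-to-include "{volume_arg}"',
        f"fpolicy enable -vserver {vserver} -policy-name {POLICY_NAME} "
        f"-sequence-number {sequence_number}",
    ]
    if ssl_option == "server-auth":
        # The page requires the CA that signed the collector certificate on the SVM.
        cmds.insert(1, f"security certificate install -vserver {vserver} -type client-ca")
    return cmds


if __name__ == "__main__":
    # Constructed sample values: SVM name and collector address are placeholders.
    for cmd in fpolicy_commands("svm_fs01", "10.0.0.5", volumes=["vol_data", "vol_home"]):
        print(cmd)
```

The script prints the commands only; run them on the NetApp with an admin or vsadmin account and follow each step with the matching entry from VERIFY_COMMANDS, as the page describes. Remember that server-auth also requires the collector-side configuration from the encrypted data transfer section.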
Domain accounts
To read the local paths of the shares, an account is needed that is a member of the local group "Power Users" on the NetApp SVM. The Logga has to be configured with this account later.
Command
vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name "BUILTIN\Power Users" -member-names <domain\user>
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
<domain\user>
- User account used to configure FS Logga within ARM
The Logga uses the ONTAP API to read FPolicy data and to request the NetApp to start logging for the external engine. For this the Logga needs an account with restricted access rights on the NetApp. Therefore, create a new role and define its rights with the following commands.
Commands
security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver fpolicy"
security login role create -role 8manrole -vserver <vserver_name> -cmd "volume" -access readonly
security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver" -access readonly
security login role create -role 8manrole -vserver <vserver_name> -cmd "version" -access readonly
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
With the following command you can check the result:
security login role show
Assign the new role to the account used by the Logga
security login create -username <domain\username> -application ontapi -authmethod domain -role 8manrole -vserver <vserver_name>
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
<domain\username>
- User account used to configure FS Logga within ARM
With the following command you can check the result:
security login show
Firewall configuration
The Logga uses the ONTAP API via https to read FPolicy data and to request the NetApp to start logging for the external engine. The service https must be configured on a LIF (Logical Interface) of the SVM. This LIF must be reachable by the collector.
Use the following command to see which services are active in which SVM firewall policy:
system services firewall policy show
The assignment of firewall policies to the LIFs of a certain SVM can be checked with:
network interface show -vserver <vserver_name> -fields firewall-policy
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
If a firewall policy with the service https is already active on a LIF of the SVM, then you only need to change the 'allow-list':
system services firewall policy modify -vserver <vserver_name> -policy <current_firewall_policy> -service https -allow-list <collector-ip/32>
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
<current_firewall_policy>
- already activated firewall policy
<collector-ip/32>
- IP address of the collector
If you do not want to change the current firewall policy, you can create a copy of this firewall policy, perform the necessary changes, and then assign this new firewall policy to the appropriate LIF:
system services firewall policy clone -vserver <vserver_name> -policy <current_firewall_policy> -destination-policy 8manlogga_fp
If the https service already exists in the cloned firewall policy:
system services firewall policy modify -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>
If the https service is not present in the cloned firewall policy:
system services firewall policy create -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>
network interface modify -vserver <vserver_name> -lif <lif> -firewall-policy 8manlogga_fp
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
<current_firewall_policy>
- already activated firewall policy
<collector-ip/32>
- IP address of the collector
<lif>
- Name of the Logical Interface
Certificate configuration for encrypted event data transfer
If you have configured encrypted event data transfer between the NetApp and the Logga (see “Creating the External Engine Configuration”), the public certificate of the certificate authority that signed the collector certificate has to be installed on the SVM:
security certificate install -vserver <vserver_name> -type client-ca
Replace:
<vserver_name>
- name of the SVM (Storage Virtual Machine)
Use the following command to verify that the certificate has been installed:
security certificate show