Prepare NetApp clustered data ONTAP file servers

Collectors for NetApp file servers

Collectors for NetApp file servers are dedicated Windows servers running the collector service.

We strongly recommend placing the collector server in the same network segment as the NetApp file server; otherwise performance and routing problems may occur.

Unlike on Windows file servers, the FS Logga for NetApp file servers does not require a filter driver installation.

 

Set NetApp file servers findable

NetApp file servers registered in Active Directory carry a characteristic value in the LDAP attribute operatingSystem of their computer account. The collector uses this attribute to detect NetApp file servers and to mark them with the NetApp file server type in the FS Logga configuration.

By default, the collector configuration file looks for the operatingSystem values OnTap or NetApp. If your NetApp file servers use different values for the operatingSystem attribute, adjust the search parameters as described below.

If a NetApp file server is not registered in Active Directory, you must create a computer account for it and set its operatingSystem attribute accordingly.

 

Configuration file

pnCollector.config.xml

 

Computer

Collector server which is configured for the NetApp file server.

 

Path

%ProgramData%\Protected Networks\8MAN\cfg

If the file does not exist, copy the template from the following path:

old (8MAN): %ProgramFiles%\Protected Networks\8MAN\etc

new (ARM): %ProgramFiles%\solarwinds\ARM\etc

 

Code

<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>

 

Possible Values

Add your operatingSystem values, separated by commas.

If your NetApp file servers carry different values for the operatingSystem attribute, list all of them, separated by commas. If none or only some of your NetApp file servers register an operatingSystem value in Active Directory, leave the entry empty in the collector configuration file. With an empty entry the collector offers every computer account that is neither an EMC nor a Windows system and that is visible to the account the collector uses; the NetApp file servers then have to be picked from that list.

 

Set up encrypted data transfer on the collector

The following steps are only necessary if communication between the NetApp and the collector is to be encrypted.

If you have configured encrypted data transfer (see "Creating the External Engine Configuration"), you also have to adapt the pnTracer.config.xml file on the collector server. For each file server (CIFS server on the NetApp) monitored by this collector, add the following entry under <tracer><netapp><ssl><cifsServers>:

<name of cifs server>
  <switchOn type="System.Boolean">true</switchOn>
  <protocol type="System.Int32">5</protocol>
  <serverCertificateName>name of certificate from certificate store to use</serverCertificateName>
</name of cifs server>

 

The certificate must be installed in the computer certificate store (Local Machine) of the collector server, and the name given in <serverCertificateName> must match it.

For <protocol> the following values are possible: TLS = 1, TLS 1.1 = 2, TLS 1.2 = 3, SSL 2 = 4, SSL 3 = 5. The default is SSL 3 (5).

Choose a protocol available on both the collector and the NetApp, but do not keep the default: SSL 2 and SSL 3 are broken protocols (withdrawn by the IETF in RFC 6176 and RFC 7568) and TLS 1.0/1.1 are deprecated. Set the value to 3 (TLS 1.2) unless the ONTAP release on the SVM does not offer it, and confirm after enabling the policy that events still arrive on the collector.
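As an added check that is not part of the product, the following Python script parses the <ssl><cifsServers> section of a collector's pnTracer.config.xml and flags entries that keep the SSL 3 default, switch encryption off, or name no certificate. The configuration embedded in it is constructed for illustration (the CIFS server names and the certificate name are assumed); pass the path of the real file as the first argument to check it instead.

```python
"""Audit the FPolicy SSL settings of a collector's pnTracer.config.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Codes documented for <protocol>: TLS = 1, TLS 1.1 = 2, TLS 1.2 = 3, SSL 2 = 4, SSL 3 = 5
PROTOCOL_NAMES = {1: "TLS1.0", 2: "TLS1.1", 3: "TLS1.2", 4: "SSL2", 5: "SSL3"}
ACCEPTABLE = {3}  # only TLS 1.2 is acceptable; everything else is withdrawn or deprecated

# Constructed sample, not a real collector's file: CIFS01 still has the SSL 3 default,
# CIFS02 is hardened, CIFS03 has encryption switched off and no certificate name.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
      <ssl>
        <cifsServers>
          <CIFS01>
            <switchOn type="System.Boolean">true</switchOn>
            <protocol type="System.Int32">5</protocol>
            <serverCertificateName>fslogga-collector01</serverCertificateName>
          </CIFS01>
          <CIFS02>
            <switchOn type="System.Boolean">true</switchOn>
            <protocol type="System.Int32">3</protocol>
            <serverCertificateName>fslogga-collector01</serverCertificateName>
          </CIFS02>
          <CIFS03>
            <switchOn type="System.Boolean">false</switchOn>
            <protocol type="System.Int32">3</protocol>
            <serverCertificateName></serverCertificateName>
          </CIFS03>
        </cifsServers>
      </ssl>
    </netapp>
  </tracer>
</config>
"""


def check_ssl_config(xml_text):
    """Return {cifs_server: [findings]} for each entry under <tracer><netapp><ssl><cifsServers>.

    An empty findings list means the entry is acceptable. If the section is missing
    entirely, a single "<none>" entry reports that nothing is encrypted.
    """
    root = ET.fromstring(xml_text)
    servers = root.find("./tracer/netapp/ssl/cifsServers")
    if servers is None:
        return {"<none>": ["no <ssl><cifsServers> section: event data from the SVM is not encrypted"]}
    findings = {}
    for server in servers:
        problems = []
        switch_on = (server.findtext("switchOn") or "").strip().lower() == "true"
        proto_text = (server.findtext("protocol") or "").strip()
        cert = (server.findtext("serverCertificateName") or "").strip()
        if not switch_on:
            problems.append("switchOn is not true: events for this CIFS server travel in plaintext")
        try:
            proto = int(proto_text)
        except ValueError:
            proto = None
        if proto not in PROTOCOL_NAMES:
            problems.append(f"protocol {proto_text!r} is not a documented value (1-5)")
        elif proto not in ACCEPTABLE:
            problems.append(f"protocol {proto} ({PROTOCOL_NAMES[proto]}) is obsolete; set 3 (TLS1.2)")
        if not cert:
            problems.append("serverCertificateName is empty: the collector has no certificate to present")
        findings[server.tag] = problems
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for name, problems in check_ssl_config(text).items():
        print(("OK  " if not problems else "FIX ") + name)
        for problem in problems:
            print("      - " + problem)
```

The check is deliberately strict about switchOn: an entry that is present but set to false is the easiest way to end up believing events are encrypted when the external engine was created with server-auth on the SVM side only.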

 

Fpolicy feature

The FS Logga for NetApp file servers uses the NetApp FPolicy feature, so FPolicy has to be activated and configured via the ONTAP CLI. Use an account with the admin or vsadmin role on the NetApp for this.

In all following CLI commands, replace the parameter <vserver_name> with the name of the SVM (Storage Virtual Machine).

 

Creating the event configuration

The event configuration determines which file operations are monitored and the monitored protocol (only CIFS is supported by FS Logga). Change only the parameter <vserver_name>. Any other change may lead to missing events in the reports, or to higher load on the collector and the NetApp because unused events are processed.

fpolicy policy event create -vserver <vserver_name> -event-name event_8manlogga_cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -protocol cifs -filters first-read,first-write,open-with-delete-intent

 

With the following command you can check the result:

fpolicy policy event show

 

Creating the External Engine Configuration

The external engine configuration determines to which server (defined by IP address and port) the NetApp sends the events. The IP address has to be an address of the FS Logga collector that is reachable from the NetApp, and the port must be a free port on the collector.

fpolicy policy external-engine create -vserver <vserver_name> -engine-name engine_8manlogga -primary-servers <collector-ip> -port 2002 -extern-engine-type asynchronous -ssl-option <ssl-option>

 

For <ssl-option> the values no-auth and server-auth are supported. With no-auth the event data leaves the SVM unencrypted; for encrypted transfer between the SVM and the Logga choose server-auth, in which the SVM authenticates the collector by its certificate. If encryption is used, additional configuration is required on both the collector (see "Set up encrypted data transfer on the collector") and the NetApp (see "Certificate configuration for encrypted event data transfer").

 

With the following command you can check the result:

fpolicy policy external-engine show

 

Creating the FPolicy Configuration

The FPolicy Configuration is the assembly of Event- and External Engine Configuration.

fpolicy policy create -vserver <vserver_name> -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false

 

With the following command you can check the result:

fpolicy policy show

 

Creating the scope for the FPolicy

The scope defines the volumes, and hence the shares and their subdirectories and files, for which events are sent to the FS Logga. If only certain shares on certain volumes are to be monitored, we recommend a comma-separated list of volumes instead of the wildcard ("*"), which covers every volume on the SVM. This reduces the load on the NetApp and on the FS Logga collector machine.

fpolicy policy scope create -vserver <vserver_name> -policy-name 8manlogga -volumes-to-include "*"

 

Enable FPolicy

If all of the above steps were successful, activate the policy. The system requires a sequence number even if only one policy is defined.

fpolicy enable -vserver <vserver_name> -policy-name 8manlogga -sequence-number 1

 

With the following command you can check the result:

fpolicy show-enabled

 

Domain accounts

To read the local paths of the shares, an account is needed that is a member of the local group "Power Users" on the NetApp SVM. Configure the Logga with this account.

vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name "BUILTIN\Power Users" -member-names <domain\user>

 

The Logga uses the ONTAP API to read FPolicy data and to request that the NetApp start logging for the external engine. For this the Logga needs an account with restricted rights on the NetApp, so create a dedicated role and grant it only the commands below: full access to "vserver fpolicy" (required to enable the policy; the first command has no -access parameter and therefore defaults to all) and read-only access to "volume", "vserver" and "version".

In all following CLI commands, <vserver_name> denotes the name of the SVM on which the CIFS server to be monitored is configured.

security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver fpolicy"

security login role create -role 8manrole -vserver <vserver_name> -cmd "volume" -access readonly

security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver" -access readonly

security login role create -role 8manrole -vserver <vserver_name> -cmd "version" -access readonly

 

With the following command you can check the result:

security login role show

 

Assign the new role to the account used by the Logga:

security login create -username <domain\username> -application ontapi -authmethod domain -role 8manrole -vserver <vserver_name>

 

With the following command you can check the result:

security login show

 

Firewall configuration

The Logga uses the ONTAP API over HTTPS to read FPolicy data and to request that the NetApp start logging for the external engine. The https service must therefore be enabled on a LIF (logical interface) of the SVM, and this LIF must be reachable from the collector.

Use the following command to see which service is active in which SVM firewall policy:

system services firewall policy show

 

The assignment of firewall policies to LIF of a certain SVM can be checked with:

network interface show -vserver <vserver_name> -fields firewall-policy

 

If a firewall policy with the https service is already active on a LIF of the SVM, you only need to change its allow-list. Restrict it to the collector address (/32) rather than to a whole subnet:

system services firewall policy modify -vserver <vserver_name> -policy <current_firewall_policy> -service https -allow-list <collector-ip/32>

 

If you do not want to change the current firewall policy, you can create a copy of this firewall policy, perform the necessary changes, and then assign this new firewall policy to the appropriate LIF:

system services firewall policy clone -vserver <vserver_name> -policy <current_firewall_policy> -destination-policy 8manlogga_fp

system services firewall policy modify -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>

network interface modify -vserver <vserver_name> -lif <lif> -firewall-policy 8manlogga_fp

 

Replace <collector-ip> with the IP address of the external engine described in "Creating the External Engine Configuration".

Note that ONTAP 9.10.1 and later deprecate firewall policies in favor of LIF service policies; on those releases the address restriction for the https (management) service is configured on the service policy assigned to the LIF instead.
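The following Python helper is an added example, not part of SolarWinds ARM or 8MAN: it assembles the ONTAP command sequence from the sections "Creating the event configuration" through "Enable FPolicy", "Domain accounts" and "Firewall configuration" from a handful of parameters, and refuses settings the page warns against (an ssl-option FS Logga does not support, an empty volume list, a port outside the valid range, an allow-list that is anything but the single collector address). The SVM, LIF, account and address values in the demo run are assumed.

```python
"""Assemble the ONTAP cluster-shell commands for an FS Logga FPolicy deployment.

Hypothetical helper (not SolarWinds ARM / 8MAN code). It emits the commands from this
page with the chosen parameters after validating them; paste the output into the
cluster shell or pipe it through ssh.
"""
import ipaddress

# Event definition from "Creating the event configuration"; leave operations and filters as-is.
FILE_OPS = "create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open"
FILTERS = "first-read,first-write,open-with-delete-intent"
EVENT, ENGINE, POLICY, ROLE = "event_8manlogga_cifs", "engine_8manlogga", "8manlogga", "8manrole"


def fpolicy_commands(vserver, collector_ip, volumes=None, port=2002,
                     ssl_option="server-auth", sequence_number=1):
    """Event, external engine, policy, scope and enable, in the page's order.

    volumes=None emits the wildcard "*" (every volume on the SVM); pass an explicit list
    when only some shares matter, to reduce load on the SVM and the collector.
    """
    if ssl_option not in ("no-auth", "server-auth"):
        raise ValueError("FS Logga supports only no-auth or server-auth")
    ip = ipaddress.ip_address(collector_ip)      # rejects hostnames and malformed input
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1-65535 (and free on the collector)")
    if volumes is not None and not volumes:
        raise ValueError("volumes must be None (wildcard) or a non-empty list")
    scope = "*" if volumes is None else ",".join(volumes)
    return [
        f"fpolicy policy event create -vserver {vserver} -event-name {EVENT} "
        f"-file-operations {FILE_OPS} -protocol cifs -filters {FILTERS}",
        f"fpolicy policy external-engine create -vserver {vserver} -engine-name {ENGINE} "
        f"-primary-servers {ip} -port {port} -extern-engine-type asynchronous -ssl-option {ssl_option}",
        f"fpolicy policy create -vserver {vserver} -policy-name {POLICY} "
        f"-events {EVENT} -engine {ENGINE} -is-mandatory false",
        f'fpolicy policy scope create -vserver {vserver} -policy-name {POLICY} -volumes-to-include "{scope}"',
        f"fpolicy enable -vserver {vserver} -policy-name {POLICY} -sequence-number {sequence_number}",
    ]


def access_commands(vserver, logga_account, collector_ip, current_policy, lif):
    """Least-privilege role and ONTAPI login for the Logga, plus a cloned firewall policy
    whose https allow-list contains only the collector address."""
    ip = ipaddress.ip_address(collector_ip)
    allow = f"{ip}/{ip.max_prefixlen}"            # e.g. 10.0.5.20/32, never a whole subnet
    return [
        f'security login role create -role {ROLE} -vserver {vserver} -cmd "vserver fpolicy"',
        f'security login role create -role {ROLE} -vserver {vserver} -cmd "volume" -access readonly',
        f'security login role create -role {ROLE} -vserver {vserver} -cmd "vserver" -access readonly',
        f'security login role create -role {ROLE} -vserver {vserver} -cmd "version" -access readonly',
        f"security login create -username {logga_account} -application ontapi -authmethod domain "
        f"-role {ROLE} -vserver {vserver}",
        f"system services firewall policy clone -vserver {vserver} -policy {current_policy} "
        f"-destination-policy 8manlogga_fp",
        f"system services firewall policy modify -vserver {vserver} -policy 8manlogga_fp "
        f"-service https -allow-list {allow}",
        f"network interface modify -vserver {vserver} -lif {lif} -firewall-policy 8manlogga_fp",
    ]


if __name__ == "__main__":
    # Assumed demo values; replace with your SVM, LIF, collector address and service account.
    for cmd in fpolicy_commands("svm_fs01", "10.0.5.20", volumes=["vol_home", "vol_projects"]):
        print(cmd)
    for cmd in access_commands("svm_fs01", r"CORP\svc_fslogga", "10.0.5.20", "mgmt", "svm_fs01_mgmt"):
        print(cmd)
```

Run the verification commands the page lists after each stage (fpolicy policy event show, fpolicy policy external-engine show, fpolicy policy show, fpolicy show-enabled, security login role show, security login show) before moving to the next one; the helper intentionally does not try to parse their output.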

 

Certificate configuration for encrypted event data transfer

If you have configured encrypted event data transfer between the NetApp and the Logga (see "Creating the External Engine Configuration"), the public certificate of the certificate authority that signed the collector certificate has to be installed on the SVM as a client CA. The command prompts for the PEM-encoded certificate:

security certificate install -vserver <vserver_name> -type client-ca

 

Use the following command to verify that the certificate has been installed:

security certificate show