Documentation for Access Rights Manager

Prepare the NetApp clustered data ONTAP file servers

Collectors for NetApp file servers

The collectors for NetApp file servers are dedicated Windows servers running the collector service.

SolarWinds strongly recommends using a Collector server within the same network segment as the NetApp file server. Otherwise, you may experience performance and routing problems.

In contrast with Windows file servers, FS Logga for NetApp file servers does not require a filter driver installation.

Set NetApp file servers findable

NetApp file servers registered in Active Directory have a typical value set in the LDAP attribute operatingSystem. The collector uses this property to detect NetApp file servers and mark them with the NetApp file server type in the FS Logga configuration.

By default, the operatingSystem value of the NetApp file servers is set to OnTap or NetApp in the collector configuration file. If your NetApp file servers use different values for the operatingSystem property, you can adjust the search parameters.

If your NetApp file server is not registered in Active Directory, create a computer account and set the operatingSystem attribute accordingly.

Configuration file

pnCollector.config.xml

Computer

The collector server that is configured for the NetApp file server.

Path

%ProgramData%\Protected Networks\8MAN\cfg

If the file does not exist, copy the template from the following path:

old: %ProgramFiles%\Protected Networks\8MAN\etc

new: %ProgramFiles%\solarwinds\ARM\etc

Code

<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>

Possible values

Add your operatingSystem values separated by commas.

If your NetApp file servers include different values for the operatingSystem property, insert these values separated by commas.

If none or only some of your NetApp file servers register the operatingSystem property in Active Directory, leave the entry in the collector configuration file empty. With an empty entry, all computer accounts from Active Directory that are neither EMC nor Windows are shown for the account in use.
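The following is an added example (not SolarWinds' or NetApp's code) showing how the NetappOperatingSystems entry in pnCollector.config.xml can be read and updated, and what effect the configured list, or an empty one, has on which Active Directory computer accounts are picked up. The matching rule (case-insensitive substring comparison of the operatingSystem attribute against the configured values; an empty list meaning "every account that is neither Windows nor EMC") is an assumption modelled on the description above, not the collector's actual implementation, and the computer accounts are constructed sample data.

```python
"""Added example (not SolarWinds' or NetApp's code): reading and updating the
NetappOperatingSystems list in pnCollector.config.xml and applying it to
Active Directory computer accounts.

Assumptions (the page does not document the collector's matching rule):
- a computer account counts as a NetApp file server when its operatingSystem
  attribute contains one of the configured values, compared case-insensitively;
- with an empty list, every account whose operatingSystem does not contain
  "Windows" or "EMC" is treated as a candidate, as the page describes.
"""
import xml.etree.ElementTree as ET

OS_PATH = "tracer/netapp/NetappOperatingSystems"

# Constructed copy of the configuration template shown on the page.
CONFIG_XML = """<?xml version="1.0" encoding="utf-8"?>
<config>
  <tracer>
    <netapp>
      <NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
    </netapp>
  </tracer>
</config>
"""

# Constructed sample of computer accounts with their AD operatingSystem values.
AD_COMPUTERS = [
    {"name": "FILER01", "operatingSystem": "NetApp"},
    {"name": "FILER02", "operatingSystem": "OnTap"},
    {"name": "FILER03", "operatingSystem": "Data ONTAP 9.7"},
    {"name": "WS01", "operatingSystem": "Windows Server 2019 Standard"},
    {"name": "EMC01", "operatingSystem": "EMC Celerra File Server"},
    {"name": "NOOS01", "operatingSystem": ""},
]


def read_os_values(xml_text):
    """Return the configured operatingSystem values (empty list if the entry is empty)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(OS_PATH)
    if node is None:
        raise ValueError("NetappOperatingSystems entry not found")
    return [v.strip() for v in (node.text or "").split(",") if v.strip()]


def set_os_values(xml_text, values):
    """Return the XML with the NetappOperatingSystems entry replaced by the given values."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    node = root.find(OS_PATH)
    if node is None:
        raise ValueError("NetappOperatingSystems entry not found")
    node.text = ",".join(v.strip() for v in values if v.strip())
    return ET.tostring(root, encoding="unicode")


def is_netapp(os_value, configured):
    """Assumed detection rule: case-insensitive substring match, or the empty-list fallback."""
    os_lower = (os_value or "").lower()
    if not configured:
        # Empty entry: everything that is not Windows and not EMC becomes visible.
        return "windows" not in os_lower and "emc" not in os_lower
    return any(v.lower() in os_lower for v in configured)


def select_netapp_servers(computers, configured):
    """Names of the computer accounts the collector would mark as NetApp file servers."""
    return [c["name"] for c in computers if is_netapp(c.get("operatingSystem"), configured)]


if __name__ == "__main__":
    configured = read_os_values(CONFIG_XML)
    print("configured:", configured)
    print("detected:", select_netapp_servers(AD_COMPUTERS, configured))
    # An empty entry widens the selection to every non-Windows, non-EMC account,
    # including accounts with no operatingSystem value at all.
    print("with empty entry:", select_netapp_servers(AD_COMPUTERS, []))
```

Running the module prints the three FILER accounts for the default list and, with an empty entry, additionally the account that has no operatingSystem value at all, which illustrates why leaving the entry empty should be a deliberate choice.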

Set up the encrypted data transfer on the collector

The following steps are required if communications between NetApp and the collector are encrypted.

If you configured the encrypted data transfer, adapt the pnTracer.config.xml file on the collector server. For each file server (CIFS server on the NetApp) to be monitored on this collector, add the following entry under <tracer><netapp><ssl><cifsServers>:

<name of cifs server>
  <switchOn type="System.Boolean">true</switchOn>
  <protocol type="System.Int32">5</protocol>
  <serverCertificateName>name of certificate from certificate store to use</serverCertificateName>
</name of cifs server>

The certificate must be installed in the certificate store on the computer.

For <protocol>, the following values are possible:

TLS = 1, TLS1.1 = 2, TLS1.2 = 3, SSL2 = 4, SSL3 = 5. Default is SSL3 (5).

Select a protocol that is available on both the collector and the NetApp.
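The following is an added example (not SolarWinds' code) that generates the <ssl><cifsServers> fragment for pnTracer.config.xml from a list of CIFS servers, using the protocol codes documented above. Because the CIFS server name becomes an XML element name in this file, the example also rejects names that would not be valid tags. The helper names and the sample server and certificate names are constructed for this example.

```python
"""Added example (not SolarWinds' code): building the <ssl><cifsServers> entries
for pnTracer.config.xml with the protocol codes listed on the page.

Assumed: the entry for a CIFS server is nested under
<tracer><netapp><ssl><cifsServers> with the server name as the element name,
as the page shows; the helper names and the sample values are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Protocol codes exactly as documented on the page.
PROTOCOL_CODES = {"TLS": 1, "TLS1.1": 2, "TLS1.2": 3, "SSL2": 4, "SSL3": 5}
DEFAULT_PROTOCOL = "SSL3"  # the documented default (5)

# Conservative XML element-name check: the CIFS server name becomes a tag, so a
# name that is not a valid tag would produce an unreadable configuration file.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")

# Constructed sample: two CIFS servers on the monitored SVM.
SAMPLE_SERVERS = {
    "cifs01": ("collector-tls-cert", "TLS1.2"),
    "cifs02": ("collector-tls-cert", "SSL3"),
}


def protocol_code(protocol):
    """Map a protocol label from the page to its numeric <protocol> value."""
    try:
        return PROTOCOL_CODES[protocol]
    except KeyError:
        raise ValueError(
            f"unknown protocol {protocol!r}; expected one of {sorted(PROTOCOL_CODES)}"
        ) from None


def cifs_server_entry(server_name, certificate_name, protocol=DEFAULT_PROTOCOL, switch_on=True):
    """Build one <name of cifs server> element with the three documented children."""
    if not _XML_NAME.match(server_name):
        raise ValueError(f"{server_name!r} is not usable as an XML element name")
    if not certificate_name.strip():
        raise ValueError("serverCertificateName must not be empty")
    entry = ET.Element(server_name)
    ET.SubElement(entry, "switchOn", type="System.Boolean").text = "true" if switch_on else "false"
    ET.SubElement(entry, "protocol", type="System.Int32").text = str(protocol_code(protocol))
    ET.SubElement(entry, "serverCertificateName").text = certificate_name
    return entry


def build_cifs_servers(servers):
    """Render the <tracer><netapp><ssl><cifsServers> fragment for a dict
    {server_name: (certificate_name, protocol_label)}."""
    tracer = ET.Element("tracer")
    cifs = ET.SubElement(ET.SubElement(ET.SubElement(tracer, "netapp"), "ssl"), "cifsServers")
    for name, (cert, proto) in servers.items():
        cifs.append(cifs_server_entry(name, cert, proto))
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(tracer)
    return ET.tostring(tracer, encoding="unicode")


if __name__ == "__main__":
    print(build_cifs_servers(SAMPLE_SERVERS))
```

SSL 2.0 and SSL 3.0 are deprecated (RFC 6176 and RFC 7568), so where both the NetApp and the collector support it, TLS 1.2 (code 3) is the value to set rather than the default SSL3 (5); the example therefore makes the protocol an explicit per-server choice instead of silently inheriting the default.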

FPolicy feature

FS Logga for NetApp file servers uses the NetApp FPolicy feature. As a result, FPolicy must be activated and configured using the NetApp CLI.

To configure the FPolicy feature, use an account with the admin or vsadmin role on the NetApp.

In the following CLI commands, replace the <vserver_name> parameter with the storage virtual machine (SVM) name.

Creating the event configuration

The event configuration determines:

  • Events that will be monitored
  • Events that will not be monitored
  • Protocol to use (only the CIFS protocol is supported by FS Logga)

Change only the <vserver_name> parameter. Any additional changes may lead to missing events in the reports, as well as higher collector and NetApp load due to processing unused events.

Command

fpolicy policy event create -vserver <vserver_name> -event-name event_8manlogga_cifs -file-operations create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open -protocol cifs -filters first-read,first-write,open-with-delete-intent

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

Use the following command to check the result:

fpolicy policy event show

Create the External Engine Configuration

The External Engine Configuration determines the server (defined by IP address and port) that receives the events sent by NetApp. Ensure that the IP address is the FS-Logga collector address that is reachable by NetApp. The port must be a free and reachable port on the collector.

Command

fpolicy policy external-engine create -vserver <vserver_name> -engine-name engine_8manlogga -primary-servers <collector-ip> -port 2002 -extern-engine-type asynchronous -ssl-option <ssl-option>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<collector-ip> - IP address of the collector

<ssl-option>

  • "no-auth" - no encryption
  • "server-auth" - use encryption

To use encryption, be sure to configure encryption on the collector and NetApp.

Use the following command to check the result:

fpolicy policy external-engine show

Creating the FPolicy Configuration

The FPolicy configuration combines the event configuration and the external engine configuration.

Command

fpolicy policy create -vserver <vserver_name> -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

Use the following command to check the result:

fpolicy policy show

Creating the FPolicy scope

Use the following command to select the volumes you want to monitor, including the shares, directories, and files.

Command

fpolicy policy scope create -vserver <vserver_name> -policy-name 8manlogga -volumes-to-include "*"

Optional: replace "*" with a comma-separated list of volumes if only certain volumes are to be monitored. SolarWinds recommends such a list instead of the wildcard ("*") because it reduces load on the NetApp file server and the collector.

Enable the FPolicy

If the previous procedures were successful, activate the policy. Even if only one policy is defined, the system requires a sequence number.

Command

fpolicy enable -vserver <vserver_name> -policy-name 8manlogga -sequence-number 1

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

Use the following command to check the result:

fpolicy show-enabled

Always specify a sequence number, even if you have only one FPolicy. The sequence number determines the order in which FPolicies are processed.
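The following is an added example (not SolarWinds' or NetApp's code) that assembles the five FPolicy commands from the procedure above with the placeholders filled in, after checking the inputs that most often go wrong when the commands are pasted into the ONTAP CLI: a malformed collector address, an ssl-option other than the two documented values, an out-of-range port, or a volume list with spaces or commas in a name. The command text, object names and the default port 2002 come from the page; the validation rules, name patterns and function names are constructed for this example, and the "fpolicy policy scope show" check command is not on the page.

```python
"""Added example (not SolarWinds' or NetApp's code): generating the FPolicy
command sequence from the page with the placeholders filled in and the inputs
checked before anything is pasted into the ONTAP CLI.

Assumed: the SVM/volume name pattern, the validation rules and the function
names are constructed; the commands, object names (event_8manlogga_cifs,
engine_8manlogga, 8manlogga) and the default port 2002 are taken from the page.
"""
import ipaddress
import re

FILE_OPERATIONS = "create,create_dir,delete,delete_dir,read,write,rename,rename_dir,setattr,open"
FILTERS = "first-read,first-write,open-with-delete-intent"
SSL_OPTIONS = ("no-auth", "server-auth")
_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")  # assumed conservative pattern for SVM and volume names

# Show commands used to verify each step; "fpolicy policy scope show" is an
# ONTAP command that is not listed on the page.
CHECK_COMMANDS = [
    "fpolicy policy event show",
    "fpolicy policy external-engine show",
    "fpolicy policy show",
    "fpolicy policy scope show",
    "fpolicy show-enabled",
]


def fpolicy_commands(vserver, collector_ip, ssl_option, port=2002, volumes=("*",), sequence_number=1):
    """Return the five create/enable commands in the order the page gives them."""
    if not _NAME.match(vserver):
        raise ValueError(f"invalid SVM name {vserver!r}")
    ip = ipaddress.ip_address(collector_ip)  # raises ValueError on a malformed address
    if ssl_option not in SSL_OPTIONS:
        # server-auth additionally requires the certificate setup on collector and NetApp.
        raise ValueError(f"ssl-option must be one of {SSL_OPTIONS}")
    if not 1 <= int(port) <= 65535:
        raise ValueError("port out of range")
    if int(sequence_number) < 1:
        raise ValueError("sequence number must be positive")
    vols = list(volumes)
    # ONTAP lists are comma-separated without spaces, so names must be clean.
    if vols != ["*"] and (not vols or any(not _NAME.match(v) for v in vols)):
        raise ValueError("volumes must be '*' or a list of volume names")
    scope = ",".join(vols)
    return [
        f"fpolicy policy event create -vserver {vserver} -event-name event_8manlogga_cifs "
        f"-file-operations {FILE_OPERATIONS} -protocol cifs -filters {FILTERS}",
        f"fpolicy policy external-engine create -vserver {vserver} -engine-name engine_8manlogga "
        f"-primary-servers {ip} -port {port} -extern-engine-type asynchronous -ssl-option {ssl_option}",
        f"fpolicy policy create -vserver {vserver} -policy-name 8manlogga -events event_8manlogga_cifs "
        f"-engine engine_8manlogga -is-mandatory false",
        f'fpolicy policy scope create -vserver {vserver} -policy-name 8manlogga -volumes-to-include "{scope}"',
        f"fpolicy enable -vserver {vserver} -policy-name 8manlogga -sequence-number {sequence_number}",
    ]


def render_script(vserver, collector_ip, ssl_option, **kwargs):
    """Interleave each command with the show command used to check its result."""
    lines = []
    for cmd, check in zip(fpolicy_commands(vserver, collector_ip, ssl_option, **kwargs), CHECK_COMMANDS):
        lines.append(cmd)
        lines.append(check)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values: SVM "svm1", collector 10.0.0.5, two explicit volumes.
    print(render_script("svm1", "10.0.0.5", "server-auth", volumes=["vol_data", "vol_home"]))
```

Generating the script this way keeps a reviewable record of exactly what was applied to the SVM, and the explicit volume list rather than "*" follows the load recommendation given for the scope step.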

Domain accounts

To read the local share paths, create an account that is a member of the local Power Users group on the NetApp SVM. In a later step, you can configure Logga with this account.

Command

vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name "BUILTIN\Power Users" -member-names <domain\user>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<domain\user> - User account used to configure FS Logga within ARM

The Logga uses the ONTAP API to read the FPolicy data and request the NetApp to start logging for the external engine. This procedure requires a Logga account with restricted access rights on NetApp. As a result, create a new role. The rights of this role will be defined in a later step.

Commands

security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver fpolicy"
security login role create -role 8manrole -vserver <vserver_name> -cmd "volume" -access readonly
security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver" -access readonly
security login role create -role 8manrole -vserver <vserver_name> -cmd "version" -access readonly

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

Use the following command to check the result:

security login role show

Assign the new role to the account used by Logga

security login create -username <domain\username> -application ontapi -authmethod domain -role 8manrole -vserver <vserver_name>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<domain\username> - User account used to configure FS Logga within ARM

Use the following command to check the result:

security login show

Firewall configuration

The Logga uses the ONTAP API through HTTPS to read FPolicy data and request NetApp to begin logging for the external engine. Configure the HTTPS service on a logical interface (LIF) of the SVM. The LIF must be reachable by the collector.

Use the following command to view the service that is active for the SVM firewall policy:

system services firewall policy show

Use the following command to see which firewall policy is assigned to each LIF of a specific SVM:

network interface show -vserver <vserver_name> -fields firewall-policy

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

If a firewall policy that includes the HTTPS service is active on a LIF of the SVM, change the allow-list of that policy:

system services firewall policy modify -vserver <vserver_name> -policy <current_firewall_policy> -service https -allow-list <collector-ip/32>

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<current_firewall_policy> - already activated firewall policy

<collector-ip/32> - IP address of the collector

If you do not want to change the current firewall policy, create a copy of this firewall policy, perform the necessary changes, and assign this new firewall policy to the appropriate LIF:

system services firewall policy clone -vserver <vserver_name> -policy <current_firewall_policy> -destination-policy 8manlogga_fp

If the HTTPS service exists on the cloned firewall policy, run: 

system services firewall policy modify -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>

If the HTTPS service does not exist in the cloned firewall policy, run: 

system services firewall policy create -vserver <vserver_name> -policy 8manlogga_fp -service https -allow-list <collector-ip/32>
network interface modify -vserver <vserver_name> -lif <lif> -firewall-policy 8manlogga_fp

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

<current_firewall_policy> - already activated firewall policy

<collector-ip/32> - IP address of the collector

<lif> - Name of the Logical Interface
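The following is an added example (not SolarWinds' or NetApp's code) that encodes the three variants described above (modify the active policy in place; clone it and modify https; clone it and create https) and emits the corresponding commands, with the collector address rendered as the single-host /32 allow-list entry the procedure calls for. The helper names and sample values are constructed; because the page documents only a /32 entry, IPv6 addresses are rejected. The LIF assignment is emitted for both clone variants, since the text says the cloned policy must be assigned to the appropriate LIF.

```python
"""Added example (not SolarWinds' or NetApp's code): choosing between the
firewall-policy variants described on the page and emitting the matching
commands with the collector restricted to a single /32 allow-list entry.

Assumed: the helper names and sample values are constructed; the page describes
only an IPv4 /32 allow-list entry, so IPv6 addresses are rejected.
"""
import ipaddress

CLONED_POLICY = "8manlogga_fp"  # policy name used on the page


def allow_list_entry(collector_ip):
    """Return the collector address as the single-host allow-list entry the page asks for."""
    ip = ipaddress.ip_address(collector_ip)  # raises ValueError on a malformed address
    if ip.version != 4:
        raise ValueError("the documented allow-list uses an IPv4 /32 entry")
    return f"{ip}/32"


def firewall_commands(vserver, current_policy, collector_ip, lif=None, clone=False, https_in_clone=True):
    """Commands to open HTTPS on the SVM firewall policy for the collector only.

    clone=False   : modify the active policy in place (first variant on the page)
    clone=True    : clone it to 8manlogga_fp, add or modify https, assign it to the LIF
    https_in_clone: whether the cloned policy already carries the https service
    """
    allow = allow_list_entry(collector_ip)
    if not clone:
        return [
            f"system services firewall policy modify -vserver {vserver} -policy {current_policy} "
            f"-service https -allow-list {allow}",
        ]
    if not lif:
        raise ValueError("a LIF name is required to assign the cloned policy")
    # modify when https already exists in the clone, create when it does not
    action = "modify" if https_in_clone else "create"
    return [
        f"system services firewall policy clone -vserver {vserver} -policy {current_policy} "
        f"-destination-policy {CLONED_POLICY}",
        f"system services firewall policy {action} -vserver {vserver} -policy {CLONED_POLICY} "
        f"-service https -allow-list {allow}",
        f"network interface modify -vserver {vserver} -lif {lif} -firewall-policy {CLONED_POLICY}",
    ]


if __name__ == "__main__":
    # Constructed sample values: SVM "svm1", active policy "data", collector 10.0.0.5, LIF "svm1_mgmt".
    for line in firewall_commands("svm1", "data", "10.0.0.5", lif="svm1_mgmt", clone=True, https_in_clone=False):
        print(line)
```

Restricting the https allow-list to the collector's single address, rather than a wider subnet, keeps the ONTAP API reachable only from the host that actually needs it; cloning the policy first leaves the original policy untouched for the other LIFs that use it.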

Configuring a certificate for the encrypted event data transfer

If you configured the encrypted event data transfer between NetApp and Logga, install the public certificate of the certificate authority (CA) that signed the collector certificate on the SVM:

security certificate install -vserver <vserver_name> -type client-ca

Replace:

<vserver_name> - name of the SVM (Storage Virtual Machine)

Use the following command to verify that the certificate is installed:

security certificate show