Prepare the NetApp clustered data ONTAP file servers
Collectors for NetApp file servers
The collectors for NetApp file servers are dedicated Windows servers running the collector service.
SolarWinds strongly recommends using a Collector server within the same network segment as the NetApp file server. Otherwise, you may experience performance and routing problems.
In contrast with Windows file servers, FS Logga for NetApp file servers do not require a filter driver installation.
Set NetApp file servers findable
In Active Directory registered NetApp file servers have a typical value set in the LDAP attribute operatingSystem. This property is used by the collector to detect NetApp file servers and mark it as NetApp file server type in the FS Logga configuration.
By default, the operatingSystem value of the NetApp file servers is set to OnTap or NetApp in the collector configuration file. If your NetApp file servers use different values for the operatingSystem property, you can adjust the search parameters.
If your NetApp file server is not registered in Active Directory, create a computer account and set the operatingSystem attribute accordingly.
Configuration file
pnCollector.config.xml
Computer
The collector server that is configured for the NetApp file server.
Path
%ProgramData%\Protected Networks\8MAN\cfg
If the file does not exist, copy the template from the following path:
old: %ProgramFiles%\Protected Networks\8MAN\etc
new: %ProgramFiles%\solarwinds\ARM\etc
Code
<?xml version="1.0" encoding="utf-8"?>
<config>
<tracer>
<netapp>
<NetappOperatingSystems>OnTap,NetApp</NetappOperatingSystems>
</netapp>
</tracer>
</config>Possible values
Add your operatingSystem values separated by commas.
If your NetApp file servers include different values for the operatingSystem property, insert these values separated by commas.
If no or not all NetApp file servers register the operatingSystem property in the Active Directory, leave the entry empty in the collectors configuration file. Using an empty entry, all non-EMC or non-Windows computer accounts from Active Directory will be visible for the used account.
Set up the encrypted data transfer on the collector
The following steps are required if communications between NetApp and the collector are encrypted.
If you configured the encrypted data transfer, adapt the pnTracer.config.xml file on the collector server. For each file server (CIFS server on the NetApp) to be monitored on this collector, the following entry must be added under <tracer><netapp><ssl><cifsServers>:
<name of cifs server>
<switchOn type="System.Boolean">true</switchOn>
<protocol type="System.Int32">5</protocol>
<serverCertificateName>name of certificate from certificate store to use</serverCertificateName>
</name of cifs server>
The certificate must be installed in the certificate store on the computer.
For <protocol>, the following values are possible:
TLS = 1, TLS1.1 = 2, TLS1.2 = 3, SSL2 = 4, SSL3 = 5. Default is SSL3 (5).
Select an available protocol on the collector and NetApp.
FPolicy feature
The FS-Logga for NetApp file server uses the NetApp FPolicy feature. As a result, it must be activated and configured using the CLI.
To configure the FPolicy feature, use a role admin or vsadmin account on NetApp.
In the following CLI commands, replace the <vserver_name> parameter with the storage virtual machine (SVM) name.
Creating the event configuration
The event configuration determines:
- Events that will be monitored
- Events that will not be monitored
- Protocol to use (only the CIFS protocol is supported by FS Logga)
Change only the <vserver_name> parameter. Any additional changes may lead to missing events in the reports, as well as higher collector and NetApp load due to processing unused events.
Command
fpolicy policy event create -vserver <vserver_name> -event-name event_8manlogga_cifs -file-operations create, create_dir, delete, delete_dir, read, write, rename, rename_dir, setattr, open -protocol cifs -filters first-read, first-write, open-with-delete-intentReplace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
with the following command to check the result:
fpolicy policy event showCreate the External Engine Configuration
The External Engine Configuration determines the server (defined by IP address and port) that receives the events sent by NetApp. Ensure that the IP address is the FS-Logga collector address that is reachable by NetApp. The port must be a free and reachable port on the collector.
Command
fpolicy policy external-engine create -vserver <vserver_name> -engine-name engine_8manlogga -primary-servers <collector-ip> -port 2002 -extern-engine-type asynchronous -ssl-option <ssl-option>
Replace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
<collector-ip> - IP address of the collector
<ssl-option>
- "
no-auth" - no encryption - "
server-auth" - use encryption
To use encryption, be sure to configure encryption on the collector and NetApp.
With the following command you can check the result:
fpolicy policy external-engine show
Creating the FPolicy Configuration
The FPolicy Configuration is the assembly of Event- and External Engine Configuration.
Command
fpolicy policy create -vserver <vserver_name> -policy-name 8manlogga -events event_8manlogga_cifs -engine engine_8manlogga -is-mandatory false
Replace
<vserver_name> - name of the SVM (Storage Virtual Machine)
With the following command to check the result:
fpolicy policy show
Creating the FPolicy scope
Use the following command to select the volumes you want to monitor, including the shares, directories, and files.
Command
fpolicy policy scope create -vserver <vserver_name> -policy-name 8manlogga -volumes-to-include "*"Optional: Replace
"*"
if only certain volumes are monitored. SolarWinds recommends using a comma-separated list of these volumes instead of the wildcard ("*"). This process reduces load on the NetApp file server and collector.
Enable the FPolicy
If the previous procedures were successful, activate the policy. Even if one policy is defined, the system requires a sequence number.
Command
fpolicy enable -vserver <vserver_name> -policy-name 8manlogga -sequence-number 1Replace
<vserver_name> - name of the SVM (Storage Virtual Machine)
with the following command to check the result:
fpolicy show-enabledAlways specify a sequence number, even if you have one FPolicy. This process determines the FPolicies processing order.
Domain accounts
To read the local share paths, create an account that is a member of the local Power Users group on the NetApp SVM. In al later step, you can configure Logga with this account.
Command
vserver cifs users-and-groups local-group add-members -vserver <vserver_name> -group-name "BUILTIN\Power Users" -member-names <domain\user>Replace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
<domain\user> - User account used to configure FS Logga within ARM
The Logga uses the ONTAP API to read the FPolicy data and request the NetApp to start logging for the external engine. This procedure requires a Logga account with restricted access rights on NetApp. As a result, create a new role. The rights of this role will be defined in a later step.
Commands
security login role create -role 8manrole -vserver <vserver_name> -cmd "vserver fpolicy"security login role create -role 8manrole -vserver <vserver_name> -cmd "volume" -access readonlysecurity login role create -role 8manrole -vserver <vserver_name> -cmd "vserver" -access readonlysecurity login role create -role 8manrole -vserver <vserver_name> -cmd "version" -access readonlyReplace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
with the following command to check the result:
security login role showAssign the new role to the account used by Logga
security login create -username <domain\username> -application ontapi -authmethod domain -role
8manrole -vserver <vserver_name>Replace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
<domain\username> - User account used to configure FS Logga within ARM
with the following command to check the result:
security login showFirewall configuration
The Logga uses the ONTAP API through HTTPS to read FPolicy data and request NetApp to begin logging for the external engine. Configure he HTTPS service on a logical interface (LIF) of the SVM. The LIF must be reachable by the collector.
Use the following command to view the service that is active for the SVM firewall policy:
system service firewall policy showUse the following command to check the firewall policies to the LIF of a specific SVM:
network interface show -vserver <vserver_name> -fields firewall-policyReplace
<vserver_name> - name of the SVM (Storage Virtual Machine)
when a firewall policy with the HTTPS is active on a LIF of the SVM. When you are finished, change change the 'allow-list':
system services firewall policy modify -vserver <vserver_name> -policy <current_firewall_policy>
-service https -allow-list <collector-ip/32>Replace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
<current_firewall_policy>
- already activated firewall policy
<collector-ip/32> - IP address of the collector
If you do not want to change the current firewall policy, create a copy of this firewall policy, perform the necessary changes, and assign this new firewall policy to the appropriate LIF:
system services firewall policy clone -vserver <vserver_name> -policy <current_firewall_policy>
-destination-policy 8manlogga_fpIf the HTTPS service exists on the cloned firewall policy, run:
system services firewall policy modify -vserver <vserver_name> -policy 8manlogga_fp -service https
-allow-list <collector-ip/32>If the HTTPS service does not exist in the cloned firewall policy, run:
system services firewall policy create -vserver <vserver_name> -policy 8manlogga_fp -service https
-allow-list <collector-ip/32>network interface modify -vserver <vserver_name> -lif <lif> -firewall-policy 8manlogga_fpReplace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
<current_firewall_policy>
- already activated firewall policy
<collector-ip/32> - IP address of the collector
<lif> - Name of the Logical Interface
Configuring a certificate for the encrypted event data transfer
If you configured the encrypted event data transfer between NetApp and Logga, install the public Certificate of Authority (CA) used to sign the collector certificate on the SVM:
security certificate install -vserver <vserver_name> -type client-caReplace:
<vserver_name> - name of the SVM (Storage Virtual Machine)
Use the following command to verify that the certificate is installed:
security certificate show