Come join our live training webinar every other Wednesday at 11am PST and hear LogicMonitor experts explain best practices and answer common questions. We understand these are uncertain times, and we are here to help!
There are two kinds of data collection methods used for monitoring NetApp Fabric Attached Storage (FAS) systems (also commonly referred to as Filers):
For comprehensive monitoring, both NetApp API and SNMP access must be configured. This article will walk you through setup and configuration for the various available NetApp modes:
Note: By default, LogicMonitor will access the NetApp API over port 443, using HTTPS. However, older LogicMonitor accounts may default to accessing the NetApp API over HTTP on port 80, which can prevent data retrieval. If you are experiencing this behavior, set the netapp.ssl property to a value of TRUE at the root folder level of the Resources tree.
SSH to a cluster management address. To display the current SNMP configuration:
scenariolab::> system snmp community show scenariolab ro Logically
To create a new SNMP community:
scenariolab::> system snmp community add -type ro -community-name secret
Confirm SNMP configuration:
scenariolab::> system snmp community show scenariolab ro Logically ro secret
To create an API user with the example name of logicmonitor in the context of the cluster:
security login create -username logicmonitor -application ontapi -authmethod password -role readonly
You should define the snmp.community, netapp.user, and netapp.pass properties for the host to allow access.
In order to get complete monitoring of, and be able delegate access to, Storage Virtual Machines on NetApp Cluster mode, it is necessary to add the SVMs as separate devices, and enable both SNMP and API access on the SVM itself. The steps required to do so are:
In the following example, we will enable access on the images server.
First, we can check the current SNMP configuration:
Add SNMP community for the SVM (server) images:
scenariolab::> system snmp community add -type ro -community-name Logical -vserver images
scenariolab::> system snmp community show images ro Logical scenariolab ro Logically
You can determine the firewall policy used by the interface for a vserver with the following command:
network interface show -fields firewall-policy vserver lif firewall-policy ------- ---- --------------- foo lif2 data images lif1 data
You can then determine if the policy for the server in question (images, using the data policy in our case) allows snmp:
scenariolab::> firewall policy show -service snmp (system services firewall policy show) Policy Service Action IP-List ---------------- ---------- ------ -------------------- cluster snmp allow 0.0.0.0/0 data snmp deny 0.0.0.0/0 intercluster snmp deny 0.0.0.0/0 mgmt snmp allow 0.0.0.0/0
As the data policy does not allow SNMP, we could either amend the firewall policy, or create a new one. In this case, we will create a new firewall policy:
system services firewall policy create -policy data1 -service snmp -action allow -ip-list 0.0.0.0/0 scenariolab::> firewall policy show -service snmp (system services firewall policy show) Policy Service Action IP-List ---------------- ---------- ------ -------------------- cluster snmp allow 0.0.0.0/0 data snmp deny 0.0.0.0/0 data1 snmp allow 0.0.0.0/0 intercluster snmp deny 0.0.0.0/0 mgmt snmp allow 0.0.0.0/0
We can now assign new policy to the interface used by the vserver images (lif1):
network interface modify -vserver images -lif lif1 -firewall-policy data1
SNMP is now enabled
To enable API access the SVM, we must allow HTTP/HTTPS access through the firewall policy used by the SVM’s interfaces. These commands add HTTP and HTTPS access to the new firewall policy we created above, that is already applied to the interface for the vserver images.
system service firewall policy create -policy data1 -service http -action allow -ip-list 0.0.0.0/0 system service firewall policy create -policy data1 -service https -action allow -ip-list 0.0.0.0/0
Now we just need to create an API user in the context of this vserver:
security login create -username logicmonitor -application ontapi -authmethod password -vserver images -role vsadmin
You can now add the SVM as a host to LogicMonitor. You should define the snmp.community, netapp.user, and netapp.pass properties for the host to allow access.
Notes:
It is recommended that you create a new NetApp account with the privileges detailed below.
To create a new user called logicmonitor with only API access, on your NetApp filers perform these operations:
useradmin role add APIrole -a api-*,login-http-admin useradmin group add APIGroup -r APIRole useradmin user add logicmonitor -g APIGroup New password:<secret> Retype new password:<secret>
Note: To create a role with the current minimum API rights required, substitute this command for the command above, or use useradmin role modify if the role already exists:
useradmin role add APIrole -a login-http-admin,api-perf*,api-disk-list*,api-volume-list*,api-system-get*
This grants read only API access sufficient for the current NetApp datasources, but may not be sufficient for future datasources that may use different API calls.).
You would then specify these properties in LogicMonitor:
netapp.user=logicmonitor netapp.pass=<secret>
By default, LogicMonitor will access the NetApp API over port 443, using HTTPS. To change the port that LogicMonitor will connect to the API on, set the property netapp.api.sslport to the appropriate port.
If you wish to access the API using HTTP, instead of SSL:
Perform these operations from the netapp CLI:
options snmp.enable on snmp community add ro <secret>
Note: if you have changed the default settings of options trusted.hosts or options snmp.access, ensure that the IP address of the collector for the filer is added to those options. You can check your SNMP settings by simply entering snmp at the command line:
labfiler01> snmp contact: ~ location: ~ PDT authtrap: ~ 0 init: ~ 1 traphosts: community: ~ ro public
After enabling LogicMonitor to monitor a NetApp, usually the NetApp will start logging messages similar to:
[openssh.versionExchange.Fail:error]: Did not receive identification string from X.X.X.X
This is due to the fact that LogicMonitor checks the responsiveness of SSH on the NetApp, but does not complete an actual log in. The messages are harmless, but you can disable LogicMonitor’s checking of SSH on the device if you wish to not generate the messages. (Of course, this will also prevent alerting if SSH fails to respond on the device.)
LogicMonitor offers two different packages for NetAPP FAS monitoring, depending on whether your NetApp system is running in a Cluster-Mode (CDOT) or 7-Mode environment; some LogicModules are shared across both packages.
In This Article