Monitoring

NetApp

There are two kinds of data collection methods used on NetApp Filers: NetApp API & SNMP. For comprehensive monitoring, both must be configured. This article will walk you through setup and configuration:

    Note: By default, LogicMonitor will access the NetApp API over port 443, using HTTPS. However, older LogicMonitor accounts may default to accessing the NetApp API over HTTP on port 80, which can prevent data retrieval. If you are experiencing this behavior, set 'netapp.ssl' to "true" at the root folder of the devices tree.

    Cluster Mode (CDOT)

    Enabling NetApp SNMP Access:

    SSH to a cluster management address. To display the current SNMP configuration:

    scenariolab::> system snmp community show
    scenariolab
    ro  Logically 
     

    To create a new SNMP community:

    scenariolab::> system snmp community add -type ro -community-name secret 
     

    Confirm SNMP configuration:

    scenariolab::> system snmp community show
    scenariolab ro  Logically
    ro secret 
     

    Enabling NetApp API Access:

    To create an API user with the example name of logicmonitor in the context of the cluster:

    security login create -username logicmonitor -application ontapi -authmethod password  -role readonly 

    You should define the snmp.community, netapp.user, and netapp.pass properties for the host to allow access.

     

    Cluster Mode SVMs (vFiler)

    In order to get complete monitoring of, and be able delegate access to, Storage Virtual Machines on NetApp Cluster mode, it is necessary to add the SVMs as separate devices, and enable both SNMP and API access on the SVM itself. The steps required to do so are:

    1. Add an SNMP community for the SVM.
    2. Ensure SNMP is allowed by the firewall configuration of the interface of the SVM: determine the interface used by the SVM, the firewall policy, and amend if needed.
    3. Enable API access by allowing API access through the SVM firewall, and creating an API user.

    In the following example, we will enable access on the images server.

    To enable SNMP

    First, we can check the current SNMP configuration:

    scenariolab::> system snmp community show
    scenariolab
    ro  Logically
     

    Add SNMP community for the SVM (server) images:

    scenariolab::> system snmp community add -type ro -community-name Logical -vserver images
     

    Confirm SNMP configuration:

    scenariolab::> system snmp community show
    images
    ro  Logical
    
    scenariolab
    ro  Logically
     

    You can determine the firewall policy used by the interface for a vserver with the following command:

    network interface show  -fields firewall-policy
    vserver lif  firewall-policy
    ------- ---- ---------------
    foo     lif2 data
    images  lif1 data
     

    You can then determine if the policy for the server in question (images, using the data policy in our case) allows snmp:

    scenariolab::> firewall policy show -service snmp
    
    (system services firewall policy show)
    
    Policy           Service    Action IP-List
    
    ---------------- ---------- ------ --------------------
    
    cluster           snmp       allow  0.0.0.0/0
    
    data              snmp       deny   0.0.0.0/0
    
    intercluster      snmp       deny   0.0.0.0/0
    
    mgmt              snmp       allow  0.0.0.0/0
     

    As the data policy does not allow SNMP, we could either amend the firewall policy, or create a new one. In this case, we will create a new firewall policy:

    system services firewall policy create -policy data1 -service snmp -action allow -ip-list 0.0.0.0/0
    
    scenariolab::> firewall policy show -service snmp
    
    (system services firewall policy show)
    
    Policy           Service    Action IP-List
    
    ---------------- ---------- ------ --------------------
    
    cluster           snmp       allow  0.0.0.0/0
    
    data              snmp       deny   0.0.0.0/0
    
    data1             snmp       allow  0.0.0.0/0
    
    intercluster      snmp       deny   0.0.0.0/0
    
    mgmt              snmp       allow  0.0.0.0/0
     

    We can now assign new policy to the interface used by the vserver images (lif1):

    network interface modify -vserver images -lif lif1 -firewall-policy data1

    SNMP is now enabled

     

    API

    To enable API access the SVM, we must allow HTTP/HTTPS access through the firewall policy used by the SVM's interfaces. These commands add HTTP and HTTPS access to the new firewall policy we created above, that is already applied to the interface for the vserver images.

    system service firewall policy create  -policy data1 -service http -action allow -ip-list 0.0.0.0/0
    system service firewall policy create  -policy data1 -service https -action allow -ip-list 0.0.0.0/0 
     

    Now we just need to create an API user in the context of this vserver:

    security login create -username logicmonitor -application ontapi -authmethod password -vserver images -role vsadmin 

    You can now add the SVM as a host to LogicMonitor. You should define the snmp.community, netapp.user, and netapp.pass properties for the host to allow access.

     

    Non-Cluster Mode (7-mode)

    Notes:

    • In OnTap 8 and later, you must explicitly enable HTTP access for the API: options httpd.admin.enable on
    • Using GD Collectors 22.0 or 21.0 requires TLS to be enabled (command line "options tls.enable on") to monitor 7-Mode Netapps

    Enabling NetApp API access:

    It is recommended that you create a new NetApp account with the  privileges detailed below.

    To create a new user called logicmonitor with only API access, on your NetApp filers perform these operations:

    useradmin role add APIrole -a api-*,login-http-admin
    useradmin group add APIGroup -r APIRole
    useradmin user add logicmonitor -g APIGroup
    New password:<secret>
    Retype new password:<secret> 

    (Note: to create a role with the current minimum API rights required, substitute this command for the command above, or use useradmin role modify if the role already exists:

    useradmin role add APIrole -a login-http-admin,api-perf*,api-disk-list*,api-volume-list*,api-system-get* 
     

    This grants read only API access sufficient for the current NetApp datasources, but may not be sufficient for future datasources that may use different API calls.).

    You would then specify these properties in LogicMonitor:

    netapp.user=logicmonitor
    netapp.pass=<secret> 
     

    By default, LogicMonitor will access the NetApp API over port 443, using HTTPS. To change the port that LogicMonitor will connect to the API on, set the property netapp.api.sslport to the appropriate port.

    If you wish to access the API using HTTP, instead of SSL:

    • Set the netapp.ssl property (globally, per group, or for a host)  to "false" to disable SSL access.
    • netapp.api.port will default to 80. If you wish to connect via HTTP to another port, set this property appropriately.

    Enabling NetApp SNMP access:

    Perform these operations from the netapp CLI:

    options snmp.enable                  on
    snmp community add ro <secret> 

    Note: if you have changed the default settings of options trusted.hosts or options snmp.access, ensure that the IP address of the collector for the filer is added to those options.  You can check your SNMP settings by simply entering snmp at the command line:

    labfiler01> snmp
     contact:
     ~
     location:
     ~ PDT
     authtrap:
     ~ 0
     init:
     ~ 1
     traphosts:
     community:
     ~ ro public 

    SSH Messages in NetApp Syslog

    After enabling LogicMonitor to monitor a NetApp, usually the NetApp will start logging messages similar to:

    [openssh.versionExchange.Fail:error]: Did not receive identification string from X.X.X.X 

    This is due to the fact that LogicMonitor checks the responsiveness of SSH on the NetApp, but does not complete an actual log in. The messages are harmless, but you can disable LogicMonitor's checking of SSH on the device if you wish to not generate the messages. (Of course, this will also prevent alerting if SSH fails to respond on the device.)

    Legacy / Deprecated Modules

    The following list of modules have been deprecated and/or replaced:

    LogicModule
    NetApp Aggregate Performance-
    NetApp Aggregate Snapshot Usage-
    NetApp Aggregate Usage Cluster-
    NetApp Aggregate Usage-
    NetApp Cluster HA-
    NetApp Cluster LIFs-
    NetApp Cluster Performance
    NetApp Cluster Performance post 8.2.2
    NetApp Cluster Volume Performance SVM-
    NetApp Cluster Volume Performance-
    NetApp SnapMirror Status for clusters-
    NetApp Vfiler-
    NetApp Volume Usage Cluster-
    NetApp Volume Usage SVM Cluster-
    NetAppBadOnTAP
    NetAppDisk-
    NetAppHBA-
    NetAppPAM-
    NetAppPerformance
    NetAppSMP-
    NetAppSnapMirrors-
    NetAppSnapVol-
    NetAppVol-
    NetAppVolPerf-
    NetAppVolPerf_microsec-
    NetAppEncl-
    NetAppEncl_7_3_2-
    NetAppHAPair-