English

Configuring the ONTAP SVM Data Collector

Contributors netapp-alavoie Download PDF of this page

Cloud Secure uses data collectors to collect file and user access data from devices.

Before you begin

  • This data collector is supported on Data ONTAP 9.1 and later versions.

  • Only data type SVMs are supported. SVMs with infinite/flexgroup volumes are not supported

  • SVM has several sub-types. Of these, only default and sync_source are supported.

  • An Agent must be configured before you can configure data collectors.

  • Make sure that you have a properly configured LDAP Data Connector, otherwise events will show encoded user names and not the actual name of the user (as stored in Active Directory) in the “Activity Forensics” page.

  • A separate subnet must be used for FPolicy traffic.

  • You must add an SVM using one of the two methods:

    • By Using Cluster IP, SVM name, and Cluster Management Username and Password

      • SVM name must be exactly as is shown in ONTAP and is case-sensitive.

    • By Using SVM Vserver Management IP, Username, and Password

    • If you are not able or not willing to use the full Administrator Cluster/SVM Management Username and Password, you can create a custom user with lesser privileges as mentioned in the “A note about permissions” section below. This custom user can be created for either SVM or Cluster access.

  • Ensure the correct applications are set for the SVM by executing the following command:

    clustershell::> security login show -vserver <vservername> -user-or-group-name <username>

Example output:
SVM Command Output Example

  • Ensure that the SVM has a CIFS server configured:
    clustershell::> vserver cifs show

    The system returns the Vserver name, CIFS server name and additional fields.

  • Set a password for the SVM vsadmin user. If using custom user, skip this step.
    clustershell::> security login password -username vsadmin -vserver svmname

  • Unlock the SVM vsadmin user for external access. If using custom user, skip this step.
    clustershell::> security login unlock -username vsadmin -vserver svmname

  • Ensure the firewall-policy of the data LIF is set to ‘mgmt’ (not ‘data’).
    clustershell::> network interface modify -lif <SVM_data_LIF_name> -firewall-policy mgmt

  • When a firewall is enabled, you must have an exception defined to allow TCP traffic for the port using the Data ONTAP Data Collector.

    See Agent requirements for configuration information. This applies to on-premise Agents and Agents installed in the Cloud.

  • When an Agent is installed in an AWS EC2 instance to monitor a Cloud ONTAP SVM, the Agent and Storage must be in the same VPC. If they are in separate VPCs, there must be a valid route between the VPC’s.

A Note About Permissions

Permissions when adding via Cluster Management IP:

If you cannot use the Cluster management administrator user to allow Cloud Secure to access the ONTAP SVM data collector, you can create a new user named “csuser” with the roles as shown in the commands below. Use the username “csuser” and password for “csuser” when configuring the Cloud Secure data collector to use Cluster Management IP.

To create the new user, log in to ONTAP with the Cluster management Administrator username/password, and execute the following commands on the ONTAP server:

security login role create -role csrole -cmddirname DEFAULT -access none
security login role create -role csrole -cmddirname "network interface" -access readonly
security login role create -role csrole -cmddirname version -access readonly
security login role create -role csrole -cmddirname volume -access readonly
security login role create -role csrole -cmddirname vserver -access readonly
security login role create -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -role csrole -cmddirname "volume snapshot" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole

Permissions when adding via Vserver Management IP:

If you cannot use the Cluster management administrator user to allow Cloud Secure to access the ONTAP SVM data collector, you can create a new user named “csuser” with the roles as shown in the commands below. Use the username “csuser” and password for “csuser” when configuring the Cloud Secure data collector to use Vserver Management IP.

To create the new user, log in to ONTAP with the Cluster management Administrator username/password, and execute the following commands on the ONTAP server. For ease, copy these commands to a text editor and replace the <vservername> with your Vserver name before and executing these commands on ONTAP:

security login role create -vserver <vservername> -role csrole -cmddirname DEFAULT -access none
security login role create -vserver <vservername> -role csrole -cmddirname "network interface" -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname version -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname volume -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname vserver -access readonly
security login role create -vserver <vservername> -role csrole -cmddirname "vserver fpolicy" -access all
security login role create -vserver <vservername> -role csrole -cmddirname "volume snapshot" -access all
security login create -user-or-group-name csuser -application ontapi -authmethod password -role csrole -vserver <vservername>

Configure the data collector

Steps for Configuration
  1. Log in as Administrator or Account Owner to your Cloud Insights environment.

  2. Click Admin > Data Collectors > +Data Collectors

    The system displays the available Data Collectors.

  3. Click the NetApp SVM tile.

    The system displays the ONTAP SVM configuration page. Enter the required data for each field.

Configuration

Field

Description

Name

Unique name for the Data Collector

Agent

Select a configured agent from the list.

Connect via Management IP for:

Select either Cluster IP or SVM Management IP

Cluster / SVM Management IP Address

The IP address for the cluster or the SVM, depending on your selection above.

SVM Name

The Name of the SVM (this field is required when connecting via Cluster IP)

Username

User name to access the SVM/Cluster

Password

Password for the above user name

Filter Shares/Volumes

Choose whether to include or exclude Shares / Volumes from event collection

Enter complete share names to exclude/include

Comma-separated list of shares to exclude or include (as appropriate) from event collection

Enter complete volume names to exclude/include

Comma-separated list of volumes to exclude or include (as appropriate) from event collection

After you finish
  • In the Installed Data Collectors page, use the options menu on the right of each collector to edit the data collector. You can restart the data collector or edit data collector configuration attributes.

Troubleshooting

Known problems and their resolutions are described in the following table.

Problem: Resolution:

Agent is in Connected State and ONTAP Data collector is in Error State.
"Unable to define the state of datasource with id:<ID>"

Ensure Docker service is running on the agent.

Error message: "Connection to the FPolicy server <IP> is broken. ( reason: "FPolicy server is removed from external engine." )"

SVM is unable to reach the Fpolicy Server.
Make sure there is route available from SVM to the Fpolicy Server. Login to the SVM and ping the Fpolicy Server IP address.
Also, in instances where the same SVM was added in two different Cloud Secure environments (tenants), the last one will always succeed. The second collector will configure fpolicy with its own IP address and kick out the first one. So the collector in the first one will stop receiving events and its "audit" service will enter into error state.
To prevent this, configure each SVM on a single environment.

DSC reports Error Message: “No local IP address found on the connector that can reach the data interfaces of the SVM”.

While adding the DSC via SVM IP and vsadmin credentials, check if the SVM Lif has Data plus Mgmt role enabled.
If yes, create an SVM Mgmt Only Lif and try connecting via this SVM management only Lif.

Message: "Failed to determine ONTAP type for [hostname: <IP Address>. Reason: Connection error to Storage System <IP Address>: Host is unreachable (Host unreachable)"

Verify that the correct SVM IP Management address or Cluster Management IP has been provided.

Error Message: "Connector is in error state. Service.name: audit. Reason for failure: External fpolicy server terminated."

It is most likely that a firewall is blocking the necessary ports in the agent machine. Verify the port range 35001-35100/tcp is opened for the agent machine to connect from the SVM. Also ensure that there are no firewalls enabled from the ONTAP side blocking communication to the agent machine.

No events seen in activity page.

Check if ONTAP collector is in “RUNNING” state. If yes, then ensure that some cifs events are being generated on the cifs client VMs.