
FAQ: ONTAP 9 Event Management System overview

Category: ontap-9
Specialty: core

Applies to

ONTAP 9

Answer

What is an EMS event message?
An EMS event is a record of something that happened in ONTAP 9; by default it is written to the Event Management System log. An EMS event message consists of several components, which can be viewed in the ONTAP event catalog.

Example of looking up the details of an EMS event message:
::> event catalog show -message-name monitor.volume.nearlyFull
     Message Name: monitor.volume.nearlyFull
         Severity: ALERT

      Description: This message occurs when one or more file systems are nearly full, typically indicating at least 95% full. This event is accompanied by global health monitoring messages for the customer. The space usage is computed based on the active file system size, which is the value of the "Used" field of the "volume show-space" command minus the value of its "Snapshot Reserve" field.

Corrective Action: Create space by increasing the volume or aggregate size, deleting data, or deleting Snapshot(R) copies. To increase the size of a volume, run the "volume size" command. To delete a volume's Snapshot(R) copies, run the "volume snapshot delete" command. To increase the size of an aggregate, add disks by running the "storage aggregate add-disks" command. Aggregate Snapshot(R) copies are deleted automatically when the aggregate is full.
SNMP Trap Type: Built-in
Is Deprecated: false

 

The unique identifier of any given event is its message name. In this example the message name is monitor.volume.nearlyFull. In addition, the severity is ALERT and the SNMP trap type associated with the event is "Built-in".
The severity of any given event message indicates the expected impact of the event. The severities and their meanings are listed below:

::> event catalog show -severity ?
  EMERGENCY                   Disruption
  ALERT                       Single point of failure
  ERROR                       Degradation
  NOTICE                      Information
  INFORMATIONAL               Information
  DEBUG                       Debug information
SNMP trap types are discussed in the ONTAP 9 Documentation Center. Before ONTAP 9, EMS event messages were routed to destinations by configuring each message individually:
 
ClusterA::*> even route show -message-name monitor.volume.nearlyFull -destinations ?
  (event route show)
  allevents
  asup
  criticals
  pager
  traphost

 

Eventually the EMS event message catalog kept growing and became hard to manage per message, so ONTAP 9 implemented a new filter-based system for routing event messages. In the new system, rule-based event filters collect the events to be delivered to event destinations, and event notifications associate an event filter with an event destination. After installing or upgrading to ONTAP 9, a basic configuration of event filters, event destinations and event notifications is in place by default. The default configuration can be disabled by deleting the event notification, but the built-in event filters and event destinations cannot be modified or deleted (they can, however, be copied into new user-customisable filters and destinations for further customisation).


ClusterA::*> event filter show
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
default-trap-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        include   *                      Standard, Built-in
                                                                      *
            4        exclude   *                      *               *
important-events
            1        include   *                      *               EMERGENCY, ALERT
            2        include   callhome.*             *               ERROR
            3        exclude   *                      *               *
no-info-debug-events
            1        include   *                      *               EMERGENCY, ALERT, ERROR, NOTICE
            2        exclude   *                      *               *
9 entries were displayed.
ClusterA::*> event notification show
ID   Filter Name                     Destinations
---- ------------------------------  -----------------
1    default-trap-events             snmp-traphost
ClusterA::*> event notification destination show
Name            Type        Destination
--------------  ----------  ---------------------
snmp-traphost   snmp        - (from "system snmp traphost")
ClusterA::*> system snmp traphost show
        -
The built-in destination "snmp-traphost" is linked to the default trap host configured for the storage system, either by running the "system snmp traphost add" command or by configuring it in OnCommand System Manager at a URL similar to the following:
https://<cluster management address>/sysmgr/SysMgr.html#SNMP


 
How ONTAP 9 EMS event filters work
Whenever an EMS event message is generated, it is compared against every configured EMS event filter. An EMS event filter is a list of rules that include or exclude any given EMS event message. Each message is compared against the rules in the filter in order, looking for a matching rule; as soon as a rule matches, rule processing stops. The last rule in every EMS event filter matches every event message and excludes it, so an EMS event message that did not match an earlier rule is excluded from the filter. Consequently, a newly created EMS event filter that has only the default rule matches no EMS event messages at all.
A custom EMS event filter can be created as in the following example:
ClusterA::> event filter create -filter-name Custom_Filter
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
            1        exclude   *                      *               *

 

Note that the newly created event filter automatically contains the default rule at position 1, which excludes event messages matching any criteria (message name, SNMP trap type and severity). This ensures the filter does not collect any unwanted EMS event messages. For the example EMS event message monitor.volume.nearlyFull, create a rule so that the new filter collects that message.

ClusterA::> event filter rule add -filter-name Custom_Filter -type include -message-name monitor.volume.nearlyFull
 
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
            1        include   monitor.volume.nearlyFull
                                                      *               *
            2        exclude   *                      *               *
2 entries were displayed.

 

This rule collects any event matching the message name monitor.volume.nearlyFull. Suppose, however, that all EMS event messages matching the query "monitor.volume.*" need to be collected; then you can replace the rule as follows:

ClusterA::> event filter rule delete -filter-name Custom_Filter -position 1
ClusterA::> event filter rule add -filter-name Custom_Filter -type include -message-name monitor.volume.*
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
            1        include   monitor.volume.*       *               *
            2        exclude   *                      *               *
Now, our rule will collect all of these EMS Event Messages:
ClusterA::> event catalog show -message-name monitor.volume.*
Message                          Severity         SNMP Trap Type
-------------------------------- ---------------- -----------------
monitor.volume.full              DEBUG            Built-in
monitor.volume.nearlyFull        ALERT            Built-in
monitor.volume.ok                DEBUG            Built-in
3 entries were displayed.

 

During testing, however, we decide that monitor.volume.ok does not need to be collected. So insert a rule that is processed earlier in the event filter and explicitly excludes that event message, as follows:

ClusterA::> event filter rule add -filter-name Custom_Filter -type exclude -message-name monitor.volume.ok -position 1
 
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
            1        exclude   monitor.volume.ok      *               *
            2        include   monitor.volume.*       *               *
            3        exclude   *                      *               *
3 entries were displayed.

 

These examples focus on the EMS event message name, but filtering by SNMP trap type or severity is also possible. So, for example, if you also want the filter to collect all events of severity ALERT, add a rule with that criterion.

ClusterA::> event filter rule add -filter-name Custom_Filter -type include -severity ALERT
 
ClusterA::> event filter show -filter-name Custom_Filter
Filter Name Rule     Rule      Message Name           SNMP Trap Type  Severity
            Position Type
----------- -------- --------- ---------------------- --------------- --------
Custom_Filter
            1        exclude   monitor.volume.ok      *               *
            2        include   monitor.volume.*       *               *
            3        include   *                      *               ALERT
            4        exclude   *                      *              *
4 entries were displayed.

What does the error "Command failed: This rule does not match any event. Enter a valid rule." mean?
For example:
ClusterA::>event filter rule add -filter-name Inodes_Events -type include -message-name wafl.vol.runningOutOfInodes -severity ALERT

Error: command failed: This rule does not match any event. Enter a valid rule.
This means the severity given for the EMS message is incorrect.

To verify:
ClusterA::*> event catalog show -message-name wafl.vol.runningOutOfInodes
Message Name: wafl.vol.runningOutOfInodes
Severity: ERROR

The severity should be ERROR, so the correct command is:
ClusterA::>event filter rule add -filter-name Inodes_Events -type include -message-name wafl.vol.runningOutOfInodes -severity ERROR
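The filter semantics described above (ordered rules, first match wins, trailing catch-all exclude) and the "This rule does not match any event" check are small enough to model exactly. The following Python is an added example written for this article, not NetApp code and not the ONTAP implementation: it replays the Custom_Filter walkthrough against a constructed catalog excerpt (the four message names and severities quoted on the page) and rejects a rule that matches no catalog entry, just as the Inodes_Events example fails. Treating the trailing catch-all exclude as non-removable is an assumption of the model; the comma-separated field values ("EMERGENCY, ALERT", "Standard, Built-in") are matched as lists, which is how the built-in filters print them.

```python
from __future__ import annotations
import fnmatch
from dataclasses import dataclass, field

# Constructed catalog excerpt: values are (severity, snmp_trap_type),
# taken from the 'event catalog show' output quoted in the article.
CATALOG = {
    "monitor.volume.full": ("DEBUG", "Built-in"),
    "monitor.volume.nearlyFull": ("ALERT", "Built-in"),
    "monitor.volume.ok": ("DEBUG", "Built-in"),
    "wafl.vol.runningOutOfInodes": ("ERROR", "Built-in"),
}


def field_matches(pattern: str, value: str) -> bool:
    """A rule field is '*' or a comma-separated list of values; message
    names may also carry glob wildcards such as monitor.volume.*"""
    return any(fnmatch.fnmatchcase(value, p.strip()) for p in pattern.split(","))


@dataclass(frozen=True)
class Rule:
    rule_type: str                 # "include" or "exclude"
    message_name: str = "*"
    snmp_trap_type: str = "*"
    severity: str = "*"            # e.g. "EMERGENCY, ALERT"

    def matches(self, name: str, trap_type: str, severity: str) -> bool:
        return (field_matches(self.message_name, name)
                and field_matches(self.snmp_trap_type, trap_type)
                and field_matches(self.severity, severity))

    def matches_catalog(self) -> bool:
        # ONTAP rejects a rule that matches nothing in the event catalog
        return any(self.matches(n, t, s) for n, (s, t) in CATALOG.items())


@dataclass
class EventFilter:
    name: str
    rules: list[Rule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # A new filter starts with only the catch-all exclude rule at position 1
        if not self.rules:
            self.rules = [Rule("exclude")]

    def add_rule(self, rule: Rule, position: int | None = None) -> None:
        # 'event filter rule add': without -position the new rule is placed
        # just in front of the trailing catch-all exclude rule
        if not rule.matches_catalog():
            raise ValueError("This rule does not match any event. Enter a valid rule.")
        if position is None:
            position = len(self.rules)
        self.rules.insert(position - 1, rule)

    def delete_rule(self, position: int) -> None:
        # 'event filter rule delete -position N' (assumption: the trailing
        # catch-all exclude rule is not removable in this model)
        if position == len(self.rules):
            raise ValueError("the default catch-all exclude rule cannot be deleted")
        del self.rules[position - 1]

    def collects(self, name: str, trap_type: str, severity: str) -> bool:
        # The first matching rule decides; the trailing exclude guarantees a decision
        for rule in self.rules:
            if rule.matches(name, trap_type, severity):
                return rule.rule_type == "include"
        return False

    def show(self) -> list[tuple]:
        # Rows in the shape of 'event filter show'
        return [(i + 1, r.rule_type, r.message_name, r.snmp_trap_type, r.severity)
                for i, r in enumerate(self.rules)]


# The built-in default-trap-events filter exactly as the article prints it
DEFAULT_TRAP_EVENTS = EventFilter("default-trap-events", [
    Rule("include", severity="EMERGENCY, ALERT"),
    Rule("include", message_name="callhome.*", severity="ERROR"),
    Rule("include", snmp_trap_type="Standard, Built-in"),
    Rule("exclude"),
])


def build_custom_filter() -> EventFilter:
    """Replays the article's Custom_Filter commands step by step."""
    f = EventFilter("Custom_Filter")
    f.add_rule(Rule("include", message_name="monitor.volume.nearlyFull"))
    f.delete_rule(1)
    f.add_rule(Rule("include", message_name="monitor.volume.*"))
    f.add_rule(Rule("exclude", message_name="monitor.volume.ok"), position=1)
    f.add_rule(Rule("include", severity="ALERT"))
    return f


def evaluate(flt: EventFilter) -> dict[str, bool]:
    """Which catalog messages the filter would collect."""
    return {n: flt.collects(n, t, s) for n, (s, t) in CATALOG.items()}


if __name__ == "__main__":
    custom = build_custom_filter()
    for row in custom.show():
        print(*row)
    print(evaluate(custom))
    print(evaluate(DEFAULT_TRAP_EVENTS))
```

Running the file prints the four-rule Custom_Filter in the order the article shows and then the per-message verdicts. Note that default-trap-events collects monitor.volume.full and monitor.volume.ok even though they are DEBUG, because rule 3 matches on SNMP trap type alone; that is why the Custom_Filter walkthrough needs its explicit exclude at position 1.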


For details of the commands used to manage EMS event filters, see the following link:
ONTAP 9 Documentation Center
 
How ONTAP 9 EMS event notification destinations work
ONTAP 9 event notification destinations control the delivery of the EMS event messages collected by EMS event filters. A destination can be an email address, a syslog server, an SNMP trap host or a REST API server. By default, the only EMS event notification destination is the built-in "snmp-traphost", which cannot be deleted and maps to the SNMP trap host configuration under "system snmp traphost", which can be configured separately (or not at all).
ClusterA::> event notification destination show
Name            Type        Destination
--------------  ----------  ---------------------
snmp-traphost   snmp        - (from "system snmp traphost")
ClusterA::> system snmp traphost show
        -

 

Additional custom event destinations can be created with the following command:

ClusterA::> event notification destination create
Usage:
   [-name]              Destination Name
   { [-email]   Email Destination
   | [-syslog]          Syslog Destination
   | [-rest-api-url]    REST API Server URL
    [[-certificate-authority] ]
                             Client Certificate Issuing CA
    [ -certificate-serial ] }
                              Client Certificate Serial Number
 
ClusterA::> event notification destination create Custom_Destination_syslog -syslog 1.2.3.4
 
ClusterA::> event notification destination create Custom_Destination_email -email user@domain.com
ClusterA::> event notification destination show
Name            Type        Destination
--------------  ----------  ---------------------
Custom_Destination_email
                email      user@domain.com (via "localhost" from "admin@localhost", configured in "event config")
Custom_Destination_syslog
                syslog      1.2.3.4
snmp-traphost   snmp        - (from "system snmp traphost")
3 entries were displayed.
 
The custom EMS event notification destination for syslog has the IP address 1.2.3.4. Note the comment in parentheses for the event notification destination of type "email", which shows the mail server and source email address configured in the event configuration:
ClusterA::> event config show
                      Mail From:  admin@localhost
                    Mail Server:  localhost
                      Proxy URL:  -
                     Proxy User:  -
How EMS event notifications work
An EMS event notification defines the mapping between the payload collected by an EMS event filter and the delivery targets defined as EMS event notification destinations. By default, one EMS event notification is preconfigured, mapping the built-in default-trap-events EMS event filter to the built-in snmp-traphost EMS event notification destination. This default EMS event notification can be deleted if required.
ClusterA::> event notification show
ID   Filter Name                     Destinations
---- ------------------------------  -----------------
1    default-trap-events             snmp-traphost
ClusterA::> event notification delete 1
ClusterA::> event notification show
This table is currently empty.

 

When creating an EMS event notification, specify exactly one EMS event filter and one or more EMS event notification destinations. EMS event messages are automatically converted to the appropriate format for each EMS event notification destination according to its type (email, SNMP, syslog event message, and so on).

ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_email
 
ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_syslog
ClusterA::vserver> event notification show
ID   Filter Name                     Destinations
---- ------------------------------  -----------------
1    Custom_Filter                   Custom_Destination_email
2    Custom_Filter                  Custom_Destination_syslog
2 entries were displayed.
One EMS event filter can be referenced in multiple EMS event notifications, which can introduce redundancy if done carelessly:
ClusterA::vserver> event notification create -filter-name Custom_Filter -destination Custom_Destination_syslog,Custom_Destination_email
 
ClusterA::vserver> event notification show
ID   Filter Name                     Destinations
---- ------------------------------  -----------------
1    Custom_Filter                   Custom_Destination_email
2    Custom_Filter                   Custom_Destination_syslog
3    Custom_Filter                   Custom_Destination_syslog, Custom_Destination_email
3 entries were displayed.

 

If an EMS event filter is deleted, any corresponding EMS event notifications are deleted as well. If an EMS event notification destination is deleted, it is automatically removed from any EMS event notification (and if it was the last EMS event destination defined in that notification, the EMS event notification is deleted too):

ClusterA::> event notification destination delete -name Custom_Destination_syslog
 
Warning: The destination will be deleted from all notifications, if present. If
         this was the only destination in the notification, it will be deleted
         too.
Do you want to continue? {y|n}: y
 
ClusterA::> event filter delete -filter-name Custom_Filter
 
Warning: Deleting this filter will delete the notification as well.
Do you want to continue? {y|n}: y
 
ClusterA::> event filter delete -filter-name Custom_Filter
ClusterA::> event notification show
This table is currently empty.
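The notification behaviour described in this section (one filter per notification, the duplicate-delivery risk when one filter is referenced by several notifications, and the two deletion cascades) can be checked before touching a cluster. The Python below is an added example written for this article, not NetApp code and not the ONTAP implementation: it models the destination and notification tables, replays the three-notification setup shown above to flag which destinations would receive the same event more than once, then applies the destination and filter deletions and shows what survives. Filters are tracked by name only, notification IDs are allocated as the lowest unused positive integer (the article's listing restarts at 1 after the default notification is deleted), and the non-deletable status of the built-in filter and destination is taken from the text.

```python
from dataclasses import dataclass, field

BUILTIN_FILTER = "default-trap-events"
BUILTIN_DESTINATION = "snmp-traphost"


@dataclass
class EmsNotificationConfig:
    """Constructed model of 'event notification destination', 'event
    notification' and the deletion cascades the article describes."""
    filters: set = field(default_factory=lambda: {BUILTIN_FILTER})
    destinations: dict = field(default_factory=dict)   # name -> (type, target)
    notifications: dict = field(default_factory=dict)  # id -> (filter, [dests])

    def __post_init__(self) -> None:
        # State after install/upgrade: the built-in destination and a single
        # default notification mapping default-trap-events to snmp-traphost
        self.destinations[BUILTIN_DESTINATION] = ("snmp", '- (from "system snmp traphost")')
        self.create_notification(BUILTIN_FILTER, [BUILTIN_DESTINATION])

    def create_filter(self, name: str) -> None:
        self.filters.add(name)

    def create_destination(self, name: str, dest_type: str, target: str) -> None:
        if name in self.destinations:
            raise ValueError(f"destination {name} already exists")
        self.destinations[name] = (dest_type, target)

    def create_notification(self, filter_name: str, dest_names: list) -> int:
        # Exactly one existing filter and one or more existing destinations
        if filter_name not in self.filters:
            raise ValueError(f"unknown filter {filter_name}")
        unknown = [d for d in dest_names if d not in self.destinations]
        if unknown or not dest_names:
            raise ValueError(f"unknown or missing destinations: {unknown}")
        # Assumption: IDs are reused, lowest unused positive integer first
        nid = next(i for i in range(1, len(self.notifications) + 2)
                   if i not in self.notifications)
        self.notifications[nid] = (filter_name, list(dest_names))
        return nid

    def delete_notification(self, nid: int) -> None:
        del self.notifications[nid]

    def delete_destination(self, name: str) -> None:
        # Removed from every notification; a notification left without any
        # destination is deleted too (the warning shown in the article)
        if name == BUILTIN_DESTINATION:
            raise ValueError("the built-in snmp-traphost destination cannot be deleted")
        del self.destinations[name]
        for nid, (flt, dests) in list(self.notifications.items()):
            remaining = [d for d in dests if d != name]
            if remaining:
                self.notifications[nid] = (flt, remaining)
            else:
                del self.notifications[nid]

    def delete_filter(self, name: str) -> None:
        # Deleting a filter deletes every notification that references it
        if name == BUILTIN_FILTER:
            raise ValueError("built-in filters cannot be deleted")
        self.filters.discard(name)
        for nid, (flt, _) in list(self.notifications.items()):
            if flt == name:
                del self.notifications[nid]

    def deliveries(self, filter_name: str) -> dict:
        # How many notifications would forward one event collected by this
        # filter to each destination; anything above 1 is a duplicate delivery
        counts: dict = {}
        for flt, dests in self.notifications.values():
            if flt == filter_name:
                for d in dests:
                    counts[d] = counts.get(d, 0) + 1
        return counts

    def redundant_destinations(self, filter_name: str) -> list:
        return sorted(d for d, n in self.deliveries(filter_name).items() if n > 1)


def replay_article() -> EmsNotificationConfig:
    """Builds the configuration the article shows just before the deletions."""
    cfg = EmsNotificationConfig()
    cfg.delete_notification(1)
    cfg.create_filter("Custom_Filter")
    cfg.create_destination("Custom_Destination_syslog", "syslog", "1.2.3.4")
    cfg.create_destination("Custom_Destination_email", "email", "user@domain.com")
    cfg.create_notification("Custom_Filter", ["Custom_Destination_email"])
    cfg.create_notification("Custom_Filter", ["Custom_Destination_syslog"])
    cfg.create_notification("Custom_Filter", ["Custom_Destination_syslog", "Custom_Destination_email"])
    return cfg


if __name__ == "__main__":
    cfg = replay_article()
    print("duplicate delivery to:", cfg.redundant_destinations("Custom_Filter"))
    cfg.delete_destination("Custom_Destination_syslog")
    print("after destination delete:", cfg.notifications)
    cfg.delete_filter("Custom_Filter")
    print("after filter delete:", cfg.notifications)
```

A `redundant_destinations` check of this kind is worth running whenever a filter is attached to a new notification: the third notification in the article makes every event collected by Custom_Filter arrive twice at both the syslog server and the mailbox, which inflates alert volume at the receiving SIEM without adding information.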
 
  

Additional information

Not applicable

 
