Anyone doing anything with netapp fpolicy and syslog? A long shot question for this group - but giving it a try.
i routed the netapp (7mode and cluster mode) syslogs to cribl and splunk a long time back. did a bunch of basic reduction. also separated out the audit data from the syslog feed with a separate sourcetype
Did you do the data/filer activity or the simpler administrative audit data?
for the netapp fpolicy data - i used stealthbits (now netwrix) to receive the fpolicy binary data, decode it, then had a UF route into stream. got 50% reduction and then routed to splunk
for the filer activity - i split the audit info to separate sourcetype from the ops traditional syslog data. security was more interested in who was changing what filer settings, but ops wanted the raw syslog for troubleshooting things like ldap or dns issues, etc
How was stealthbits?
I'd prefer to have netapp drop this silly fpolicy and just do syslog - but they don't seem to have much interest
the fpolicy data was extremely useful - both for security and ops. it can be very voluminous so be sure to tune the fpolicy to what you need. there are also some other companies who can receive the fpolicy data, decode it and pass it along