Converting NetApp Filer to syslog – and MS API Changes…

One of the things that is done with EventReporter and MonitorWare Agent is forwarding NetApp Filer event logs via syslog. There are essentially two ways to do this: either via backup event log files (*.evt), which NetApp writes in a Windows-compatible format, or (a newer approach) via an Event Log API emulation inside the NetApp box. If you would like details, you can find them in our NetApp EventLog to Syslog forwarding paper.

Unfortunately, changes in recent Windows versions cause some trouble with the way the forwarding works. Microsoft seems to have changed the on-disk format of backup event log files. That in itself is fine and is something that can happen. What I find strange is that Microsoft no longer supplies code inside Windows (and its APIs!) to read downlevel event logs. So, for example, on Windows 2008 it is no longer possible to read a backup event log from an older release. This includes the NetApp .evt files, as they are written in the older Windows format.

I do not understand the Microsoft decision. It would not have been hard to preserve backward compatibility: a header flag inside the file plus very little code inside the operating system would have been sufficient. But without that, we see the problem that the NetApp .evt files cannot be accessed by Windows Event Viewer and, consequently, not yet by our eventlog-to-syslog tools either. Thankfully, though, we support all modes NetApp provides, so the work-around is to use the NetApp Event Log API emulation, which also gets the necessary information out to syslog. But, again, I do not understand how Microsoft can break backward compatibility in such an unnecessary way.
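As an added example (not code from the original post, nor from EventReporter or MonitorWare Agent), the following Python script shows the two on-disk formats side by side: it sniffs whether a file is a legacy .evt backup log (the "LfLe"-signed layout that Windows 2008 no longer opens through its APIs) or a new-style .evtx file, and for the legacy layout walks the records directly, so they can be rendered as syslog message text without going through the Windows event log API at all. The header and record layout follow the documented EVENTLOGHEADER and EVENTLOGRECORD structures; the sample file bytes, the source/computer names and the syslog line format are constructed here and are my own assumptions, not captured from a filer.

```python
import struct
from datetime import datetime, timezone

LEGACY_SIGNATURE = 0x654C664C               # b"LfLe" read as little-endian uint32
EVTX_MAGIC = b"ElfFile\x00"                 # file magic of the Vista/2008-style .evtx format
HEADER_FMT = "<12I"                         # EVENTLOGHEADER: twelve uint32 fields
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 48 bytes
RECORD_FMT = "<IIIIIIHHHHIIIIII"            # EVENTLOGRECORD fixed part
RECORD_FIXED = struct.calcsize(RECORD_FMT)  # 56 bytes
EVENT_TYPES = {1: "error", 2: "warning", 4: "info", 8: "audit_success", 16: "audit_failure"}


def detect_format(data: bytes) -> str:
    """Return 'evtx', 'evt-legacy' or 'unknown' from the first bytes of a file."""
    if data.startswith(EVTX_MAGIC):
        return "evtx"
    if len(data) >= HEADER_SIZE:
        header_size, signature = struct.unpack_from("<II", data, 0)
        if header_size == HEADER_SIZE and signature == LEGACY_SIGNATURE:
            return "evt-legacy"
    return "unknown"


def parse_legacy_header(data: bytes) -> dict:
    names = ("header_size", "signature", "major", "minor", "start_offset", "end_offset",
             "current_record", "oldest_record", "max_size", "flags", "retention", "end_header_size")
    return dict(zip(names, struct.unpack_from(HEADER_FMT, data, 0)))


def _read_utf16z(data: bytes, off: int):
    """Read a NUL-terminated UTF-16LE string; return (text, offset after the terminator)."""
    end = off
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le"), end + 2


def iter_legacy_records(data: bytes):
    """Yield one dict per EVENTLOGRECORD; stops at the EOF record, which lacks the 'LfLe' signature."""
    off = parse_legacy_header(data)["start_offset"]
    while off + RECORD_FIXED <= len(data):
        (length, signature, record_number, time_generated, _time_written, event_id,
         event_type, num_strings, category, _flags, _closing, string_off,
         _sid_len, _sid_off, _data_len, _data_off) = struct.unpack_from(RECORD_FMT, data, off)
        if signature != LEGACY_SIGNATURE or length < RECORD_FIXED:
            break
        source, nxt = _read_utf16z(data, off + RECORD_FIXED)  # SourceName follows the fixed part
        computer, _ = _read_utf16z(data, nxt)                  # then Computername
        strings, pos = [], off + string_off                    # StringOffset is record-relative
        for _ in range(num_strings):
            text, pos = _read_utf16z(data, pos)
            strings.append(text)
        yield {"record_number": record_number, "time_generated": time_generated,
               "event_id": event_id & 0xFFFF,                  # low 16 bits carry the event code
               "event_type": event_type, "category": category,
               "source": source, "computer": computer, "strings": strings}
        off += length


def render_syslog_msg(rec: dict) -> str:
    """Render a record as plain text suitable for the MSG part of a syslog message (own format)."""
    ts = datetime.fromtimestamp(rec["time_generated"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    kind = EVENT_TYPES.get(rec["event_type"], "unknown")
    return f'{ts} {rec["computer"]} {rec["source"]}: [{rec["event_id"]}/{kind}] ' + " | ".join(rec["strings"])


# --- constructed sample data (not captured from a real filer) ---------------
def build_legacy_record(record_number, event_id, event_type, timestamp, source, computer, strings):
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    string_off = RECORD_FIXED + len(body)
    body += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    data_off = RECORD_FIXED + len(body)
    body += b"\x00" * ((-(RECORD_FIXED + len(body) + 4)) % 4)  # pad record to a 4-byte multiple
    length = RECORD_FIXED + len(body) + 4                       # includes the trailing Length copy
    fixed = struct.pack(RECORD_FMT, length, LEGACY_SIGNATURE, record_number, timestamp, timestamp,
                        event_id, event_type, len(strings), 0, 0, 0, string_off, 0, 0, 0, data_off)
    return fixed + body + struct.pack("<I", length)


def build_legacy_file(records) -> bytes:
    body = b"".join(records)
    start, end = HEADER_SIZE, HEADER_SIZE + len(body)
    header = struct.pack(HEADER_FMT, HEADER_SIZE, LEGACY_SIGNATURE, 1, 1, start, end,
                         len(records) + 1, 1, 0x10000, 0, 0, HEADER_SIZE)
    eof = struct.pack("<10I", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444,
                      start, end, len(records) + 1, 1, 0x28)   # EOF record (0x28 bytes)
    return header + body + eof


SAMPLE_LEGACY = build_legacy_file([
    build_legacy_record(1, 1000, 4, 1230768000, "NetApp", "filer01", ["Volume vol0 is 95% full"]),
    build_legacy_record(2, 2002, 1, 1230768060, "NetApp", "filer01", ["Disk 0a.17 failed", "shelf 1"]),
])
SAMPLE_EVTX = EVTX_MAGIC + b"\x00" * 40   # only the magic is needed for format detection here

if __name__ == "__main__":
    print(detect_format(SAMPLE_LEGACY), detect_format(SAMPLE_EVTX))
    for rec in iter_legacy_records(SAMPLE_LEGACY):
        print(render_syslog_msg(rec))
```

The parser assumes the linear layout of a backup file (records from StartOffset up to the EOF record, no wrap-around), which is what BackupEventLog-style files have; it skips the SID and binary data blocks, and a malformed record without the signature simply ends the walk instead of being trusted. A sniff like `detect_format` is a cheap first check before deciding whether a given .evt file can go through the native API on a newer Windows release or needs the emulation route described above.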

Anyhow, things are as they are ;) We are also looking at ways to process the NetApp backup event log files even under these new constraints, and as you know, we are already full of ideas. Of course, I also recommended opening a support ticket with Microsoft; I am eager to learn the official response to this situation (and maybe a solution). I've been told we'll open the ticket today, so let's see what comes out of all that…