Audit logs: (It's up to you)
Audit logs (Since 9.x) only contains management related activities from the three shells for CLI commands—the clustershell, the nodeshell, and the non-interactive systemshell (interactive systemshell commands are not logged)—as well as API commands.  The audit.log file is sent by the AutoSupport tool to the specified recipients. However, you can also forward the content securely to external destinations that you specify; for example, a Splunk or a syslog server.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-sag%2FGUID-9F8EB0DF-12F5-4DA9-B14B-34487DE3717D.html

EMS Events: (More important)
To log notifications of the most severe (Important) events on a syslog server, you must configure the EMS to forward notifications for events that signal important activity.
https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-ssg%2FGUID-2C98AC64-51D7-44F9-8D29-75BAC122D5E6.html

If you want to know what those important events are, then run this command:
::> event catalog show -filter-name important-events

Thank you for your explanation, but I still don't understand it. And I found that the second link in my topic is wrong, it should be https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/event__destination__create.html.

The description of this commands shows: The event destination create command creates a new event destination. An event destination is a list of addresses that receive event notifications. These addresses can be e-mail addresses, SNMP trap hosts, and syslog servers.

So suppose I have a Splunk server, and I want to send my FAS8200 syslog to my Splunk server. Which command should I choose to use?

cluster1::> cluster log-forwarding create -destination <Splunk IP>

 or

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Thank you very much! 👍

cluster1::> cluster log-forwarding create -destination <Splunk IP>

By the way, I re-read the description of this command: You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

Can I think: NetApp's existing logs can be exported to a SIEM system like Splunk for log analysis or archiving using this command?

this is a great answer, thanks a lot!

I have 3 questions

- is it possible to use a specific port for the event logging?

::*> event notification destination create -syslog server01:1234 -name test

- is a good practise to forwarding audit logs (cluster log-forwarding create) & event logs (event notification destination create) to same server? 
 

- what is the best practise for the setting the facility level?

*> cluster log-forwarding create -destination bla -port 514 -protocol udp-unencrypted -verify-server false -facility
    kern   user   local0 local1 local2 local3 local4 local5 local6 local7

Cluster syslog forwarding: what does each facility represent?