We have configured audit logs to be sent via syslog to a Splunk server using the command:
cluster log-forwarding create -destination xx.xx.xx.xx -port 514 -protocol tcp-unencrypted -verify-server false -facility user
But it seems that logs are sent only from node 1 of the NetApp storage array, so node 2 always shows up as not sending anything to Splunk.
Is it normal? I mean, are all logs normally sent only from node 1?
The storage is a FAS8200, ONTAP version is 9.7P17.
Thanks in advance for any information.