Thank you for your explanation, but I still don't understand it. And I found that the second link in my topic is wrong, it should be https://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-970/event__destination__create.html.

The description of this commands shows: The event destination create command creates a new event destination. An event destination is a list of addresses that receive event notifications. These addresses can be e-mail addresses, SNMP trap hosts, and syslog servers.

So suppose I have a Splunk server, and I want to send my FAS8200 syslog to my Splunk server. Which command should I choose to use?

cluster1::> cluster log-forwarding create -destination <Splunk IP>

 or

cluster1::> event destination create -name syslog01 -syslog <Splunk IP>

Thank you very much! 👍

cluster1::> cluster log-forwarding create -destination <Splunk IP>

By the way, I re-read the description of this command: You can forward the audit log to a maximum of 10 destinations that you specify by using the cluster log-forwarding create command. For example, you can forward the log to a Splunk or syslog server for monitoring, analysis, or backup purposes.

Can I think: NetApp's existing logs can be exported to a SIEM system like Splunk for log analysis or archiving using this command?

this is a great answer, thanks a lot!

I have 3 questions

- is it possible to use a specific port for the event logging?

::*> event notification destination create -syslog server01:1234 -name test

- is a good practise to forwarding audit logs (cluster log-forwarding create) & event logs (event notification destination create) to same server? 
 

- what is the best practise for the setting the facility level?

*> cluster log-forwarding create -destination bla -port 514 -protocol udp-unencrypted -verify-server false -facility
    kern   user   local0 local1 local2 local3 local4 local5 local6 local7

Cluster syslog forwarding: what does each facility represent?