I wanted to better understand syslog events for a given AOS cluster. It appears that a single node is designated as the ‘syslog leader’ and forwards all events to the destination collector. Thus, the remaining nodes send few or no events to the collector. Is this correct?
My clusters run AOS version 5.15.4 LTS for what it’s worth.
Thank you, Raaji. I am curious to know if each of the CVMs forwards its syslog messages to the destination server individually or if a single CVM in the cluster forwards every syslog message for all of the other CVMs in the cluster.
I am only asking this because it appears that way in our cluster - where one CVM is active with sending syslog messages but our syslog server hasn’t received messages from the other CVMs in the same cluster for several days or weeks.
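One way to answer the question above from the collector side, as an added example that is not part of this thread or of any Nutanix tooling: parse the lines the syslog server actually received, record the last timestamp per source host, and list every CVM that has been silent longer than a threshold. A CVM that stops reporting is a monitoring gap whether the cause is a leader-only forwarding design or a broken client, so this is the check worth running before drawing conclusions. The sample lines, the `ntnx-cvm-*` hostnames, the year and the classic RFC 3164 line layout (`Mon DD HH:MM:SS host tag: msg`) are all assumptions for the example; adjust the regex to whatever format your collector stores.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what a collector might hold for a 3-node cluster.
# Layout assumed to be RFC 3164 style; whether a given AOS build emits exactly
# this is an assumption of the example, not something the thread states.
SAMPLE_LINES = """\
Mar  1 08:00:01 ntnx-cvm-1 genesis[1234]: leader heartbeat ok
Mar  1 08:05:12 ntnx-cvm-2 sshd[2211]: Accepted publickey for nutanix from 10.0.0.5
Mar  9 10:30:00 ntnx-cvm-1 audit[5678]: user=admin action=ncli op=cluster.info
Mar 10 11:45:09 ntnx-cvm-1 sshd[3412]: Accepted password for nutanix from 10.0.0.7
""".splitlines()

# Hosts we expect to hear from; in practice take this from the cluster inventory.
EXPECTED_HOSTS = ["ntnx-cvm-1", "ntnx-cvm-2", "ntnx-cvm-3"]

# RFC 3164 timestamps carry no year, so the caller supplies it (assumed 2021 here).
SAMPLE_YEAR = 2021
SAMPLE_NOW = datetime(2021, 3, 10, 12, 0, 0)  # constructed "current time"
MAX_SILENCE = timedelta(days=7)

# Timestamp, then a single hostname token, then the tag/message we ignore.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def parse_line(line, year):
    """Return (host, datetime) for a syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # strptime treats a space in the format as one-or-more whitespace,
    # so the day-padding double space in "Mar  1" parses correctly.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return m.group("host"), ts


def last_seen_by_host(lines, year):
    """Map each source host to the newest timestamp observed for it."""
    seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # skip lines in another format rather than miscount
        host, ts = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(expected_hosts, seen, now, max_silence):
    """Hosts never seen, or not seen within max_silence of now, sorted by name."""
    cutoff = now - max_silence
    return sorted(h for h in expected_hosts if h not in seen or seen[h] < cutoff)


def check_sample():
    """Run the check over the constructed sample; returns the silent host list."""
    seen = last_seen_by_host(SAMPLE_LINES, SAMPLE_YEAR)
    return silent_hosts(EXPECTED_HOSTS, seen, SAMPLE_NOW, MAX_SILENCE)


if __name__ == "__main__":
    seen = last_seen_by_host(SAMPLE_LINES, SAMPLE_YEAR)
    for host in EXPECTED_HOSTS:
        print(f"{host:12s} last seen: {seen.get(host, 'never')}")
    print("silent >", MAX_SILENCE, ":", check_sample())
```

On the sample, `ntnx-cvm-1` is current, `ntnx-cvm-2` was last heard from nine days ago and `ntnx-cvm-3` never appears, so the check reports both. Run the same logic over a real day of collector data: if only one host ever shows up, that supports the single-forwarder theory; if hosts drop out one at a time, look at the individual CVMs' rsyslog configuration instead.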
We can configure syslog monitoring to forward system logs (API Audit, Audit, Security Policy Hitlogs, and Flow Service Logs) of the registered clusters to an external syslog server.
Can you please confirm if this is what you are asking about?