# Cluster log forwarding through firewall
From my experience the logs are sent from the node management interface.
How does that work? Each node sends its own log?
It is not like all nodes send duplicates of all events. I don't know how ONTAP decides from which node to send. The majority of events come from the node that holds the mgwd process. Over 24 hours I see events coming from all cluster nodes.
Thank you for the information, it feels like this needs to be in the official documentation.
Oh, @rare trail: Are you talking about cluster Audit logs or Events/something else?
My question is regarding cluster audit logs, which might not have been clear from my original post.
I was talking about audit logs as in "cluster log-forwarding" command. But the same applies for event forwarding via syslog as in "event notification destination" command.
According to our vendor, NetApp support says that both cluster mgmt lif and node mgmt lifs are sources for "cluster log-forwarding". So they all need to be added.
Not sure if this is changed in ONTAP 9.12 with the service-policy, hopefully one can specify a single source then.
Yes, 9.12 changes it again with service policy. Pre that, outbound routing is not as deterministic as would be optimal. Make sure your route metrics are good and specific - had a customer where they were coming out of the intercluster LIFs because they had gateways with the same route metric as the ones for the management LIFs.