Log forwarding activated on deployment of Cloud Proxy shows as deactivated

Article ID: 384723


Products

VMware Aria Suite

Issue/Introduction

  • A cloud proxy is deployed as per documentation
  • Log forwarding is activated on deployment as per documentation
  • The Aria Operations for Logs adapter instance in Aria Operations is collecting data
  • The integration of Aria Operations for Logs is configured
  • A custom role user is used for authentication in both the Aria Operations for Logs adapter instance in Aria Operations and the Aria Operations integration in Aria Operations for Logs
  • Decoding the OTK token with a Base64 decoder (for example https://www.base64decode.org/) shows that the log forwarder is enabled, with the entry "is_log_forwarder_enabled":true
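
The Base64 check from the last bullet can be done offline, so the token is never pasted into a third-party website. This is an added example, not VMware's code: it assumes the decoded token is text containing the "is_log_forwarder_enabled" entry quoted above (parsed as JSON where possible), and the sample token is constructed.

```python
import base64
import binascii
import json
import re

FLAG = "is_log_forwarder_enabled"
FLAG_RE = re.compile(r'"%s"\s*:\s*(true|false)' % FLAG)


def decode_otk(token: str) -> str:
    """Base64-decode a token locally, tolerating copy/paste damage."""
    compact = "".join(token.split())                       # drop wrapped-line whitespace
    compact = compact.replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    compact += "=" * (-len(compact) % 4)                   # restore stripped padding
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"token is not valid Base64: {exc}") from exc
    return raw.decode("utf-8", errors="replace")


def log_forwarder_enabled(token: str):
    """Return True/False as recorded in the token, or None if the entry is absent."""
    text = decode_otk(token)
    try:
        data = json.loads(text)
        if isinstance(data, dict) and isinstance(data.get(FLAG), bool):
            return data[FLAG]
    except json.JSONDecodeError:
        pass  # JSON assumption did not hold: fall back to a text search
    match = FLAG_RE.search(text)
    return None if match is None else match.group(1) == "true"


# Constructed sample, not a real OTK; "example_field" is a made-up entry.
SAMPLE_OTK = base64.b64encode(
    json.dumps({"example_field": "x", FLAG: True}).encode()
).decode()

if __name__ == "__main__":
    print(FLAG, "=", log_forwarder_enabled(SAMPLE_OTK))
```

A result of True on a deployment where the UI shows log forwarding as deactivated matches the symptom described in this article.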

Environment

Aria Operations 8.x up to 8.18.x

Aria Operations for Logs 8.x

Cause

The issue arises from the restricted permissions of the user in Aria Operations for Logs. During deployment of a Cloud Proxy (CP) with log forwarding, Aria Operations makes calls to the Aria Operations for Logs server using the integrated user credentials. These calls fail because the user lacks the required permissions, which causes log forwarding to be disabled.

These privileges are used to detect changes on the Aria Operations for Logs cluster through periodic API calls and to pass those changes on to the Cloud Proxies, for example an IP change on the cluster (node addition, deletion, and so on). A non-privileged user therefore limits change detection, even if the CP and log forwarding were configured properly at some point, and as a result can cause data/log collection issues or Aria Operations for Logs cluster performance issues (for example, all traffic going to only one node).

Resolution

The recommendation is that, if you wish to have log forwarding activated, you use the local default admin user when configuring the Aria Operations for Logs adapter in Aria Operations, and also use the local admin user for Aria Operations when configuring the Aria Operations integration in Aria Operations for Logs.