Best rec right now is to install Edge on the Leader host and collect the logs using that. You can also opt for any of the other agents.

How to collect them? I cant put the Leader in a fleet to soak up the data.

I believe you could join the Leader as a managed node. You could also install Edge and run it as a singleton. Access it on port 9420 and configure a file monitor on /opt/cribl/log.

Another option is to use the agent you are familiar with like the Splunk UF or a FileBeat. Logs then get forwarded to your worker group.

Another way would be be to collect them using the REST API. A thread on Community Slack: Slack

Thank you guys, will try that.