We have deployed universal forwarders on Windows, running as "local system" (admin). They are installed in `C:\Program Files\SplunkUniversalForwarder`. When we checked the splunkd.log details, we found that none of the logs are getting rotated due to permission issues:
```
WARN Logger - Error unlinking "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.1": Access is denied
WARN Logger - Error renaming "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log" to "C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log.1": Access is denied
```
As an admin, I can read and write in the same folder. Splunkd can write the log files OK, as the data and size are growing in each of the files. Is there any reason why access is denied when it tries to rename/unlink?