I deploy a universal forwarder on SUSE Linux server, and monitor a log file. This forwarder forwards data to an indexer. We found that sometimes we can't search some logs which were added to the log file on the Linux server. For example, we added one log which contains the key word **YWG_704740** to the log file, and then we do searching on the indexer like this `index=XXXX host=XXXX YWG_704740`, time range is **all time**, but we can't search anything.
I enable indexer acknowledgment on the forwarder, set the **useACK** attribute to **true** in **outputs.conf**. It is effective, but we still can't search some logs on the indexer, but they were more less than before.
I want to know, do we have some methods to find what happened? For example, the connection problem or the forwarder problem or indexer problem.
Thanks a lot!
↧