I have a WinEventLog://System log which rolls to archive every hour or so. I have 4 questions:
1) Is the Splunk Universal Forwarder (UF) clever enough to ingest archived files based on the default [WinEventLog://System] input, or does it only ingest the data in the current log?
2) Does the UF catch all events in the log, or is there a chance some events could be lost at the point when the log rolls?
3) If either the UF or index layer is unavailable for a period of time (possibly days), will all of the logs be lost until the connection is re-established?
4) What is Splunk's recommended optimum file size for a WinEventLog source?