I have this Heavy Forwarder apparently not sending its own _internal logs $SPLUNK_HOME/var/log/splunk/*.log to the indexers.
What I've already checked:
HF is working fine, delivering data which it's set to receive and forward.
HF is phoning Deployment server fine.
_audit index is being indexed fine.
Using $ splunk list forward-server I see it is properly set to send data only to correct indexers.
The logs are being written as expected and have proper reading permissions, e.g.: $ ls -ltr ~/var/log/splunk/splunkd.log
-rw------- 1 splunk splunk 12983503 Feb 26 11:43 /opt/splunk/var/log/splunk/splunkd.log
Searching for _internal index into HF returns no results as supposed to be.
Any ideas about what is going on?
There is already a question about it in Answers, but not satisfying answered...