I have set Splunk to ingest the /var/log directory. On this particular host, I go to filter by "source", and only see 2 sources:
Why is it not seeing other files and folders? For example, there is /var/log/audit/audit.log.
Does the account running Splunk have read access to the missing files? Often, files in /var/log are secured so only root can read them.
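As an added example (not part of the thread, and not Splunk's own tooling), here is a small POSIX shell script that answers the question above: it walks a log directory and prints every directory the Splunk account cannot search and every regular file it cannot read, applying the same owner/group/other rule the kernel uses. It assumes GNU find (Linux) and that Splunk runs as a user named splunk; both are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list files under a log directory that a
# given account cannot read, using only the classic mode bits.
# Assumptions: GNU find with -printf (Linux), Splunk account named "splunk".

# in_list NEEDLE "LIST": succeed if NEEDLE is one of the space-separated words in LIST.
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# has_perm MODE OWNER GROUP USER "GROUPS" MASK
#   MODE   octal mode as printed by find %m / stat %a (e.g. 640, 4755, or 0)
#   GROUPS space-separated names of the groups USER belongs to
#   MASK   4 = read, 1 = execute/search (needed on every parent directory)
# Applies the POSIX rule: owner bits if USER owns the file, else group bits if
# USER is in the file's group, else other bits. Root is always allowed.
has_perm() {
    mode=$1 owner=$2 group=$3 user=$4 grplist=$5 mask=$6
    [ "$user" = "root" ] && return 0
    # pad to at least three digits ("0" -> "000"), then keep only the last
    # three so setuid/setgid/sticky digits are dropped
    while [ ${#mode} -lt 3 ]; do mode=0$mode; done
    perm=${mode#"${mode%???}"}
    ubits=${perm%??}
    rest=${perm#?}
    gbits=${rest%?}
    obits=${rest#?}
    if [ "$user" = "$owner" ]; then
        bits=$ubits
    elif in_list "$group" "$grplist"; then
        bits=$gbits
    else
        bits=$obits
    fi
    [ $((bits & mask)) -ne 0 ]
}

# report_unreadable USER DIR: print each directory USER cannot search and each
# regular file USER cannot read. A directory without search permission hides
# everything beneath it, so it is reported as well.
report_unreadable() {
    user=$1 dir=$2
    grplist=$(id -Gn "$user" 2>/dev/null) || { echo "no such user: $user" >&2; return 2; }
    # GNU find: %y type (d/f), %m octal mode, %u owner, %g group, %p path
    find "$dir" \( -type d -o -type f \) -printf '%y %m %u %g %p\n' |
    while read -r kind m o g name; do
        if [ "$kind" = d ]; then mask=1; else mask=4; fi
        has_perm "$m" "$o" "$g" "$user" "$grplist" "$mask" || echo "$kind $m $o:$g $name"
    done
}

# Run directly: sh check_log_perms.sh splunk /var/log
if [ $# -gt 0 ]; then
    report_unreadable "$1" "${2:-/var/log}"
fi
```

Two caveats when reading the output. First, the script only evaluates mode bits; POSIX ACLs (getfacl) and mandatory access control such as SELinux or AppArmor can grant or deny access beyond what it reports. Second, the directory line matters as much as the file line: on many distributions /var/log/audit is created 0700 and owned by root, so audit.log is unreachable for a non-root Splunk account even if the file itself were group-readable.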
"fine" as in able to read the files, yes. "fine" as in a good way to run Splunk, no. Running Splunk (or any non-OS process) as root increases your attack surface.
Search index=_internal to verify the forwarder is sending data to the indexers. Verify you are looking in the right index for the data.