I've heard that Splunk recommends monitoring of rolled log files (e.g. file.log.1, file.log.2, etc.) under certain situations. What are those situations?
I would think that monitoring of file.log would be sufficient.
It is all about the last events recorded before the log rotated. If this is too quick, the tailing processor may have read them.
So the recommended behavior (when not using crcSalt) is to monitor the first rotated files.
Otherwise, the behavior will depend on the OS and on the type of rotation.
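An added example, not from the original thread, that models the rotation race the answer describes in Python: a toy tailing processor identifies files Splunk-style by a CRC of their first bytes (a simplified stand-in for Splunk's initial-CRC check, which uses the first 256 bytes; the 64-byte head, file names, event format and rename-based rotation below are all constructed for the demo) and reports which events reach the index when only file.log is watched, when file.log.1 is watched as well, and when the source path is folded into the CRC the way crcSalt = &lt;SOURCE&gt; does.

```python
import os
import tempfile
import zlib

# Constructed for the demo: a file is identified by the CRC of its first
# HEAD_BYTES bytes, so a renamed file keeps its identity and its read offset.
HEAD_BYTES = 64


def fingerprint(path, crc_salt_source=False):
    """CRC of the file head; with crc_salt_source the path is salted in."""
    with open(path, "rb") as f:
        head = f.read(HEAD_BYTES)
    if crc_salt_source:
        head += path.encode()  # same bytes, different name -> different identity
    return zlib.crc32(head)


class Tailer:
    """Toy tailing processor: per fingerprint, remember how many bytes were consumed."""

    def __init__(self, crc_salt_source=False):
        self.offsets = {}
        self.indexed = []
        self.crc_salt_source = crc_salt_source

    def poll(self, paths):
        for path in paths:
            if not os.path.exists(path) or os.path.getsize(path) == 0:
                continue
            fp = fingerprint(path, self.crc_salt_source)
            offset = self.offsets.get(fp, 0)  # unknown file -> read from the start
            with open(path, "rb") as f:
                f.seek(offset)
                data = f.read()
            for line in data.decode().splitlines():
                if line:
                    self.indexed.append(line)
            self.offsets[fp] = offset + len(data)


def append_event(path, seq):
    # Constructed event: the first line alone is longer than HEAD_BYTES,
    # so the fingerprint is stable once the file exists.
    with open(path, "a") as f:
        f.write(f"seq={seq:05d} " + "x" * 60 + "\n")


def rotate(log_dir):
    """Rename-style rotation: file.log.1 -> file.log.2, file.log -> file.log.1."""
    current = os.path.join(log_dir, "file.log")
    one = os.path.join(log_dir, "file.log.1")
    two = os.path.join(log_dir, "file.log.2")
    if os.path.exists(one):
        os.replace(one, two)
    os.replace(current, one)


def simulate(monitor_rotated, crc_salt_source=False, cycles=3):
    """Return the sequence numbers indexed, in the order the tailer saw them."""
    tailer = Tailer(crc_salt_source)
    with tempfile.TemporaryDirectory() as log_dir:
        current = os.path.join(log_dir, "file.log")
        watched = [current]
        if monitor_rotated:
            watched.append(os.path.join(log_dir, "file.log.1"))
        seq = 0
        for _ in range(cycles):
            for _ in range(5):
                seq += 1
                append_event(current, seq)
            tailer.poll(watched)  # tailer keeps up while the file is live
            for _ in range(2):
                seq += 1
                append_event(current, seq)  # written just before rotation ...
            rotate(log_dir)  # ... and the rotation lands before the next poll
            tailer.poll(watched)
    return [int(line.split()[0].split("=")[1]) for line in tailer.indexed]


if __name__ == "__main__":
    print("file.log only:        ", simulate(monitor_rotated=False))
    print("file.log + file.log.1:", simulate(monitor_rotated=True))
    print("with path salted in:  ", simulate(monitor_rotated=True, crc_salt_source=True))
```

Watching only file.log drops the two events written between the last poll and the rename in every cycle; adding file.log.1 to the watch list recovers them exactly once, because the rotated file carries the same head CRC and therefore the same saved offset; salting the path into the CRC makes file.log.1 look like a new file, so those events are recovered but the whole file is re-read and the earlier events are indexed twice. In a real deployment the second case corresponds to a `[monitor://...]` stanza whose whitelist matches both file.log and file.log.1, with crcSalt left at its default.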
I'd assume that file.log.1 does not get updated, so a single pass through that file should find any events that were written just before the file was rotated. Thus there would be no real need to monitor .2 or .3, etc.