Splunk forwarders seem to stop forwarding internal logs after enabling the SplunkForwarder app.
Any idea how to forward internal logs even after enabling Splunk forwarder?
The current issue is caused by the forwardedindex.2.whitelist parameter in SPLUNK_HOME/etc/apps/SplunkForwarder/default/outputs.conf
[tcpout]
...
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry)
...
Please add the content below to either SPLUNK_HOME/etc/apps/SplunkForwarder/local/outputs.conf or SPLUNK_HOME/etc/system/local/outputs.conf to fix this issue.
[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
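To check offline which indexes a forwarder will send once the local override is layered over the app default, the filter evaluation can be modelled as below. This is an added example, not code from the original post or from Splunk. Filters 0 and 1 in the sample are assumed values, and the evaluation rule (filters tested in order of n, the last full-regex match decides) is an assumption about how the forwardedindex filters combine.

```python
import re

# Constructed sample stanzas. Only the forwardedindex.2.whitelist values come
# from the page; filters 0 and 1 are assumed values for illustration.
DEFAULT_CONF = """
[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_introspection|_telemetry)
"""
LOCAL_CONF = """
[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
"""

def parse_filters(*layers):
    """Merge [tcpout] forwardedindex settings; later layers override earlier ones."""
    filters = {}
    for text in layers:
        stanza = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                stanza = line[1:-1]
                continue
            m = re.match(r"forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*)$", line)
            if stanza == "tcpout" and m:
                filters[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return filters

def is_forwarded(index, filters):
    """Assumed semantics: test filters in order of <n>; the last full match decides."""
    decision = False
    for n in sorted(filters):
        kind, pattern = filters[n]
        if re.fullmatch(pattern, index):
            decision = (kind == "whitelist")
    return decision

def forwarded(indexes, *layers):
    """Map each index name to True/False for the merged configuration layers."""
    filters = parse_filters(*layers)
    return {name: is_forwarded(name, filters) for name in indexes}

if __name__ == "__main__":
    names = ["main", "_audit", "_internal", "_introspection"]
    print("default only :", forwarded(names, DEFAULT_CONF))
    print("default+local:", forwarded(names, DEFAULT_CONF, LOCAL_CONF))
```

On a live forwarder, `splunk btool outputs list tcpout --debug` shows the merged value of each setting and the file it came from.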