Hi,
Will a universal forwarder pick up a newly created subdirectory after it's already running?
For example, I'm monitoring /apps/logs/ with a recursive statement and a whitelist. If a new sub-directory gets created after the forwarder is running, will it monitor it? Or, do I need to restart the UFW?
It will pick it up, as long as the recursive option is enabled and it matches the whitelist and blacklist.
And don't forget file system permissions; if the Splunk user is not able to read the new directory, it will never be picked up.
@mzorzi - I'm having the same issue. How can I configure the inputs.conf to have it recursive?
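A dry-run of the three conditions named in the answer above (recursion, whitelist/blacklist match, read permission), as an added example that is not part of the original thread and is not Splunk code. The stanza values, the sample tree and the function names are constructed; it assumes Python's `re` is close enough to the forwarder's regex engine for these patterns and that the script runs as the same OS user as the forwarder.

```python
import os
import re
import tempfile

# Constructed values standing in for an inputs.conf stanza such as:
#   [monitor:///apps/logs/]
#   recursive = true
#   whitelist = \.log$
#   blacklist = debug\.log$
WHITELIST = r"\.log$"
BLACKLIST = r"debug\.log$"

def eligible_files(root, whitelist=None, blacklist=None, recursive=True):
    """Return {path: reason} for files under root, applying the checks from
    the thread: recursion, whitelist/blacklist on the full path, readability."""
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    results = {}

    def note_unreadable_dir(err):
        # os.walk calls this when it cannot list a directory
        results[err.filename] = "skipped: directory not readable"

    for dirpath, dirnames, filenames in os.walk(root, onerror=note_unreadable_dir):
        if not recursive:
            dirnames[:] = []  # do not descend below the monitored directory
        for name in filenames:
            path = os.path.join(dirpath, name)
            if bl and bl.search(path):  # blacklist takes precedence
                reason = "skipped: blacklist"
            elif wl and not wl.search(path):
                reason = "skipped: not in whitelist"
            elif not os.access(path, os.R_OK):
                reason = "skipped: not readable"
            else:
                reason = "monitored"
            results[path] = reason
    return results

def demo():
    """Constructed tree: new_app/ plays the subdirectory created later."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "new_app"))
        for rel in ("app.log", "new_app/app.log", "new_app/debug.log", "new_app/notes.txt"):
            open(os.path.join(root, rel), "w").close()
        found = eligible_files(root, WHITELIST, BLACKLIST)
        return {os.path.relpath(p, root): r for p, r in found.items()}

if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{reason:28} {path}")
```

Pointing `eligible_files` at the real monitored path, run as the forwarder's user, shows which files in a new subdirectory fail the whitelist, blacklist or permission check.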