Will a universal forwarder pick up a newly created subdirectory after it's already running?
For example, I'm monitoring
/apps/logs/ with a recursive statement and a whitelist. If a new sub-directory gets created after the forwarder is running, will it monitor it? Or, do I need to restart the UFW?
It will pick it up, as long as the recursive optiont is enabled and it matches the whitelist and blacklist
@mzorzi - im having the same issue. how can i configure the inputs.conf to have it recursive?
And don't forget file system permissions; if the Splunk user is not able to read the new directory, it will never be picked up.......