I to have the same issue. we are monitoring the RSA key file from some host and we are getting logs from all the source excluding one source. the folder where auth.log file are fetched is present on that host but splunk cant fetch the logs. the configuration of all the host are same and the permission to the auth.log dir is also same for all the servers. still not getting log.
Please help here!
Maybe it's a permissions issue or they all have the same header and Splunk, by defaults, think that already has indexed that file. You could try to add this to your inputs.conf file:
crcSALT = < SOURCE >
**Remove the blanks before and after SOURCE, and you dont need to put here your real source file, just the string SOURCE