The same version of the Splunk forwarder (8.0.2) on 2 Linux servers is behaving differently.
One lists all files under a folder to monitor. However, the other one shows only a few of them. What's the issue?
Check if the forwarders on both Linux servers have the same inputs.conf configuration. If yes, then check the file and folder permissions on both servers.
The strange part is that the server which is working fine has no monitor parameter set in any of the inputs.conf files.
/opt/splunkforwarder/bin/splunk list monitor
Monitored Directories:
$SPLUNK_HOME/var/log/splunk
/opt/splunkforwarder/var/log/splunk/audit.log
/opt/splunkforwarder/var/log/splunk/first_install.log
/opt/splunkforwarder/var/log/splunk/splunkd_access.log
$SPLUNK_HOME/var/log/splunk/license_usage_summary.log
$SPLUNK_HOME/var/log/splunk/metrics.log
/opt/splunkforwarder/var/log/splunk/metrics.log
$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/splunkforwarder/var/log/splunk/splunkd.log
$SPLUNK_HOME/var/log/watchdog/watchdog.log*
/var/log/forwarder-logs
/var/log/forwarder-logs/LogA
/var/log/forwarder-logs/LogB
/var/log/forwarder-logs/LogC
/var/log/forwarder-logs/LogD
/var/log/forwarder-logs/LogE
/var/log/forwarder-logs/LogF
/var/log/forwarder-logs/LogG
/var/log/forwarder-logs/LogH
/var/log/forwarder-logs/LogI
/var/log/forwarder-logs/LogJ
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json
$SPLUNK_HOME/var/spool/splunk/...stash_new
grep -r "/var/log/forwarder-logs" /opt/splunkforwarder/etc/
The above command returns nothing.
It'll be there somewhere; use the btool command to check:
/opt/splunkforwarder/bin/splunk cmd btool inputs list --debug
Check if directories are monitored recursively; check paths with /.../
Strangely, nothing again.
/opt/splunkforwarder/bin/splunk cmd btool inputs list --debug | grep forwarder | grep -v splunkforwarder
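An added example, not part of the thread: instead of grepping btool output for the literal directory name, test each monitor stanza as a pattern against the path in question, so a stanza written with `...` or `*` is still found. With `--debug`, btool prefixes every line with the .conf file that supplied it, which on these hosts sits under /opt/splunkforwarder, so a `grep -v splunkforwarder` filter drops every line. The sample output, the `example_app` name and the `/var/log/.../Log*` stanza are constructed for illustration, and the matching is a simplified approximation of Splunk's wildcard rules.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output.
# Each line starts with the .conf file that contributed the setting.
SAMPLE_BTOOL = """\
/opt/splunkforwarder/etc/system/default/inputs.conf [monitor://$SPLUNK_HOME/var/log/splunk]
/opt/splunkforwarder/etc/system/default/inputs.conf index = _internal
/opt/splunkforwarder/etc/apps/example_app/local/inputs.conf [monitor:///var/log/.../Log*]
/opt/splunkforwarder/etc/apps/example_app/local/inputs.conf disabled = 0
"""

STANZA = re.compile(r"^(\S+)\s+\[monitor://(.+)\]\s*$")


def to_regex(monitor_path, splunk_home):
    """Turn a monitor path into a regex: '...' crosses directories, '*' does not."""
    path = monitor_path.replace("$SPLUNK_HOME", splunk_home).rstrip("/")
    parts = []
    for piece in re.split(r"(\.\.\.|\*)", path):
        if piece == "...":
            parts.append(".*")
        elif piece == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(piece))
    # A monitored directory also covers everything beneath it.
    return re.compile("".join(parts) + r"(/.*)?")


def covering_stanzas(btool_output, target, splunk_home="/opt/splunkforwarder"):
    """Return (conf_file, monitor_path) for every stanza that covers target."""
    hits = []
    for line in btool_output.splitlines():
        m = STANZA.match(line)
        if m and to_regex(m.group(2), splunk_home).fullmatch(target):
            hits.append((m.group(1), m.group(2)))
    return hits


def literal_grep(btool_output):
    """Same filter as `grep forwarder | grep -v splunkforwarder`."""
    return [l for l in btool_output.splitlines()
            if "forwarder" in l and "splunkforwarder" not in l]


if __name__ == "__main__":
    print(literal_grep(SAMPLE_BTOOL))
    print(covering_stanzas(SAMPLE_BTOOL, "/var/log/forwarder-logs/LogA"))
```

On a forwarder, feed the function the real output of `/opt/splunkforwarder/bin/splunk cmd btool inputs list --debug` in place of the sample.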