Hi Campbell04,
Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.
BUT, one can increase the logging for any tcpout*
channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).
Hope this helps ...
cheers, MuS
Hi Campbell04,
Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.
BUT, one can increase the logging for any tcpout*
channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).
Hope this helps ...
cheers, MuS
Thanks. Where would you see these messages if the tcpout were increased? That is what I'm after.
Hi Campbell04,
the universal forwarder will log a running number for each event in splunkd.log
or index=_internal
, but here are your next two problems : this running number has no direct link to the event (one might get this information by turning on more debug logging on all instances), and _internal
will only be kept for 30 days be default.
cheers, MuS